a look at connection tracking: tcptrack


Today has been a slow day at work … so let’s learn about tcptrack. What is tcptrack? It is a passive network sniffer that monitors an interface for TCP connections. More specifically, it displays source and destination addresses and ports, connection state, idle time, and bandwidth usage, all in real time. Sure, that sounds a lot like netstat, until you get to the real time part. The other difference is where the data comes from: netstat reads the local socket table, while tcptrack captures packets with libpcap (so it needs root or CAP_NET_RAW) and shows any TCP connection it sees crossing the interface, whether or not this host is one of the endpoints. I love tcptrack for those situations where you are looking for a quick overview of current network connections and don’t want to have to use something as robust as ntop.

On to the goodness ….


Here is a screenshot of tcptrack in action:

[screenshot: tcptrack]

As you can see, it’s pretty straightforward. There are a few options that tcptrack accepts on the command line:

-i <interface> sniff packets from the specified network interface.
-P <port>* define the port(s) to look for.
-f enable fast average recalculation. tcptrack will use more memory and CPU time, but averages will seem closer to real time, will be updated more than once per second, and may be more accurate under heavy load.
-d only track connections started after tcptrack itself started, instead of guessing at pre-existing connections from mid-stream packets.
-p do not put the interface into promiscuous mode. Promiscuous is the default, and it is what lets tcptrack show other hosts’ connections when you are on a hub or a SPAN/mirror port.
-r <seconds> keep a closed connection on screen for this many seconds before removing it.

*While the man page doesn’t cover this as well as I’d like; you can either define a single port or a port range using first:last. The approach that works with every version of tcptrack is the capture filter expression at the end of the command line: “port xx” for a single port, or “portrange first-last” for a range (that is libpcap syntax, so note the dash rather than a colon).

You may also find it useful to look at only one host at a time, instead of every connection on the network. This is done by passing a BPF-style filter expression (the same pcap-filter syntax tcpdump uses) after the options on the command line. The filter runs in the kernel, so packets it rejects never reach tcptrack at all, which also keeps its CPU cost down on a busy link.

In this example, I am going to use tcptrack to look at a specific host as the destination and see how much traffic it is receiving on a specific port, using a specific interface on my machine.

(sudo/root) tcptrack -i eth1 -P 31337 dst 192.168.1.6

In my case, this had better be none, lest I have a problem :) .. your mileage may vary.
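To make the tracking concrete, here is an added example in Python (not tcptrack’s own code) of what a passive connection tracker does with the packets the filter lets through: it replays a constructed packet list and derives the same columns tcptrack shows. The addresses, ports and packets are made up. The accept predicate stands in for the capture filter, and bpf_dst/bpf_host approximate the pcap expressions “port 31337 and dst 192.168.1.6” and “port 31337 and host 192.168.1.6”. It also demonstrates a caveat about the invocation above: a dst filter passes only the packets going to that host, so the sniffer never sees the SYN|ACK or the reply bytes, the connection never reaches ESTABLISHED on screen, and the reported bandwidth is one direction only. That is fine if inbound volume is all you want; use host instead of dst to see both directions.

```python
"""Passive TCP connection tracking in the spirit of tcptrack (added example,
not tcptrack's own code). Replays constructed packet summaries instead of
sniffing; a Python predicate stands in for the BPF filter expression."""
from dataclasses import dataclass, field

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # TCP header flag bits


@dataclass
class Packet:
    ts: float          # capture timestamp, seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: int = 0   # TCP payload bytes carried


@dataclass
class Conn:
    client: tuple      # (ip, port) that sent the SYN, or that was seen first
    server: tuple
    state: str
    last_seen: float
    traffic: dict = field(default_factory=lambda: {"c2s": 0, "s2c": 0})


def _key(p):
    # Direction-independent 4-tuple so both halves of a flow map to one Conn.
    return frozenset([(p.src, p.sport), (p.dst, p.dport)])


def track(packets, detect_existing=True, accept=lambda p: True):
    """Replay packets in timestamp order and return {key: Conn}.

    accept() plays the role of the pcap filter: a packet it rejects is never
    seen. detect_existing=False mimics tcptrack -d (ignore flows whose SYN
    predates the capture instead of assuming they are ESTABLISHED)."""
    conns = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if not accept(p):
            continue
        k = _key(p)
        c = conns.get(k)
        if c is None:
            if p.flags & SYN and not p.flags & ACK:
                c = Conn((p.src, p.sport), (p.dst, p.dport), "SYN_SENT", p.ts)
            elif detect_existing and not p.flags & RST:
                c = Conn((p.src, p.sport), (p.dst, p.dport), "ESTABLISHED", p.ts)
            else:
                continue
            conns[k] = c
        c.last_seen = p.ts
        c.traffic["c2s" if (p.src, p.sport) == c.client else "s2c"] += p.payload
        # State machine: RST wins; otherwise follow the handshake, then teardown.
        if p.flags & RST:
            c.state = "RESET"
        elif c.state == "SYN_SENT" and p.flags & SYN and p.flags & ACK:
            c.state = "SYN|ACK"
        elif c.state == "SYN|ACK" and p.flags & ACK and not p.flags & SYN:
            c.state = "ESTABLISHED"
        elif p.flags & FIN:
            c.state = "CLOSED" if c.state == "CLOSING" else "CLOSING"
    return conns


def lookup(conns, ip, port):
    """The tracked connection with (ip, port) on either end, or None."""
    return next((c for k, c in conns.items() if (ip, port) in k), None)


def bpf_dst(host, port):
    """Stand-in for the filter 'port PORT and dst HOST' (one direction only)."""
    return lambda p: p.dst == host and port in (p.sport, p.dport)


def bpf_host(host, port):
    """Stand-in for 'port PORT and host HOST' (both directions)."""
    return lambda p: host in (p.src, p.dst) and port in (p.sport, p.dport)


def render(conns, now):
    """One line per connection with roughly tcptrack's columns."""
    return [f"{c.client[0]}:{c.client[1]:<5} -> {c.server[0]}:{c.server[1]:<5} "
            f"{c.state:<11} idle {now - c.last_seen:5.2f}s  c2s {c.traffic['c2s']:>5}B  "
            f"s2c {c.traffic['s2c']:>5}B" for c in conns.values()]


# Constructed sample capture (hypothetical addresses): a full exchange on 31337,
# a flow whose SYN predates the capture on 443, and a SYN to 22 answered by RST.
H, C = "192.168.1.6", "10.0.0.5"
SAMPLE = [
    Packet(0.00, C, 40000, H, 31337, SYN),
    Packet(0.01, H, 31337, C, 40000, SYN | ACK),
    Packet(0.02, C, 40000, H, 31337, ACK),
    Packet(0.10, C, 40000, H, 31337, ACK, 200),
    Packet(0.50, H, 31337, C, 40000, ACK, 4000),
    Packet(1.00, C, 40000, H, 31337, FIN | ACK),
    Packet(1.01, H, 31337, C, 40000, FIN | ACK),
    Packet(0.30, "10.0.0.9", 51000, H, 443, ACK, 1200),
    Packet(2.00, "10.0.0.7", 42000, H, 22, SYN),
    Packet(2.01, H, 22, "10.0.0.7", 42000, RST | ACK),
]

if __name__ == "__main__":
    for title, accept in [("no filter", lambda p: True),
                          ("port 31337 and dst 192.168.1.6", bpf_dst(H, 31337)),
                          ("port 31337 and host 192.168.1.6", bpf_host(H, 31337))]:
        print(f"== {title}")
        print("\n".join(render(track(SAMPLE, accept=accept), now=2.5)))
```

Run it as-is to print the three views side by side. The detect_existing switch corresponds to -d: without it, a mid-stream packet on an unknown 4-tuple is treated as a pre-existing connection, which is why tcptrack started on a busy box shows flows as ESTABLISHED even though it never saw their handshake.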

To sum up, tcptrack is an extremely handy tool to have in your arsenal. If you haven’t used it, you should. A lightweight passive connection sniffer like this is invaluable.
