- Cisco Community
- Technology and Support
- Security
- Security Knowledge Base
- ASA/FTD top talkers using CLI
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
10-23-2024 10:46 AM - edited 11-02-2024 11:21 AM
One common task while troubleshooting ASA/FTD connections is to identify the connections with highest bytes count.
Easiest way is to filter the connections using REGEX on device CLI. This document is using "show conn" output,
"show conn long" and "show long detail" has multiline outputs and different processing is needed.
***Masking the ip addresses in output
ciscoasa# sh conn | ?
append Append to file
begin Begin with the line that matches
count Count number of lines which match regexp
exclude Exclude lines that match
grep Include/exclude lines that match
include Include lines that match
redirect Redirect to file
For example following command shows all connections which have bytes count of minimum two digits.
ciscoasa# sh conn | grep (bytes .*..,)
UDP outside x.x.x.x:123 inside x.x.x.x:52247, idle 0:00:55, bytes 48, flags -
TCP outside x.x.x.x:443 inside x.x.x.x:38940, idle 0:00:27, bytes 7297, flags UFRxIO
UDP outside x.x.x.x:123 inside x.x.x.x:59754, idle 0:00:35, bytes 48, flags -
UDP outside x.x.x.x:123 inside x.x.x.x:49357, idle 0:01:06, bytes 48, flags -
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:02, bytes 1815578, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:05, bytes 468661, flags UxIO
UDP outside x.x.x.x:123 inside x.x.x.x:57734, idle 0:00:45, bytes 48, flags -
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142503242, flags -
TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:09, bytes 198211, flags UxIO
TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:25:23, bytes 135371, flags UxIOB
You can start from low value and move up by adding more . characters in regex
ciscoasa# sh conn | grep (bytes .*...,)
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:01, bytes 1816454, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:03, bytes 478265, flags UxIO
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142581070, flags -
TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:02, bytes 199279, flags UxIO
TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:26:55, bytes 135371, flags UxIOB
ciscoasa# sh conn | grep (bytes .*....,)
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:03, bytes 1816508, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:00, bytes 478447, flags UxIO
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142584266, flags -
TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:02, bytes 199509, flags UxIO
TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:27:01, bytes 135371, flags UxIOB
ciscoasa# sh conn | grep (bytes .*.....,)
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:00, bytes 1816562, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:03, bytes 478571, flags UxIO
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142586935, flags -
TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:02, bytes 199551, flags UxIO
TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:27:06, bytes 135371, flags UxIOB
ciscoasa# sh conn | grep (bytes .*......,)
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:00, bytes 1816591, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:00, bytes 478827, flags UxIO
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142589763, flags -
TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:06, bytes 199551, flags UxIO
TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:27:09, bytes 135371, flags UxIOB
ciscoasa# sh conn | grep (bytes .*.......,)
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:00, bytes 1816616, flags UxIO
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:01, bytes 142590451, flags -
If you get lots of connections with same number of digits in bytes, you can use bracket expression on
the first number to further isolate
e.g
Filter with first digit between 5 and 9
ciscoasa# sh conn | grep (bytes [5-9]*.......,)
Filter with first digit between 1 and 4
ciscoasa# sh conn | grep (bytes [1-4]*.......,)
Filter with first digit is 8 or 9
ciscoasa# sh conn | grep (bytes [89]*.......,)
few examples
ciscoasa# sh conn | grep (bytes [1-9]*........,)
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 145016668, flags -
ciscoasa# sh conn | grep (bytes [9]*........,)
ciscoasa# sh conn | grep (bytes [1]*........,)
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:01, bytes 145029371, flags -
ciscoasa# sh conn | grep (bytes [1-5]*........,)
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 145045409, flags -
ciscoasa# sh conn | grep (bytes [6-9]*........,)
ciscoasa# sh conn | grep (bytes [12]*........,)
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:01, bytes 145050711, flags -
ciscoasa# sh conn | grep (bytes [123]*........,)
UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 145062292, flags -
Another common use case would be to filter the connection with specific flags and find largest bytes count e.g to
find the largest bytes connections inspected by snort.
On CLI of ASA/FTD you can do the following to filter with certain minimum bytes and flags
ciscoasa# sh conn | grep (bytes .*........,.*flags.*UxI.*)
TCP outside x.x.x.x:8305 inside x.x.x.x:39995, idle 0:00:04, bytes 28538458, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:47339, idle 0:00:00, bytes 54874405, flags UxIO
ciscoasa# sh conn | grep (bytes .*.....,.*flags.*UxI.*)
TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:02, bytes 4728683, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:41563, idle 0:00:07, bytes 6444613, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:39995, idle 0:00:03, bytes 28539047, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:47339, idle 0:00:03, bytes 54883832, flags UxIO
TCP outside x.x.x.x:8305 inside x.x.x.x:47487, idle 0:00:02, bytes 6488378, flags UxIO
for snort
ciscoasa# sh conn | grep (bytes .*.....,.*flags.*N.*)
You can do filtering for specific IP address, port numbers, bytes, flags etc.
ciscoasa# sh conn | grep TCP.*10.48.26.*bytes .*....,
TCP outside 10.48.26.239:8305 inside 192.168.1.94:41563, idle 0:00:09, bytes 16538192, flags UxIO
TCP outside 10.48.26.239:8305 inside 192.168.1.94:39995, idle 0:00:01, bytes 74024746, flags UxIO
TCP outside 10.48.26.239:8305 inside 192.168.1.96:47339, idle 0:00:02, bytes 140058784, flags UxIO
TCP outside 10.48.26.239:8305 inside 192.168.1.96:47487, idle 0:00:04, bytes 16537852, flags UxIO
ciscoasa# sh conn | grep TCP.*10.48.26.*bytes .*......,
TCP outside 10.48.26.239:8305 inside 192.168.1.94:41563, idle 0:00:04, bytes 16539300, flags UxIO
TCP outside 10.48.26.239:8305 inside 192.168.1.94:39995, idle 0:00:02, bytes 74025087, flags UxIO
TCP outside 10.48.26.239:8305 inside 192.168.1.96:47339, idle 0:00:02, bytes 140059424, flags UxIO
TCP outside 10.48.26.239:8305 inside 192.168.1.96:47487, idle 0:00:04, bytes 16537901, flags UxIO
ciscoasa# sh conn | grep TCP.*10.48.26.*bytes .*.........,
TCP outside 10.48.26.239:8305 inside 192.168.1.96:47339, idle 0:00:02, bytes 140059489, flags UxIO
ciscoasa# sh conn | grep UDP.*:123.*bytes .*,
UDP outside 173.38.201.115:123 inside 192.168.1.222:123, idle 0:01:40, bytes 96, flags -
if you need to check to the box traffic, you can use show conn all and do something like the following
For TCP
ciscoasa# sh conn all | grep (TCP.*inside.*Identity)
TCP inside 192.168.1.119:50854 NP Identity Ifc 192.168.1.1:179, idle 0:00:36, bytes 72263, flags UOB
TCP inside 192.168.1.219:29174 NP Identity Ifc 192.168.1.1:179, idle 0:00:25, bytes 73023, flags UOB
TCP inside 192.168.1.38:5201 NP Identity Ifc 192.168.1.1:63333, idle 0:00:00, bytes 0, flags
TCP inside 192.168.1.38:5201 NP Identity Ifc 192.168.1.1:28291, idle 0:00:00, bytes 0, flags
TCP inside 192.168.1.194:179 NP Identity Ifc 192.168.1.1:12854, idle 0:00:14, bytes 75037, flags UO
TCP inside 2a00:1028:1:207:8000::23:179 NP Identity Ifc 2a00:1028:1:207:8000::14:53955, idle 0:00:07, bytes 72196, flags UO
TCP inside 192.168.1.115:179 NP Identity Ifc 192.168.1.1:23889, idle 0:00:29, bytes 29098, flags UO
TCP inside 192.168.1.190:179 NP Identity Ifc 192.168.1.1:2209, idle 0:00:02, bytes 0, flags saA
TCP inside 192.168.1.38:5201 NP Identity Ifc 192.168.1.1:18834, idle 0:00:00, bytes 0, flags
You can apply similar logic on file as well. I am using a "sh conn" file with around 600k connections,
first you can filter the connections with bytes regex, so you are running sort on useful data.
(base) RAJATSH-M-V7QW:Desktop rajatsh$ wc -l connu
628849 connu
(base) RAJATSH-M-V7QW:Desktop rajatsh$ ls -lh connu
-rw-r--r-- 1 rajatsh staff 65M Oct 20 12:35 connu
***Numeric sort on the column 9 which is bytes value, with default field separator of blank space.
Please note if your file has additional spaces, column value will be different.
base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep "bytes .*.........," connu | sort -nrk9 | head -30
TCP internet x.x.x.x:52423 outside x.x.x.x:8305, idle 0:37:51, bytes 234329823085, flags UIOoN1
TCP internet x.x.x.x:34113 outside x.x.x.x:8305, idle 0:38:09, bytes 210493179767, flags UIO N1
TCP internet x.x.x.x:36580 outside x.x.x.x:443, idle 0:00:00, bytes 15847987764, flags UIOoN1
TCP internet x.x.x.x:52376 outside x.x.x.x:443, idle 0:00:00, bytes 14810575645, flags UIOoN1
TCP internet x.x.x.x:44424 outside x.x.x.x:443, idle 0:00:00, bytes 12760598833, flags UIOoN1
TCP internet x.x.x.x:40032 outside x.x.x.x:443, idle 0:00:00, bytes 11037655427, flags UIOoN1
TCP internet x.x.x.x:46510 outside x.x.x.x:443, idle 0:00:00, bytes 7913673073, flags UIOoN1
TCP internet x.x.x.x:10001 outside x.x.x.x:36136, idle 0:00:00, bytes 6876346568, flags UIO N1
TCP internet x.x.x.x:41674 outside x.x.x.x:443, idle 0:17:54, bytes 6824429435, flags UIOoN1
UDP internet x.x.x.x:55030 outside x.x.x.x:59872, idle 0:00:00, bytes 6124057215, flags - N1
TCP internet x.x.x.x:46446 outside x.x.x.x:443, idle 0:00:01, bytes 6113582214, flags UIOoN1
TCP internet x.x.x.x:8000 outside x.x.x.x:60752, idle 0:00:00, bytes 5734013551, flags UIO N1
TCP internet x.x.x.x:35374 outside x.x.x.x:443, idle 0:00:04, bytes 4630486373, flags UIOoN1
TCP internet x.x.x.x:10201 outside x.x.x.x:52302, idle 0:00:00, bytes 4463234926, flags UIO N1
UDP internet x.x.x.x:54512 outside x.x.x.x:48078, idle 0:00:00, bytes 4324907121, flags - N1
TCP internet x.x.x.x:19219 outside x.x.x.x:443, idle 0:00:00, bytes 4306351549, flags UIOoN1
TCP internet x.x.x.x:52912 outside x.x.x.x:443, idle 0:00:00, bytes 4248417202, flags UIOoN1
TCP internet x.x.x.x:443 outside x.x.x.x:59700, idle 0:00:00, bytes 4166659235, flags UOo
TCP internet x.x.x.x:443 outside x.x.x.x:44570, idle 0:00:22, bytes 4064883107, flags UIOo
TCP internet x.x.x.x:443 outside x.x.x.x:16299, idle 0:00:00, bytes 3900868072, flags UIOo
TCP internet x.x.x.x:56789 outside x.x.x.x:443, idle 0:00:00, bytes 3889361205, flags UIOoN1
TCP internet x.x.x.x:443 outside x.x.x.x:25117, idle 0:00:00, bytes 3811128475, flags UOo
TCP internet x.x.x.x:23138 outside x.x.x.x:443, idle 0:00:00, bytes 3721076954, flags UIOoN1
TCP internet x.x.x.x:36832 outside x.x.x.x:443, idle 0:00:00, bytes 3611308750, flags UIOoN1
TCP internet x.x.x.x:52472 outside x.x.x.x:443, idle 0:00:00, bytes 3605029000, flags UIOoN1
TCP internet x.x.x.x:57060 outside x.x.x.x:443, idle 0:00:04, bytes 3405916155, flags UIOoN1
TCP internet x.x.x.x:46312 outside x.x.x.x:443, idle 0:00:00, bytes 3343244422, flags UIOoN1
TCP internet x.x.x.x:443 outside x.x.x.x:3327, idle 0:00:01, bytes 3291889440, flags UOo
TCP internet x.x.x.x:5044 outside x.x.x.x:45068, idle 0:00:10, bytes 3001475756, flags UIOoN1
UDP internet x.x.x.x:3480 outside x.x.x.x:50034, idle 0:00:00, bytes 2978517854, flags -o
real 0m1.643s
user 0m1.461s
sys 0m0.034s
top talkers inspected by snort
base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep "bytes .*.........,.*flags.*N.*" connu | sort -nrk9 | head -20
TCP internet x.x.x.x:52423 INTERNAL-NETWORK x.x.x.x:8305, idle 0:37:51, bytes 234329823085, flags UIOoN1
TCP internet x.x.x.x:34113 INTERNAL-NETWORK x.x.x.x:8305, idle 0:38:09, bytes 210493179767, flags UIO N1
TCP internet x.x.x.x:36580 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 15847987764, flags UIOoN1
TCP internet x.x.x.x:52376 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 14810575645, flags UIOoN1
TCP internet x.x.x.x:44424 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 12760598833, flags UIOoN1
TCP internet x.x.x.x:40032 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 11037655427, flags UIOoN1
TCP internet x.x.x.x:46510 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 7913673073, flags UIOoN1
TCP internet x.x.x.x:10001 INTERNAL-NETWORK x.x.x.x:36136, idle 0:00:00, bytes 6876346568, flags UIO N1
TCP internet x.x.x.x:41674 INTERNAL-NETWORK x.x.x.x:443, idle 0:17:54, bytes 6824429435, flags UIOoN1
UDP internet x.x.x.x:55030 INTERNAL-NETWORK x.x.x.x:59872, idle 0:00:00, bytes 6124057215, flags - N1
TCP internet x.x.x.x:46446 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 6113582214, flags UIOoN1
TCP internet x.x.x.x:8000 INTERNAL-NETWORK x.x.x.x:60752, idle 0:00:00, bytes 5734013551, flags UIO N1
TCP internet x.x.x.x:35374 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:04, bytes 4630486373, flags UIOoN1
TCP internet x.x.x.x:10201 INTERNAL-NETWORK x.x.x.x:52302, idle 0:00:00, bytes 4463234926, flags UIO N1
UDP internet x.x.x.x:54512 INTERNAL-NETWORK x.x.x.x:48078, idle 0:00:00, bytes 4324907121, flags - N1
TCP internet x.x.x.x:19219 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 4306351549, flags UIOoN1
TCP internet x.x.x.x:52912 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 4248417202, flags UIOoN1
TCP internet x.x.x.x:56789 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 3889361205, flags UIOoN1
TCP internet x.x.x.x:23138 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 3721076954, flags UIOoN1
TCP internet x.x.x.x:36832 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 3611308750, flags UIOoN1
real 0m1.641s
user 0m1.458s
sys 0m0.042s
To sort only UDP connections passing through sort
(base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep "UDP.*bytes .*.........,.*flags.*N.*" connu | sort -nrk9 | head -20
UDP internet x.x.x.x:55030 INTERNAL-NETWORK x.x.x.x:59872, idle 0:00:00, bytes 6124057215, flags - N1
UDP internet x.x.x.x:54512 INTERNAL-NETWORK x.x.x.x:48078, idle 0:00:00, bytes 4324907121, flags - N1
UDP internet x.x.x.x:1194 INTERNAL-NETWORK x.x.x.x:1194, idle 0:00:02, bytes 2552032864, flags - N2
UDP internet x.x.x.x:53922 INTERNAL-NETWORK x.x.x.x:49640, idle 0:00:00, bytes 2489273937, flags -oN1
UDP internet x.x.x.x:162 INTERNAL-NETWORK x.x.x.x:2048, idle 0:00:07, bytes 2387712788, flags -oN1
UDP internet x.x.x.x:47808 INTERNAL-NETWORK x.x.x.x:47808, idle 0:00:02, bytes 2265836395, flags - N2
UDP internet x.x.x.x:54484 INTERNAL-NETWORK x.x.x.x:54220, idle 0:00:00, bytes 2215362703, flags -oN1
UDP internet x.x.x.x:57052 INTERNAL-NETWORK x.x.x.x:48144, idle 0:00:00, bytes 1981823052, flags -oN1
UDP internet x.x.x.x:47808 INTERNAL-NETWORK x.x.x.x:47808, idle 0:00:02, bytes 1517950661, flags - N2
UDP internet x.x.x.x:57522 INTERNAL-NETWORK x.x.x.x:51214, idle 0:00:00, bytes 1293938206, flags -oN1
UDP internet x.x.x.x:1194 INTERNAL-NETWORK x.x.x.x:1194, idle 0:00:00, bytes 1234628116, flags - N2
UDP internet x.x.x.x:2088 INTERNAL-NETWORK x.x.x.x:2088, idle 0:00:00, bytes 1190928830, flags -oN1
UDP internet x.x.x.x:162 INTERNAL-NETWORK x.x.x.x:2048, idle 0:00:01, bytes 977088055, flags -oN1
UDP internet x.x.x.x:2088 INTERNAL-NETWORK x.x.x.x:2088, idle 0:00:00, bytes 975837747, flags - N1
UDP internet x.x.x.x:4500 INTERNAL-NETWORK x.x.x.x:4500, idle 0:00:00, bytes 974765422, flags - N2
UDP internet x.x.x.x:2088 INTERNAL-NETWORK x.x.x.x:2088, idle 0:00:07, bytes 959430559, flags -oN1
UDP internet x.x.x.x:4500 INTERNAL-NETWORK x.x.x.x:4500, idle 0:00:02, bytes 903971878, flags - N2
UDP internet x.x.x.x:4500 INTERNAL-NETWORK x.x.x.x:4500, idle 0:00:03, bytes 895766429, flags - N2
UDP internet x.x.x.x:59578 INTERNAL-NETWORK x.x.x.x:51312, idle 0:00:00, bytes 846297667, flags -oN1
UDP internet x.x.x.x:58232 INTERNAL-NETWORK x.x.x.x:50936, idle 0:00:00, bytes 838767369, flags -oN1
real 0m0.449s
user 0m0.212s
sys 0m0.032s
To sort only TCP connections passing through sort
(base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep "TCP.*bytes .*.........,.*flags.*N.*" connu | sort -nrk9 | head -100
TCP internet x.x.x.x:52423 INTERNAL-NETWORK x.x.x.x:8305, idle 0:37:51, bytes 234329823085, flags UIOoN1
TCP internet x.x.x.x:34113 INTERNAL-NETWORK x.x.x.x:8305, idle 0:38:09, bytes 210493179767, flags UIO N1
TCP internet x.x.x.x:36580 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 15847987764, flags UIOoN1
TCP internet x.x.x.x:52376 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 14810575645, flags UIOoN1
TCP internet x.x.x.x:44424 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 12760598833, flags UIOoN1
TCP internet x.x.x.x:40032 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 11037655427, flags UIOoN1
TCP internet x.x.x.x:46510 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 7913673073, flags UIOoN1
TCP internet x.x.x.x:10001 INTERNAL-NETWORK x.x.x.x:36136, idle 0:00:00, bytes 6876346568, flags UIO N1
TCP internet x.x.x.x:41674 INTERNAL-NETWORK x.x.x.x:443, idle 0:17:54, bytes 6824429435, flags UIOoN1
TCP internet x.x.x.x:46446 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 6113582214, flags UIOoN1
TCP internet x.x.x.x:8000 INTERNAL-NETWORK x.x.x.x:60752, idle 0:00:00, bytes 5734013551, flags UIO N1
TCP internet x.x.x.x:35374 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:04, bytes 4630486373, flags UIOoN1
TCP internet x.x.x.x:51726 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 823645464, flags UIOoN1
TCP internet x.x.x.x:50538 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 823626941, flags UIOoN1
real 0m3.278s
user 0m3.096s
sys 0m0.049s
(base) RAJATSH-M-V7QW:Desktop rajatsh$
Sometimes U-turn connections needs to be examined for bytes count, you can do something like below and pipe to sort.
(base) RAJATSH-M-V7QW:Desktop rajatsh$ grep "TCP.*INTERNAL-NETWORK.*INTERNAL-NETWORK" connu
TCP INTERNAL-NETWORK x.x.x.x:41697 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:20, bytes 0, flags aA N1
TCP INTERNAL-NETWORK x.x.x.x:43699 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 0, flags aA N1
TCP INTERNAL-NETWORK x.x.x.x:50473 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:50400 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:50388 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:50370 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:54161 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:06, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:62458 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:02, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:55483 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:20, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:64221 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:50491 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:61975 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:04, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:42426 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:04, bytes 0, flags aA N
TCP INTERNAL-NETWORK x.x.x.x:42020 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:06, bytes 0, flags aA N
For UDP
(base) RAJATSH-M-V7QW:Desktop rajatsh$ grep "UDP.*INTERNAL-NETWORK.*INTERNAL-NETWORK" connu
If you have large values to sort, it will be good idea to use regex to filter out unwanted values,
normally one would not like to consider lots of connection with small bytes count, as sort memory usage
and CPU time will grow with file size. In general you can think of regex as a preprocessing step to narrow down the search space.
example for around 4Gbytes file
-rw-r--r--@ 1 rajatsh staff 4.0G Sep 10 23:37 conn2
39 million connections
(base) RAJATSH-M-V7QW:Desktop rajatsh$ wc -l conn2
39398150 conn2
It took 26 minutes with 8Gbytes of memory usage.
time sort -nrk9 conn2 | head -30
real 26m3.030s
user 4m37.467s
sys 15m23.332s
memory usage:
(base) RAJATSH-M-V7QW:Desktop rajatsh$ top | grep sort
86528 sort 0.0 07:06.73 1/1 0 12 8667M 0B 6392M 86528 44777 running *0[1] 0.00000 0.00000 501 76806619 633 19612 92
790141 13642 4685894 4 0 0.0 0 0 180 rajatsh N/A N/A N/A N/A N/A N/A
*** Time command is optional, i am using it to check the CPU usage of the program..
- Mark as Read
- Mark as New
- Bookmark
- Permalink
- Report Inappropriate Content
Awesome.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: