Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
503
Views
2
Helpful
2
Comments

ASA/FTD top talkers using CLI

Rajat Sharma
Cisco Employee
Cisco Employee

‎10-23-2024 10:46 AM - edited ‎12-31-2024 05:41 AM

One common task while troubleshooting ASA/FTD connections is to identify the connections with highest bytes count. Easiest way is to filter the connections using REGEX on device CLI. This document is using “show conn” output, “show conn long” and “show long detail” has multi-line outputs and different processing is needed.

Masking the ip addresses in output

ciscoasa# sh conn | ?

append Append to file

begin Begin with the line that matches

count Count number of lines which match regexp

exclude Exclude lines that match

grep Include/exclude lines that match

include Include lines that match

redirect Redirect to file

General Approach

For example following command shows all connections which have bytes count of minimum two digits.

ciscoasa# sh conn | grep (bytes .*..,)

 

UDP outside x.x.x.x:123 inside x.x.x.x:52247, idle 0:00:55, bytes 48, flags -

TCP outside x.x.x.x:443 inside x.x.x.x:38940, idle 0:00:27, bytes 7297, flags UFRxIO

UDP outside x.x.x.x:123 inside x.x.x.x:59754, idle 0:00:35, bytes 48, flags -

UDP outside x.x.x.x:123 inside x.x.x.x:49357, idle 0:01:06, bytes 48, flags -

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:02, bytes 1815578, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:05, bytes 468661, flags UxIO

UDP outside x.x.x.x:123 inside x.x.x.x:57734, idle 0:00:45, bytes 48, flags -

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142503242, flags -

TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:09, bytes 198211, flags UxIO

TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:25:23, bytes 135371, flags UxIOB

 

You can start from low value and move up by adding more “.” characters in regex

 

ciscoasa# sh conn | grep (bytes .*…,)

 

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:01, bytes 1816454, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:03, bytes 478265, flags UxIO

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142581070, flags -

TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:02, bytes 199279, flags UxIO

TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:26:55, bytes 135371, flags UxIOB

 

ciscoasa# sh conn | grep (bytes .*….,)

 

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:03, bytes 1816508, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:00, bytes 478447, flags UxIO

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142584266, flags -

TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:02, bytes 199509, flags UxIO

TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:27:01, bytes 135371, flags UxIOB

 

ciscoasa# sh conn | grep (bytes .*…..,)

 

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:00, bytes 1816562, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:03, bytes 478571, flags UxIO

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142586935, flags -

TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:02, bytes 199551, flags UxIO

TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:27:06, bytes 135371, flags UxIOB

 

ciscoasa# sh conn | grep (bytes .*……,)

 

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:00, bytes 1816591, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:36269, idle 0:00:00, bytes 478827, flags UxIO

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 142589763, flags -

TCP outside x.x.x.x:8305 inside x.x.x.x:34791, idle 0:00:06, bytes 199551, flags UxIO

TCP outside x.x.x.x:61352 inside x.x.x.x:22, idle 0:27:09, bytes 135371, flags UxIOB

 

ciscoasa# sh conn | grep (bytes .*…….,)

 

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:00, bytes 1816616, flags UxIO

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:01, bytes 142590451, flags -

 

If you get lots of connections with same number of digits in bytes, you can use bracket expression on the first number to further isolate

e.g

 

Filter with first digit between 5 and 9

 

ciscoasa# sh conn | grep (bytes [5-9]*…….,)

 

Filter with first digit between 1 and 4

 

ciscoasa# sh conn | grep (bytes [1-4]*…….,)

 

Filter with first digit is 8 or 9

 

ciscoasa# sh conn | grep (bytes [89]*…….,)

 

few examples

 

ciscoasa# sh conn | grep (bytes [1-9]*……..,)

 

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 145016668, flags -

 

ciscoasa# sh conn | grep (bytes [9]*……..,)

 

ciscoasa# sh conn | grep (bytes [1]*……..,)

 

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:01, bytes 145029371, flags -

 

ciscoasa# sh conn | grep (bytes [1-5]*……..,)

 

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 145045409, flags -

 

ciscoasa# sh conn | grep (bytes [6-9]*……..,)

 

ciscoasa# sh conn | grep (bytes [12]*……..,)

 

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:01, bytes 145050711, flags -

 

ciscoasa# sh conn | grep (bytes [123]*……..,)

 

UDP outside x.x.x.x:514 inside x.x.x.x:56219, idle 0:00:00, bytes 145062292, flags -

 

Example, find largest bytes connections inspected by snort

Another common use case would be to filter the connection with specific flags and find largest bytes count e.g to

find the largest bytes connections inspected by snort.

On CLI of ASA/FTD you can do the following to filter with certain minimum bytes and flags

 

ciscoasa# sh conn | grep (bytes .……..,.flags.UxI.)

 

TCP outside x.x.x.x:8305 inside x.x.x.x:39995, idle 0:00:04, bytes 28538458, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:47339, idle 0:00:00, bytes 54874405, flags UxIO

 

ciscoasa# sh conn | grep (bytes .…..,.flags.UxI.)

 

TCP outside x.x.x.x:443 inside x.x.x.x:45818, idle 0:00:02, bytes 4728683, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:41563, idle 0:00:07, bytes 6444613, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:39995, idle 0:00:03, bytes 28539047, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:47339, idle 0:00:03, bytes 54883832, flags UxIO

TCP outside x.x.x.x:8305 inside x.x.x.x:47487, idle 0:00:02, bytes 6488378, flags UxIO

For snort*

ciscoasa# sh conn | grep (bytes .…..,.flags.N.)

Filter Specific IP, ports, flags

You can do filtering for specific IP address, port numbers, bytes, flags etc.

 

ciscoasa# sh conn | grep TCP.10.48.26.bytes .*….,

 

TCP outside 10.48.26.239:8305 inside 192.168.1.94:41563, idle 0:00:09, bytes 16538192, flags UxIO

TCP outside 10.48.26.239:8305 inside 192.168.1.94:39995, idle 0:00:01, bytes 74024746, flags UxIO

TCP outside 10.48.26.239:8305 inside 192.168.1.96:47339, idle 0:00:02, bytes 140058784, flags UxIO

TCP outside 10.48.26.239:8305 inside 192.168.1.96:47487, idle 0:00:04, bytes 16537852, flags UxIO

 

ciscoasa# sh conn | grep TCP.10.48.26.bytes .*……,

 

TCP outside 10.48.26.239:8305 inside 192.168.1.94:41563, idle 0:00:04, bytes 16539300, flags UxIO

TCP outside 10.48.26.239:8305 inside 192.168.1.94:39995, idle 0:00:02, bytes 74025087, flags UxIO

TCP outside 10.48.26.239:8305 inside 192.168.1.96:47339, idle 0:00:02, bytes 140059424, flags UxIO

TCP outside 10.48.26.239:8305 inside 192.168.1.96:47487, idle 0:00:04, bytes 16537901, flags UxIO

 

ciscoasa# sh conn | grep TCP.10.48.26.bytes .*………,

 

TCP outside 10.48.26.239:8305 inside 192.168.1.96:47339, idle 0:00:02, bytes 140059489, flags UxIO

 

ciscoasa# sh conn | grep UDP.:123.bytes .*,

 

UDP outside 173.38.201.115:123 inside 192.168.1.222:123, idle 0:01:40, bytes 96, flags -

if you need to check to the box traffic, you can use show conn all and do something like the following

For TCP

Filter Specific Interfaces

 

ciscoasa# sh conn all | grep (TCP.inside.Identity)

 

TCP inside 192.168.1.119:50854 NP Identity Ifc 192.168.1.1:179, idle 0:00:36, bytes 72263, flags UOB

TCP inside 192.168.1.219:29174 NP Identity Ifc 192.168.1.1:179, idle 0:00:25, bytes 73023, flags UOB

TCP inside 192.168.1.38:5201 NP Identity Ifc 192.168.1.1:63333, idle 0:00:00, bytes 0, flags

TCP inside 192.168.1.38:5201 NP Identity Ifc 192.168.1.1:28291, idle 0:00:00, bytes 0, flags

TCP inside 192.168.1.194:179 NP Identity Ifc 192.168.1.1:12854, idle 0:00:14, bytes 75037, flags UO

TCP inside 2a00:1028:1:207:8000::23:179 NP Identity Ifc 2a00:1028:1:207:8000::14:53955, idle 0:00:07, bytes 72196, flags UO

TCP inside 192.168.1.115:179 NP Identity Ifc 192.168.1.1:23889, idle 0:00:29, bytes 29098, flags UO

TCP inside 192.168.1.190:179 NP Identity Ifc 192.168.1.1:2209, idle 0:00:02, bytes 0, flags saA

TCP inside 192.168.1.38:5201 NP Identity Ifc 192.168.1.1:18834, idle 0:00:00, bytes 0, flags

Using the “show conn” output file

You can apply similar logic on file as well. I am using a “sh conn” file with around 600k connections,first you can filter the connections with bytes regex, so you are running sort on useful data.

(base) RAJATSH-M-V7QW:Desktop rajatsh$ wc -l connu

628849 connu

(base) RAJATSH-M-V7QW:Desktop rajatsh$ ls -lh connu

-rw-r–r– 1 rajatsh staff 65M Oct 20 12:35 connu

Numeric sort on the column 9 which is bytes value, with default field separator of blank space.

Please note if your file has additional spaces, column value will be different.

 

base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep “bytes .*………,” connu | sort -nrk9 | head -30

 

TCP internet x.x.x.x:52423 outside x.x.x.x:8305, idle 0:37:51, bytes 234329823085, flags UIOoN1

TCP internet x.x.x.x:34113 outside x.x.x.x:8305, idle 0:38:09, bytes 210493179767, flags UIO N1

TCP internet x.x.x.x:36580 outside x.x.x.x:443, idle 0:00:00, bytes 15847987764, flags UIOoN1

TCP internet x.x.x.x:52376 outside x.x.x.x:443, idle 0:00:00, bytes 14810575645, flags UIOoN1

TCP internet x.x.x.x:44424 outside x.x.x.x:443, idle 0:00:00, bytes 12760598833, flags UIOoN1

TCP internet x.x.x.x:40032 outside x.x.x.x:443, idle 0:00:00, bytes 11037655427, flags UIOoN1

TCP internet x.x.x.x:46510 outside x.x.x.x:443, idle 0:00:00, bytes 7913673073, flags UIOoN1

TCP internet x.x.x.x:10001 outside x.x.x.x:36136, idle 0:00:00, bytes 6876346568, flags UIO N1

TCP internet x.x.x.x:41674 outside x.x.x.x:443, idle 0:17:54, bytes 6824429435, flags UIOoN1

UDP internet x.x.x.x:55030 outside x.x.x.x:59872, idle 0:00:00, bytes 6124057215, flags - N1

TCP internet x.x.x.x:46446 outside x.x.x.x:443, idle 0:00:01, bytes 6113582214, flags UIOoN1

TCP internet x.x.x.x:8000 outside x.x.x.x:60752, idle 0:00:00, bytes 5734013551, flags UIO N1

TCP internet x.x.x.x:35374 outside x.x.x.x:443, idle 0:00:04, bytes 4630486373, flags UIOoN1

TCP internet x.x.x.x:10201 outside x.x.x.x:52302, idle 0:00:00, bytes 4463234926, flags UIO N1

UDP internet x.x.x.x:54512 outside x.x.x.x:48078, idle 0:00:00, bytes 4324907121, flags - N1

TCP internet x.x.x.x:19219 outside x.x.x.x:443, idle 0:00:00, bytes 4306351549, flags UIOoN1

TCP internet x.x.x.x:52912 outside x.x.x.x:443, idle 0:00:00, bytes 4248417202, flags UIOoN1

TCP internet x.x.x.x:443 outside x.x.x.x:59700, idle 0:00:00, bytes 4166659235, flags UOo

TCP internet x.x.x.x:443 outside x.x.x.x:44570, idle 0:00:22, bytes 4064883107, flags UIOo

TCP internet x.x.x.x:443 outside x.x.x.x:16299, idle 0:00:00, bytes 3900868072, flags UIOo

TCP internet x.x.x.x:56789 outside x.x.x.x:443, idle 0:00:00, bytes 3889361205, flags UIOoN1

TCP internet x.x.x.x:443 outside x.x.x.x:25117, idle 0:00:00, bytes 3811128475, flags UOo

TCP internet x.x.x.x:23138 outside x.x.x.x:443, idle 0:00:00, bytes 3721076954, flags UIOoN1

TCP internet x.x.x.x:36832 outside x.x.x.x:443, idle 0:00:00, bytes 3611308750, flags UIOoN1

TCP internet x.x.x.x:52472 outside x.x.x.x:443, idle 0:00:00, bytes 3605029000, flags UIOoN1

TCP internet x.x.x.x:57060 outside x.x.x.x:443, idle 0:00:04, bytes 3405916155, flags UIOoN1

TCP internet x.x.x.x:46312 outside x.x.x.x:443, idle 0:00:00, bytes 3343244422, flags UIOoN1

TCP internet x.x.x.x:443 outside x.x.x.x:3327, idle 0:00:01, bytes 3291889440, flags UOo

TCP internet x.x.x.x:5044 outside x.x.x.x:45068, idle 0:00:10, bytes 3001475756, flags UIOoN1

UDP internet x.x.x.x:3480 outside x.x.x.x:50034, idle 0:00:00, bytes 2978517854, flags -o

real 0m1.643s

user 0m1.461s

sys 0m0.034s

top talkers inspected by snort

 

base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep “bytes .………,.flags.N.” connu | sort -nrk9 | head -20

 

TCP internet x.x.x.x:52423 INTERNAL-NETWORK x.x.x.x:8305, idle 0:37:51, bytes 234329823085, flags UIOoN1

TCP internet x.x.x.x:34113 INTERNAL-NETWORK x.x.x.x:8305, idle 0:38:09, bytes 210493179767, flags UIO N1

TCP internet x.x.x.x:36580 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 15847987764, flags UIOoN1

TCP internet x.x.x.x:52376 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 14810575645, flags UIOoN1

TCP internet x.x.x.x:44424 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 12760598833, flags UIOoN1

TCP internet x.x.x.x:40032 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 11037655427, flags UIOoN1

TCP internet x.x.x.x:46510 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 7913673073, flags UIOoN1

TCP internet x.x.x.x:10001 INTERNAL-NETWORK x.x.x.x:36136, idle 0:00:00, bytes 6876346568, flags UIO N1

TCP internet x.x.x.x:41674 INTERNAL-NETWORK x.x.x.x:443, idle 0:17:54, bytes 6824429435, flags UIOoN1

UDP internet x.x.x.x:55030 INTERNAL-NETWORK x.x.x.x:59872, idle 0:00:00, bytes 6124057215, flags - N1

TCP internet x.x.x.x:46446 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 6113582214, flags UIOoN1

TCP internet x.x.x.x:8000 INTERNAL-NETWORK x.x.x.x:60752, idle 0:00:00, bytes 5734013551, flags UIO N1

TCP internet x.x.x.x:35374 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:04, bytes 4630486373, flags UIOoN1

TCP internet x.x.x.x:10201 INTERNAL-NETWORK x.x.x.x:52302, idle 0:00:00, bytes 4463234926, flags UIO N1

UDP internet x.x.x.x:54512 INTERNAL-NETWORK x.x.x.x:48078, idle 0:00:00, bytes 4324907121, flags - N1

TCP internet x.x.x.x:19219 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 4306351549, flags UIOoN1

TCP internet x.x.x.x:52912 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 4248417202, flags UIOoN1

TCP internet x.x.x.x:56789 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 3889361205, flags UIOoN1

TCP internet x.x.x.x:23138 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 3721076954, flags UIOoN1

TCP internet x.x.x.x:36832 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 3611308750, flags UIOoN1

real 0m1.641s

user 0m1.458s

sys 0m0.042s

To sort only UDP connections passing through snort*

 

(base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep “UDP.bytes .………,.flags.N.*” connu | sort -nrk9 | head -20

 

UDP internet x.x.x.x:55030 INTERNAL-NETWORK x.x.x.x:59872, idle 0:00:00, bytes 6124057215, flags - N1

UDP internet x.x.x.x:54512 INTERNAL-NETWORK x.x.x.x:48078, idle 0:00:00, bytes 4324907121, flags - N1

UDP internet x.x.x.x:1194 INTERNAL-NETWORK x.x.x.x:1194, idle 0:00:02, bytes 2552032864, flags - N2

UDP internet x.x.x.x:53922 INTERNAL-NETWORK x.x.x.x:49640, idle 0:00:00, bytes 2489273937, flags -oN1

UDP internet x.x.x.x:162 INTERNAL-NETWORK x.x.x.x:2048, idle 0:00:07, bytes 2387712788, flags -oN1

UDP internet x.x.x.x:47808 INTERNAL-NETWORK x.x.x.x:47808, idle 0:00:02, bytes 2265836395, flags - N2

UDP internet x.x.x.x:54484 INTERNAL-NETWORK x.x.x.x:54220, idle 0:00:00, bytes 2215362703, flags -oN1

UDP internet x.x.x.x:57052 INTERNAL-NETWORK x.x.x.x:48144, idle 0:00:00, bytes 1981823052, flags -oN1

UDP internet x.x.x.x:47808 INTERNAL-NETWORK x.x.x.x:47808, idle 0:00:02, bytes 1517950661, flags - N2

UDP internet x.x.x.x:57522 INTERNAL-NETWORK x.x.x.x:51214, idle 0:00:00, bytes 1293938206, flags -oN1

UDP internet x.x.x.x:1194 INTERNAL-NETWORK x.x.x.x:1194, idle 0:00:00, bytes 1234628116, flags - N2

UDP internet x.x.x.x:2088 INTERNAL-NETWORK x.x.x.x:2088, idle 0:00:00, bytes 1190928830, flags -oN1

UDP internet x.x.x.x:162 INTERNAL-NETWORK x.x.x.x:2048, idle 0:00:01, bytes 977088055, flags -oN1

UDP internet x.x.x.x:2088 INTERNAL-NETWORK x.x.x.x:2088, idle 0:00:00, bytes 975837747, flags - N1

UDP internet x.x.x.x:4500 INTERNAL-NETWORK x.x.x.x:4500, idle 0:00:00, bytes 974765422, flags - N2

UDP internet x.x.x.x:2088 INTERNAL-NETWORK x.x.x.x:2088, idle 0:00:07, bytes 959430559, flags -oN1

UDP internet x.x.x.x:4500 INTERNAL-NETWORK x.x.x.x:4500, idle 0:00:02, bytes 903971878, flags - N2

UDP internet x.x.x.x:4500 INTERNAL-NETWORK x.x.x.x:4500, idle 0:00:03, bytes 895766429, flags - N2

UDP internet x.x.x.x:59578 INTERNAL-NETWORK x.x.x.x:51312, idle 0:00:00, bytes 846297667, flags -oN1

UDP internet x.x.x.x:58232 INTERNAL-NETWORK x.x.x.x:50936, idle 0:00:00, bytes 838767369, flags -oN1

real 0m0.449s

user 0m0.212s

sys 0m0.032s

To sort only TCP connections passing through snort

 

(base) RAJATSH-M-V7QW:Desktop rajatsh$ time grep “TCP.bytes .………,.flags.N.*” connu | sort -nrk9 | head -100

 

TCP internet x.x.x.x:52423 INTERNAL-NETWORK x.x.x.x:8305, idle 0:37:51, bytes 234329823085, flags UIOoN1

TCP internet x.x.x.x:34113 INTERNAL-NETWORK x.x.x.x:8305, idle 0:38:09, bytes 210493179767, flags UIO N1

TCP internet x.x.x.x:36580 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 15847987764, flags UIOoN1

TCP internet x.x.x.x:52376 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 14810575645, flags UIOoN1

TCP internet x.x.x.x:44424 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 12760598833, flags UIOoN1

TCP internet x.x.x.x:40032 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 11037655427, flags UIOoN1

TCP internet x.x.x.x:46510 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 7913673073, flags UIOoN1

TCP internet x.x.x.x:10001 INTERNAL-NETWORK x.x.x.x:36136, idle 0:00:00, bytes 6876346568, flags UIO N1

TCP internet x.x.x.x:41674 INTERNAL-NETWORK x.x.x.x:443, idle 0:17:54, bytes 6824429435, flags UIOoN1

TCP internet x.x.x.x:46446 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 6113582214, flags UIOoN1

TCP internet x.x.x.x:8000 INTERNAL-NETWORK x.x.x.x:60752, idle 0:00:00, bytes 5734013551, flags UIO N1

TCP internet x.x.x.x:35374 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:04, bytes 4630486373, flags UIOoN1

TCP internet x.x.x.x:51726 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 823645464, flags UIOoN1

TCP internet x.x.x.x:50538 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 823626941, flags UIOoN1

real 0m3.278s

user 0m3.096s

sys 0m0.049s

(base) RAJATSH-M-V7QW:Desktop rajatsh$

Sometimes U-turn connections needs to be examined for bytes count, you can do something like below and pipe to sort.*

 

(base) RAJATSH-M-V7QW:Desktop rajatsh$ grep “TCP.INTERNAL-NETWORK.INTERNAL-NETWORK” connu

 

TCP INTERNAL-NETWORK x.x.x.x:41697 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:20, bytes 0, flags aA N1

TCP INTERNAL-NETWORK x.x.x.x:43699 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 0, flags aA N1

TCP INTERNAL-NETWORK x.x.x.x:50473 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:50400 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:50388 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:50370 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:54161 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:06, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:62458 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:02, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:55483 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:20, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:64221 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:00, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:50491 INTERNAL-NETWORK x.x.x.x:443, idle 0:00:01, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:61975 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:04, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:42426 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:04, bytes 0, flags aA N

TCP INTERNAL-NETWORK x.x.x.x:42020 INTERNAL-NETWORK x.x.x.x:80, idle 0:00:06, bytes 0, flags aA N

For UDP

(base) RAJATSH-M-V7QW:Desktop rajatsh$ grep “UDP.INTERNAL-NETWORK.INTERNAL-NETWORK” connu

If you have large values to sort, it will be good idea to use regex to filter out unwanted values, normally one would not like to consider lots of connection with small bytes count, as sort memory usage and CPU time will grow with file size. In general you can think of regex as a pre-processing step to narrow down the search space.

example for around 4Gbytes file

-rw-r–r–@ 1 rajatsh staff 4.0G Sep 10 23:37 conn2

39 million connections

(base) RAJATSH-M-V7QW:Desktop rajatsh$ wc -l conn2

39398150 conn2

It took 26 minutes with 8Gbytes of memory usage.

time sort -nrk9 conn2 | head -30

real 26m3.030s

user 4m37.467s

sys 15m23.332s

memory usage:

(base) RAJATSH-M-V7QW:Desktop rajatsh$ top | grep sort

86528 sort 0.0 07:06.73 1/1 0 12 8667M 0B 6392M 86528 44777 running *0[1] 0.00000 0.00000 501 76806619 633 19612 92

790141 13642 4685894 4 0 0.0 0 0 180 rajatsh N/A N/A N/A N/A N/A N/A

*** Time command is optional, i am using it to check the CPU usage of the program***

Comments
Flavio Miranda
VIP
VIP
‎10-23-2024 11:03 AM

Awesome. 

Rajat Sharma
Cisco Employee
Cisco Employee
‎01-06-2025 06:22 AM

thanks! @Flavio Miranda 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents