Firewall changes, datacenter migrations, application re-hostings and server decommissions are just some of the activities where having a record of network connections over time can help avoid confusion and unplanned downtime. To capture every network connection you would need to run tcpdump, but that approach consumes a lot of local disk space, so in practice you usually have to limit the capture to a few minutes.

What you really want is to keep track of persistent or frequent network connections, and for this purpose netstat is the best tool. The setup below is fairly straightforward: a local script, a cron job, and a MySQL client that connects to a remote MySQL server and adds comma-separated data to a table. To quote Felonious Gru, “Now, the rest of the plan is simple: I fly to the moon. I shrink the moon. I grab the moon. I sit on the toilet.”

Step 1: set up a database and table on your MySQL server that will serve as the central collection point for all your network connection data.

Install MySQL server software

If iptables is used, open the MySQL port to the relevant subnets only

Create database

Create table

Step 2: download the script and add it to root's crontab

IMPORTANT: You must now edit /var/adm/bin/netstat_port_tracker_v2.sh to insert the correct database server name and login credentials. Because the script then contains database credentials, make sure it is readable and executable by root only.

Step 3: Just for the hell of it, you can run the script manually in the “human” mode:

You can also just get a list of all ports that are currently in use. This can be useful when doing the initial configuration of a firewall.

Step 4: After the cron job runs, you can connect to the database and view the fruits of your labor:

Here’s another example of a more useful query that excludes some common system processes, which makes it easier to identify remote connections established by user applications:
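The core of the collector script in Steps 2 and 3, as an added example that is not the original netstat_port_tracker_v2.sh: it parses `netstat -tnp` output into CSV rows and turns those into INSERT statements for the central MySQL table. The table name `connections`, its columns, the DB_* variables and the constructed sample netstat output are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original netstat_port_tracker_v2.sh: turn `netstat -tnp`
# output into CSV rows and then into INSERT statements for the central MySQL table.
# Table name and columns below are assumptions; match them to the table from Step 1.

# Constructed sample of `netstat -tnp` output so the example runs offline.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 1234/sshd: root
tcp        0      0 10.0.0.5:45678          10.0.0.20:3306          ESTABLISHED 2345/java
tcp6       0      0 ::1:631                 ::1:45000               TIME_WAIT   -'

# netstat_to_csv [host]: read netstat output on stdin, print one CSV row per TCP
# connection: host,proto,local_addr,local_port,remote_addr,remote_port,state,program
netstat_to_csv() {
    host="${1:-$(hostname)}"
    awk -v host="$host" '
        /^tcp/ {
            # split "addr:port" on the LAST colon so IPv6 addresses like ::1:631 survive
            n = split($4, l, ":"); lport = l[n]; laddr = substr($4, 1, length($4) - length(lport) - 1)
            n = split($5, r, ":"); rport = r[n]; raddr = substr($5, 1, length($5) - length(rport) - 1)
            # the program name may contain spaces ("sshd: root"), so join fields 7..NF
            prog = ""
            for (i = 7; i <= NF; i++) prog = prog (i > 7 ? " " : "") $i
            sub(/^[0-9]+\//, "", prog)   # drop the "PID/" prefix
            if (prog == "-") prog = ""   # netstat prints "-" when the owner is unknown
            printf "%s,%s,%s,%s,%s,%s,%s,%s\n", host, $1, laddr, lport, raddr, rport, $6, prog
        }'
}

# csv_to_sql: turn netstat_to_csv rows into INSERT statements. Single quotes in the
# program name are doubled so a process name cannot break out of the string literal.
csv_to_sql() {
    sed "s/'/''/g" | awk -F, '{
        printf "INSERT INTO connections (observed_at, host, proto, local_addr, local_port, remote_addr, remote_port, state, program) VALUES (NOW(), \047%s\047, \047%s\047, \047%s\047, %d, \047%s\047, %d, \047%s\047, \047%s\047);\n",
            $1, $2, $3, $4, $5, $6, $7, $8
    }'
}

# Cron usage (assumed DB_HOST/DB_USER/DB_NAME set at the top of the script; keep the
# password in a root-only /root/.my.cnf rather than on the command line, where ps shows it):
#   netstat -tnp 2>/dev/null | netstat_to_csv | csv_to_sql \
#       | mysql --defaults-extra-file=/root/.my.cnf -h "$DB_HOST" -u "$DB_USER" "$DB_NAME"
# Human mode: netstat -tnp 2>/dev/null | netstat_to_csv | column -s, -t
```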
