netstat question, why is there no IP (blank line) in most hits?

**jols** · 03-08-2010 08:32 PM

Commonly when I enter this:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I get a line with the most connects made, but with no IP, like this:

---------------------
2 148.240.236.219
2 166.128.79.2
2 206.188.135.116
2 58.8.87.223
2 64.92.45.125
2 70.112.225.111
2 71.238.45.191
2 71.65.203.244
2 74.186.222.228
2 75.105.0.38
2 88.131.106.31
2 99.14.205.173
3 69.107.105.99
3 76.173.219.81
3 96.48.232.14
4 193.47.80.49
4 203.45.130.8
4 206.188.138.182
4 69.183.221.125
4 72.224.97.139
4 75.104.128.36
4 75.104.128.54
4 99.196.32.58
5 75.105.0.52
6 173.55.127.124
6 63.226.253.233
7 121.215.41.197
8 127.0.0.1
11 67.213.196.54
11 67.60.32.242
11 72.24.112.102
14 96.235.209.214
16 64.40.121.180
16 99.197.64.56
20 66.131.2.209
111
---------------------

I am referring to the entry with "111" connections above.

Anyone know why this is, and what we could do to find out who is making the most connects?

Thanks for any assistance.

**garrettp** · 03-09-2010 03:58 PM

Your one-liner may be flawed. I tested it on my system and since awk is simply printing the 5th token on each line, you don't always get just an IP. What does a regular netstat -ntu output show? uniq -c is counting the unique entities so it sounds to me like it's finding 111 blanks for the 5th token that awk is returning.

**jols** · 03-20-2010 03:18 AM

Thanks for your reply about this, it is very much appreciated. Too bad I just don't have any idea what you are referring to. Not sure at all what you mean by "Your one-liner may be flawed.".

Perhaps you are referring to this? --> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I've just looked at a very similar situation, and I looked at netstat -ntu, but I really don't see any comparison between the two.

When you say, "5th token that awk is returning", are you referring to this part of the statement? ---> "sort -n"

**Spiral** · 03-21-2010 07:50 PM

Actually, I'd probably use something more like this:

Code:

# netstat -ntu | awk '{print $5}' | cut -d':' -f1 | grep "^[0-9]" | sort -g | uniq -c

**jols** · 03-21-2010 08:07 PM

Thanks again Spiral. Only problem is, I don't get a sorted list with that one. At least, not sorted by the number of connections.

**Spiral** · 03-21-2010 08:17 PM

I left the final "| sort -n" off the end of the line in the last post ....

Just simply put that on the end and you got it.

**jols** · 03-22-2010 12:45 AM

Thanks much!

**voshka** · 04-04-2010 05:39 PM

I have the same problem
it wasn't such this
it has started from today
the dos_deflate has recognized this conection as a dos atack and email me thousents of times

Banned the following ip addresses on Sun Apr 4 12:13:01 EDT 2010

409 with 409 connections

LinkBack

Thread Tools

netstat question, why is there no IP (blank line) in most hits?

tricky dns / redirection question.. how can I redirect ".line.com" to "line.com"?

Simple netstat question.

Security issue? netstat -ntu shows blank line in output

Why is netstat using so much cpu? Top Process %CPU 61.0 netstat -npl