netstat question, why is there no IP (blank line) in most hits?

jols

Commonly when I enter this:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I get a line with the most connects made, but with no IP, like this:

---------------------
2 148.240.236.219
2 166.128.79.2
2 206.188.135.116
2 58.8.87.223
2 64.92.45.125
2 70.112.225.111
2 71.238.45.191
2 71.65.203.244
2 74.186.222.228
2 75.105.0.38
2 88.131.106.31
2 99.14.205.173
3 69.107.105.99
3 76.173.219.81
3 96.48.232.14
4 193.47.80.49
4 203.45.130.8
4 206.188.138.182
4 69.183.221.125
4 72.224.97.139
4 75.104.128.36
4 75.104.128.54
4 99.196.32.58
5 75.105.0.52
6 173.55.127.124
6 63.226.253.233
7 121.215.41.197
8 127.0.0.1
11 67.213.196.54
11 67.60.32.242
11 72.24.112.102
14 96.235.209.214
16 64.40.121.180
16 99.197.64.56
20 66.131.2.209
111
---------------------

I am referring to the entry with "111" connections above.

Anyone know why this is, and what we could do to find out who is making the most connects?

Thanks for any assistance.
 

garrettp

Your one-liner may be flawed. I tested it on my system and since awk is simply printing the 5th token on each line, you don't always get just an IP. What does a regular netstat -ntu output show? uniq -c is counting the unique entities so it sounds to me like it's finding 111 blanks for the 5th token that awk is returning.
 

jols

Thanks for your reply about this, it is very much appreciated. Too bad I just don't have any idea what you are referring to. Not sure at all what you mean by "Your one-liner may be flawed."

Perhaps you are referring to this? --> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I've just looked at a very similar situation, and I looked at netstat -ntu, but I really don't see any comparison between the two.

When you say, "5th token that awk is returning", are you referring to this part of the statement? ---> "sort -n"
 

Spiral

Actually, I'd probably use something more like this:
Code:
# netstat -ntu | awk '{print $5}' | cut -d':' -f1 | grep "^[0-9]" | sort -g | uniq -c
 

jols

Thanks again Spiral. Only problem is, I don't get a sorted list with that one. At least, not sorted by the number of connections.
 

Spiral

I left the final "| sort -n" off the end of the line in the last post ....

Just simply put that on the end and you got it.
 

voshka

I have the same problem.
It wasn't like this before.
It started today.
dos_deflate has recognized this connection as a DoS attack and emailed me thousands of times.

Banned the following ip addresses on Sun Apr 4 12:13:01 EDT 2010

409 with 409 connections
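
Added example, not part of the thread: one common way a foreign address produces an empty field is an IPv4-mapped IPv6 peer such as `::ffff:203.0.113.5:3311`, where `cut -d: -f1` returns the empty text before the first colon. The script runs the pipeline from the first post and a hardened counter over constructed sample `netstat -ntu` output (documentation-range addresses; the function names are illustrative).

```shell
#!/usr/bin/env bash
# Added example: per-peer connection counts from `netstat -ntu` style output.

# Constructed sample input (documentation-range addresses), not output from the thread.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51512      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51513      TIME_WAIT
tcp        0      0 192.0.2.10:22           203.0.113.9:40022       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:3311 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:3312 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:3313 SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::beef:55000    ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.7:5353       ESTABLISHED
EOF
}

# The pipeline from the first post, reading stdin instead of running netstat.
original_pipeline() {
  awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
}

# Hardened counter: keep only tcp/udp rows (skips the two header lines),
# strip the port at the LAST colon, and fold IPv4-mapped IPv6 back to IPv4.
count_peers() {
  awk '$1 ~ /^(tcp|udp)/ {
         addr = $5
         sub(/:[^:]*$/, "", addr)      # drop ":port" (last colon only)
         sub(/^::ffff:/, "", addr)     # ::ffff:a.b.c.d -> a.b.c.d
         if (addr != "") print addr
       }' | sort | uniq -c | sort -n
}

# How many rows the original pipeline attributes to an empty address.
blank_count() {
  original_pipeline | awk 'NF == 1 && $1 ~ /^[0-9]+$/ {print $1}'
}

echo "original pipeline:"; sample_netstat | original_pipeline
echo "hardened counter:";  sample_netstat | count_peers
```

On a live host, pipe `netstat -ntu` into `count_peers` instead of `sample_netstat`. Filtering with `grep "^[0-9]"` hides the blank row but also drops those connections from the count, so the busiest peer can go unreported.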