netstat question, why is there no IP (blank line) in most hits?

[jols]

Commonly when I enter this:

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I get a line with the most connects made, but with no IP, like this:

---------------------
2 148.240.236.219
2 166.128.79.2
2 206.188.135.116
2 58.8.87.223
2 64.92.45.125
2 70.112.225.111
2 71.238.45.191
2 71.65.203.244
2 74.186.222.228
2 75.105.0.38
2 88.131.106.31
2 99.14.205.173
3 69.107.105.99
3 76.173.219.81
3 96.48.232.14
4 193.47.80.49
4 203.45.130.8
4 206.188.138.182
4 69.183.221.125
4 72.224.97.139
4 75.104.128.36
4 75.104.128.54
4 99.196.32.58
5 75.105.0.52
6 173.55.127.124
6 63.226.253.233
7 121.215.41.197
8 127.0.0.1
11 67.213.196.54
11 67.60.32.242
11 72.24.112.102
14 96.235.209.214
16 64.40.121.180
16 99.197.64.56
20 66.131.2.209
111
---------------------

I am referring to the entry with "111" connections above.

Anyone know why this is, and what we could do to find out who is making the most connects?

Thanks for any assistance.

 

[garrettp]

Your one-liner may be flawed. I tested it on my system and since awk is simply printing the 5th token on each line, you don't always get just an IP. What does a regular netstat -ntu output show? uniq -c is counting the unique entities so it sounds to me like it's finding 111 blanks for the 5th token that awk is returning.

 

[jols]

Thanks for your reply about this, it is very much appreciated. Too bad I just don't have any idea what you are referring to. Not sure at all what you mean by "Your one-liner may be flawed.".

Perhaps you are referring to this? --> netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

I've just looked at a very similar situation, and I looked at netstat -ntu, but I really don't see any comparison between the two.

When you say, "5th token that awk is returning", are you referring to this part of the statement? ---> "sort -n"

 

[Spiral]

Actually, I'd probably use something more like this:

# netstat -ntu | awk '{print $5}' | cut -d':' -f1 | grep "^[0-9]" | sort -g | uniq -c

 

[jols]

Thanks again Spiral. Only problem is, I don't get a sorted list with that one. At least, not sorted by the number of connections.

 

[Spiral]

I left the final "| sort -n" off the end of the line in the last post ....

Just simply put that on the end and you got it.

 

[jols]

Thanks much!

 

[voshka]

I have the same problem
it wasn't such this
it has started from today
the dos_deflate has recognized this conection as a dos atack and email me thousents of times

Banned the following ip addresses on Sun Apr 4 12:13:01 EDT 2010

409 with 409 connections