linux - How can I find out which IPs a server has connected with over a period of time?
怪我咯 2017-04-17 11:27:12

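A question I ran into in an interview: how do you find out which IPs your server has connected with over a period of time, where connections include TCP, UDP and similar communication? Linux shouldn't record transport-layer connection log information, right?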


reply all(4)
刘奇

First of all, I admit that when I started to answer this question, I didn’t even understand the problem. Checking the log is indeed an irresponsible answer. Here I will update my understanding of this question.

My suggestion is also to use the netstat command. See man netstat for what this command does: "netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships"

Check which IPs the server has been connected to:
1. As far as TCP communication is concerned, I assume that you are asking about connections established through the three-way handshake. Then you can use this command to check the IP addresses:

netstat -ant | grep 'ESTABLISHED' | awk -F " " '{print $5}' | awk -F ":" '{print $1}' | sort -n | uniq -c | sort -t " " -k 1 -nr

This way you can find the established TCP connections and sort them from largest to smallest by the number of connections.
2. If you are checking UDP communication, you don’t need to consider the TCP connection state, just query directly:

netstat -anu | awk -F " " '{print $5}' | awk -F ":" '{print $1}' | sort -n | uniq -c | sort -t " " -k 1 -nr

3. To view a SYN attack, change the TCP state being searched for from ESTABLISHED to SYN.
小葫芦

man netstat

PHPzhong

iptables can also record logs, but it doesn’t seem to be easy to filter.

小葫芦

nf_conntrack will record connections in the recent period:

$ sudo cat /proc/net/nf_conntrack

But for the setting of its timeout, please see sysctl.conf

$ sudo sysctl -a | grep 'nf_conntrack_.*_timeout'
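
Parsing the nf_conntrack table mentioned in the last answer, as an added example that is not part of the original thread: the function tallies peers per protocol and direction and reads the src=/dst= fields, so it also works for IPv6 addresses, which splitting on ":" does not. The function names, the sample lines and the addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): tally peers from nf_conntrack-format
# lines on stdin. conntrack_peers is a hypothetical helper name.
# Usage: conntrack_peers LOCAL_ADDRS   (comma-separated addresses of this host)
conntrack_peers() {
    awk -v me="$1" '
    BEGIN { n = split(me, a, ","); for (i = 1; i <= n; i++) mine[a[i]] = 1 }
    {
        proto = $3; src = ""; dst = ""
        # The first src=/dst= pair is the original direction; the second
        # pair describes the expected reply and is skipped.
        for (i = 4; i <= NF; i++) {
            if (src == "" && $i ~ /^src=/) src = substr($i, 5)
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
        }
        if (src == "" || dst == "") next               # not a conntrack entry
        if (src in mine)      key = proto " out " dst  # this host initiated
        else if (dst in mine) key = proto " in " src   # the peer initiated
        else next                                      # forwarded traffic
        seen[key]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the /proc/net/nf_conntrack line format.
sample_conntrack() {
    cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.7 sport=51234 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=192.0.2.10 dst=198.51.100.7 sport=51240 dport=443 src=198.51.100.7 dst=192.0.2.10 sport=443 dport=51240 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.0.2.10 dst=203.0.113.53 sport=40000 dport=53 src=203.0.113.53 dst=192.0.2.10 sport=53 dport=40000 mark=0 zone=0 use=2
ipv4     2 tcp      6 431000 ESTABLISHED src=203.0.113.99 dst=192.0.2.10 sport=60000 dport=22 src=192.0.2.10 dst=203.0.113.99 sport=22 dport=60000 [ASSURED] mark=0 zone=0 use=2
ipv6     10 tcp      6 431990 ESTABLISHED src=2001:db8::99 dst=2001:db8::10 sport=50000 dport=443 src=2001:db8::10 dst=2001:db8::99 sport=443 dport=50000 [ASSURED] mark=0 zone=0 use=2
EOF
}

# Output columns: count, protocol, direction, peer address.
sample_conntrack | conntrack_peers "192.0.2.10,2001:db8::10"
```

On a live host, pipe the output of `sudo cat /proc/net/nf_conntrack` into the function instead of the sample. Entries leave the table when their timeout expires, so covering a longer period means sampling repeatedly and keeping the results.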