TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Tue Nov 14, 2006 4:05 pm Post subject: Need help parsing netstat [SOLVED] |
|
|
I'm trying to create a function that uses the netstat command to show you
how many connections are made by a single IP Address. I tried writing my
own function to do this but it fails.
Edit: This issue has already been solved. Here's the final code.
Code: | <pre>
<?php
/**
 * Function: get_client_connects()
 * Created by: Josh (TRUSTAbyss)
 */
function get_client_connects($ip, $port) {
    exec("netstat -n", $array);
    $output = array();
    // "." keeps its meaning of "any client"; a real address is matched literally
    $ip_pattern = ($ip == ".") ? ".+" : preg_quote($ip, "/");
    $port = (int) $port;
    foreach ($array as $string) {
        // Capture the local and foreign address columns (":" or "." before the port)
        preg_match("/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[.:][0-9]+.+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[.:][0-9]+)/", $string, $matches);
        unset($matches[0]);
        foreach ($matches as $result) {
            $string = preg_replace("/\s+/", " ", $result);
            $string = explode(" ", $string);
            // Local address must end in exactly $port (80 must not match 8080);
            // foreign address must be the whole of $ip followed by its port
            if (preg_match("/[.:]$port$/", $string[0]) AND (preg_match("/^{$ip_pattern}[.:][0-9]+$/", $string[1]))) {
                $output[] = $string[1];
            }
        }
    }
    return count($output);
}
// Syntax: get_client_connects(ip, port)
$ip = $_SERVER['REMOTE_ADDR'];
// Let's display connections from current user
echo get_client_connects($ip, 80) . " Connection(s) From " . $ip . "\n";
// Let's display all connections on port 80!
echo get_client_connects(".", 80) . " Connection(s) From Total";
?>
</pre>
|
Last edited by TRUSTAbyss on Thu Nov 16, 2006 5:27 am; edited 8 times in total |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Tue Nov 14, 2006 5:27 pm Post subject: Re: Need help parsing netstat |
|
|
A couple of suggestions:
You may want to replace str_replace and ereg_replace with preg_replace.
That way, if you had lots of spaces then you would end up with a single +.
Also, preg_replace is faster than ereg_replace.
Code: | $string = preg_replace("/\s+/", "+", $string);
$matches[] = preg_replace("/\++/", "+", $string); //probably not needed! |
That should find any number of white spaces, and replace it with a "+".
It will then find any number of a + and replace it with a single +.
Linux has the netstat command; only the arguments, and what is displayed, are different.
Code: | $ netstat -n --tcp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.73.2:32778 207.46.111.65:1863 ESTABLISHED
tcp 0 0 192.168.73.2:32779 207.46.108.87:1863 ESTABLISHED
|
The two connections displayed above are for msn messenger _________________ Anthony R
Roganty | Links-Links.co.uk
Last edited by roganty on Wed Nov 15, 2006 11:17 am; edited 1 time in total |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Nov 15, 2006 5:10 am Post subject: |
|
|
Is there a way to tell which connections are coming from Abyss Web Server? I
need this function to work on all systems that use netstat. I basically want to get
a replacement for PHP's function "connection_aborted()"
PHP's function does not work under CGI so I'm stuck with trying to get the
netstat command to check for a connection drop. Thanks for any help.
Mac OS X: netstat -n (It's different on a Mac, suggestions?)
Code: | Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.2.80 128.147.38.10.42419 ESTABLISHED
tcp4 0 0 192.168.1.2.80 128.147.38.10.41943 ESTABLISHED
tcp4 0 0 192.168.1.2.21 128.147.28.1.4327 ESTABLISHED
tcp4 0 0 127.0.0.1.1033 127.0.0.1.1017 ESTABLISHED
tcp4 0 0 127.0.0.1.1017 127.0.0.1.1033 ESTABLISHED
tcp4 0 0 127.0.0.1.1033 127.0.0.1.1021 ESTABLISHED
tcp4 0 0 127.0.0.1.1021 127.0.0.1.1033 ESTABLISHED |
Note: I used the code tag to keep the formatting. |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Wed Nov 15, 2006 11:36 am Post subject: |
|
|
Code: | $ netstat -n -t -p
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.73.2:32779 207.46.111.37:1863 ESTABLISHED 2185/gaim
tcp 0 0 192.168.73.2:32866 64.233.183.103:80 ESTABLISHED 2206/firefox-bin
tcp 0 0 192.168.73.2:32778 207.46.108.65:1863 ESTABLISHED 2185/gaim |
running netstat -n -t -p as root displays the same info
-t is the same as --tcp
-p displays the program
and this is what I get after visiting my site locally
Code: | # netstat -n -t -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.73.2:32779 207.46.111.37:1863 ESTABLISHED 2185/gaim
tcp 0 0 192.168.73.2:32939 64.233.183.103:80 ESTABLISHED 2206/firefox-bin
tcp 0 0 192.168.73.2:32941 192.168.73.2:80 ESTABLISHED 2206/firefox-bin
tcp 0 0 192.168.73.2:32942 192.168.73.2:80 TIME_WAIT -
tcp 0 0 192.168.73.2:32943 192.168.73.2:80 TIME_WAIT -
tcp 0 0 192.168.73.2:32944 212.78.206.150:80 ESTABLISHED 2416/php
tcp 0 0 192.168.73.2:32778 207.46.108.65:1863 ESTABLISHED 2185/gaim
tcp 0 0 192.168.73.2:80 192.168.73.2:32941 ESTABLISHED 1942/abyssws |
Code: | # netstat -n -p -t -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN 1495/xinetd
tcp 0 0 0.0.0.0:806 0.0.0.0:* LISTEN 1048/rpc.statd
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1000/mysqld
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 1828/smbd
tcp 0 0 0.0.0.0:9999 0.0.0.0:* LISTEN 1942/abyssws
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 977/portmap
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1942/abyssws
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 1957/perl
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 1265/X
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 1560/cupsd
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 1828/smbd
tcp 0 0 192.168.73.2:32779 207.46.111.37:1863 ESTABLISHED 2185/gaim
tcp 0 0 192.168.73.2:32957 64.233.183.147:80 ESTABLISHED 2206/firefox-bin
tcp 0 0 192.168.73.2:32939 64.233.183.103:80 ESTABLISHED 2206/firefox-bin
tcp 0 0 192.168.73.2:32968 192.168.73.2:80 TIME_WAIT -
tcp 0 0 192.168.73.2:32969 192.168.73.2:80 TIME_WAIT -
tcp 0 0 192.168.73.2:32778 207.46.108.65:1863 ESTABLISHED 2185/gaim |
-a shows both listening and non-listening sockets _________________ Anthony R
Roganty | Links-Links.co.uk |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Nov 15, 2006 11:42 am Post subject: |
|
|
It doesn't work on Mac OS X. I get a blank page. |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Wed Nov 15, 2006 11:45 am Post subject: |
|
|
TRUSTAbyss wrote: | It doesn't work on Mac OS X. I get a blank page. |
you could try either
or
to display the help page on commands that you can pass to netstat _________________ Anthony R
Roganty | Links-Links.co.uk |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Nov 15, 2006 11:49 am Post subject: |
|
|
Thanks for all the help Roganty. Since all the rows for every netstat command
are the same, all I had to do is match the two IP Addresses listed using a very
simple Regular Expression to match the two IPs.
Here's the Regular Expression:
Code: | ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[.:][0-9]+.+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[.:][0-9]+) |
We know that since the two IP Address columns have ports at the end, all I needed
was a simple regular expression to match the two columns. Simple!
Sincerely, Josh (TRUSTAbyss)
Last edited by TRUSTAbyss on Thu Nov 16, 2006 4:50 am; edited 5 times in total |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Wed Nov 15, 2006 12:18 pm Post subject: |
|
|
TRUSTAbyss wrote: | Since the rows are the same on every Operating System, do you know how to
parse it to create a function that shows IP Addresses connected on port 80? I
really need this function for a project I'm working on.
My code at the top isn't very professional and I need an alternative solution
that works on all systems. :-) |
It gets the job done!
Just adding the -t flag to exec() displays the number of connections to the server for me
I will see what I can do, what would help would be to have the output of netstat -n from a windows computer _________________ Anthony R
Roganty | Links-Links.co.uk |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Nov 15, 2006 12:20 pm Post subject: |
|
|
I figured it out. My post has been edited. Thanks for the help. |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Wed Nov 15, 2006 12:56 pm Post subject: |
|
|
TRUSTAbyss wrote: | I figured it out. My post has been edited. Thanks for the help. |
Until you posted that regex I was going to search through the headers looking for "Local Address" and "Foreign Address" and then get the ip address from those columns.
Unless you want to see the function I will not post it.
May I suggest that you add a new argument to your client_connects() function so that optional flags can be passed to the exec() function
Code: | function client_connects($ip, $port, $arg=""){
    // $arg goes to the shell, so escape shell metacharacters in it first
    exec("netstat -n " . escapeshellcmd($arg), $array);
}
client_connects($_SERVER['REMOTE_ADDR'], 80, "-t"); |
using no flags on a *nix system displays a list of all open sockets
the -n flag shows the numerical address
the -t flag (or --tcp) just limits the output to open tcp sockets _________________ Anthony R
Roganty | Links-Links.co.uk |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Nov 15, 2006 1:16 pm Post subject: |
|
|
I would like to see the type of function you wrote so that I have an idea how
to code my own. |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Wed Nov 15, 2006 2:23 pm Post subject: |
|
|
Hello everyone,
My function is complete and it works on all Operating Systems. You can find
out how many connections are made to a specific server from one client. This
actually makes it possible to limit access by one connection now.
I hope you guys like the function and find it useful. Enjoy!
Example Syntax:
get_client_connects(ip, 80) For Web
get_client_connects(ip, 21) For FTP
Here's the PHP code:
Code: | <pre>
<?php
/**
 * Function: get_client_connects()
 * Created by: Josh (TRUSTAbyss)
 */
function get_client_connects($ip, $port) {
    exec("netstat -n", $array);
    $output = array();
    // "." keeps its meaning of "any client"; a real address is matched literally
    $ip_pattern = ($ip == ".") ? ".+" : preg_quote($ip, "/");
    $port = (int) $port;
    foreach ($array as $string) {
        // Capture the local and foreign address columns (":" or "." before the port)
        preg_match("/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[.:][0-9]+.+[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[.:][0-9]+)/", $string, $matches);
        unset($matches[0]);
        foreach ($matches as $result) {
            $string = preg_replace("/\s+/", " ", $result);
            $string = explode(" ", $string);
            // Local address must end in exactly $port (80 must not match 8080);
            // foreign address must be the whole of $ip followed by its port
            if (preg_match("/[.:]$port$/", $string[0]) AND (preg_match("/^{$ip_pattern}[.:][0-9]+$/", $string[1]))) {
                $output[] = $string[1];
            }
        }
    }
    return count($output);
}
// Syntax: get_client_connects(ip, port)
$ip = $_SERVER['REMOTE_ADDR'];
// Let's display connections from current user
echo get_client_connects($ip, 80) . " Connection(s) From " . $ip . "\n";
// Let's display all connections on port 80!
echo get_client_connects(".", 80) . " Connection(s) From Total";
?>
</pre> |
Sincerely, Josh (TRUSTAbyss)
Last edited by TRUSTAbyss on Thu Nov 16, 2006 5:27 am; edited 2 times in total |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Wed Nov 15, 2006 11:39 pm Post subject: |
|
|
TRUSTAbyss wrote: | I would like to see the type of function you wrote so that I have an idea how to code my own. |
I was at work, so I wasn't able to post the function.
But I'm home now!
Code: | <?php
function client_connects($ip, $port, $arg=""){
    $output = array();
    $tmpoutput = array();
    $count = 0;
    $lines = array();
    // $arg goes to the shell, so escape shell metacharacters in it first
    exec("netstat -n " . escapeshellcmd($arg), $array);
    // Split every row into its whitespace-separated fields
    foreach($array as $string) {
        $string = preg_replace("/\s+/", "+", $string);
        $lines[] = explode("+", $string);
    }
    $c = count($lines);
    for( $i = 0; $i < $c; $i++ ){
        $a = 0;
        $array = $lines[$i];
        $tmpoutput[$i] = array();
        foreach( $array as $value ){
            // Collect every ip:port field of the row
            if( preg_match("/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:+[0-9]+)/", $value, $matches) ){
                $tmpoutput[$i][] = $matches[1];
                // Count the row when the field at index 3 is exactly "$ip:$port"
                if( $a == 3 && $matches[1] == "$ip:$port" ) $count++;
            }
            $a++;
        }
    }
    // Drop rows that contained no ip:port field
    foreach( $tmpoutput as $value ){
        if(! empty($value) ) $output[] = $value;
    }
    //return $output;
    return $count;
}
/*
 * Syntax: client_connects(IP, Port[, Optional Flags])
 */
//echo "<pre>" .print_r(client_connects($_SERVER['REMOTE_ADDR'], 80, "-t"), true). "</pre>";
/*Windows*/
echo "<pre>" .($nums = client_connects($_SERVER['REMOTE_ADDR'], 80)). " Connection" .($nums>1 ? "s" : ""). "</pre>";
/*Linux (Maybe MacOS)*/
#echo "<pre>" .($nums = client_connects($_SERVER['REMOTE_ADDR'], 80, "-t")). " Connection" .($nums>1 ? "s" : ""). "</pre>";
?> |
_________________ Anthony R
Roganty | Links-Links.co.uk |
|
TRUSTAbyss -
Joined: 29 Oct 2003 Posts: 3752 Location: USA, GA
|
Posted: Thu Nov 16, 2006 4:22 am Post subject: |
|
|
Nice function! My function doesn't require the Operating System Checks, since it
looks for two IP columns, and since all OS's have the same rows for the netstat,
I created a function to just split the two IP columns. Pretty simple!
Just so you know, here's what my function searches for.
Code: | For Windows/Linux:
127.0.0.1:80 192.168.0.1:1024
For Mac:
127.0.0.1.80 192.168.0.1.1024
|
Thanks for the contribution though, Roganty.
Sincerely, Josh (TRUSTAbyss) |
|
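Added example, not code from either poster in this thread: when a per-client connection count is used to limit access, the port and address are best compared as parsed values rather than regex substrings, so port 8080 is not counted as port 80 and 192.168.73.20 is not counted as 192.168.73.2. The function names `split_endpoint` and `count_client_connects` are hypothetical, and the sample rows are constructed in the Linux, Windows and Mac OS X layouts discussed above.

```php
<?php
// Constructed sample rows in the three layouts quoted in this thread.
$sample = [
    "tcp    0   0 192.168.73.2:80    192.168.73.20:32941  ESTABLISHED", // Linux
    "tcp    0   0 192.168.73.2:8080  192.168.73.2:32950   ESTABLISHED", // Linux, port 8080
    "  TCP    192.168.1.11:80    66.249.65.7:53837    ESTABLISHED",     // Windows
    "tcp4   0   0 192.168.1.2.80     128.147.38.10.42419  ESTABLISHED", // Mac OS X
    "tcp4   0   0 192.168.1.2.80     128.147.38.10.41943  TIME_WAIT",   // Mac OS X
    "tcp    0   0 0.0.0.0:80         0.0.0.0:*            LISTEN",
    "unix   3   [ ]   STREAM   CONNECTED   7091",
];

// Split "a.b.c.d:port" or "a.b.c.d.port" into [ip, port]; null for anything else.
function split_endpoint(string $field): ?array {
    if (!preg_match('/^(\d{1,3}(?:\.\d{1,3}){3})[.:](\d{1,5})$/', $field, $m)) {
        return null;
    }
    return [$m[1], (int) $m[2]];
}

// Count rows in $state whose local port is $port and whose foreign IP equals $ip.
// $ip = null counts every client on that port.
function count_client_connects(array $lines, ?string $ip, int $port,
                               string $state = 'ESTABLISHED'): int {
    $count = 0;
    foreach ($lines as $line) {
        $fields = preg_split('/\s+/', trim($line));
        // Keep only fields that are complete IPv4 endpoints: [local, foreign].
        $endpoints = array_values(array_filter(array_map('split_endpoint', $fields)));
        if (count($endpoints) !== 2 || !in_array($state, $fields, true)) {
            continue; // headers, UNIX sockets, LISTEN rows, other states
        }
        [$local, $foreign] = $endpoints;
        if ($local[1] === $port && ($ip === null || $foreign[0] === $ip)) {
            $count++;
        }
    }
    return $count;
}

echo count_client_connects($sample, '192.168.73.2', 80), "\n";  // exact IP and port
echo count_client_connects($sample, '128.147.38.10', 80), "\n"; // Mac-style rows
echo count_client_connects($sample, null, 80), "\n";            // all clients on port 80
```

To run it against a live host, pass the array that `exec("netstat -n", $lines)` fills instead of `$sample`.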
loloyd -
Joined: 03 Mar 2006 Posts: 435 Location: Philippines
|
Posted: Thu Nov 16, 2006 7:40 pm Post subject: |
|
|
just to let you know, for some unknown reason, i found my netstat -n result looking like this:
Code: | For Windows/Linux:
127.0.0.1:80 127.0.0.1:4282
127.0.0.1:80 127.0.0.1:4292
...
192.168.1.11:80 66.249.65.7:53837
192.168.1.11:80 66.249.65.7:58199
192.168.1.11:80 192.168.1.11:4278
... |
there could be value in just specifically looking for ":80 " for Windows and just ".80 " for Macs. _________________
http://home.loloyd.com/ is online if the logo graphic at left is showing. |
|
roganty -
Joined: 08 Jun 2004 Posts: 357 Location: Bristol, UK
|
Posted: Thu Nov 16, 2006 10:14 pm Post subject: |
|
|
Mine doesn't require an os check either!
The extra argument passed to the client_connects function is for extra flags to the netstat command
The actual output of netstat -n on my pc (linux) is
Code: | $netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.73.2:32789 63.245.209.21:80 ESTABLISHED
tcp 0 0 192.168.73.2:32779 207.46.108.65:1863 ESTABLISHED
tcp 0 0 192.168.73.2:32778 207.46.108.19:1863 ESTABLISHED
tcp 0 0 192.168.73.2:32795 66.249.93.147:80 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 14 [ ] DGRAM 4516 /dev/log
unix 3 [ ] STREAM CONNECTED 7092 /tmp/.ICE-unix/dcop1650-1163711136
unix 3 [ ] STREAM CONNECTED 7091
unix 3 [ ] STREAM CONNECTED 7087 /tmp/.ICE-unix/2168
unix 3 [ ] STREAM CONNECTED 7086
unix 3 [ ] STREAM CONNECTED 7081 /tmp/.X11-unix/X0
unix 4 [ ] STREAM CONNECTED 7080
unix 3 [ ] STREAM CONNECTED 7067 /tmp/ksocket-anthony/klauncherrLfW2a.slave-socket
unix 3 [ ] STREAM CONNECTED 7064
unix 3 [ ] STREAM CONNECTED 6999 /tmp/.ICE-unix/dcop1650-1163711136
unix 3 [ ] STREAM CONNECTED 6998
unix 3 [ ] STREAM CONNECTED 6997 /tmp/ksocket-anthony/kateTxdfDa.slave-socket
unix 3 [ ] STREAM CONNECTED 6996
unix 42 [ ] STREAM CONNECTED 6990 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 6989
unix 3 [ ] STREAM CONNECTED 6956 /tmp/ksocket-anthony/kateAbD12a.slave-socket
unix 3 [ ] STREAM CONNECTED 6954
unix 3 [ ] STREAM CONNECTED 6922 /tmp/.famR2hav5
unix 3 [ ] STREAM CONNECTED 6921
unix 3 [ ] STREAM CONNECTED 6906 /tmp/.ICE-unix/2168
unix 3 [ ] STREAM CONNECTED 6905
unix 3 [ ] STREAM CONNECTED 6897 /tmp/.X11-unix/X0
[cut]
|
That is just the first 30 lines out of 125 lines in total
by adding the -t flag to the netstat command the output is limited to just the tcp connections _________________ Anthony R
Roganty | Links-Links.co.uk |
|