Thought I will write a tiny post about how to easily monitor NEW (or any other state) connections per second on a Linux firewall. The approach I have chosen seems to be really easy and simple one-liner.
Kernel modules and packages you are going to need:
- ip_conntrack iptables kernel module loaded or compiled in to the kernel
- conntrack-tools package installed
- libnetfilter_conntrack package installed
- pv (if not installed already) package installed
Depending on your distribution (I have tested it on Fedora 14 and Centos5.5 and 5.6),
obviously Fedora has the above two packages in its repository, but for example Centos does
not, so if you use Centos, you can get them from:
pv package is available from Fedora repository, but Centos does not have it, so you might need
to add epel repo or just get the RPM from epel repo online (most people have epel repo configured already).
Once you have got required module and libraries in place, then just simply run:
conntrack -E -e NEW | pv -l -i 1 -r > /dev/null
The self updating output should look similar like the one below:
[ 50/s ]
A little explanation of the command line above:
conntrack -E -e NEW- display a real-time event log with event-mask ‘NEW’
pv -l -i 1 -r- pv is a pipe viewer
-lturns the line mode for counting lines instead of bytes, waits 1 second between updates (
-i 1) and
-rturns the rate counter on
> /dev/null- redirects the output from
conntrack -E -e NEWto
/dev/nullat the end
I find it a very simple ‘one-liner’ which comes in handy sometimes when I want to quickly count the NEW connections per second my firewalls are dealing with.
If you know better or other ways of doing it, please post that in the comments section below.