[ARGUS] Get active connections

Steve McInerney spm at healthinsite.gov.au
Sun Jun 27 18:43:11 EDT 2004


It might be easier to repeatedly poll netstat with an appropriate egrep 
to filter the traffic you wish to see?


This is one I use as a Q&D on Solaris fairly regularly:
netstat -an | egrep "^[^ ]+\.80.+ESTAB"

then pipe thru "wc -l" to count. Compare with "$ALARM_LIMIT" and you're 
away.
Where "80" is the port number to watch.


Perhaps it might help to further define the problem set? Are you after 
real time or post analysis? The above is for near to real time.


HTH?


- Steve

StoneBeat wrote:
> Hi,
> 
> first of all I want to tell I am new on this list and I don't know if it
> is the correct place to ask my question.
> 
> I'm new with Argus and I'm a bit confused with the multiple tools
> associated with it.
> 
> I want to know how can I get the number of active connections TCP
> established.
> 
> I'm sniffing a spanned mirror and I want to do a program that got active
> connections on the sniffed network and, if a threshold is exceeded, (for
> example I get 1000 active connections) printed out an alarm (similar as
> the result of netstat of the active network connections).
> 
> I want to know how can my program interact with Argus to get the number
>  of active connections.
> 
> Thanks in advance
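
The netstat polling approach from the reply above, as an added example that is not part of the original thread: it matches the port exactly at the end of the local address field, so a local port such as 8080 or an address octet of 80 is not counted. The function names and sample lines are constructed for illustration, and the column layouts are assumptions stated in the comments.

```sh
#!/bin/sh
# Added example: count ESTABLISHED TCP connections to one local port from
# `netstat -an` output and raise an alarm when a threshold is exceeded.

# count_established PORT  (hypothetical helper; reads netstat -an on stdin)
# Assumption: the local address is field 1 in Solaris-style output and
# field 4 when the line starts with a protocol column (tcp, tcp4, tcp6).
count_established() {
    awk -v port="$1" '
        $NF ~ /^ESTAB/ {
            laddr = ($1 ~ /^tcp/) ? $4 : $1
            n = split(laddr, part, /[.:]/)   # port is the last component
            if (n > 1 && part[n] == port) count++
        }
        END { print count + 0 }'
}

# check_alarm COUNT LIMIT: prints a status line, returns 1 when over the limit
check_alarm() {
    if [ "$1" -gt "$2" ]; then
        echo "ALARM: $1 established connections (limit $2)"
        return 1
    fi
    echo "OK: $1 established connections (limit $2)"
}

# Constructed sample input, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
192.168.1.10.80      10.0.0.5.40112       49640      0 49640      0 ESTABLISHED
192.168.1.10.80      10.0.0.6.40113       49640      0 49640      0 ESTABLISHED
192.168.1.10.8080    10.0.0.7.40114       49640      0 49640      0 ESTABLISHED
10.0.80.5.22         10.0.0.8.40115       49640      0 49640      0 ESTABLISHED
192.168.1.10.80      10.0.0.9.40116       49640      0 49640      0 TIME_WAIT
      *.80                 *.*                0      0 49152      0 LISTEN
tcp        0      0 192.168.1.10:80         10.0.0.10:40117         ESTABLISHED
EOF
}

ALARM_LIMIT=${ALARM_LIMIT:-1000}
# Live use (poll from cron or a sleep loop):
#   check_alarm "$(netstat -an | count_established 80)" "$ALARM_LIMIT"
check_alarm "$(sample_netstat | count_established 80)" "$ALARM_LIMIT"
```
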


