Connection counting on your *nix based router/appliance

At my work in the past we’ve had to hunt down infected systems that have caused networks to come to a near standstill and their WAN IP/email DNS name to become blacklisted. On routers with dd-wrt, there’s a nice feature where you can see a connection count per system. A majority of the time we have discovered that systems with very high connection counts tend to be infected and cause network issues. Unfortunately, dd-wrt doesn’t really cut it anymore for our needs and we had to shift over to different firmware alternatives (like http://tomato.groov.pl/?page_id=164 or https://www.snbforums.com/threads/fork-asuswrt-merlin-374-43-lts-releases-v22e4-23b8.18914/ ). However, these alternatives tend to not have a connection count feature. After some googling, I’ve found a workaround if you can get ssh or telnet access to the device:

# Pick the first src= field by name rather than by fixed column: UDP entries carry no state column, and on newer kernels the table is /proc/net/nf_conntrack, whose lines start with an extra "ipv4 2" prefix. The trailing "." on the prefix keeps 192.168.10.x from matching a 192.168.1 LAN.
cat /proc/net/ip_conntrack | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { print substr($i, 5); break } }' | sort | uniq -c | sort -nr | fgrep " $(ifconfig br0 | grep "inet addr" | awk '{print $2}' | sed 's/addr://g' | cut -d. -f1-3)."

You can download it from my website and run it this way:

wget http://zitstif.no-ip.org/concount; watch -n 1 '/bin/sh concount'
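The same per-host counting as a self-contained script, added here as an example and not the concount script from the post: it reads conntrack-style lines from stdin (a constructed sample is embedded so it runs off the router), takes the first src= field by name so that UDP entries and the nf_conntrack "ipv4 2" layout are counted correctly, and only keeps originators inside the LAN prefix you pass in. The function names and the sample addresses are my own.

```shell
#!/bin/sh
# Added example: count tracked connections per LAN source address.
# Constructed sample of conntrack entries in both the legacy ip_conntrack
# layout and the nf_conntrack layout (extra "ipv4 2" prefix); all addresses
# are made up. On a router you would pipe /proc/net/ip_conntrack or
# /proc/net/nf_conntrack into count_lan_connections instead.
SAMPLE='tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=51234 dport=443 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=51234 [ASSURED] use=1
tcp      6 12 SYN_SENT src=192.168.1.20 dst=203.0.113.9 sport=51235 dport=25 src=203.0.113.9 dst=198.51.100.2 sport=25 dport=51235 use=1
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 use=1
ipv4     2 tcp      6 300 ESTABLISHED src=192.168.1.7 dst=203.0.113.5 sport=40000 dport=443 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=40000 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.10.3 dst=203.0.113.5 sport=40001 dport=443 src=203.0.113.5 dst=198.51.100.2 sport=443 dport=40001 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=203.0.113.77 dst=198.51.100.2 sport=4444 dport=22 src=198.51.100.2 dst=203.0.113.77 sport=22 dport=4444 use=1'

# count_lan_connections PREFIX
# Reads conntrack lines on stdin and prints "count address" for every host
# whose address starts with PREFIX (e.g. 192.168.1), highest count first.
count_lan_connections() {
    prefix="$1"
    awk -v p="$prefix." '
        {
            for (i = 1; i <= NF; i++) {
                # The first src= field is the original direction of the flow;
                # the second src= is the reply tuple and must be ignored.
                if (substr($i, 1, 4) == "src=") {
                    ip = substr($i, 5)
                    # index()==1 requires the dotted prefix at the very start,
                    # so 192.168.10.x is not counted as part of 192.168.1.
                    if (index(ip, p) == 1) n[ip]++
                    break
                }
            }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -nr
}

# top_talker PREFIX: the LAN host with the most tracked connections, i.e. the
# first system to inspect when the network slows down.
top_talker() {
    printf '%s\n' "$SAMPLE" | count_lan_connections "$1" | head -n 1 | awk '{ print $2 }'
}

printf '%s\n' "$SAMPLE" | count_lan_connections 192.168.1
```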
