{"id":1190,"date":"2017-02-07T21:21:14","date_gmt":"2017-02-08T02:21:14","guid":{"rendered":"http:\/\/zitstif.no-ip.org\/?p=1190"},"modified":"2017-04-04T20:01:25","modified_gmt":"2017-04-05T01:01:25","slug":"connection-counting-on-your-nix-based-routerappliance","status":"publish","type":"post","link":"http:\/\/zitstif.no-ip.org\/?p=1190","title":{"rendered":"Connection counting on your *nix based router\/appliance"},"content":{"rendered":"

At my work in the past we’ve had to hunt down infected systems that have caused networks to come to a near standstill and their WAN IP\/email DNS name to become blacklisted. On routers with dd-wrt, there’s a nice feature where you can see a connection count per each system. A majority of the time we have discovered that systems with very high connection counts tend to be infected and cause network issues. Unfortunately, dd-wrt doesn’t really cut it anymore for our needs and we had to shift over toward different firmware alternatives (like http:\/\/tomato.groov.pl\/?page_id=164<\/a> or https:\/\/www.snbforums.com\/threads\/fork-asuswrt-merlin-374-43-lts-releases-v22e4-23b8.18914\/<\/a> ). However, these alternatives tend to not have a connection count feature. After some googling, I’ve found a work around if you can get ssh or telnet access to the device:<\/p>\n

cat \/proc\/net\/ip_conntrack | awk '{print $5}'| cut -d: -f1 | sort | uniq -c | sort -nr | fgrep \"$(ifconfig br0 | grep \"inet addr\" | awk '{print $2}' | sed 's\/addr:\/\/g' | cut -d. -f1-3)\"<\/pre>\n
You can download from my website and run it this way:<\/p>\n
wget http:\/\/zitstif.no-ip.org\/concount; watch -n 1 ‘\/bin\/sh concount’<\/p>\n","protected":false},"excerpt":{"rendered":"
At my work in the past we’ve had to hunt down infected systems that have caused networks to come to a near standstill and their WAN IP\/email DNS name to become blacklisted. On routers with dd-wrt, there’s a nice feature where you can see a connection count per each system. A majority of the time … Continue reading Connection counting on your *nix based router\/appliance<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,3],"tags":[844,846,507,847,727,345,845],"class_list":["post-1190","post","type-post","status-publish","format-standard","hentry","category-code","category-posts","tag-concount","tag-ifconfig","tag-malware","tag-malware-hunting","tag-wget","tag-zitstif","tag-zitstif-com"],"_links":{"self":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/1190","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1190"}],"version-history":[{"count":6,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/1190\/revisions"}],"predecessor-version":[{"id":1202,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=\/wp\/v2\/posts\/1190\/revisions\/1202"}],"wp:attachment":[{"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1190"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1190"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zitstif.no-ip.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1190"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}