I often use Linux’s netstat command to do things like figuring out which ports are listening on a computer and what the active connections are. It’s very handy for troubleshooting networking problems.
Today I wanted to figure out what sites a certain user on my network was connecting to and how much traffic the user was using. I connected to the router with SSH and ran netstat with no options. I was surprised to see only my SSH connection. Then I remembered that the user in question gets onto the internet with a masqueraded address. Well, duh!
I figured netstat was still the command that I needed to use but that I just needed to pass some option. So, I looked at the man page for netstat and sure enough I found the -M option, whose description is “Display a list of masqueraded connections.”
I tried netstat -M and got the following error message: “netstat: no support for `ip_masquerade' on this system.”
That sucks! After some googling, I found out that netstat -M only works on pre-2.4 kernels. On 2.4 and later kernels, you need to use this:
cat /proc/net/ip_conntrack
The format of ip_conntrack is kind of cryptic but if you look at it for a few moments, you can figure it out. You can also use grep to filter out the stuff you don’t need. For example, to see only the connections involving a particular address, say 192.168.1.10, you can do this (-F makes grep treat the dots literally and -w keeps 192.168.1.100 from matching too):
grep -wF 192.168.1.10 /proc/net/ip_conntrack
Apparently, there is a command out there that can nicely format the contents of ip_conntrack. It’s called conntrack viewer. Unfortunately, I couldn’t connect to that site today. Perhaps the link is dead.
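Until a formatter turns up, a short script can answer the original question of which destinations one masqueraded host is talking to and how much traffic each one accounts for. This is an added example, not code from the original post; the sample entries are constructed, the function names are made up for illustration, and the bytes= counters only appear when connection accounting is enabled in the kernel. It also accepts the /proc/net/nf_conntrack layout of newer kernels, which goes beyond what the post covers.

```python
import re
from collections import defaultdict

# Constructed sample entries in the ip_conntrack layout (not real traffic).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.7 sport=51234 dport=443 packets=12 bytes=1400 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51234 packets=10 bytes=9000 [ASSURED] use=1
tcp      6 110 TIME_WAIT src=192.168.1.10 dst=198.51.100.7 sport=51240 dport=443 packets=5 bytes=600 src=198.51.100.7 dst=203.0.113.5 sport=443 dport=51240 packets=4 bytes=2400 [ASSURED] use=1
udp      17 25 src=192.168.1.10 dst=198.51.100.53 sport=40000 dport=53 packets=1 bytes=70 [UNREPLIED] src=198.51.100.53 dst=203.0.113.5 sport=53 dport=40000 packets=0 bytes=0 use=1
tcp      6 431000 ESTABLISHED src=192.168.1.100 dst=198.51.100.9 sport=40222 dport=80 packets=3 bytes=300 src=198.51.100.9 dst=203.0.113.5 sport=80 dport=40222 packets=2 bytes=200 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return protocol, TCP state and the original/reply tuples of one entry."""
    fields = line.split()
    if fields and fields[0] in ("ipv4", "ipv6"):
        fields = fields[2:]  # nf_conntrack prefixes the layer-3 name and number
    if len(fields) < 4:
        return None
    # Only TCP entries carry a state word before the first key=value pair.
    state = fields[3] if "=" not in fields[3] else None
    orig, reply = {}, {}
    for key, value in KV.findall(line):
        # Each key appears first for the original direction, then for the reply.
        (orig if key not in orig else reply)[key] = value
    return {"proto": fields[0], "state": state, "orig": orig, "reply": reply}

def summarize(text, client_ip):
    """Connections and bytes per (destination, protocol, port) for one client."""
    totals = defaultdict(lambda: {"conns": 0, "sent": 0, "received": 0})
    for line in text.splitlines():
        entry = parse_line(line)
        # Exact match on the original source, so 192.168.1.100 is not counted.
        if not entry or entry["orig"].get("src") != client_ip:
            continue
        o, r = entry["orig"], entry["reply"]
        t = totals[(o.get("dst"), entry["proto"], o.get("dport"))]
        t["conns"] += 1
        t["sent"] += int(o.get("bytes", 0))      # 0 when accounting is off
        t["received"] += int(r.get("bytes", 0))
    return dict(totals)

if __name__ == "__main__":
    rows = summarize(SAMPLE, "192.168.1.10").items()
    for (dst, proto, port), t in sorted(rows, key=lambda kv: -kv[1]["received"]):
        print(f"{dst}:{port}/{proto} conns={t['conns']} sent={t['sent']} received={t['received']}")
```

On the router itself, pass the contents of /proc/net/ip_conntrack to summarize() in place of SAMPLE.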

thanks, this helped me!