The Joel on Software Discussion Group (CLOSED)

A place to discuss Joel on Software. Now closed.

Logging the IPs Connecting to an Application


I have inherited an old application that received connections via sockets from other servers - both internal and from across the Internet.

The application is hosted on a Linux box.

I use 'netstat' to find out which servers are connecting to the application.

But 'netstat' gives real-time data - i.e. only those servers connected when I run the 'netstat' command.

Is there a way to create logging in 'netstat', so I can get a continuous read on the IPs connecting? Or is there another better way?

As the application uses sockets, a web server is out of the question. Besides I do not want to touch the app - no time.
Monday, February 20, 2006
If it's hitting via http, you could use the Apache access logs.  Not sure about different socket-level options.
KC
Monday, February 20, 2006
Linux does allow some degree of IP accounting that would probably let you keep track of who has connected.  I've never used it so I don't have any details, or really even a good starting point.  Most firewalls can be set to log traffic though.

Alternatively you might consider modifying the application's source to log who it connects from.  That information is available without a lot of difficulty right around the time the accept() call is made.
Clay Dowling
Monday, February 20, 2006
Can the application be set up to accept connections through inetd?
Monday, February 20, 2006
If it's your source code you can get the peer information from the socket. Then log it.

Using a proxy is another good suggestion. Connect to the proxy. Log. Then passthrough to the app.

If you have access to your firewall or other security software, they will probably keep a log.
son of parnas
Monday, February 20, 2006
You can create a script by which netstat will continuously send to a file.  This checks netstat every 10 seconds for 111 iterations (because of processing time it will be > 111*10 seconds).

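netstat -i 10 |&    # every 10 seconds send to a ksh co-process
LOOPCNT=0
while read -p        # now read it back, one line at a time
do
      TIMESTMP=`date '+%y%m%d.%H:%M:%S'`
      print "$TIMESTMP:$REPLY"  >> /tmp/netstat.log
      LOOPCNT=$((LOOPCNT + 1))    # count the lines logged so far
      if [ $LOOPCNT -gt "111" ]
      then
            exit 0
      fi
done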

Disclaimer: I am doing this from memory.  If cut/paste works we are both lucky.
This is a ksh on a sun box - adjust as appropriate.
Monday, February 20, 2006
I don't think a netstat loop will be accurate enough as you can process hundreds of connections a second.
son of parnas
Monday, February 20, 2006
how about logging the remote address at the socket level.
doing netstat every 10 seconds means you'll miss some connections.

you can do this after the socket has been 'accepted'
Lemon Obrien from portable
Monday, February 20, 2006
The Linux firewalling stuff will allow you to do this. Google iptables (this looks promising: ).
Mark L. Smith
Monday, February 20, 2006
This was an example of how to do it with netstats.  Please feel free to update as necessary.
Monday, February 20, 2006
I know you said you didn't have time to mess with the app but it might be faster, and easier, to just add logging to the app.

Just look for the code where incoming connections are accepted.  In C it'll be something like this:

int desc = accept( control_port, (struct sockaddr *)&sock, &size);

Right after that you can log the IP from the socket info.  It's two lines of code really:

ip = ntohl(sock.sin_addr.s_addr);

sprintf(buf, "Client connected from IP: %d.%d.%d.%d\n",
    (ip >> 24) & 0xff,
    (ip >> 16) & 0xff,
    (ip >> 8) & 0xff,
    (ip) & 0xff);
Monday, February 20, 2006
Instead of all that bitshifting, just use inet_ntoa.
Monday, February 20, 2006
I 2nd the notion to use IPTables. 

iptables -t filter -A INPUT -i eth0 -j LOG --log-prefix="put what ever you want here:"

This will put messages in your syslog with the IP address and port number.  Replace eth0 with that of your network interface.
Eric (another ISV guy with his company)
Tuesday, February 21, 2006
"Instead of all that bitshifting, just use inet_ntoa."

Good point.
Tuesday, February 21, 2006

This topic is archived. No further replies will be accepted.
