But that makes so much screen output that it is so hard to read. I can
shorten the output with something like:
sudo cat /proc/net/ip_conntrack |grep 192.168.0.94
But that still is way too much information to weed through. I did find a
bitching perl script that will show you the output in an easy to read
format called conntrack-viewer 1.3. It can be found on this page:
http://cv.intellos.net/
But it does not work with Fedora. I was so disappointed. I wrote the
author Patrick a note and he says yes, it is broken with Fedora and he
has not had a chance to fix it yet. New job, school and all, might be a
long time in coming to get it working with Fedora. Here is what he said:
-------------------------------------------------------------------
Greetings Paul,
You did nothing wrong, this situation is normal.
I had developed this script under Redhat 9 (which is pretty old now).
After that I started working in a company using only Solaris and AIX,
no Linux. When Fedora came out, I received a few emails regarding the same
issue, but I didn't have any Redhat/Fedora machine around me. At less
than $5 per month for hosting outside, I didn't see any good reason to
maintain a Linux box at home.
I just started a new job, and we are using Redhat Enterprise and AIX, so I
guess I will have the opportunity to fix the code to work on Fedora. For
now I am extremely busy reading tons of doc (new job!), school... so it
won't be fixed in the short term. I should have more time around June.
Regards
Patrick
-------------------------------------------------------------------
Well, that shoots me out of the water but if anyone here is good with
perl scripts, maybe they can find the error and help me to fix it. I had
to run the perl script as root and did so with:
$ sudo ./conntrack-viewer.pl -m
This gave me a ton of erroneous output but nothing useful. I had to save
a putty.log in an ssh session just to capture the screen output for the
author. You can see it here:
http://www.ohmster.com/~ohmster/temp/putty.log
If anybody wants the conntrack perl script and cannot get it from the
very busy server, I have it here if you want it:
http://www.ohmster.com/~ohmster/misc/conntrack-viewer-1.3.tar.gz
Can somebody figure out what is wrong with this perl script and make it
work with Fedora please? Thank you so much.
Cheers,
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.
> But that makes so much screen output that it is so hard to read. I can
> shorten the output with something like:
> sudo cat /proc/net/ip_conntrack |grep 192.168.0.94
> http://www.ohmster.com/~ohmster/temp/putty.log
Man, is that a slow download, and it contains 99.9% of the same
warning message...
> If anybody wants the conntrack perl script and cannot get it from the
> very busy server, I have it here if you want it:
> http://www.ohmster.com/~ohmster/misc/conntrack-viewer-1.3.tar.gz
> Can somebody figure out what is wrong with this perl script and make it
> work with Fedora please? Thank you so much.
Works for me on CentOS5, which is RHEL5. You need to either remove
the "-w" switch in the shebang to get rid of the warnings, or
declare the vars properly with "my (..);" to avoid them.
Anything else seems to work for me. Though I am by no means a
perl guru, the script doesn't look like rocket science to me.
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvp...@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 80: That's a great computer you have there;
have you considered how it would work as a BSD machine?
> Can somebody figure out what is wrong with this perl script and make it
> work with Fedora please? Thank you so much.
I do not have Fedora up; your log was binary so I did not bother to
look at it, but this might help.
Under the first line, add
use strict;
use warnings;
use diagnostics ;
under "# Default value" change it to look like the following:
my $dnsresolution=1;
my $masqueradeonly=0;
my $directonly=0;
my $showheader=1;
my $titre="Active Connections according to /proc/net/ip_conntrack";
my $dstaddr;
my $dstname;
my $dstport;
my $dstportname;
my @ip_conntrack_brut ;
my $nbspace;
my $plpl;
my $portname;
my $proto;
my $spacedestination;
my $spaceport;
my $spacesource;
my $spacestate;
my $srcaddr;
my $srcname;
my $srcport;
my $srcportname;
my $state;
Next search for open (PROCNETBUFF and change it to
open (PROCNETBUFF,"< /proc/net/ip_conntrack") or die "Opening /proc/net/ip_conntrack $!\n";
Now, save, exit and test again.
I added all that stuff like you said, although the first part,
$dnsresolution, is already there; I just had to add the "my" in front of
it and add all the rest of the lines under the space with the word "my"
in front.
The PROCNETBUFF line was there and I modified it like you said, saved,
and ran it again. This is what happened:
[ohmster@ohmster conntrack-viewer-1.3]$ sudo ./conntrack-viewer.pl
Active Connections according to /proc/net/ip_conntrack
Proto Source Address Remote Address Service
State Masq Name Resolution
Use of uninitialized value in getservbyport at ./conntrack-viewer.pl line 136 (#1)
    (W uninitialized) An undefined value was used as if it were already
    defined. It was interpreted as a "" or a 0, but maybe it was a
    mistake.
    To suppress this warning assign a defined value to your variables.
    To help you figure out what was undefined, perl tells you what operation
    you used the undefined value in. Note, however, that perl optimizes your
    program and the operation displayed in the warning may not necessarily
    appear literally in your program. For example, "that $foo" is
    usually optimized into "that " . $foo, and the warning will refer to
    the concatenation (.) operator, even though there is no . in your
    program.
Use of uninitialized value in getservbyport at ./conntrack-viewer.pl line 137 (#1)
Use of uninitialized value in length at ./conntrack-viewer.pl line 150 (#1)
Use of uninitialized value in length at ./conntrack-viewer.pl line 155 (#1)
Use of uninitialized value in length at ./conntrack-viewer.pl line 165 (#1)
Use of uninitialized value in concatenation (.) or string at ./conntrack-viewer.pl line 173 (#1)
Use of uninitialized value in string at ./conntrack-viewer.pl line 173 (#1)
tcp 6 431999 ESTABLISHED src=192.168.0.90 dst=86.155.151.74 sport=52559 dport=27653 packets=247 bytes=169979 src=86.155.151.74 dst=192.168.15.100 sport=27653 dport=52559 packets=208 bytes=9436 mark=0 secmark=0 use=1
Use of uninitialized value in string ne at ./conntrack-viewer.pl line 176 (#1)
Use of uninitialized value in subroutine entry at ./conntrack-viewer.pl line 184 (#1)
Use of uninitialized value in gethostbyaddr at ./conntrack-viewer.pl line 184 (#1)
Use of uninitialized value in subroutine entry at ./conntrack-viewer.pl line 185 (#1)
Use of uninitialized value in gethostbyaddr at ./conntrack-viewer.pl line 185 (#1)
: : [???]
UNRESOLVED! > UNRESOLVED!
tcp 6 313426 ESTABLISHED src=192.168.0.90 dst=81.190.213.86 sport=59106 dport=25342 packets=23 bytes=1935 src=81.190.213.86 dst=192.168.15.100 sport=25342 dport=59106 packets=22 bytes=2450 mark=0 secmark=0 use=1
: : [???]
UNRESOLVED! > UNRESOLVED!
udp 17 3 src=192.168.0.90 dst=82.4.239.209 sport=65094 dport=65094 packets=1 bytes=105 src=82.4.239.209 dst=192.168.15.100 sport=65094 dport=65094 packets=0 bytes=0 mark=0 secmark=0 use=1
: : [???]
UNRESOLVED! > UNRESOLVED!
[ohmster@ohmster conntrack-viewer-1.3]$
(I had to stop it with control-c)
Is that what is supposed to happen? It looked so nice on the author's
page.
> Now, save, exit and test again.
[..]
>> http://www.ohmster.com/~ohmster/temp/putty.log
>
> Man, is that a slow download and it contains 99,9% of the same
> warning message...
It is a cablemodem but my roommate likes to dog it with bittorrent. I
want this script to see how bad it is and then do something about it. I
currently use iftop for now.
>> If anybody wants the conntrack perl script and cannot get it from the
>> very busy server, I have it here if you want it:
>> http://www.ohmster.com/~ohmster/misc/conntrack-viewer-1.3.tar.gz
>
>> Can somebody figure out what is wrong with this perl script and make it
>> work with Fedora please? Thank you so much.
>
> Works for me on CentOS5, which is RHEL5. You need either remove
> the "-w" switch in the shebang to get rid of the warnings, or
> declare the vars properly "my (..);" to avoid them.
What do you mean get rid of the -w, where is this -w that you are
talking about? I don't know how to declare the vars properly and am
asking for help in understanding it or at least how do you do that.
> Anything else seems to work for me. Though I am by no means a
> perl guru, the script doesn't look like rocket science to me.
>
Thanks.
> What do you mean get rid of the -w, where is this -w that you are
> talking about?
End of first line :-D
You will need to change your new conntrack-viewer.pl to look as follows:
#!/usr/bin/perl
# use strict;
# use warnings;
# use diagnostics ;
#
# ======================================================
> I don't know how to declare the vars properly and am
> asking for help in understanding it or at least how do you do that.
When you use -w or
use strict;
use warnings;
The variable has to be declared before being used, Example:
my $dstport;
and depending on what you are doing, set the var to a known state/value.
Example:
my $dstport="";
You might want to use "locate" or "find" to find *.pl programs for coding
examples.
Alternatively, try netstat-nat in this perl program's stead.
http://www.tweegy.nl/projects/netstat-nat/index.html
Theo
--
theo at van-werkhoven.nl ICQ:277217131 SuSE Linux
linuxcounter.org: 99872 Jabber:muadib at jabber.xs4all.nl AMD XP3000+ 1024MB
"I _have_ nothing against Microsoft, I have something against
the excesses *of* Microsoft"
[ perl script not working as expected ]
>>> http://www.ohmster.com/~ohmster/misc/conntrack-viewer-1.3.tar.gz
[..]
>> Works for me on CentOS5, which is RHEL5. You need either remove
>> the "-w" switch in the shebang to get rid of the warnings, or
>> declare the vars properly "my (..);" to avoid them.
> What do you mean get rid of the -w, where is this -w that you are
> talking about? I don't know how to declare the vars properly and am
> asking for help in understanding it or at least how do you do that.
There is only one "-w" in the script, in the first line, the
shebang "#!/usr/bin/perl -w"; this means to show warnings, and if you
remove "-w" it will not display them anymore. Though the better
way is to declare them, just as Bit Twister showed you.
--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvp...@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 445: Browser's cookie is corrupted -- someone's
been nibbling on it.
Well, I played with it on Mandriva Linux. It does not work like I
think it should, but I did not spend very much time on it.
I think it would be nice for it to show which service the port is,
:ssh instead of :22.
Here is a hack to test the function call for you to play with:
$ cat r.pl
#!/usr/bin/perl
use strict;
use warnings;
use diagnostics ;
use Socket;
my $line = "tcp 6 119 TIME_WAIT src=192.168.1.131 dst=62.140.213.93 sport=55976 dport=80 packets=5 bytes=661 src=62.140.213.93 dst=192.168.1.131 sport=80 dport=55976 packets=5 bytes=1219 [ASSURED] mark=0 secmark=0 use=1" ;
# my $line = "udp 17 28 src=192.168.1.131 dst=208.67.222.222 sport=1148 dport=53 packets=1 bytes=74 src=208.67.222.222 dst=192.168.1.131 sport=53 dport=1148 packets=1 bytes=106 mark=0 secmark=0 use=1" ;
my @word = "" ;
my $tmp = "" ;
my $port = 0 ;
my $protocol = "";
my $rname = "" ;
$_ = $line ;                      # copy line into $_
$_ =~ s/=/ /g ;                   # change all = signs to spaces
@word = split (" ", $_) ;         # parse $_ into word array using space separator
print "word[6] = $word[6] \n" ;   # print 7'th word in the line
$protocol = $word[0] ;
$port = $word[9] ;
$rname = getservbyport ($port, $protocol ) ;
if ($rname) {} else { $rname = $port ; }
print " $rname\n" ;
#***************** end r.pl *************************************
Here is something to test on Fedora.
You can save it and run
diff -bBw original.pl this_file.pl
to see changes made. Be careful about line wrap.
#!/usr/bin/perl
use strict;
use warnings;
use diagnostics ;
#
# ======================================================
# CONNTRACK-VIEWER version 1.3
# http://cv.intellos.net
#
# by Patrick Lagace pa...@sympatico.ca
#
# ======================================================
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
use Socket;
# Default value
my $dnsresolution=1;
my $masqueradeonly=0;
my $directonly=0;
my $showheader=1;
my $titre="Active Connections according to /proc/net/ip_conntrack";
my $dstaddr="";
my $dstname="";
my $dstport=0;
my $dstportname="";
my $fn="/proc/net/ip_conntrack" ;
# $fn="test.data" ; # create with cp /proc/net/ip_conntrack > test.data
my $i=0;
my @ip_conntrack_brut ;
my $nbspace=0;
my $plpl=0;
my $portname="";
my $proto="";
my $spacedestination="";
my $spaceport="";
my $spacesource="";
my $spacestate="";
my $srcaddr="";
my $srcname="";
my $srcport=0;
my $srcportname="";
my $state="";
my @word="" ;
# ======================================================
# READ THE COMMAND LINE SWITCH
# ======================================================
if (($#ARGV)>-1){
    for ($a=0;$a<($#ARGV+1);$a=$a+1){
        if ($ARGV[$a] eq "-n"){
            $dnsresolution=0;
        } elsif ($ARGV[$a] eq "-nh"){
            $showheader=0;
        } elsif ($ARGV[$a] eq "-m"){
            $masqueradeonly=1;
            $titre="Active MASQUERADED Connections according to /proc/net/ip_conntrack";
        } elsif ($ARGV[$a] eq "-d"){
            $directonly=1;
            $titre="Active DIRECT Connections according to /proc/net/ip_conntrack";
        } else {
            print "USAGE: ./conntrack-viewer [-n][-m][-d][-nh][-h]\n";
            print "-n Numeric form only, no dns resolution (this is faster)\n";
            print "-m Masqueraded connections only\n";
            print "-d Direct connections only\n";
            print "-nh Results only, hide header\n";
            print "-h Print this help\n";
            exit 1;
        }
    }
}
# ======================================================
# GET IP_CONNTRACK CONTENT
# ======================================================
open (PROCNETBUFF,"< $fn") or die "Opening $fn $!\n";
@ip_conntrack_brut = <PROCNETBUFF>;
close (PROCNETBUFF);
# ======================================================
# HEADER DISPLAY
# ======================================================
if ($showheader){
    print "$titre\n";
    print "Proto Source Address Remote Address Service State ";
    if (!$masqueradeonly && !$directonly){
        print "Masq";
    }
    if ($dnsresolution){
        print " Name Resolution";
    }
    print "\n";
}
# ======================================================
# INTERPRETATING EACH LINE
# ======================================================
foreach (@ip_conntrack_brut){
    $_ =~ s/=/ /g ;              # change all = signs to spaces
    @word = split (" ", $_) ;    # parse $_ into word array using space separator
    $proto = $word[0];           # save protocol
    if ($proto eq "tcp"){
        # tcp 6 119 TIME_WAIT src 192.168.1.131 dst 72.3.246.59 sport 51144 dport
        # 0   1 2   3         4   5             6   7           8     9     10
        # 80 packets 6  bytes 819 src 72.3.246.59 dst 192.168.1.131
        # 11 12      13 14    15  16  17          18  19
        # sport 80 dport 51144 packets 5  bytes 1497 [ASSURED] mark 0  secmark 0  use 1
        # 20    21 22    23    24      25 26    27   28        29   30 31      32 33  34
        $state   = $word[3];
        $srcaddr = $word[17];
        $dstaddr = $word[19];
        $srcport = $word[21];
        $dstport = $word[23];
        $plpl    = $word[34];
    } elsif ($proto eq "udp"){
        # udp 17 29 src 192.168.1.131 dst 192.168.1.131 sport 49837 dport 53
        # 0   1  2  3   4             5   6             7     8     9     10
        # packets 1  bytes 67 src 192.168.1.131 dst 192.168.1.131 sport 53 dport 49837
        # 11      12 13    14 15  16            17  18            19    20 21    22
        # packets 1  bytes 294 mark 0  secmark 0  use 1
        # 23      24 25    26  27   28 29      30 31  32
        if ($word[15] ne "src") {    # there is an extra state field in this line
            $state = $word[15] ;     # between word 14 and 15, so we need to
            $i = 1 ;                 # move the rest down 1 location.
        }
        else {
            $state = " ";
            $i = 0 ;
        }
        $srcaddr = $word[16+$i];
        $dstaddr = $word[18+$i];
        $srcport = $word[20+$i];
        $dstport = $word[22+$i];
        $plpl    = $word[32+$i];
    }
    $srcportname="";
    $dstportname="";
    if ($srcportname = getservbyport $srcport,$proto){ } else {$srcportname = "[???]";};
    if ($dstportname = getservbyport $dstport,$proto){ } else {$dstportname = "[???]";};
    if ($srcportname eq "[???]" && $dstportname eq "[???]"){$portname="[???]";}
    if ($srcportname ne "[???]" && $dstportname eq "[???]"){$portname=$srcportname;}
    if ($srcportname eq "[???]" && $dstportname ne "[???]"){$portname=$dstportname;}
    if ($srcportname ne "[???]" && $dstportname ne "[???]"){$portname=$srcportname."-".$dstportname."\t";}
    # ======================================================
    # CALCULATE THE SPACE TO COMPLETE EACH COLUMN
    # ======================================================
    $spacesource="";
    for($nbspace=1;$nbspace<25-((length $srcaddr)+(length $srcport));$nbspace=$nbspace+1){
        $spacesource=$spacesource." ";
    }
    $spacedestination="";
    for($nbspace=1;$nbspace<25-((length $dstaddr)+(length $dstport));$nbspace=$nbspace+1){
        $spacedestination=$spacedestination." ";
    }
    $spaceport="";
    for($nbspace=1;$nbspace<13-(length $portname);$nbspace=$nbspace+1){
        $spaceport=$spaceport." ";
    }
    $spacestate="";
    for($nbspace=1;$nbspace<15-(length $state);$nbspace=$nbspace+1){
        $spacestate=$spacestate." ";
    }
    # ======================================================
    # DISPLAYS THE RESULTS
    # ======================================================
    if (($masqueradeonly && ($srcaddr ne $plpl)) || (!$masqueradeonly && !$directonly)){
        print "$proto\t$srcaddr:$srcport"."$spacesource"."$dstaddr:$dstport"."$spacedestination"."$portname".$spaceport."$state"."$spacestate";
        if (!$masqueradeonly && !$directonly){
            if ($srcaddr ne $plpl){
                print "M\t";
            }else{
                print " \t";
            }
        }
        if ($dnsresolution){
            if ($srcname = gethostbyaddr(inet_aton($srcaddr),AF_INET)){ } else {$srcname = "UNRESOLVED!";};
            if ($dstname = gethostbyaddr(inet_aton($dstaddr),AF_INET)){ } else {$dstname = "UNRESOLVED!";};
            print "$srcname > $dstname";
        }
        print "\n";
    }elsif ($directonly && ($srcaddr eq $plpl)) {
        print "$proto\t$srcaddr:$srcport"."$spacesource"."$dstaddr:$dstport"."$spacedestination"."$portname".$spaceport."$state";
        if ($dnsresolution){
            if ($srcname = gethostbyaddr(inet_aton($srcaddr),AF_INET)){ } else {$srcname = "UNRESOLVED!";};
            if ($dstname = gethostbyaddr(inet_aton($dstaddr),AF_INET)){ } else {$dstname = "UNRESOLVED!";};
            print "$spacestate"."$srcname > $dstname";
        }
        print "\n";
    }
}
exit;
__END__
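The positional parsing above breaks whenever a field is optional ([ASSURED] or [UNREPLIED] present or not) or the file layout changes (nf_conntrack adds two leading columns), which is where the "uninitialized value" warnings in this thread come from. As an added example, not code from the thread or from conntrack-viewer, here is a parser that reads each entry as key=value pairs, detects masquerading by comparing the original source with the reply destination, and shows the service name where one is known. The sample lines are constructed (the first two follow output quoted earlier in the thread); no DNS lookups are made, so it runs offline.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from conntrack-viewer: read each
# conntrack entry as key=value pairs instead of fixed word positions, so the
# optional [ASSURED]/[UNREPLIED] flags and the two extra leading columns of
# /proc/net/nf_conntrack ("ipv4 2") cannot shift the fields around.
use strict;
use warnings;

# Constructed samples: the first two follow lines quoted earlier in the thread
# (ip_conntrack layout); the last two use the nf_conntrack layout. The flag
# placement and the direct (non-NAT) entry are made up for illustration.
my @sample = (
    "tcp 6 431999 ESTABLISHED src=192.168.0.90 dst=86.155.151.74 sport=52559 dport=27653 packets=247 bytes=169979 src=86.155.151.74 dst=192.168.15.100 sport=27653 dport=52559 packets=208 bytes=9436 mark=0 secmark=0 use=1",
    "udp 17 3 src=192.168.0.90 dst=82.4.239.209 sport=65094 dport=65094 packets=1 bytes=105 [UNREPLIED] src=82.4.239.209 dst=192.168.15.100 sport=65094 dport=65094 packets=0 bytes=0 mark=0 secmark=0 use=1",
    "ipv4     2 tcp      6 300 ESTABLISHED src=192.168.0.94 dst=192.0.2.10 sport=40000 dport=22 packets=10 bytes=1500 src=192.0.2.10 dst=192.168.15.100 sport=22 dport=40000 [ASSURED] mark=0 secmark=0 use=1",
    "ipv4     2 tcp      6 100 TIME_WAIT src=192.168.15.100 dst=192.0.2.53 sport=33000 dport=80 packets=6 bytes=819 src=192.0.2.53 dst=192.168.15.100 sport=80 dport=33000 [ASSURED] mark=0 secmark=0 use=1",
);

# Turn one conntrack line into a hash: proto, state, flags, the original
# tuple and the reply tuple. Returns undef for lines it cannot interpret.
sub parse_conntrack_line {
    my ($line) = @_;
    my @word = split ' ', $line;
    # nf_conntrack prefixes every entry with the layer-3 family and number.
    splice(@word, 0, 2) if @word > 2 && $word[0] =~ /^ipv[46]$/;
    return if @word < 4;
    my %e = (proto => $word[0], timeout => $word[2], state => '',
             flags => [], orig => {}, reply => {});
    my $dir = 'orig';
    for my $tok (@word[3 .. $#word]) {
        if ($tok =~ /^\[(\w+)\]$/) {             # [ASSURED], [UNREPLIED], ...
            push @{ $e{flags} }, $1;
        } elsif ($tok =~ /^([\w-]+)=(.*)$/) {
            my ($k, $v) = ($1, $2);
            # The second "src=" opens the reply direction.
            $dir = 'reply' if $k eq 'src' && exists $e{orig}{src};
            if ($k =~ /^(mark|secmark|use|zone|delta-time)$/) {
                $e{$k} = $v;                     # per-entry, not per-direction
            } else {
                $e{$dir}{$k} = $v;
            }
        } elsif (!exists $e{orig}{src}) {
            $e{state} = $tok;                    # TCP state; UDP has none
        }
    }
    return unless exists $e{orig}{src} && exists $e{reply}{src};
    return \%e;
}

# Source NAT (masquerading) shows up as a reply addressed to a different host
# than the one that opened the connection: the "M" column of the viewer.
sub is_masqueraded {
    my ($e) = @_;
    return $e->{orig}{src} ne $e->{reply}{dst};
}

# Service name for the remote port, falling back to the number (the ":ssh
# instead of :22" display discussed in the thread). The lookup is local.
sub service_name {
    my ($port, $proto) = @_;
    return '-' unless defined $port;
    my $name = getservbyport($port, $proto);
    return defined $name ? $name : $port;
}

sub format_entry {
    my ($e) = @_;
    my $o = $e->{orig};
    my $state = $e->{state} ne '' ? $e->{state} : join(',', @{ $e->{flags} }) || '-';
    return sprintf "%-5s %-22s %-22s %-10s %-12s %s",
        $e->{proto},
        "$o->{src}:" . ($o->{sport} // '-'),
        "$o->{dst}:" . ($o->{dport} // '-'),
        service_name($o->{dport}, $e->{proto}),
        $state,
        is_masqueraded($e) ? 'M' : ' ';
}

# With a file argument (the live /proc/net/*_conntrack, or a saved copy of
# it) parse that; otherwise run over the constructed samples.
my @lines = @sample;
if (@ARGV) {
    open my $fh, '<', $ARGV[0] or die "Opening $ARGV[0]: $!\n";
    @lines = <$fh>;
    close $fh;
}
printf "%-5s %-22s %-22s %-10s %-12s %s\n",
    qw(Proto Source Remote Service State Masq);
for my $line (@lines) {
    my $e = parse_conntrack_line($line) or next;
    print format_entry($e), "\n";
}
```

Reading the live table still needs root, as with the original script; the constructed samples run as any user.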
> The carbonbased lifeform Ohmster inspired alt.os.linux with:
>> I would like to use Patrick Lagacé's Conntrack-Viewer in Fedora 6 to see
>> who is logged in on NAT and what they are doing. I use the Linux box as
>> a firewall and router. Used to be one could simply do a:
>> sudo cat /proc/net/ip_conntrack
> [ >8 unwilling perl script story ]
>
> Alternatively, try netstat-nat in this perl program's stead.
> http://www.tweegy.nl/projects/netstat-nat/index.html
>
> Theo
Oh, that worked pretty well. I downloaded the Suse source RPM and built it
on my Fedora box and it works quite well. It does not show the service like
conntrack-viewer does, i.e.: Kazaa, icq, pop3, unless I have not figured
out how to work it yet, but it does seem to work. Wish it would show the
amount of traffic per connection, but iftop does that pretty well. I can
use netstat-nat to see what connections belong to who and iftop to see the
traffic flow.
Thanks Theo.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
>> Can somebody figure out what is wrong with this perl script and make it
>> work with Fedora please? Thank you so much.
>
> Well, I played with it on Mandriva Linux. It does not work like I
> think it should, but I did not spend very much time on in.
> I think it would be nice for it to show which service port
>:ssh instead of :22.
>
> Here is hack to test the function call for you to play with
>
> $ cat r.pl
Oh my goodness, you really went at it, Bit Twister! I agree, it would be neat to see
the service like Kazaa, pop3, icq, etc., rather than port 22. I tried out Theo's
netstat-nat and it works pretty well; it does give service names for what it knows,
like http, and of course a lot of port numbers, and it lists tcp connections first, then
udp connections. It does not show how much traffic is on each connection though.
That would be neat to know, just what connections are eating up the bandwidth, but
iftop does that job pretty well.
I don't think the linewrap was a problem here, Bit; you did not wrap it, or so it
seems, and from what I see, it looks good. I was able to copy and paste the
whole shebang into vim and saved it as natview, then chmodded it to executable
and ran it, even as root in case that was necessary, but the results were not good.
This is *way* over my head and I don't expect you to fix it, but here are the results
of running "natview" on my machine:
-------------------------------------------------------------------
[ohmster@ohmster scripts]$ sudo ./natview
Bareword found where operator expected at ./natview line 11, near "53 packets" (#1)
(S syntax) The Perl lexer knows whether to expect a term or an operator.
If it sees what it knows to be a term when it was expecting to see an
operator, it gives you this warning. Usually it indicates that an
operator or delimiter was omitted, such as a semicolon.
(Missing operator before packets?)
Bareword found where operator expected at ./natview line 11, near "1 bytes" (#1)
(Missing operator before bytes?)
Bareword found where operator expected at ./natview line 11, near "74 src" (#1)
(Missing operator before src?)
Bareword found where operator expected at ./natview line 11, near
"208.67.222.222 dst" (#1)
(Missing operator before dst?)
Bareword found where operator expected at ./natview line 11, near
"192.168.1.131 sport" (#1)
(Missing operator before sport?)
Bareword found where operator expected at ./natview line 11, near "53 dport" (#1)
(Missing operator before dport?)
Number found where operator expected at ./natview line 12, near "8" (#1)
(Missing semicolon on previous line?)
Bareword found where operator expected at ./natview line 12, near "8 packets" (#1)
(Missing operator before packets?)
Bareword found where operator expected at ./natview line 12, near "1 bytes" (#1)
(Missing operator before bytes?)
Bareword found where operator expected at ./natview line 12, near "106 mark" (#1)
(Missing operator before mark?)
Bareword found where operator expected at ./natview line 12, near "0 secmark" (#1)
(Missing operator before secmark?)
String found where operator expected at ./natview line 14, near "my @word = ""
(Might be a runaway multi-line "" string starting on line 12) (#1)
(Missing semicolon on previous line?)
Possible unintended interpolation of @word in string at ./natview line 12 (#2)
(W ambiguous) You said something like `@foo' in a double-quoted string
but there was no array @foo in scope at the time. If you wanted a
literal @foo, then write it as \@foo; otherwise find out what happened
to the array you apparently lost track of.
String found where operator expected at ./natview line 15, near "my $tmp = ""
(Might be a runaway multi-line "" string starting on line 14) (#1)
(Missing semicolon on previous line?)
String found where operator expected at ./natview line 17, near "my $protocol = ""
(Might be a runaway multi-line "" string starting on line 15) (#1)
(Missing semicolon on previous line?)
String found where operator expected at ./natview line 18, near "my $rname = ""
(Might be a runaway multi-line "" string starting on line 17) (#1)
(Missing semicolon on previous line?)
String found where operator expected at ./natview line 23, near "@word = split (""
(Might be a runaway multi-line "" string starting on line 18) (#1)
(Missing semicolon on previous line?)
Possible unintended interpolation of @word in string at ./natview line 18 (#2)
String found where operator expected at ./natview line 26, near "print ""
(Might be a runaway multi-line "" string starting on line 23) (#1)
(Missing semicolon on previous line?)
Bareword found where operator expected at ./natview line 26, near "print "word" (#1)
(Do you need to predeclare print?)
Backslash found where operator expected at ./natview line 26, near "] \" (#1)
(Missing operator before \?)
String found where operator expected at ./natview line 34, near "print ""
(Might be a runaway multi-line "" string starting on line 26) (#1)
(Missing semicolon on previous line?)
Scalar found where operator expected at ./natview line 34, near "print "
$rname" (#1)
syntax error at ./natview line 11, near "53 packets"
"use" not allowed in expression at ./natview line 12, near "0 "
Global symbol "@word" requires explicit package name at ./natview line 12.
Global symbol "$tmp" requires explicit package name at ./natview line 14.
Global symbol "$port" requires explicit package name at ./natview line 15.
Global symbol "$protocol" requires explicit package name at ./natview line 15.
Global symbol "$rname" requires explicit package name at ./natview line 17.
Global symbol "@word" requires explicit package name at ./natview line 18.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
./natview has too many errors (#3)
(F) Probably means you had a syntax error. Common reasons include:
A keyword is misspelled.
A semicolon is missing.
A comma is missing.
An opening or closing parenthesis is missing.
An opening or closing brace is missing.
A closing quote is missing.
Often there will be another error message associated with the syntax
error giving more information. (Sometimes it helps to turn on -w.)
The error message itself often tells you where it was in the line when
it decided to give up. Sometimes the actual error is several tokens
before this, because Perl is good at understanding random input.
Occasionally the line number may be misleading, and once in a blue moon
the only way to figure out what's triggering the error is to call
perl -c repeatedly, chopping away half the program each time to see
if the error went away. Sort of the cybernetic version of S<20
questions>.
Uncaught exception from user code:
syntax error at ./natview line 11, near "53 packets"
"use" not allowed in expression at ./natview line 12, near "0 "
Global symbol "@word" requires explicit package name at ./natview line 12.
Global symbol "$tmp" requires explicit package name at ./natview line 14.
Global symbol "$port" requires explicit package name at ./natview line 15.
Global symbol "$protocol" requires explicit package name at ./natview line 15.
Global symbol "$rname" requires explicit package name at ./natview line 17.
Global symbol "@word" requires explicit package name at ./natview line 18.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
./natview has too many errors.
at ./natview line 34
[ohmster@ohmster scripts]$
-------------------------------------------------------------------
I sure as hell do appreciate your effort though, Bit Twister.
Thank you very much.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
I need you to post the distribution release
cat /etc/redhat-release
and I also need a conntrack sample to parse. Get into a root terminal.
You may have to spin up a browser; pick
some web page, say http://www.news.com/,
and just after it comes up, in the root terminal do a
cat /proc/net/ip_conntrack > test.data
Verify test.data has udp and tcp lines before posting test.data.
Here, try this one, starting with the line #!/usr/bin/perl
#!/usr/bin/perl
use strict ; # force definations for all vars an subroutines
use warnings ; # force check of unset variables in expressions
use diagnostics ; # give var/code line number on faults
#
# ======================================================
# CONNTRACK-VIEWER version 1.3
# http://cv.intellos.net
#
# by Patrick Lagace pa...@sympatico.ca
#
# =========================================================================
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Modified Sun Mar 23 2008 to support ip_conntrack or nf_conntrack formats
#
# ===========================================================================
#
use Socket; # inet_aton, gethostbyaddr, getservbyport functions
# default values
my $deb_flg=0; # Debugging flag: read test.data instead of /proc
my $directonly=0;
my $dnsresolution=1;
my $masqueradeonly=0;
my $showheader=1;
my $dstaddr=""; # destination ip address (original direction)
my $dstname=""; # destination host name
my $dstport=0; # destination port number
my $dstportname=""; # destination port name
my $fn=""; # connection information file name
my @ip_conntrack_brut=() ; # array for connection strings
my $mdstaddr=""; # reply-direction destination ip address (the masq address when SNATed)
my $mdstport=0; # reply-direction destination port number
my $msrcaddr=""; # reply-direction source ip address
my $msrcport=0; # reply-direction source port
my $nbspace=0; # temp number of spaces storage
my $offset=0 ; # offset to protocol column (zero relative)
my $portname=""; # service name for the destination port, from /etc/services
my $proto=""; # protocol (tcp, udp, unknown,...)
my $spacedestination=""; # temp destination string for printing
my $spaceport=""; # temp port string for printing
my $spacesource=""; # temp source string for printing
my $spacestate=""; # temp state string for printing
my $srcaddr=""; # source address (original direction)
my $srcname=""; # source host name
my $srcport=0; # source port
my $srcportname=""; # source port name
my $state=""; # connection state
my $titre=""; # display header
my $tmp=""; # temp string storage
my @word=() ; # temp word array for parsing
#
# ======================================================
# Main code starts here
# ======================================================
# ==========================================
# Figure out which conntrack file to use.
# ==========================================
# Both files are readable only by root, which is why the script is run
# through sudo; -e succeeds for any user, so an ordinary user fails at open().
if ( -e "/proc/net/nf_conntrack") {
$fn = "/proc/net/nf_conntrack" ;
$offset = 2 ; # nf_conntrack prefixes each line with the L3 family (ipv4/ipv6) and its number
} elsif ( -e "/proc/net/ip_conntrack") {
$fn = "/proc/net/ip_conntrack" ;
$offset = 0 ; # ip_conntrack starts each line with the protocol name
} else {
print "\nThis distribution has neither /proc/net/nf_conntrack\n" ;
print "nor /proc/net/ip_conntrack.\n" ;
print "Program will have to be modified or it will not run\n" ;
print "on this distribution.\n" ;
exit 1 ;
}
# ======================================================
# READ THE COMMAND LINE SWITCH
# ======================================================
foreach my $arg (@ARGV){
    if ($arg eq "-n"){
        $dnsresolution=0;
    } elsif ($arg eq "-nh"){
        $showheader=0;
    } elsif ($arg eq "-m"){
        $masqueradeonly=1;
        $titre="Active MASQUERADED Connections according to $fn";
    } elsif ($arg eq "-d"){
        $directonly=1;
        $titre="Active DIRECT Connections according to $fn";
    } elsif ($arg eq "debug"){
        $deb_flg = 1 ;
    } else { # -h, or any switch we do not know
        print "USAGE: ./conntrack-viewer.pl [debug] [-n][-m][-d][-nh][-h]\n";
        print "-n Numeric form only, no dns resolution (this is faster)\n";
        print "-m Masqueraded connections only\n";
        print "-d Direct connections only\n";
        print "-nh Results only, hide header\n";
        print "-h Print this help\n";
        print "debug Assumes test.data contains test data created by a\n";
        print " cat $fn > test.data\n";
        exit ($arg eq "-h" ? 0 : 1);
    }
}
if ($deb_flg == 1) {
    $fn = "test.data" ; # see "conntrack-viewer.pl -h" for creation
}
#
# ======================================================
# GET IP_CONNTRACK CONTENT
# ======================================================
open (PROCNETBUFF,"< $fn") or die "Opening $fn $!\n";
@ip_conntrack_brut = <PROCNETBUFF>;
close (PROCNETBUFF);
# ======================================================
# HEADER DISPLAY SETUP
# ======================================================
# -m and -d set their own title above; do not overwrite it here.
$titre = "Active Connections according to $fn" if ($titre eq "");
if ($showheader){
    print "$titre\n";
    printf "%-7s %-21s %-21s %-12s %-11s", "Proto", "Source Address", "Remote Address", "Service", "State";
    if (!$masqueradeonly && !$directonly){
        print " Masq";
    }
    if ($dnsresolution){
        print " Name Resolution";
    }
    print "\n";
}
# ======================================================
# INTERPRETATING EACH LINE
# ======================================================
foreach (@ip_conntrack_brut){
    chomp ; # remove newline char.
    $tmp = $_ ; # save conntrack line
    @word = split (" ", $tmp) ; # parse based on spaces
    next unless @word ; # skip blank lines
    $proto = $word[0+$offset] ; # save protocol (tcp, udp, unknown...)
    if ($proto eq "tcp"){ # then fetch tcp's state
        $state = $word[3+$offset] ;
    } else {
        $state = " "; # other protocols have no state
    }
    # The first src=/dst= pair is the original direction, the second pair is
    # the reply direction as conntrack expects to see it come back.
    ($srcaddr, $msrcaddr) = ($tmp =~ /\ssrc=(\S+)\b/gi) ;
    ($dstaddr, $mdstaddr) = ($tmp =~ /\sdst=(\S+)\b/gi) ;
    next unless (defined $msrcaddr && defined $mdstaddr) ; # not a conntrack entry
    # ====================================================
    # just in case line does not have sport/dport fields,
    # like an unknown protocol line, we'll add them to the
    # end of line and then parse it.
    # ====================================================
    $_ = $tmp . " sport=0 dport=0 sport=0 dport=0" ;
    ($srcport, $msrcport) = ($_ =~ /\ssport=(\S+)\b/gi) ;
    ($dstport, $mdstport) = ($_ =~ /\sdport=(\S+)\b/gi) ;
    # A connection is masqueraded (SNAT) when the reply is addressed to a
    # different address than the one that opened it: original src vs reply dst.
    # Comparing original src with reply src would flag every connection,
    # because the reply src is normally just the original dst.
    my $masq = ($srcaddr ne $mdstaddr) ;
    # service name from /etc/services, "[???]" when the port is not listed there
    $portname = getservbyport($dstport, $proto) || "[???]" ;
    next if ($directonly && $masq) ;
    next if ($masqueradeonly && !$masq) ;
    printf "%-7s %-21s %-21s %-12s %-11s", $proto, "$srcaddr:$srcport", "$dstaddr:$dstport", $portname, $state ;
    if (!$masqueradeonly && !$directonly){
        printf " %-4s", ($masq ? "M" : "") ;
    }
    if ($dnsresolution){
        $srcname = resolve($srcaddr) ;
        $dstname = resolve($dstaddr) ;
        print " $srcname > $dstname" ;
    }
    print "\n" ;
} # end foreach (@ip_conntrack_brut)

# Reverse-resolve an IPv4 address (nf_conntrack may also list IPv6 entries,
# which inet_aton rejects, so those print as UNRESOLVED!). Note that this sends
# a PTR query for every remote address, and the PTR answer is chosen by whoever
# controls that reverse zone, so it is treated as untrusted data: non-printable
# bytes are replaced before it reaches the terminal. Use -n to skip lookups.
sub resolve {
    my ($addr) = @_ ;
    my $bin = inet_aton($addr) ;
    my $name = defined $bin ? gethostbyaddr($bin, AF_INET) : undef ;
    return "UNRESOLVED!" unless defined $name ;
    $name =~ s/[^\x20-\x7e]/?/g ;
    return $name ;
}
exit;
__END__
#==================== end conntrack-viewer.pl ================================
[ohmster@ohmster ~]$ cat /etc/redhat-release
Fedora Core release 6 (Zod)
[ohmster@ohmster ~]$
> and I also need a conntrack sample to parse. Get into a root terminal,
>
> You may have to spin up a browser, pick
> some web page say http://www.news.com/
> and just after it comes up, in the root terminal do a
>
> cat /proc/net/ip_conntrack > test.data
>
>
> Verify test.data has udp and tcp lines before posting test.data.
>
Okay, I got it. I did not have to run a browser; my PC and my roommie's
computer are on the net all the time, and both udp and tcp content are
present, but I really don't understand the line wrap in this file,
test.data. It seems to go on forever. Oh, it saved as a standard UNIX
ANSI text file and can be viewed with no line wrap. I might do best to
zip it and give you a link, or just post it to the web and give a link. Oh, it
shows up real well in a web browser; here ya go, Bit:
http://www.ohmster.com/~ohmster/test/test.data
What do you think? Thanks for your help.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
Wow, boy oh boy did that ever work, Bit! Does yours do the command line
switches too, Bit?
>> Usage
usage: ./conntrack-viewer [-n][-m][-d][-nh][-h]
-n Numeric form only, no dns resolution (this is faster)
-m Shows Masqueraded connections only, no direct connections
-d Shows Direct connections only, no masqueraded connections
-nh NoHeader, shows only the results without any header
-h Print this help
The output is going to wrap like crap in here, let me see if I can do
the web thingy again...
Wow, look how cool!
usage: ./conntrack-viewer [-n][-m][-d][-nh][-h]
-n Numeric form only, no dns resolution (this is faster)
-m Shows Masqueraded connections only, no direct connections
-d Shows Direct connections only, no masqueraded connections
-nh NoHeader, shows only the results without any header
-h Print this help
sudo conntrack-viewer.pl
http://www.ohmster.com/~ohmster/test/plain.data
sudo conntrack-viewer.pl -n
http://www.ohmster.com/~ohmster/test/n.data
sudo conntrack-viewer.pl -m
http://www.ohmster.com/~ohmster/test/m.data
sudo conntrack-viewer.pl -d
http://www.ohmster.com/~ohmster/test/d.data
sudo conntrack-viewer.pl -nh
http://www.ohmster.com/~ohmster/test/nh.data
sudo conntrack-viewer.pl -h
http://www.ohmster.com/~ohmster/test/h.data
It shows the service and everything! I already have it aliased to
natview as "sudo conntrack-viewer.pl" to make it easy to run. I chmodded
it to executable and keep it in my scripts directory, which is in my path,
and now with the alias it will be easier to run. Oh thanks dude, you
are...
... DA MAN!
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
> There is only one time "-w" in the script, the first line the
> shebang "#!/usr/bin/perl -w" this means to show warnings, if you
> remove "-w" it will not display them anymore. Though the better
> way is to declare them, just as Bit Twister showed you.
Ooooh Duuuuuuuuude, Twit Bister is DA MAN! Dija see he got it working?!!
Holy crap, this is great. :)
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
> It shows the service and everything! I already have it aliased to
> natview as "sudo conntrack-viewer.pl" to make it easy to run. I chmodded
> it to executable and keep it in my scripts directory that is in my path
> and now with the alias, it will be easier to run.
Glad it works on Fedora 6.
I modified it to work on any distribution which has
/proc/net/ip_conntrack or /proc/net/nf_conntrack
If you get perl diagnostic messages, you will need to do the following:
 1. run conntrack-viewer.pl -h
 2. as root, run the cat command given at the bottom of the help screen
 3. if the perl crash is reproducible, verify the error line is in
    test.data with the command
    conntrack-viewer.pl debug
 4. post the perl diagnostic messages and the line in test.data causing
    the problem.
Work it does, although Fedora 6 is now getting a bit long in the tooth.
We are up to Fedora 8 now, aren't we? I really have not had any perl
diagnostic messages; it seems to work so nicely. It might be cool if you
could color the output, say green on black, and maybe color some well-known
services like http, Kazaa, or whatever. This is just eye candy and
window dressing, but if you wanted to do it, the output would be pretty
neat.
So far so good, Bit Twister, but I will keep your advice handy and use it
to contact you if I have any problems. I did notify the original author
of conntrack-viewer-1.3 of your terrific progress and gave Patrick the
MIDs of your new script and my results posts, hoping that he would check
them out and post the updated version on his site for the benefit of
others until he can update his own. So far, no response from patrick at
patricklagace dot com. Thanks Bit!
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
[..]
> Here try this one, starting with line #!/usr/bin/perl
>
>
> #!/usr/bin/perl
> use strict ; # force declarations for all vars and subroutines
> use warnings ; # force check of unset variables in expressions
> use diagnostics ; # give var/code line number on faults
> #
> # ======================================================
> # CONNTRACK-VIEWER version 1.3
> # http://cv.intellos.net
> #
> # by Patrick Lagace pa...@sympatico.ca
[..]
Hey Bit Twister,
Your script changes work great, they even show the service that is using
the connection. I put my own NAT IP and my roommate's IP into the hosts
file so I can see at a glance who is running what. It would be nice to
filter only for Dave or ohmster but the service is my question. We get
domain, http, pop3, gwha-netbios-ssn, and a whole lot of these, [???]
things. Where does this service list come from and is there a way to add
bittorrent to the list of services, or is the bittorrent port range too
great for that? This is my primary interest in this script, to find out
when my roommie is dogging the entire net with bittorrent so I can warn
him to tone it down or just kill his NAT. I can do something like:
iptables -I FORWARD 1 -s dave -j DROP
and his Internet is gone, restore it with this:
iptables -D FORWARD -s dave -j DROP
This is possible only because dave is in my hosts file.
[ohmster@ohmster text]$ cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost
192.168.15.100 ohmster.ohmster.com ohmster #eth0 to Internet
192.168.0.1 ohmster.ohmster.com ohmster #eth1 to LAN
192.168.0.2 paula
192.168.0.3 missy
192.168.0.90 dave
[ohmster@ohmster text]$
Is there a way to use conntrack-viewer.pl to show who is using
bittorrent or Azureus to dog my net with torrents?
Thanks Bit, you did a great job!
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
Hey Theo :-)
> Your script changes work great, they even show the service that is using
> the connection. I put my own NAT IP and my roommate's IP into the hosts
> file so I can see at a glance who is running what.
Hehehe, saw your post where you were thinking of becoming a system admin.
You are seeing the tip of the iceberg about one of the admin duties.
As you are finding out, some small script hacks can make your life
much easier. Take your request for color coding a viewer line.
If you have ever executed wireshark, you might notice color coding of
lines.
You could add a color variable to the print line. Code above print
line can test for ports of interest and set the color variable to
desired color.
Yeah, I know you are not a programmer/coder. You can learn to hack out some
code to make the computer work for you, or, let the computer work you.
http://tldp.org/LDP/abs/html/index.html is not a bad read for the
beginning coder.
You could take that little test script
http://groups.google.com/group/alt.os.linux/msg/3eb055f13124627d
and use it to hack around learning to do perl. Then copy viewer.pl
into your account, and start hacking away at it using some test.data
and the debug switch.
If you were to do a locate \.pm and/or locate \.pl
you would find lots of perl code to look at for examples of perl commands.
I got stuck with a perl application as part of a layoff.
I rushed out and bought O'REILLY The Perl CD Bookshelf which has
Perl in a Nutshell
Learning Perl
Learning Perl on Win32 Systems
Programming Perl
Advanced Perl Programming
Perl Cookbook
Search All Six Books
There is a CD which allows you to search/play around in all six books.
For the system functions and whatnot I install the perl-doc package.
That allows me to research commands/functions/... Snippet example follows:
$ perldoc -f gethostbyaddr
gethostbyaddr ADDR,ADDRTYPE
getnetbyaddr ADDR,ADDRTYPE
getprotobynumber NUMBER
getservbyport PORT,PROTO
getpwent
getgrent
gethostent
getnetent
getprotoent
getservent
<snip>
These routines perform the same functions as their counterparts
in the system library. In list context, the return values from
the various get routines are as follows:
($name,$passwd,$uid,$gid,
$quota,$comment,$gcos,$dir,$shell,$expire) = getpw*
($name,$passwd,$gid,$members) = getgr*
($name,$aliases,$addrtype,$length,@addrs) = gethost*
($name,$aliases,$addrtype,$net) = getnet*
($name,$aliases,$proto) = getproto*
($name,$aliases,$port,$proto) = getserv*
<snip>
$uid = getpwnam($name);
$name = getpwuid($num);
$name = getpwent();
$gid = getgrnam($name);
That "These routines perform the same functions as their counterparts
in the system library." tells me I can do something like
$ man -k getpwuid
getpwuid (3p) - search user database for a user ID
getpwuid [getpwnam] (3) - get password file entry
getpwuid_r [getpwnam] (3) - get password file entry
getpwuid_r [getpwuid] (3p) - search user database for a user ID
to do more research on the system function of interest.
The reverse is true. You use man -k to find the system library
function then use perldoc to get perl information about the system function.
> it would be nice to
> filter only for Dave or ohmster but the service is my question.
Sounds like an easy command line flag like -src ip_here.
You put the ip_here into, say, $a_srcaddr and set a flag, say, $only_ip.
You add an if statement to set $a_srcaddr = $srcaddr if $only_ip eq 0;
Then a statement around the output code like
if ($srcaddr eq $a_srcaddr ) {
[ all that output print code here. ]
}
> We get domain, http, pop3, gwha-netbios-ssn, and a whole lot of
> these, [???] things. Where does this service list come from
getservbyport looks up the port number by protocol in /etc/services.
> and is there a way to add bittorrent to the list of services
grep torrent /etc/services and see what you can see.
> or is the bittorrent port range too great for that?
If port number is not in /etc/services you get the "[???]" field. :(
> This is my primary interest in this script, to find out
> when my roommie is dogging the entire net with bittorrent so I can warn
> him to tone it down or just kill his NAT. I can do something like:
> iptables -I FORWARD 1 -s dave -j DROP
Saw an article awhile back about comcast inserting a re[send,set,..]
or something record to automagically throttle their torrent users. :)
> and his Internet is gone, restore it with this:
> iptables -D FORWARD -s dave -j DROP
Sounds like you need a filter rule in iptables to throttle torrent connection.
As you have seen, it will be a bit of a chore to figure out if it is a
torrent connection or not.
Saw an article on port knocking which would play with iptables rules.
Might want to fetch knock source to see what you can see about the
daemon/service (knockd) and client (knock).
Downside is having to learn another programming language. :(
> Is there a way to use conntrack-viewer.pl to show who is using
> bittorrent or Azureus to dog my net with torrents?
At best, viewer would have to be on the node to run down who is running
what app on a given connection.
Once you are no longer on the node it gets a bit harder
and it becomes a simple matter of programming. :-D
It would not be too _hard_ to create a daemon/service to accept request
to provide user id for a given connection. If there is no Network Address
Translation between the two nodes. :(
Hard is a relative term. If you know what you are doing, you start coding.
If not, you grab the source of programs which have elements of what
you need, find the function in the app's source then look up that
function in the language you are coding in.
Doing a netstat -anp
seems to get lots of the info you wanted so netstat would be the source
code to look through to find the functions looking up connection, pid and
application.
Other commands to play with
netstat -pt
netstat -tupan
netstat -pvlA inet 2
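Added example (not part of the thread, and not Bit Twister's or Patrick's script): the three ideas above, a -src style filter, the /etc/services lookup behind the Service column, and color coding of ports of interest, written out in Python over a few constructed conntrack lines in both the ip_conntrack and nf_conntrack layouts. The sample lines, the small service table standing in for /etc/services, the function names, and the 6881-6889 range used to spot BitTorrent are all assumptions made for this example; on a live router the input comes from /proc/net/nf_conntrack read as root, and socket.getservbyport(port, proto) would replace the table. Note how masquerading is detected: the original source address is compared with the reply destination, which is the address the reply is actually sent back to.

```python
"""Parse /proc/net/ip_conntrack or /proc/net/nf_conntrack lines and report NAT,
service and source-host information.  Added example, not the thread's script."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not a real capture): ip_conntrack layout, one
# nf_conntrack layout line, and one entry without ports (IGMP shows as unknown/2).
SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.0.90 dst=203.0.113.10 sport=51234 dport=6881 src=203.0.113.10 dst=192.168.15.100 sport=6881 dport=51234 [ASSURED] use=1
udp      17 29 src=192.168.0.90 dst=192.168.0.1 sport=33333 dport=53 src=192.168.0.1 dst=192.168.0.90 sport=53 dport=33333 use=1
ipv4     2 tcp      6 300 TIME_WAIT src=192.168.15.100 dst=203.0.113.20 sport=40000 dport=80 src=203.0.113.20 dst=192.168.15.100 sport=80 dport=40000 [ASSURED] mark=0 zone=0 use=2
unknown  2 599 src=192.168.0.90 dst=224.0.0.1 src=224.0.0.1 dst=192.168.0.90 use=1
"""

# Small stand-in for /etc/services (assumption); a live box would call
# socket.getservbyport(port, proto) instead.
SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 80): "http", ("tcp", 110): "pop3", ("tcp", 139): "netbios-ssn",
    ("udp", 53): "domain", ("tcp", 6881): "torrent",
}
BITTORRENT_PORTS = range(6881, 6890)   # conventional client range; a client can move


@dataclass
class Conn:
    proto: str
    state: str
    osrc: str          # original tuple: who opened the connection
    odst: str
    osport: int
    odport: int
    rsrc: str          # reply tuple: where the answer is sent
    rdst: str
    rsport: int
    rdport: int

    def masqueraded(self) -> bool:
        # SNAT/MASQUERADE rewrites the source, so the reply goes back to a
        # different address than the one that opened the connection.
        return self.osrc != self.rdst

    def dnatted(self) -> bool:
        # DNAT rewrites the destination, so the reply comes from somewhere else.
        return self.odst != self.rsrc


def parse_line(line: str) -> Optional[Conn]:
    words = line.split()
    if not words:
        return None
    # nf_conntrack prefixes every line with the L3 family name and number.
    off = 2 if words[0] in ("ipv4", "ipv6") else 0
    proto = words[off]
    state = words[off + 3] if proto == "tcp" else ""
    srcs = re.findall(r"\bsrc=(\S+)", line)
    dsts = re.findall(r"\bdst=(\S+)", line)
    if len(srcs) != 2 or len(dsts) != 2:
        return None                        # not a conntrack entry
    # Protocols without ports have no sport/dport fields; use 0 like the script.
    sports = [int(p) for p in re.findall(r"\bsport=(\d+)", line)] or [0, 0]
    dports = [int(p) for p in re.findall(r"\bdport=(\d+)", line)] or [0, 0]
    return Conn(proto, state, srcs[0], dsts[0], sports[0], dports[0],
                srcs[1], dsts[1], sports[1], dports[1])


def parse_table(text: str) -> List[Conn]:
    return [c for c in map(parse_line, text.splitlines()) if c]


def service_name(proto: str, port: int, table=SERVICES) -> str:
    return table.get((proto, port), "[???]")   # the "[???]" seen in the thread


def looks_like_torrent(c: Conn) -> bool:
    return c.odport in BITTORRENT_PORTS or c.osport in BITTORRENT_PORTS


def connections_from(conns: List[Conn], addr: str) -> List[Conn]:
    """The -src style filter: keep entries opened by this original source."""
    return [c for c in conns if c.osrc == addr]


def render(c: Conn, color: bool = False) -> str:
    svc = service_name(c.proto, c.odport)
    flags = ("M" if c.masqueraded() else "-") + ("D" if c.dnatted() else "-")
    row = "%-7s %-21s %-21s %-12s %-11s %s" % (
        c.proto, f"{c.osrc}:{c.osport}", f"{c.odst}:{c.odport}", svc, c.state, flags)
    if color and looks_like_torrent(c):
        row = "\033[31m" + row + "\033[0m"      # red: a port of interest
    return row


if __name__ == "__main__":
    # On a real router read open("/proc/net/nf_conntrack") as root instead of SAMPLE.
    for conn in parse_table(SAMPLE):
        print(render(conn, color=True))
```

Run as-is it prints the four sample rows with the torrent row in red and an M flag on the one that went through MASQUERADE. The port range check is only a hint: a client can be configured to use any port, which is the caveat given above about telling torrent connections apart from the conntrack table alone.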
Well, when you get older and start pushing 50, you tend to want work
where you can make your brains and experience pay off rather than your
back and muscles. Especially with mortgages and bills that just don't
ever stop. :)
Pipe dream I think though. It is quite clear from just trying to
comprehend everything that you have talked about in this post in detail
that I do not have the necessary experience to do any kind of senior
admin job. :(
I know basic stuff, how to set up a network, servers, daemons, mail,
services, and some general admin duties but nothing like a university or
a company like HP might be looking for. I also know where to go for help
and I think that counts for a lot, like here, for one thing, but that
would not get the job done in a timely manner with such an approach.
I had really hoped to learn enough as time went by to maybe get a job in
a small library or something and a small network when I got older but
serious admin, programming, hacks, and scripting is not something you
can just "pick up" and get good at. It takes years of study and hands on
to excel at it. You sure have a tidy pocket of knowledge and experience
under your belt, Bit Twister and have helped me a lot in the past.
Thanks buddy.
This post is so rich in content that I will save it and go back over it
again and again to leech more out of it and trim much of it for my
followup here.
[..]
> Yeah, I know you are not a programmer/coder. You can learn to hack out some
> code to make the computer work for you, or, let the computer work you.
True.
> http://tldp.org/LDP/abs/html/index.html is not a bad read for the
> beginning coder.
I love the CLI and shell scripts. This is an excellent reference and
primer, I have it bookmarked now.
> You could take that little test script
> http://groups.google.com/group/alt.os.linux/msg/3eb055f13124627d
> and use it to hack around learning to do perl. Then copy viewer.pl
> into your account, and start hacking away at it using some test.data
> and the debug switch.
>
> If you were to do a locate \.pm and/or locate \.pl
> you would find lots of perl code to look at for examples of a perl commands.
I bookmarked the test script and tried the locate commands, wow, that is
a lot of output, there is quite a bit of perl stuff on my system to
examine, it would seem. I did not know you could use locate that way to
find files by extension. I would have thought "locate *.pm", which seems
to work. How come you use a backslash for a wildcard instead of an
asterisk and is that widely accepted?
> I got stuck with a perl application as part of a layoff.
> I rushed out and bought O'REILLY The Perl CD Bookshelf which has
> Perl in a Nutshell
> Learning Perl
> Learning Perl on Win32 Systems
> Programming Perl
> Advanced Perl Programming
> Perl Cookbook
All good books, I use Linux In A Nutshell myself.
What follows next is too complex for me to address right now, time to
trim.
[..]
>> it would be nice to
>> filter only for Dave or ohmster but the service is my question.
[.]
Too much coding that I don't understand enough to comment on right now,
snipped.
>> We get domain, http, pop3, gwha-netbios-ssn, and a whole lot of
>> these, [???] things. Where does this service list come from
>
> getservbyport looks port number by protocol in /etc/services.
Holy crap, that is a huge list of ports and services. What a neat
resource!
>> and is there a way to add bittorrent to the list of services
>
> grep torrent /etc/services and see what you can see.
Nothing. I would have to lookup bittorrent and see if it sticks to any
standard ports or if it opens tons of random high order ports. If there
were a few, could I edit /etc/services to include the torrent ports?
>> or is the bittorrent port range too great for that?
>
> If port number is not in /etc/services you get the "[???]" field. :(
Understood.
>> This is my primary interest in this script, to find out
>> when my roommie is dogging the entire net with bittorrent so I can warn
>> him to tone it down or just kill his NAT. I can do something like:
>> iptables -I FORWARD 1 -s dave -j DROP
>
> Saw an article awhile back about comcast inserting a re[send,set,..]
> or something record to automagically throttle their torrent users. :)
He does throttle it down to 100K down and 50K up now. In the beginning
he ran it wide open, and even with cable modem service at 12Mbps down and
380Kbps up, he was still soaking up all the bandwidth; it would take
over 30 seconds per mouse click to see any page or links.
Now he says he only throttles it up at night while I am asleep, and turns it
back down again.
>> and his Internet is gone, restore it with this:
>> iptables -D FORWARD -s dave -j DROP
>
> Sounds like you need a filter rule in iptables to throttle torrent connection.
> As you have seen, it will be a bit of a chore to figure out if it is a
> torrent connection or not.
wondershaper is supposed to do that and I do run it now. I am not sure
if it can be configured further, I think it can, to handle QOS and
bandwidth for a specific IP on the LAN. Before wondershaper, FTP
and HTTP downloads would eat my bandwidth so bad that I had to do
something and wondershaper did just the trick. Have you seen the
wondershaper script?
http://lartc.org/wondershaper/
http://freshmeat.net/projects/wshaper/
[..]
Port knocking is too complicated for me to address at this moment, will
study and be back with more questions later, I am sure.
> Saw an article on port knocking which would play with iptables rules.
> Might want to fetch knock source to see what you can see about the
> daemon/service (knockd) and client (knock).
> Downside is having to learn another programming language. :(
>
>> Is there a way to use conntrack-viewer.pl to show who is using
>> bittorrent or Azureus to dog my net with torrents?
Saw your answer and it is quite a complicated issue, I can see. The only
other person on my LAN is Dave and I know he would be the one, just
wondering if there were a particular connection or connections that I
might wish to throttle back myself, as the Fedora box *is* the router
and I did it that way purposely instead of using the Linksys for this so
that I could experiment, play, and learn. I did save the post for future
study and will be back and forth with what I learn and more questions.
I will trim it for the sake of posting and thanks again for all of your
terrific help, Bit Twister. A Serious Senior System and Network Admin I
may never be, but I cannot help but to love this stuff and want to learn
more. My next step is probably to move up from Fedora 6 as I do not want
to be left out in the cold with an EOL OS.
[..]
Would be needed if using something like ls :)
> which seems to work.
No asterisk needed, try locate .pm
Some times I'll use grep to restrict results
locate .pm | grep test | grep -v webmin
> How come you use a backslash for a wildcard instead of an
> asterisk and is that widely accepted?
In some expressions the period is a wildcard for one character, so I
pop in a backslash as a bad habit in searches. :(
You may want to bookmark
http://www.greenend.org.uk/rjk/2002/06/regexp.html
> Holy crap, that is a huge list of ports and services. What a neat
> resource!
for malware port numbers there is
http://lists.thedatalist.com/portlist/lookup.php?port=
https://secure.dshield.org/port.html?port=
>> grep torrent /etc/services and see what you can see.
>
> Nothing.
Hmmm, $ grep torrent /etc/services
torrent 6881/tcp # bittorrent
on Mandriva Linux
> My next step is probably to move up from Fedora 6 as I do not want
> to be left out in the cold with an EOL OS.
Saw that Fedora 9 should be out around May. If me, I would play with
the beta just to see what might hurt later.
http://www.phoronix.com/scan.php?page=article&item=fedora9_beta&num=1
Oh duh, yeah that's right. Locate does not need any of that stuff. :P
>> which seems to work.
>
> No asterisk needed, try locate .pm
> Some times I'll use grep to restrict results
>
> locate .pm | grep test | grep -v webmin
Yes yes, very good. It works quite well as you can see:
[ohmster@ohmster bench]$ locate .pm | grep test | grep -v webmin
/usr/lib/perl5/5.8.8/filetest.pm
/usr/lib/perl5/5.8.8/ExtUtils/testlib.pm
/usr/lib/perl5/5.8.8/i386-linux-thread-multi/XS/APItest.pm
[ohmster@ohmster bench]$
>
>> How come you use a backslash for a wildcard instead of an
>> asterisk and is that widely accepted?
>
> In some expressions the period is a wild card for one character so I
> pop in a backslash as a bad habit in searches. :(
Ahhh, I see now.
> You may want to bookmark
> http://www.greenend.org.uk/rjk/2002/06/regexp.html
Oh God, that is an excellent Regex Reference. I bookmarked it, wish to
learn it someday. It is hard as fuck to learn Regex, but I know it would
come in super handy just to know, so far as score sheets and even ad
filters for Firefox like with AdBlock and RIP. Regex really should be
what I learn next, like it or not. I even saved the page and tailored it
a bit with Dreamweaver for my own usage. Neat page, thanks.
>> Holy crap, that is a huge list of ports and services. What a neat
>> resource!
>
> for malware port numbers there is
> http://lists.thedatalist.com/portlist/lookup.php?port=
> https://secure.dshield.org/port.html?port=
Got them.
>>> grep torrent /etc/services and see what you can see.
>>
>> Nothing.
>
> Hmmm, $ grep torrent /etc/services
> torrent 6881/tcp # bittorrent
>
> on Mandriva Linux
Not on Fedora. I will have to do a net search for Torrent ports and see
if I can find a common set of ports or if they are all over the place.
>
>> My next step is probably to move up from Fedora 6 as I do not want
>> to be left out in the cold with an EOL OS.
>
> Saw that Fedora 9 should be out around May. If me, I would play with
> the beta just to see what might hurt later.
> http://www.phoronix.com/scan.php?page=article&item=fedora9_beta&num=1
I have servers that I use and depend on with this linux box, cannot
screw around with beta too much because of it. I am afraid the upgrades
will break my shit but so far, the Fedora upgrades have been sweet.
Thanks again Bit.
I know money is tight, same here. But, my regular surfing pc serves
as my testbed. I keep a few spare ~12 partitions I use for testing
installs. That way I can test new installs and still have a fallback
in case it goes into the ditch.
$ grep title /boot/grub/menu.lst
title linux
title 2008_1_rc2
title 2008_0
title 2007_1
title Fc7
title Ubuntu 7.10
title hotbu
title fc8
title 2008.1_64
title fedora_iso
title runlevel 1
title XP_Home
Hey that's pretty good. You have all of that in grub? Wow. What is runlevel
1, linux single user mode?
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
>> title fedora_iso
>> title runlevel 1
>> title XP_Home
>>
>
> Hey that's pretty good. You have all of that in grub?
Yes. I used to have the same kind of thing in lilo. One nice feature
of grub is that it will allow you to use the installation's menu.lst
title Fc7
root (hd0,11)
configfile /boot/grub/menu.lst
> Wow. What is runlevel 1, linux single user mode?
Yes, you can make it whatever you like.
title failsafe
kernel (hd0,9)/boot/vmlinuz BOOT_IMAGE=failsafe root=LABEL=2008_1 failsafe
initrd (hd0,9)/boot/initrd.img
grub is pretty neat once you get used to it. I cut my eye teeth on lilo
and then grub came along but grub is a lot nicer.
>> Wow. What is runlevel 1, linux single user mode?
>
> Yes, you can make it whatever you like.
> title failsafe
> kernel (hd0,9)/boot/vmlinuz BOOT_IMAGE=failsafe root=LABEL=2008_1 failsafe
> initrd (hd0,9)/boot/initrd.img
I see. You are getting way too much respect from me to get away with
calling you "Twit Bister" unless you really don't mind. I like to play
with words and most "brainy", "engineering people" do the same thing. If
it bothers you, I won't do it anymore. But there is nothing but
reverence here, no disrespect at all Bit.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)