May 12 2010

Monitoring inbound and outbound network connections

Published by amjad at 4:16 pm under Centos, Debian, Fedora, Network, Red Hat, Ubuntu

Ever found yourself in need of knowing all, or some specific, incoming and outgoing network connections? There is a little utility that will happily log inbound or outbound network connections based on rules you set up.
tcpspy is an administrator’s tool that logs information about incoming and outgoing TCP/IP connections including local address, remote address, and the username of the user responsible for the connection. Connections are selected for logging with rules, similar to the filter expressions accepted by tcpdump and other libpcap-based applications (tcpspy does not, however, use libpcap).

First install the monitoring tool. For apt-based systems, we install it as:

aptitude install tcpspy

Once installed, it starts as a daemon and begins logging all incoming and outgoing TCP connections to syslog.

If you want to log only a particular type of connection, say all connections to port 22 (ssh), then the rules file comes in handy. In /etc/tcpspy.rules, just put in:

lport 22

That alone will accomplish it. It’s that easy. Of course, you need to restart the tcpspy service for the new rule to take effect:

/etc/init.d/tcpspy restart

Alternatively, you can replace 22 with ssh, or with any other service name listed in /etc/services, to log connections for that service.

Limiting monitoring to a specific network is also incredibly easy. Let’s suppose for a moment that I want to log all TCP connections from my local network, 192.168.22.0/24. I would simply put the following in /etc/tcpspy.rules (the /24 netmask makes the rule match the whole network rather than the single address 192.168.22.0):

raddr 192.168.22.0/24

The fun does not stop there. I can even log connections initiated or accepted by a specific local user, like so:

user "username"

For more info, visit http://directory.fsf.org/project/tcpspy/ or see the manual page for tcpspy.

Please stay tuned for more fun and exciting stuff to come.

Learning should be FUN :)
