Formatted Connection Table - ONELINER

HeikoAnkenbrand — Tue, 24 Aug 2021 14:41:16 GMT

It is not nice when the "fw ctl conntab" is displayed in an unformatted format. In this way, one always searches for the correct connections with the parameters in the output. I have created a nice overview "sorted by rule numbers". An easy connection table version:-)

When you execute this oneliner, a new cli command "econntab" is created:

cat <<EOT > /usr/bin/econntab printf '%.s-' {1..132};echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State";printf '%.s-' {1..132};fw ctl conntab | awk '{print \$6 " "\$2 \$3 \$4 " "\$5 " "\$8}' | sed -e 's/src=//g' | sed -e 's/\],dest=\[/ /g' | sed -e 's/\],/ /g' | sed -e 's/)\;//g' | sed -e 's/\[//g' | sed -e 's/rule\=/ /g' | sed -e 's/\,/ /g' | sed -e 's/state\=/ /g' | sed -e 's/Ifn[c,s]in\=[0-9]*//g' | sed -e 's/Ifn[c,s]out\=[0-9]*//g' | awk '{printf "%.6s \t%10s \t%15s \t%6s \t%15s \t%7s \t%10s \t%20s \n", \$1, \$6, \$2, \$3 ,\$4, \$5, \$7 ,\$8}' 2>&1 | sort -n | uniq EOT chmod 770 /usr/bin/econntab

After that, you only need to execute the following cli command in expert mode:

# econntab

With grep you can search for many interesting parameters of the connection table:

# econntab | grep SYN_SENT                                                            --> connections that have only sent one TCP SYN packet
# econntab | grep FIN                                                                         --> connections that are in the process of being disconnected
# econntab | grep ^'61'                                   --> for example all connections of the rule 61
# econntab | grep 1.1.1.1                                                                    --> all connections for IP 1.1.1.1
# econntab | grep ICPM                                                                      --> all ICPM connections
# econntab | grep ' 443 ' | grep "SYN"                                              --> all https connections in "SYN" state
# econntab | grep ' [0-9]/'                                                                  --> all connections that time out in the next 10 seconds
# econntab | grep -E '^[1-9][0-9][0-9][0-9][0-9][0-9]'                   --> all implied rules
# econntab | grep -v -E '^[1-9][0-9][0-9][0-9][0-9][0-9]'               --> all without implied rules
# econntab | grep '00000070'                                                             --> VRRP connections
# econntab | grep '0000002f'                                                             --> GRE connections

PS:
If you see rules >100000, this is not an error, but it is an implied rule.

Re: Formatted Connection Table - ONELINER

IgorWeller — Tue, 24 Aug 2021 19:25:30 GMT

@HeikoAnkenbrand very nice script. 👍

There is a small issue present. In the state field I see an Ifncin=21 in some lines.

Re: Formatted Connection Table - ONELINER

HeikoAnkenbrand — Wed, 25 Aug 2021 05:57:36 GMT

I have added the following to the latest version to eliminate the bug.

| sed -e 's/Ifn[c,s]in\=[0-9]*//g' | sed -e 's/Ifn[c,s]out\=[0-9]*//g'

Re: Formatted Connection Table - ONELINER

Ralf_Schirmer — Thu, 26 Aug 2021 07:10:08 GMT

Great oneliner!

Re: Formatted Connection Table - ONELINER

JuPo — Tue, 21 Dec 2021 22:40:58 GMT

@HeikoAnkenbrand love the script.

BTW Is there any reason for not making the oneliner shorter using sed 's///g;s///g;s///g' instead of sed s///g | s///g | s ///g ?

printf '%.s-' {1..132};echo -e "\nRule Proto Source IP S-Port Destination IP D-Port Timeout State";printf '%.s-' {1..132};fw ctl conntab | awk '{print \$6 " "\$2 \$3 \$4 " "\$5 " "\$8}' | sed -e 's/src=//g;s/\],dest=\[/ /g;s/\],/ /g;s/)\;//g;s/\[//g;s/rule\=/ /g;s/\,/ /g;s/state\=/ /g;s/Ifn[c,s]in\=[0-9]*//g;s/Ifn[c,s]out\=[0-9]*//g' | awk '{printf "%.6s \t%10s \t%15s \t%6s \t%15s \t%7s \t%10s \t%20s \n", \$1, \$6, \$2, \$3 ,\$4, \$5, \$7 ,\$8}' 2>&1 | sort -n | uniq

topic Re: Formatted Connection Table - ONELINER in Scripts

Formatted Connection Table - ONELINER

Re: Formatted Connection Table - ONELINER

Re: Formatted Connection Table - ONELINER

Re: Formatted Connection Table - ONELINER

Re: Formatted Connection Table - ONELINER