topic Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h in Firewall and Security Management

Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head

C_M — Tue, 21 Jan 2020 15:03:05 GMT

Runnning this command is supposed to show top connecting ips.

I'm having trouble with converting the hex to ip addresses. Any success?

I'm using sites and they are just giving me incomplete numbers.

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

PhoneBoy — Wed, 22 Jan 2020 03:23:53 GMT

Think of the hex number as having dots after every second number.
Convert each of those numbers to hex, you have your IP address.

For example: c0000264 = c0.00.02.64 = 192.0.2.100

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

SSlater — Wed, 22 Jan 2020 04:19:23 GMT

I use the following site, and it converts every time for me:

https://www.browserling.com/tools/hex-to-ip

When using your command example above, the output is correct, and converted correctly using the site above.

[Expert@LabR8030:0]# fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
1 ac1aa202,
1 0a0101fb,
1 0a01010f,

Do not include the leading '1' when inputting to the website.

However, the nature of your task has been provided by Check Point in a more verbose tool.

I would highly recommend using the "ConnStat" Tool, provided by Check Point.

It will provide top-talkers, top-rules, top-services, etc...

Please find sk85780 - How to use the 'connstat' utility.

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

C_M — Wed, 22 Jan 2020 15:03:09 GMT

Thanks, how do you specify which firewall to run it on?

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

PhoneBoy — Wed, 22 Jan 2020 17:38:11 GMT

connstat runs on a Windows machine.
It processes output taken from whatever firewall you dump the connections table from.

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

HeikoAnkenbrand — Wed, 22 Jan 2020 21:17:32 GMT

Hi @C_M,

This will give you the IP address in decimal for R80.30. 🙂

Top source:

fw tab -u -t connections -f |awk '{print $19}' |grep -v "+" |grep -v "^$" | sed 's/;/ /g' | sort -n | uniq -c | sort -nr | head

Top destination:

fw tab -u -t connections -f |awk '{print $23}' |grep -v "+" |grep -v "^$" | sed 's/;/ /g' | sort -n | uniq -c | sort -nr | head

Picture:

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

C_M — Wed, 22 Jan 2020 20:52:08 GMT

Great, thanks!

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

C_M — Wed, 22 Jan 2020 21:01:12 GMT

When I ran it I didn't get any IPs.

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

mike123 — Wed, 22 Jan 2020 21:01:53 GMT

nice

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

HeikoAnkenbrand — Wed, 22 Jan 2020 21:15:40 GMT

Hi @C_M

I created and tested this with R80.30.
If you are using R80.10 or R80.20, you need an other field in "...awk '{print $XX}' .... for the source IP. Depending on the version the fields are different in the state table.

22:07:24 5 N/A N/A 149.213.248.222 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 1; Source: 49.21.28.22; SPort: 22; Dest: 49.23.28.8; DPort: 1981; Protocol: tcp; CPTFMT_sep_1: ->; .....

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

HeikoAnkenbrand — Wed, 22 Jan 2020 23:17:13 GMT

Or use this one-liner in your script to convert a hex IP in a dec IP:

printf '%d.%d.%d.%d\n' $(echo $ip | sed 's/../0x& /g')

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Greg_Dunlap — Mon, 06 Apr 2020 19:08:58 GMT

don't know if you run into this a lot. but sometimes its quicker to dump the conn table in hex to a file and convert it.

i wrote a python tool to do this

https://github.com/celticcow/hex2ip

you take the output of fw tab -t connections -u > file.txt
run the ./hex.py -f file.txt and it outputs the single connection entries

souce_ip source_port -> dest_ip dest_port protocl_number lifetime

so you can send that to a file and sort it at leasure.

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Millo — Wed, 30 Mar 2022 13:17:04 GMT

Hi everyone

someone can help me to understand the number near the exadecimal value (for instance 111744) showed by command?

Seems to be not the number of connection for that ip cause it's pretty higher than the #VALS number of connection showed by fw tab -t connections -s.

[Expert@FW]# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 57162 320240 171450

[Expert@FW]# fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
111744 0aef9e40,
57800 0ac04318,
53923 0ac0431a,
734 0aef0ae6,
636 0aef0568,
634 0a0ab464,
382 0a33dc74,
276 0aef070a,
272 0aef0ae9,
254 0a130f39,

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Zolo — Sat, 07 Sep 2024 07:39:30 GMT

Hello Millo,

Better late than never 😀

I think the the difference arises from the fact that the connection table also contains slinks.
So if you add the SLINKS and VALS values (228612), 111744 is not that high anymore 😁

Only the SLINKS:
fw tab -t connections -u | grep "\->" | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head

Only the VALS:
fw tab -t connections -u | grep -v "\->" | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head

VALS & SLINKS together:
fw tab -t connections -u | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head