Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head

Running this command is supposed to show top connecting IPs.

I'm having trouble with converting the hex to IP addresses. Any success?

I'm using sites and they are just giving me incomplete numbers.

Admin

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Think of the hex number as having dots after every second number.
Convert each of those numbers to hex, you have your IP address.

For example: c0000264 = c0.00.02.64 = 192.0.2.100
Employee

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

I use the following site, and it converts every time for me:

https://www.browserling.com/tools/hex-to-ip

When using your command example above, the output is correct, and converted correctly using the site above.

[Expert@LabR8030:0]# fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
1 ac1aa202,
1 0a0101fb,
1 0a01010f,

Do not include the leading '1' when inputting to the website.

However, the nature of your task has been provided by Check Point in a more verbose tool.

I would highly recommend using the "ConnStat" Tool, provided by Check Point.

It will provide top-talkers, top-rules, top-services, etc...

Please find sk85780 - How to use the 'connstat' utility.

Nickel

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Thanks, how do you specify which firewall to run it on?

Admin

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

connstat runs on a Windows machine.
It processes output taken from whatever firewall you dump the connections table from.

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Hi @C_M,

This will give you the IP address in decimal for R80.30. 🙂

Top source:

fw tab -u -t connections -f |awk '{print $19}' |grep -v "+" |grep -v "^$" | sed 's/;/ /g' | sort -n | uniq -c | sort -nr | head

Top destination:

fw tab -u -t connections -f |awk '{print $23}' |grep -v "+" |grep -v "^$" | sed 's/;/ /g' | sort -n | uniq -c | sort -nr | head

 

Nickel

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Great, thanks!

Nickel

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

When I ran it I didn't get any IPs.

Ivory

Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

nice


Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Hi @C_M 

I created and tested this with R80.30.
If you are using R80.10 or R80.20, you need another field in "...awk '{print $XX}' ..." for the source IP. Depending on the version, the fields are different in the state table.

22:07:24 5 N/A N/A 149.213.248.222 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 1; Source: 49.21.28.22; SPort: 22; Dest: 49.23.28.8; DPort: 1981; Protocol: tcp; CPTFMT_sep_1: ->; .....

 

 


Re: Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | h

Or use this one-liner in your script to convert a hex IP into a dec IP:

printf '%d.%d.%d.%d\n' $(echo $ip | sed 's/../0x& /g')
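
Added example, not posted by anyone in this thread: the printf one-liner wrapped so it can be piped after the original `... | uniq -c | sort -nr | head` command, stripping the trailing comma and skipping anything that is not exactly 8 hex digits. The function names and the sample input are assumptions made for illustration; the hex values are the ones quoted in the thread.

```shell
#!/bin/sh
# hex2ip: convert one 8-digit hex IPv4 value (e.g. c0000264) to dotted decimal.
# A trailing comma, as seen in the output quoted in the thread, is stripped.
# Anything that is not exactly 8 hex digits returns 1 and prints nothing.
hex2ip() {
    h=${1%,}
    case $h in
        *[!0-9a-fA-F]*|'') return 1 ;;
    esac
    [ "${#h}" -eq 8 ] || return 1
    # Same idea as the one-liner in the thread: prefix each byte with 0x
    # so that printf %d reads it as hex. Word splitting here is intentional.
    printf '%d.%d.%d.%d\n' $(printf '%s' "$h" | sed 's/../0x& /g')
}

# convert_counts: read "COUNT HEX," lines (uniq -c output) on stdin and
# print "COUNT IP". Lines whose second field is not a hex IP are skipped.
convert_counts() {
    while read -r count hex _; do
        ip=$(hex2ip "$hex") || continue
        printf '%s %s\n' "$count" "$ip"
    done
}

# Constructed sample input. The counts and the "dynamic," line are made up;
# the hex values are taken from the thread.
sample_counts() {
    cat <<'EOF'
      3 c0000264,
      1 ac1aa202,
      1 0a0101fb,
      1 dynamic,
EOF
}

# Demo on the constructed sample. On a gateway, pipe the original command
# into convert_counts instead.
sample_counts | convert_counts
```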