CheckMates > Security Gateways
Top connections fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
Running this command is supposed to show the top connecting IPs.
I'm having trouble with converting the hex to IP addresses. Any success?
I'm using sites and they are just giving me incomplete numbers.
Accepted Solutions
Hi @C_M,
This will give you the IP address in decimal for R80.30. 🙂
Top source:
fw tab -u -t connections -f |awk '{print $19}' |grep -v "+" |grep -v "^$" | sed 's/;/ /g' | sort -n | uniq -c | sort -nr | head
Top destination:
fw tab -u -t connections -f |awk '{print $23}' |grep -v "+" |grep -v "^$" | sed 's/;/ /g' | sort -n | uniq -c | sort -nr | head
Convert each of those numbers to hex and you have your IP address.
For example: c0000264 = c0.00.02.64 = 192.0.2.100
I use the following site, and it converts every time for me:
https://www.browserling.com/tools/hex-to-ip
When using your command example above, the output is correct, and converted correctly using the site above.
[Expert@LabR8030:0]# fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
1 ac1aa202,
1 0a0101fb,
1 0a01010f,
Do not include the leading '1' when inputting to the website.
However, Check Point provides a more verbose tool for this kind of task.
I would highly recommend using the "connstat" tool provided by Check Point.
It will provide top talkers, top rules, top services, etc.
Please see sk85780 - How to use the 'connstat' utility.
Thanks, how do you specify which firewall to run it on?
It processes output taken from whatever firewall you dump the connections table from.
Great, thanks!
When I ran it I didn't get any IPs.
nice
Hi @C_M
I created and tested this with R80.30.
If you are using R80.10 or R80.20, you need another field in "...awk '{print $XX}' ..." for the source IP. Depending on the version, the fields in the state table are different.
22:07:24 5 N/A N/A 149.213.248.222 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : -----------------------------------(+); Direction: 1; Source: 49.21.28.22; SPort: 22; Dest: 49.23.28.8; DPort: 1981; Protocol: tcp; CPTFMT_sep_1: ->; .....
Or use this one-liner in your script to convert a hex IP into a decimal IP:
printf '%d.%d.%d.%d\n' $(echo $ip | sed 's/../0x& /g')
Don't know if you run into this a lot, but sometimes it's quicker to dump the conn table in hex to a file and convert it.
I wrote a Python tool to do this:
https://github.com/celticcow/hex2ip
You take the output of fw tab -t connections -u > file.txt,
run ./hex.py -f file.txt and it outputs the single connection entries:
source_ip source_port -> dest_ip dest_port protocol_number lifetime
so you can send that to a file and sort it at leisure.
Hi everyone,
can someone help me understand the number next to the hexadecimal value (for instance 111744) shown by the command?
It doesn't seem to be the number of connections for that IP, because it's quite a bit higher than the #VALS number of connections shown by fw tab -t connections -s.
[Expert@FW]# fw tab -t connections -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost connections 8158 57162 320240 171450
[Expert@FW]# fw tab -u -t connections | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
111744 0aef9e40,
57800 0ac04318,
53923 0ac0431a,
734 0aef0ae6,
636 0aef0568,
634 0a0ab464,
382 0a33dc74,
276 0aef070a,
272 0aef0ae9,
254 0a130f39,
Hello Millo,
Better late than never 😀
I think the difference arises from the fact that the connections table also contains slinks.
So if you add the SLINKS and VALS values (228612), 111744 is not that high anymore 😁
Only the SLINKS:
fw tab -t connections -u | grep "\->" | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
Only the VALS:
fw tab -t connections -u | grep -v "\->" | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
VALS & SLINKS together:
fw tab -t connections -u | awk '{ print $2 }' | sort -n | uniq -c | sort -nr | head
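The following is an added example, not code from this thread, from the hex2ip tool or from Check Point. It ties the pieces of the thread together in one script: the hex-to-dotted-decimal conversion behind the printf one-liner, the column counting of the original `awk '{ print $2 }'` pipeline, and the VALS/SLINKS split (link entries are the lines containing "->"), run over a small constructed dump that imitates the layout of `fw tab -u -t connections` output. The key layout assumed for the sample, <dir, src_ip, src_port, dst_ip, dst_port, proto>, the header lines, and the function names hex2ip, top_talkers and top_talkers_dotted are assumptions made for this example; the thread itself only establishes that column 2 holds the hex source address and that the column numbers vary by version, so check them against the -f output of your own gateway before trusting a report.

```shell
#!/bin/sh
# Added example (not from the thread or from Check Point): parse a connections
# table dump, convert the hex IPs to dotted decimal and list top sources or
# destinations, separately for main entries (VALS) and symbolic links (SLINKS).

# Constructed sample imitating "fw tab -u -t connections" output. Assumed key
# layout: <dir, src_ip, src_port, dst_ip, dst_port, proto>; a link line is
# "<key> -> <key>", and the "->" is what the thread uses to tell SLINKS from VALS.
SAMPLE='localhost:
-------- connections --------
dynamic, id 8158, num ents 6, load factor 0.0, attributes: keep, sync, aggressive aging
<00000001, ac1aa202, 0000c350, 0a01010f, 00000050, 00000006; 00010001, 00000000>
<00000001, ac1aa202, 0000c351, 0a01010f, 00000050, 00000006; 00010001, 00000000>
<00000001, 0a0101fb, 0000d431, 0a01010f, 000001bb, 00000006; 00010001, 00000000>
<00000000, 0a01010f, 00000050, ac1aa202, 0000c350, 00000006> -> <00000001, ac1aa202, 0000c350, 0a01010f, 00000050, 00000006> (00000001)
<00000000, 0a01010f, 00000050, ac1aa202, 0000c351, 00000006> -> <00000001, ac1aa202, 0000c351, 0a01010f, 00000050, 00000006> (00000001)
<00000000, 0a01010f, 000001bb, 0a0101fb, 0000d431, 00000006> -> <00000001, 0a0101fb, 0000d431, 0a01010f, 000001bb, 00000006> (00000001)
'

# hex2ip: eight hex digits (a trailing comma, as awk leaves it, is tolerated)
# to dotted decimal, e.g. c0000264 -> 192.0.2.100. Anything else is rejected
# instead of being printed as a short or wrong address.
hex2ip() {
    h=$(printf '%s' "$1" | tr -d ',' | tr 'A-F' 'a-f')
    case "$h" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]) ;;
        *) printf 'hex2ip: not an 8-digit hex IP: %s\n' "$1" >&2; return 1 ;;
    esac
    # sed turns "c0000264" into "0xc0 0x00 0x02 0x64"; word splitting of the
    # unquoted $(...) hands printf four integers (the thread's one-liner trick).
    printf '%d.%d.%d.%d\n' $(printf '%s' "$h" | sed 's/../0x& /g')
}

# top_talkers FIELD KIND: count the hex value in column FIELD (2 = source,
# 4 = destination in the assumed layout) over table entries read from stdin.
# KIND is vals (main entries only), slinks (links only) or all (default).
# Output is "count hex", highest count first, top 10.
top_talkers() {
    awk -v f="$1" -v kind="${2:-all}" '
        /^</ {                          # entries start with "<"; header lines are skipped
            is_link = ($0 ~ /->/)
            if (kind == "vals"   && is_link)  next
            if (kind == "slinks" && !is_link) next
            ip = $f; sub(/,$/, "", ip)  # drop the trailing comma
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2 | head -n 10
}

# Same report, with the addresses converted for reading.
top_talkers_dotted() {
    top_talkers "$@" | while read -r n hex; do
        printf '%6d %s\n' "$n" "$(hex2ip "$hex")"
    done
}

echo "Top sources, main entries only (VALS):"
printf '%s' "$SAMPLE" | top_talkers_dotted 2 vals
echo "Top destinations, links included (VALS + SLINKS):"
printf '%s' "$SAMPLE" | top_talkers_dotted 4 all
```

On a gateway the same functions take the live table instead of the sample, e.g. `fw tab -u -t connections | top_talkers_dotted 2 vals`. Counting VALS and SLINKS separately is what keeps the per-address number comparable with the #VALS column of `fw tab -t connections -s`; the combined count, like the original pipeline, includes the link entries as well.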
