How to Display Connection Establishment Time in Linux netstat Output


When analyzing network connections using netstat, many administrators wonder about connection establishment times. The standard netstat utility in Linux doesn't natively display timestamps because this information isn't stored at the kernel level in a way that netstat can access.

While netstat itself can't show this data, here are several approaches to obtain connection establishment times:

1. Using ss from iproute2

The modern ss command (part of iproute2) provides more detailed socket information:

ss -tuanope

This lists all TCP and UDP sockets with process information (-p), extended details (-e) and socket timers (-o), including approximate connection duration; note that -l in place of -a would restrict the output to listening sockets, which carry no connection timers.

2. Leveraging Systemd Journal for Connection Tracking

For systems using systemd, you can query the journal for network-related events:

journalctl -u systemd-networkd --since "1 hour ago" | grep -i "connection"

3. Kernel Connection Tracking with conntrack

The conntrack tool provides connection tracking information:

conntrack -L

For persistent connection timestamp tracking, consider implementing a custom logger:

#!/bin/bash
while true; do
    date >> /var/log/connection_times.log
    ss -tnp >> /var/log/connection_times.log
    sleep 60
done

The Linux kernel's networking stack doesn't maintain connection establishment timestamps in the structures that netstat queries. This information would require additional memory overhead for all connections, which wasn't deemed necessary in the original design.
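The polling logger above only appends raw ss listings. The following stateful variant, added here as an example and not part of the original answer, records the first poll in which each local/peer pair was seen (an establishment time accurate to one poll interval) and reports the duration once the pair disappears. The state-file path, the poll interval and the --run flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example: approximate establishment time by polling `ss -tn` and
# recording the first poll in which each local/peer pair appeared. Accuracy
# is bounded by INTERVAL; connections shorter than one interval are missed.
STATE=${STATE:-/var/tmp/conn_first_seen.tsv}   # assumed path: local<TAB>peer<TAB>epoch
INTERVAL=${INTERVAL:-10}                        # assumed poll interval in seconds

# record_connections EPOCH: read `ss -tn` lines on stdin, report pairs that are
# new since the last poll ("NEW ...") and pairs that have vanished ("CLOSED ...
# first_seen duration"), then rewrite $STATE with the pairs still live.
record_connections() {
    local now tmp
    now=$1
    touch "$STATE"
    tmp=$(mktemp)
    awk -v now="$now" -v state="$STATE" -v out="$tmp" -v OFS='\t' '
        BEGIN {
            # load first-seen times recorded by the previous poll
            while ((getline line < state) > 0) {
                split(line, f, "\t"); seen[f[1] OFS f[2]] = f[3]
            }
            close(state)
        }
        # ss -tn columns: State Recv-Q Send-Q Local:Port Peer:Port
        $1 == "ESTAB" {
            key = $4 OFS $5; live[key] = 1
            if (!(key in seen)) { seen[key] = now; print "NEW", key, now }
        }
        END {
            for (key in seen) {
                if (key in live) print key, seen[key] > out
                else print "CLOSED", key, seen[key], now - seen[key]
            }
        }'
    mv "$tmp" "$STATE"
}

poll_forever() {
    while true; do
        ss -tn | record_connections "$(date +%s)"
        sleep "$INTERVAL"
    done
}

# Start polling only when invoked as `./conn_first_seen.sh --run`
if [ "${1:-}" = "--run" ]; then poll_forever; fi
```

Redirect the output to a log file to keep a durable record of NEW and CLOSED events with their epoch times.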

For production environments needing comprehensive connection auditing:

  • Implement eBPF programs to track socket creation
  • Use network monitoring tools like Zeek or Suricata
  • Consider commercial solutions that hook into kernel networking events

The standard netstat command in Linux doesn't include connection establishment timestamps in its output by default. This information is technically available in the kernel's connection tracking system, but requires specific tools or modifications to extract.

Here are three practical methods to obtain connection establishment times:

Method 1: Using ss from iproute2

The modern ss command (replacement for netstat) can display timestamps:

ss -tope | grep ESTAB

Example output:

ESTAB   0    0    192.168.1.100:ssh    192.168.1.1:12345   users:(("sshd",pid=1234,fd=3)) timer:(keepalive,7min,0) ts sack cubic wscale:7,7 rto:204 rtt:0.5/0.5 atime:1634567890

Method 2: Parsing /proc/net/tcp with Custom Script

Create a bash script to parse kernel TCP information:

#!/bin/bash
# strftime() is a gawk extension; mawk and busybox awk do not provide it.
# Field 9 of /proc/net/tcp is the "timeout" column (see the header line),
# rendered here as a date; one line is printed per socket.
awk 'NR>1 {printf "%s\n", strftime("%F %T", $9)}' /proc/net/tcp

Method 3: Using conntrack-tools

For tracked connections, use the timestamp output mode (the kernel records flow start times only when net.netfilter.nf_conntrack_timestamp is set to 1):

conntrack -L -o timestamp | grep ESTABLISHED

This shows creation timestamps in Unix epoch format that can be converted.

For comprehensive monitoring, use this SystemTap script to log all new connections with timestamps:

probe kernel.function("tcp_set_state")
{
    # tcp_set_state(struct sock *sk, int state): $state is the new state,
    # and TCP_ESTABLISHED is 1 in the kernel's enum
    if ($state == 1) {
        printf("%s %s:%d -> %s:%d\n", ctime(gettimeofday_s()),
               ip_ntop(__ip_sk_saddr($sk)), __tcp_sk_sport($sk),
               ip_ntop(__ip_sk_daddr($sk)), __tcp_sk_dport($sk))
    }
}

Remember that these TCP timestamps:

  • Reflect the kernel's view of connection time
  • May not match application-level handshake completion
  • May not appear at all for very short-lived connections