Sometimes we find ourselves in constrained environments where installing packages like tcpdump isn't possible due to company policies or security restrictions. On CentOS systems, there are several alternative approaches to monitor TCP connections when you need to investigate network activity.
The ss command (socket statistics) is part of iproute2 and comes pre-installed on nearly every Linux distribution, CentOS included. It supersedes netstat and can filter by state and address directly.
# List all TCP/UDP sockets with owning process (-p shows other users' processes only as root).
# Do not combine -a with -l: ss applies the last state flag given, so -tunapl shows only listeners.
ss -tunap
# Only sockets whose remote address is a given IP
ss -tunap dst 192.168.1.100
# Continuous monitoring (refresh every 2 seconds)
watch -n 2 ss -tunap
The kernel exposes the TCP socket table through the proc filesystem (/proc/net/tcp for IPv4, /proc/net/tcp6 for IPv6). The output is raw, with addresses, ports and states all hex-encoded and addresses written in host byte order, but it is always available and needs no tool beyond awk.
# View raw TCP socket table
cat /proc/net/tcp
# Pull out local address, remote address and state (all three still hex-encoded; field 4 is the state code)
awk 'NR > 1 {print "Local: " $2 " Remote: " $3 " State: " $4}' /proc/net/tcp
If SystemTap happens to be present (it is not part of a default CentOS install, and kernel.function probes need the kernel-debuginfo package matching the running kernel), a one-liner can trace TCP events at the kernel boundary. The tcp.receive probe from the SystemTap tapset fires on every received IPv4 segment and exposes the addresses, ports and TCP flags, so filtering on SYN without ACK isolates new inbound connection attempts:
# Incoming SYNs (new connection attempts arriving at this host)
stap -e 'probe tcp.receive { if (syn && !ack) printf("SYN %s:%d -> %s:%d\n", saddr, sport, daddr, dport) }'
# Outbound connect() calls, with the calling process
stap -e 'probe kernel.function("tcp_v4_connect") { printf("%s[%d] connect\n", execname(), pid()) }'
For containerized environments, or when you need to monitor a specific network namespace, run ss inside that namespace. Note that /var/run/netns only lists namespaces created with ip netns; a container's namespace is reached through one of its processes instead (nsenter -t PID -n).
# List named network namespaces
ls -l /var/run/netns/
# Inspect sockets in a specific namespace
nsenter --net=/var/run/netns/your_namespace ss -tunap
For persistent monitoring, a basic bash loop can log how many established connections exist to a given host. ss always prints a header line, so it has to be dropped before counting:
#!/bin/bash
while true; do
    TIMESTAMP=$(date +"%Y-%m-%d %T")
    # tail -n +2 skips the ss header so an idle host logs 0, not 1
    CONNS=$(ss -tn state established dst 192.168.1.100 | tail -n +2 | wc -l)
    echo "$TIMESTAMP - Connections to target: $CONNS" >> /var/log/tcp_monitor.log
    sleep 5
done
When troubleshooting network issues or monitoring outbound connections on a CentOS server, tcpdump is often the go-to tool. However, in restricted environments where software installation isn't permitted, we need alternative approaches to examine TCP connections.
CentOS provides several built-in tools that can help monitor TCP connections without requiring additional packages:
# View active connections with remote addresses and owning processes (-p needs root to see other users' sockets)
ss -tunap
# Monitor connections in real-time (refresh every 2 seconds)
watch -n 2 "ss -tuna"
# Filter connections to specific IP
ss -tuna dst 192.168.1.100
The Linux /proc filesystem exposes the same socket table that ss reads, and it can be parsed directly (addresses, ports and states are hex, with addresses in host byte order):
# List all TCP connections
cat /proc/net/tcp
# Columns: local address, remote address (both still hex), socket inode; the inode can be matched against ls -l /proc/*/fd to find the owning process
awk 'NR>1 {printf "%-20s %-20s %-15s\n", $2, $3, $10}' /proc/net/tcp
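The awk one-liner above (and the /proc/net/tcp section earlier on this page) leave the fields hex-encoded. The following example is added here and is not code from the original article: it decodes /proc/net/tcp into dotted-quad addresses, decimal ports and named TCP states, then counts established connections to a chosen peer, which is what the polling scripts on this page are after. It assumes a little-endian host (the encoding the kernel uses on x86/x86_64) and runs against a constructed sample in /proc/net/tcp layout so it works offline; on a live host, call the functions with no path argument (or with /proc/net/tcp6 for IPv6, which needs a 32-digit address decoder instead).

```shell
#!/bin/sh
# Added example (not from the original article): decode /proc/net/tcp into
# readable addresses/ports/states and count ESTABLISHED sockets to one peer.
# Assumes little-endian host byte order (x86/x86_64).

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:B2C4 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C350 6401A8C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
   3: 0F02000A:C351 6401A8C0:01BB 06 00000000:00000000 00:00000000 00000000     0        0 0 3 0000000000000000'

# decode_proc_tcp [file]: print "local remote STATE uid=N inode=N" per socket.
# Defaults to the live /proc/net/tcp when no file is given.
decode_proc_tcp() {
    awk '
    # hexval: parse a hex string without the gawk-only strtonum()
    function hexval(s,    i, v) {
        v = 0
        for (i = 1; i <= length(s); i++)
            v = v * 16 + index("0123456789ABCDEF", toupper(substr(s, i, 1))) - 1
        return v
    }
    # hex2ip: 8 little-endian hex digits, e.g. 0100007F -> 127.0.0.1
    function hex2ip(h,    i, o) {
        o = ""
        for (i = 7; i >= 1; i -= 2)
            o = o (o == "" ? "" : ".") hexval(substr(h, i, 2))
        return o
    }
    BEGIN {
        st["01"] = "ESTABLISHED"; st["02"] = "SYN_SENT";   st["03"] = "SYN_RECV"
        st["04"] = "FIN_WAIT1";   st["05"] = "FIN_WAIT2";  st["06"] = "TIME_WAIT"
        st["07"] = "CLOSE";       st["08"] = "CLOSE_WAIT"; st["09"] = "LAST_ACK"
        st["0A"] = "LISTEN";      st["0B"] = "CLOSING"
    }
    # Skip the header; fields: 2=local, 3=remote, 4=state, 8=uid, 10=inode
    NR > 1 {
        split($2, l, ":"); split($3, r, ":")
        printf "%s:%d %s:%d %s uid=%s inode=%s\n", hex2ip(l[1]), hexval(l[2]),
               hex2ip(r[1]), hexval(r[2]), ($4 in st) ? st[$4] : $4, $8, $10
    }' "${1:-/proc/net/tcp}"
}

# count_established_to IP [file]: number of ESTABLISHED sockets whose peer is IP.
# Matching on "IP:" avoids 192.168.1.100 also matching 192.168.1.1000.
count_established_to() {
    decode_proc_tcp "${2:-/proc/net/tcp}" |
        awk -v ip="$1" '$3 == "ESTABLISHED" && substr($2, 1, length(ip) + 1) == ip ":" { n++ }
                        END { print n + 0 }'
}

# Demo on the constructed sample
sample_file=$(mktemp)
trap 'rm -f "$sample_file"' EXIT
printf '%s\n' "$SAMPLE_PROC_TCP" > "$sample_file"
decode_proc_tcp "$sample_file"
echo "established to 192.168.1.100: $(count_established_to 192.168.1.100 "$sample_file")"
```

The TIME_WAIT row in the sample is deliberately excluded from the count, which is the behaviour you want when the question is "who is talking to that host right now"; drop the state test in count_established_to if you want every socket that has touched the peer.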
For continuous monitoring, a simple bash loop can log connections as they are seen. Filtering with ss's own dst keyword is more precise than grep (which would also match 192.168.1.1000), and the header line ss always prints has to be dropped:
#!/bin/bash
while true; do
    timestamp=$(date '+%Y-%m-%d %H:%M:%S')
    # tail -n +2 removes the ss header so an empty result really is empty
    connections=$(ss -tna dst 192.168.1.100 | tail -n +2)
    if [ -n "$connections" ]; then
        echo "[$timestamp] Detected connection: $connections" >> /var/log/conn_monitor.log
    fi
    sleep 5
done
Connection attempts only reach the system logs if something is configured to log them: the kernel does not log ordinary TCP handshakes, so these searches will normally only turn up entries written by an iptables/nftables LOG rule, a firewalld rich rule with logging, or similar. journalctl's --grep option needs systemd 237 or later, which CentOS 7 (systemd 219) does not have, so piping through grep is the portable form:
# Kernel ring buffer (iptables LOG output lands here)
dmesg | grep -i tcp
# Same search through the kernel journal
journalctl -k | grep -i tcp
For deep inspection, ftrace's tcp tracepoints can be enabled through debugfs without any userspace tooling. The tcp tracepoint group, including tcp_probe, was added in the 4.16 kernel, so it is present on CentOS 8 but not on the 3.10 kernel of CentOS 7; check whether /sys/kernel/debug/tracing/events/tcp/ exists before relying on it. tcp_probe fires once per received segment, so expect volume on a busy host, and write 0 to the same enable file when finished. Everything here requires root and a mounted debugfs.
# Enable the tcp_probe tracepoint
echo 1 > /sys/kernel/debug/tracing/events/tcp/tcp_probe/enable
# Stream the trace output (blocks; Ctrl-C to stop)
cat /sys/kernel/debug/tracing/trace_pipe
- Tracing methods (SystemTap probes, ftrace tracepoints that fire per segment) add overhead under heavy traffic; polling ss or /proc/net/tcp every few seconds is cheap but only samples, so short-lived connections can be missed between polls
- Results vary with CentOS version and kernel configuration: tracepoint availability, ss options and journalctl features all differ between CentOS 7 and 8
- For security-sensitive environments, a time-boxed, documented exception for tcpdump is often simpler and more reliable than assembling these workarounds