How to Check Active TCP Connections for a Specific Port in Linux: Practical Methods and Code Examples


When monitoring network services, developers often need real-time visibility into active TCP connections for specific ports. This is crucial for:

  • Load balancing decisions
  • Service health monitoring
  • Debugging connection leaks
  • Capacity planning

The simplest approach combines netstat with grep:

netstat -ant | grep ':80 ' | grep ESTABLISHED | wc -l

Breaking this down:

-a : Show all connections
-n : Show numeric addresses
-t : TCP connections only
grep ':80 ' : Filters for port 80 (note the trailing space)
grep ESTABLISHED : Only active connections
wc -l : Counts matching lines

For modern Linux systems, ss (socket statistics) is faster:

ss -ant '( sport = :80 )' | grep -c ESTAB

Alternatively for both source and destination ports:

ss -ant '( dport = :80 or sport = :80 )' | grep -c ESTAB

To continuously monitor port 1935 connections every 2 seconds:

watch -n 2 "ss -ant '( sport = :1935 )' | grep -c ESTAB"

For counting new connection attempts rather than currently open connections, a rule that matches SYN packets works (the rule counter is a packet count, so it only grows and does not reflect how many connections are still open):

iptables -A INPUT -p tcp --dport 1935 --syn -j ACCEPT
iptables -L -v -n | grep 'dpt:1935'

For low-level programmatic access:

grep ' 01 ' /proc/net/tcp | awk '$2 ~ /:078F$/ || $3 ~ /:078F$/' | wc -l

Note: ports in /proc/net/tcp are four hexadecimal digits, so 1935 = 0x78F appears as 078F; the st column value 01 is ESTABLISHED.

Create a monitoring script (monitor_ports.sh):

#!/bin/bash
PORTS=(80 443 1935)
INTERVAL=5

while true; do
  clear
  date
  echo "Active Connections:"
  for port in "${PORTS[@]}"; do
    count=$(ss -ant "( sport = :$port )" | grep -c ESTAB)
    hex=$(printf "%04X" $port)
    proc_count=$(grep ' 01 ' /proc/net/tcp | awk -v p="$hex" '$2 ~ ":"p"$" || $3 ~ ":"p"$"' | wc -l)
    printf "Port %-5d: %4d (ss) | %4d (/proc)\n" $port $count $proc_count
  done
  sleep $INTERVAL
done

  • For high-traffic servers, ss performs better than netstat
  • The /proc method has lower overhead but requires hex conversion
  • Persistent connection counting requires stateful inspection tools
  • Consider connection rate limiting with iptables' connlimit module

When debugging network services or monitoring server load, you often need to track the number of active TCP connections on specific ports. While packet counters are useful for traffic analysis, connection state monitoring requires different approaches.

The modern replacement for netstat provides precise filtering capabilities:

ss -Hnt state established '( sport = :1935 or dport = :1935 )' | wc -l

This command lists established connections where either the source or destination port is 1935 (RTMP) and counts them; -H suppresses the header line so that wc -l does not count it as a connection.

For scripting purposes, parse the kernel's TCP connection table:

grep -E ':078F [0-9A-F]{8}:[0-9A-F]{4} 01 ' /proc/net/tcp | wc -l

Where '01' in the st column is the ESTABLISHED state and '078F' is port 1935 in hex (0x78F). The pattern anchors the port to the local_address field and the state to the column right after rem_address, so a stray '01' elsewhere on the line is not counted. Addresses in this file are also hexadecimal, with the IPv4 bytes in host (little-endian) order, and IPv6 sockets (including IPv4-mapped ones on dual-stack listeners) appear in /proc/net/tcp6 instead.
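The /proc/net/tcp parsing shown above and earlier on this page, carried out in Python as an added example (not code from the original article): it decodes the little-endian hex addresses, keeps only ESTABLISHED entries for the requested local port, and groups them by peer IP. The sample table and the function names are constructed for this example.

```python
from collections import Counter

# State codes in the "st" column of /proc/net/tcp (kernel enum tcp_states); 01 is ESTABLISHED.
TCP_ESTABLISHED = 0x01

# Constructed sample of /proc/net/tcp (not captured from a real host): a listener on 1935 (st 0A),
# two ESTABLISHED RTMP sessions, one ESTABLISHED HTTP session and one TIME_WAIT (06) entry on 1935.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:078F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1
   1: 0100007F:078F 0200000A:C4F2 01 00000000:00000000 00:00000000 00000000     0        0 12346 1
   2: 0100007F:078F 0300000A:D1A0 01 00000000:00000000 00:00000000 00000000     0        0 12347 1
   3: 0100007F:0050 0200000A:9C40 01 00000000:00000000 00:00000000 00000000     0        0 12348 1
   4: 0100007F:078F 0200000A:C4F3 06 00000000:00000000 03:00000F7A 00000000     0        0 0 3
"""

def decode_ipv4_endpoint(field):
    """'0200000A:C4F2' -> ('10.0.0.2', 50418): the address is little-endian hex, the port plain hex."""
    addr_hex, port_hex = field.split(":")
    octets = bytes.fromhex(addr_hex)[::-1]  # reverse host-order bytes into network order
    return ".".join(str(b) for b in octets), int(port_hex, 16)

def established_by_port(table_text, port):
    """Return (total, Counter of peer IPs) for ESTABLISHED entries whose local port is `port`."""
    peers = Counter()
    for line in table_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        _, local_port = decode_ipv4_endpoint(fields[1])
        state = int(fields[3], 16)
        if local_port != port or state != TCP_ESTABLISHED:
            continue
        peer_ip, _ = decode_ipv4_endpoint(fields[2])
        peers[peer_ip] += 1
    return sum(peers.values()), peers

def count_from_proc(port, path="/proc/net/tcp"):
    """Live variant: read the kernel table (IPv6 sockets live in /proc/net/tcp6 and are not covered)."""
    with open(path) as f:
        return established_by_port(f.read(), port)

if __name__ == "__main__":
    total, peers = established_by_port(SAMPLE_PROC_NET_TCP, 1935)
    print(f"port 1935: {total} established connection(s)")
    for ip, n in peers.most_common():
        print(f"  {ip}: {n}")
```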

iptables counters record packets and bytes, not connections, but with connection tracking we can at least count the traffic flowing over established connections to the port:

iptables -A INPUT -p tcp --dport 1935 -m state --state ESTABLISHED -j ACCEPT
iptables -L -v -n | grep ESTABLISHED

The pkts and bytes columns of that rule show matched traffic; they are not a count of open connections, for which ss or the conntrack table is the right source.

Here's a complete script that polls connection counts every 5 seconds:

#!/bin/bash
PORT=1935
HEX_PORT=$(printf '%04X' $PORT)

while true; do
  CONN_COUNT=$(grep -E ":${HEX_PORT} [0-9A-F]{8}:[0-9A-F]{4} 01 " /proc/net/tcp | wc -l)
  echo "$(date) - $CONN_COUNT active connections on port $PORT"
  sleep 5
done

For high-traffic servers, avoid frequent netstat/ss calls as they can be expensive. Instead, consider:

  • Kernel connection tracking via conntrack
  • eBPF-based monitoring tools
  • Prometheus node_exporter TCP metrics

For production environments, you might want to:

# Track connections per peer IP (with a state filter ss omits the State column, so the peer is field 4;
# -H drops the header and the sed strips the :port so IPv6 peers in brackets are handled too)
ss -Hnt state established 'sport = :1935' | awk '{print $4}' | sed 's/:[0-9]*$//' | sort | uniq -c

# Monitor connection churn rate
conntrack -E -p tcp --dport 1935