Yesterday a colleague at my company was doing some testing with a potential partner, and they needed to open a TCP port on one of our development servers so an application could bind to that port. At first I wasn’t sure how I should do this, since the port didn’t need to do anything but listen for incoming connections; the remote application would simply connect to it. To get something up immediately for them I had our web server listen on the requested port. That worked, but I did not want the web server running on this port for long, so I needed another solution that would simply open the port, listen for connections, and log those connections so we could troubleshoot if necessary. I ended up finding an application called tcpsnoop, which I explain how to compile and use below.
Compile & Use tcpsnoop To Listen On a Specified TCP Port And Log Connections:
- Download tcpsnoop: First you need to download tcpsnoop, which I was able to obtain from here. You actually need a couple of other files to compile tcpsnoop, so I went ahead and uploaded them all so they can be downloaded directly from this article. Download tcpsnoop.c, tcpsnoop.h, and MakeFile by clicking each of their names.
- Compile tcpsnoop: Now use gcc to compile the tcpsnoop application on your Linux server with the command below. Issue it from the directory where all three of the downloaded files are located. It should not return any errors and will produce a new file called tcpsnoop, which is the actual application you are going to use.

Compile tcpsnoop Using gcc:
- [root@dev tcp]# gcc tcpsnoop.c -o tcpsnoop
- Modify Permissions: The tcpsnoop daemon cannot be run as root, so if you compiled it as root like I did you may need to modify the permissions to make it executable by everyone, or change the owner to another user. Use the command below to make it executable by all while keeping it modifiable only by the root user.

Modify tcpsnoop Permissions With chmod:
- [root@dev tcp]# chmod 755 tcpsnoop

After you have modified the permissions, move the tcpsnoop file into /usr/local/bin so it is in other users’ PATH.
- Launch tcpsnoop Daemon: Now let’s launch the tcpsnoop daemon and then verify that it is running. Use syntax similar to the below to launch tcpsnoop, but make sure to change the log file and port to the settings you want.

Launch tcpsnoop Daemon:
- [someuser@dev tcp]$ tcpsnoop -d -p 45999 -f /var/log/tcpsnoop.log
Before you issue the above command make sure you have “su’d” to another user. You may also have to touch the log file and make it writable by the user that is going to run tcpsnoop.
- Verify Connections: Now let’s verify that the daemon is actually accepting connections, first by checking that the TCP port shows as open on the server using netstat as shown below.

Verify TCP Port Is Listening Using netstat:
- [someuser@dev tcp]$ netstat -an | grep 45999
- tcp 0 0 0.0.0.0:45999 0.0.0.0:* LISTEN
As you can see above, the server is now listening on port 45999, and on all interfaces (0.0.0.0). Before attempting to connect to the port, make sure you have made any necessary firewall rule changes and/or iptables modifications to allow incoming connections on the port you specify. Next, let’s telnet from an external computer to this server, specifying the port that tcpsnoop is listening on. Below I show the telnet command from a Windows desktop, followed by using tail to verify that incoming connections are logged.
Telnet From Windows Command Prompt To Server Running tcpsnoop:
- C:\>telnet server.example.com 45999
Tail tcpsnoop Log File To Verify Connections Are Logged:
- [someuser@dev tcp]$ tail -f /var/log/tcpsnoop.log
- # Received connection from 192.168.1.44 (AdvMSS 1460, PMTU 1500, options (2): SACK )
- 10.140127 10140 0 2 2147483647 5840 0 750000 0 0 0 0 0
- 10.363134 10370 0 2 2147483647 5840 0 750000 0 0 0 0 0
- 10.581438 10590 0 2 2147483647 5840 0 750000 0 0 0 0 0
- 10.780762 10790 0 2 2147483647 5840 0 750000 0 0 0 0 0
- # Closed connection from 192.168.1.44.
Once the telnet connection from the Windows or other computer to the server is active, hit Enter on your keyboard a couple of times to send some data to be logged. In the above example, each of the lines in the log file after the “Received connection” message is me hitting Enter.
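As an added example (not part of the original article and not tcpsnoop’s own code), here is a small Python script that parses the tcpsnoop log format shown above, counts connections and received-data lines per source address, and flags any source that is not on the list of addresses you expect the partner to connect from. The embedded sample log is the session above plus one constructed connection from 203.0.113.9; the allow-list passed to summarize() is an assumption.

```python
import re
from collections import defaultdict

# Sample tcpsnoop log: the session from the article plus a constructed second
# connection from another source, so the allow-list check has something to flag.
SAMPLE_LOG = """\
# Received connection from 192.168.1.44 (AdvMSS 1460, PMTU 1500, options (2): SACK )
10.140127 10140 0 2 2147483647 5840 0 750000 0 0 0 0 0
10.363134 10370 0 2 2147483647 5840 0 750000 0 0 0 0 0
10.581438 10590 0 2 2147483647 5840 0 750000 0 0 0 0 0
10.780762 10790 0 2 2147483647 5840 0 750000 0 0 0 0 0
# Closed connection from 192.168.1.44.
# Received connection from 203.0.113.9 (AdvMSS 1460, PMTU 1500, options (2): SACK )
# Closed connection from 203.0.113.9.
"""

OPEN_RE = re.compile(r"^# Received connection from (\S+) \((.*)\)\s*$")
CLOSE_RE = re.compile(r"^# Closed connection from (\S+)\.\s*$")

def parse_log(text):
    """Return one dict per connection, in log order. Any line that is not a
    '# Received' / '# Closed' marker is a tcpsnoop stats line (one per chunk of
    input received, e.g. each Enter pressed in telnet) and is counted against
    the most recently opened connection that is still open."""
    conns, open_conns = [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := OPEN_RE.match(line):
            conn = {"source": m.group(1), "options": m.group(2).strip(),
                    "data_lines": 0, "closed": False}
            conns.append(conn)
            open_conns.append(conn)
        elif m := CLOSE_RE.match(line):
            for conn in reversed(open_conns):
                if conn["source"] == m.group(1):
                    conn["closed"] = True
                    open_conns.remove(conn)
                    break
        elif open_conns:
            open_conns[-1]["data_lines"] += 1
    return conns

def summarize(conns, allowed):
    """Per-source totals plus the sources that are not on the expected allow-list."""
    by_source = defaultdict(lambda: {"connections": 0, "data_lines": 0})
    for conn in conns:
        by_source[conn["source"]]["connections"] += 1
        by_source[conn["source"]]["data_lines"] += conn["data_lines"]
    unexpected = sorted(src for src in by_source if src not in allowed)
    return dict(by_source), unexpected
```

Run it against the real file with `parse_log(open("/var/log/tcpsnoop.log").read())` and pass the partner’s known addresses as `allowed`; anything in the unexpected list is a connection you did not plan for.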
That is it. You now have a TCP port open that will log all incoming connections. If you want to stop the daemon, simply locate its PID (Process ID) using “ps -ef | grep tcpsnoop” and then kill the PID using “kill -9 <PID HERE>”.