Netstat is the most frequent tool used for monitoring network connections on a Linux servers. Netstat returns a variety of information on active connections such as their current status, what hosts are involved, and which programs are involved. You can also see information about the routing table and even get statistics on your network interfaces. Netstat is a good all-around utility and it is an essential tool for the Linux administrators.
If you just type netstat, it would display a long list of information that’s usually more than you want to go through at any given time. The trick is that how to keeping the information useful and what you’re looking for and how to tell netstat to only display that information.

Below is some of the command to find out number of connections to server usingnetstat, grep, cut, awk, uniq, sort.

To find out the number of connections from an IP.
netstat -ntu | awk ‘{print $5}’ | cut -d: -f1 | uniq -c | sort -n

In the above command AWK print out the 5th column of netstat output, the CUT part cuts every line at the first space character and take the first piece, than we just have to SORT the results and take the UNIQUE values.

To find out the largest number of established connections.
netstat -na | grep ‘ESTABLISHED’ | awk ‘{print $4}’ | cut -d: -f1 | uniq -c | sort -rn

In the above command GREP is been used to find the line containing “ESTABLISHED“, AWK print out the 4th column of netstat output. CUT part cuts every line at the first space character and take the first piece, than we just have to SORT the results and take the UNIQUE values.

To check max number of connections to server.
netstat -nap |grep ‘tcp|udp’ | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -n | tail

In the above command GREP is been used to find the line containing “tcp/udp” [ if you want to sort such lines which are matching two or more different pattern then simply define all patterns in single quote and separate them using |] , AWK print out the 5th column of netstat output. CUT part cuts every line at the first space character and take the first piece, than we just have to SORT the results and take the UNIQUE values.TAIL command print the last part (10 lines) of the output.

To find out the largest number of established connections with port number.
netstat -na | grep ‘ESTABLISHED’ | awk ‘{print $4}’ | uniq -c | sort -rn

To find out the number of connections to port 80 [http] from each IP.
netstat -plan|grep :80|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

Similarly, you can find out the number of connections to port 25 from each IP as.
netstat -plan|grep :25|awk {‘print $5′}|cut -d: -f 1|sort|uniq -c|sort -n

NETSTAT is the most useful tool to detect and determine whether a server is under DoS or DDoS attack (Distributed Denial of Service).

Article from