List all IP addresses connected to your Server

By mkyong | Updated: November 17, 2016

Viewed: 22,626 (+179 pv/w)

Below is an Unix command to list all the IP addresses connected to your server on port 80.


netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

Output – Total connections by IP, from highest to lowest.


     97 114.198.236.100
     56 67.166.157.194
     44 170.248.43.76
     38 141.0.9.20
     37 49.248.0.2
     37 153.100.131.12
     31 223.62.169.73
     30 65.248.100.253
     29 203.112.82.128
     29 182.19.66.187

Note
This command is useful to detect if your server is under attack, and null route those IPs. Read this null route attacker IP story.

Let break above lengthy command into pieces :

1. netstat -tn 2>/dev/null

Uses netstat to list all network connections, ins and outs.

-n – Display numeric only, don’t resolve into name.
-t – Display only TCP connections.

Output


#Examples - 7 connections
tcp        0      0 64.91.*.*:80            114.198.236.100:12763       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51950       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51951       TIME_WAIT   
tcp        0      0 64.91.*.*:23            202.127.210.2:14517         TIME_WAIT   
tcp        0      0 64.91.*.*:80            149.238.193.121:65268       TIME_WAIT   
tcp        0      0 64.91.*.*:80            114.198.236.100:44088       ESTABLISHED
tcp        0      0 64.91.*.*:80            175.136.226.244:51952       TIME_WAIT

2>/dev/null
Redirect all unwanted output to /dev/null, a special place to absorb all output and clear it.

2. grep :80

Only display the IP address that connected to server on port 80.


tcp        0      0 64.91.*.*:80            114.198.236.100:12763       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51950       TIME_WAIT   
tcp        0      0 64.91.*.*:80            175.136.226.244:51951       TIME_WAIT   
tcp        0      0 64.91.*.*:80            149.238.193.121:65268       TIME_WAIT   
tcp        0      0 64.91.*.*:80            114.198.236.100:44088       ESTABLISHED
tcp        0      0 64.91.*.*:80            175.136.226.244:51952       TIME_WAIT

3. awk ‘{print $5}’

Uses awk to display the 5th field only.


114.198.236.100:12763  
175.136.226.244:51950
175.136.226.244:51951
149.238.193.121:65268
114.198.236.100:44088
175.136.226.244:51952

4. cut -d: -f1

Uses cut to extract the content.

-d – Character immediately following the -d option is use as delimiter, default is tab.
-f – Specifies a field list, separated by a delimiter.


114.198.236.100
175.136.226.244
175.136.226.244
149.238.193.121
114.198.236.100
175.136.226.244

5. sort | uniq -c | sort -nr

Sort the list, group it and sort it again in reverse order.

sort


114.198.236.100
114.198.236.100
149.238.193.121
175.136.226.244
175.136.226.244
175.136.226.244

uniq -c – Group it.


2 114.198.236.100
1 149.238.193.121
3 175.136.226.244

sort -nr – sort by numeric, and reverse order (highest display first)


3 175.136.226.244
2 114.198.236.100
1 149.238.193.121

Done.

6. head

This is optional, to display the first 10 result.

References

About Author

mkyong

Founder of Mkyong.com, love Java and open source stuff. Follow him on Twitter. If you like my tutorials, consider make a donation to these charities.

Comments

10 Comments

Most Voted

Newest Oldest

Inline Feedbacks

View all comments

flaxious

6 years ago

I just Love your step by step explanation, thank you very much!

mrmister

7 years ago

Hi, do ther is some way to see who was connected to my server in some time period and save that information in text file?

Mahmoud

10 years ago

you saved my day 🙂
I had to change it a little bit for my needs:
netstat -na | grep 8001 | awk ‘{print $5}’ | cut -d: -f1 | sort | uniq -c | sort -nr

Fedor Petryk

5 years ago

awesome

Suyash Jain

9 years ago

Hi,

You does not require to go for so much deep , you can achieve the same with this . and it works for ipv6 also.

http://www.suyashjain.com/toppings/netstat-tricks-1/

Thanks

mrmagne

10 years ago

Hi,

When i run your command, i get this:

1420
1 66.249.75.226

What od the number 1420 represent

Nelson Eduardo

6 years ago

Reply to mrmagne

netstat show some IPv4 expressed through IPv6. So rever cut first and move to second last. All valid IPs include the port, so the “grep:”

$ netstat -tn 2>/dev/null | awk ‘{print $5}’ | grep : | rev | cut -d: -f2- | rev | sort | uniq -c | sort -nr

Add next command to drop loopback.
grep -v -e ‘::1’ -e ‘127.0.0.1’

stefa

1 year ago

hi. 5 years later lol – bump? i wonder if anyone still browsing this> anyway this info only showing me ipv6 addresses, ubuntu 22.04. thanks for the information and article!

-1

Loris

2 years ago

Is there a way to add the hostname for each ip?

-1

Mary

5 years ago

Someone from a server is in all my phones and devices. I’ve factory reset my phones. It is still a problem. Please help me

-1

	This comment is spam
	This comment is irrelevant
	This comment is abusive
	Other