I would like to use Patrick Lagac'e' Conntrack-Viewer in Fedora 6 to see
who is logged in on NAT and what they are doing. I use the Linux box as
a firewall and router. Used to be one could simply do a:
sudo cat /proc/net/ip_conntrack

But that makes so much screen output that it is so hard to read. I can
shorten the output with something like:
sudo cat /proc/net/ip_conntrack |grep 192.168.0.94

But that still is way to much information to weed through. I did find a
bitching perl script that will show you the output in an easy to read
format called conntrack-viewer 1.3. It can be found on this page:
http://cv.intellos.net/

But it does not work with Fedora. I was so disappointed. I wrote the
author Patrick a note and he says yes, it is broken with Fedora and he
has not had a chance to fix it yet. New job, school and all, might be a
long time in coming to get it working with Fedora. Here is what he said:

-------------------------------------------------------------------
Greetings Paul,
You did nothing wrong, this situation is normal.

I had develop this script under Redhat 9 (which is pretty old now).
After that i started working in a companie using only Solaris and AIX,
no Linux. When Fedora came out, i received few emails regarding the same
issue, but i didn't had any Redhat/Fedora machine around me. At less
than 5$ per month for hosting outside, i didn't see any good reasons to
maintain a Linux box at home.

I just start a new job, and we are using Redhat Entreprise and AIX, so i
guess i will have the opportunity to fix the code to work on Fedora. For
now i am extremely busy reading tons of doc (new job!), school... so it
won't be fix at short term. I should have more time around june.

Regards
Patrick
-------------------------------------------------------------------

Well, that shoots me out of the water but if anyone here is good with
perl scripts, maybe they can find the error and help me to fix it. I had
to run the perl script as root and did so with:
$ sudo ./conntrack-viewer.pl -m

This gave me a ton of erroneous output but nothing useful. I had to save
a putty.log in an ssh session just to capture the screen output for the
author. You can see it here:
http://www.ohmster.com/~ohmster/temp/putty.log

If anybody wants the conntrack perl script and cannot get it from the
very busy server, I have it here if you want it:
http://www.ohmster.com/~ohmster/misc...wer-1.3.tar.gz

Can somebody figure out what is wrong with this perl script and make it
work with Fedora please? Thank you so much.

Cheers,
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.

In alt.os.linux Ohmster <ohmster@dev.nul.invalid>:
> I would like to use Patrick Lagac'e' Conntrack-Viewer in Fedora 6 to see
> who is logged in on NAT and what they are doing. I use the Linux box as
> a firewall and router. Used to be one could simply do a:
> sudo cat /proc/net/ip_conntrack

> But that makes so much screen output that it is so hard to read. I can
> shorten the output with something like:
> sudo cat /proc/net/ip_conntrack |grep 192.168.0.94

> http://www.ohmster.com/~ohmster/temp/putty.log

Man, is that a slow download and it contains 99,9% of the same
warning message...

> If anybody wants the conntrack perl script and cannot get it from the
> very busy server, I have it here if you want it:
> http://www.ohmster.com/~ohmster/misc...wer-1.3.tar.gz

> Can somebody figure out what is wrong with this perl script and make it
> work with Fedora please? Thank you so much.

Works for me on CentOS5, which is RHEL5. You need either remove
the "-w" switch in the shebang to get rid of the warnings, or
declare the vars properly "my (..);" to avoid them.

Anything else seems to work for me. Though I am by no means a
perl guru, the script doesn't look like rocket science to me.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 80: That's a great computer you have there;
have you considered how it would work as a BSD machine?

On Thu, 20 Mar 2008 18:31:58 -0500, Ohmster wrote:


> Can somebody figure out what is wrong with this perl script and make it
> work with Fedora please? Thank you so much.

I do not have fedora up, your log was binary so I did not bother to
look at it, but this might help.

Under the first line, add
use strict;
use warnings;
use diagnostics ;

under "# Default value" change it to look like the following:

my $dnsresolution=1;
my $masqueradeonly=0;
my $directonly=0;
my $showheader=1;
my $titre="Active Connections according to /proc/net/ip_conntrack";

my $dstaddr;
my $dstname;
my $dstport;
my $dstportname;
my @ip_conntrack_brut ;
my $nbspace;
my $plpl;
my $portname;
my $proto;
my $spacedestination;
my $spaceport;
my $spacesource;
my $spacestate;
my $srcaddr;
my $srcname;
my $srcport;
my $srcportname;
my $state;

Next search for open (PROCNETBUFF and change it to
open (PROCNETBUFF,"< /proc/net/ip_conntrack") or die "Opening /proc/net/ip_conntrack $!\n";


Now, save, exit and test again.

On 2008-03-21, Bit Twister <BitTwister@mouse-potato.com> wrote:
> On Thu, 20 Mar 2008 18:31:58 -0500, Ohmster wrote:
>
>
>> Can somebody figure out what is wrong with this perl script and make it
>> work with Fedora please? Thank you so much.
>
> I do not have fedora up, your log was binary so I did not bother to
> look at it, but this might help.
>
> Under the first line, add
> use strict;
> use warnings;
> use diagnostics ;
>
> under "# Default value" change it to look like the following:
>
> my $dnsresolution=1;
> my $masqueradeonly=0;
> my $directonly=0;
> my $showheader=1;
> my $titre="Active Connections according to /proc/net/ip_conntrack";
>
> my $dstaddr;
> my $dstname;
> my $dstport;
> my $dstportname;
> my @ip_conntrack_brut ;
> my $nbspace;
> my $plpl;
> my $portname;
> my $proto;
> my $spacedestination;
> my $spaceport;
> my $spacesource;
> my $spacestate;
> my $srcaddr;
> my $srcname;
> my $srcport;
> my $srcportname;
> my $state;
>
> Next search for open (PROCNETBUFF and change it to
> open (PROCNETBUFF,"< /proc/net/ip_conntrack") or die "Opening /proc/net/ip_conntrack $!\n";

I added all that stuff like you said although the first part
$dnsresolution is allready there, just have to add the "my" in front of
it and add all the rest of the lines under the space with the word "my"
in front.

The PROCNETBUFF like was there and I modified it like you said, saved,
and ran it again. This is what happened:

[ohmster@ohmster conntrack-viewer-1.3]$ sudo ./conntrack-viewer.pl
Active Connections according to /proc/net/ip_conntrack
Proto Source Address Remote Address Service
State Masq Name Resolution
Use of uninitialized value in getservbyport at ./conntrack-viewer.pl
line 136 (#1)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a
mistake.
To suppress this warning assign a defined value to your variables.

To help you figure out what was undefined, perl tells you what
operation
you used the undefined value in. Note, however, that perl optimizes
your
program and the operation displayed in the warning may not
necessarily
appear literally in your program. For example, "that $foo" is
usually optimized into "that " . $foo, and the warning will refer to
the concatenation (.) operator, even though there is no . in your
program.

Use of uninitialized value in getservbyport at ./conntrack-viewer.pl
line 137 (#1)
Use of uninitialized value in length at ./conntrack-viewer.pl line 150
(#1)
Use of uninitialized value in length at ./conntrack-viewer.pl line 155
(#1)
Use of uninitialized value in length at ./conntrack-viewer.pl line 165
(#1)
Use of uninitialized value in concatenation (.) or string at
./conntrack-viewer.pl line 173 (#1)
Use of uninitialized value in string at ./conntrack-viewer.pl line 173
(#1)
tcp 6 431999 ESTABLISHED src=192.168.0.90 dst=86.155.151.74
sport=52559 dport=27653 packets=247 bytes=169979 src=86.155.151.74
dst=192.168.15.100 sport=27653 dport=52559 packets=208 bytes=9436 mark=0
secmark=0 use=1
Use of uninitialized value in string ne at ./conntrack-viewer.pl line
176 (#1)
Use of uninitialized value in subroutine entry at ./conntrack-viewer.pl
line
184 (#1)
Use of uninitialized value in gethostbyaddr at ./conntrack-viewer.pl
line 184 (#1)
Use of uninitialized value in subroutine entry at ./conntrack-viewer.pl
line
185 (#1)
Use of uninitialized value in gethostbyaddr at ./conntrack-viewer.pl
line 185 (#1)
: : [???]
UNRESOLVED! > UNRESOLVED!
tcp 6 313426 ESTABLISHED src=192.168.0.90 dst=81.190.213.86
sport=59106 dport=25342 packets=23 bytes=1935 src=81.190.213.86
dst=192.168.15.100 sport=25342 dport=59106 packets=22 bytes=2450 mark=0
secmark=0 use=1
: : [???]
UNRESOLVED! > UNRESOLVED!
udp 17 3 src=192.168.0.90 dst=82.4.239.209 sport=65094 dport=65094
packets=1 bytes=105 src=82.4.239.209 dst=192.168.15.100 sport=65094
dport=65094 packets=0 bytes=0 mark=0 secmark=0 use=1
: : [???]
UNRESOLVED! > UNRESOLVED!

[ohmster@ohmster conntrack-viewer-1.3]$

(I had to stop it with control-c)

Is that what is supposed to happen? I looked so nice on the author's
page.

> Now, save, exit and test again.


--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.

On 2008-03-21, Michael Heiming <michael+USENET@www.heiming.de> wrote:
> In alt.os.linux Ohmster <ohmster@dev.nul.invalid>:i>

[..]
>> http://www.ohmster.com/~ohmster/temp/putty.log
>
> Man, is that a slow download and it contains 99,9% of the same
> warning message...

It is a cablemodem but my roommate likes to dog it with bittorrent. I
want this script to see how bad it is and then do something about it. I
currently use iftop for now.

>> If anybody wants the conntrack perl script and cannot get it from the
>> very busy server, I have it here if you want it:
>> http://www.ohmster.com/~ohmster/misc...wer-1.3.tar.gz
>
>> Can somebody figure out what is wrong with this perl script and make it
>> work with Fedora please? Thank you so much.
>
> Works for me on CentOS5, which is RHEL5. You need either remove
> the "-w" switch in the shebang to get rid of the warnings, or
> declare the vars properly "my (..);" to avoid them.

What do you mean get rid of the -w, where is this -w that you are
talking about? I don't know how to declare the vars properly and am
asking for help in understanding it or at least how do you do that.

> Anything else seems to work for me. Though I am by no means a
> perl guru, the script doesn't look like rocket science to me.
>

Thanks.
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.

On Fri, 21 Mar 2008 01:44:26 -0500, Ohmster wrote:

> What do you mean get rid of the -w, where is this -w that you are
> talking about?

End of first line :-D

You will need to change your new conntrack-viewer.p to look as follows:

#!/usr/bin/perl
# use strict;
# use warnings;
# use diagnostics ;
#
# ================================================== ====



> I don't know how to declare the vars properly and am
> asking for help in understanding it or at least how do you do that.


When you use -w or
use strict;
use warnings;

The variable has to be declared before being used, Example:
my $dstport;

and depending on what you are doing, set the var to a known state/value.
Example:


my $dstport="";

You might want to use "locate" or "find" to find *.pl programs for coding
examples.

The carbonbased lifeform Ohmster inspired alt.os.linux with:
> I would like to use Patrick Lagac'e' Conntrack-Viewer in Fedora 6 to see
> who is logged in on NAT and what they are doing. I use the Linux box as
> a firewall and router. Used to be one could simply do a:
> sudo cat /proc/net/ip_conntrack
[ >8 unwilling perl script story ]

Alternatively, try netstat-nat in this perl program's stead.
http://www.tweegy.nl/projects/netstat-nat/index.html

Theo
--
theo at van-werkhoven.nl ICQ:277217131 SuSE Linux
linuxcounter.org: 99872 Jabber:muadib at jabber.xs4all.nl AMD XP3000+ 1024MB
"ik _heb_ niets tegen Microsoft, ik heb iets tegen
de uitwassen *van* Microsoft"

In alt.os.linux Ohmster <ohmster@dev.nul.invalid>:
> On 2008-03-21, Michael Heiming <michael+USENET@www.heiming.de> wrote:
>> In alt.os.linux Ohmster <ohmster@dev.nul.invalid>:i>

[ perl script not working as expected ]
>>> http://www.ohmster.com/~ohmster/misc...wer-1.3.tar.gz
[..]
>> Works for me on CentOS5, which is RHEL5. You need either remove
>> the "-w" switch in the shebang to get rid of the warnings, or
>> declare the vars properly "my (..);" to avoid them.

> What do you mean get rid of the -w, where is this -w that you are
> talking about? I don't know how to declare the vars properly and am
> asking for help in understanding it or at least how do you do that.

There is only one time "-w" in the script, the first line the
shebang "#!/usr/bin/perl -w" this means to show warnings, if you
remove "-w" it will not display them anymore. Though the better
way is to declare them, just as Bit Twister showed you.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo zvpunry@urvzvat.qr | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 445: Browser's cookie is corrupted -- someone's
been nibbling on it.

On Thu, 20 Mar 2008 18:31:58 -0500, Ohmster wrote:
>
> But that still is way to much information to weed through. I did find a
> bitching perl script that will show you the output in an easy to read
> format called conntrack-viewer 1.3. It can be found on this page:
> http://cv.intellos.net/
>
> But it does not work with Fedora.
>
> Can somebody figure out what is wrong with this perl script and make it
> work with Fedora please? Thank you so much.

Well, I played with it on Mandriva Linux. It does not work like I
think it should, but I did not spend very much time on in.
I think it would be nice for it to show which service port
:ssh instead of :22.

Here is hack to test the function call for you to play with

$ cat r.pl

#!/usr/bin/perl
use strict;
use warnings;
use diagnostics ;
use Socket;

my $line = "tcp 6 119 TIME_WAIT src=192.168.1.131 dst=62.140.213.93 sport=5
5976 dport=80 packets=5 bytes=661 src=62.140.213.93 dst=192.168.1.131 sport=80 d
port=55976 packets=5 bytes=1219 [ASSURED] mark=0 secmark=0 use=1" ;
# my $line = "udp 17 28 src=192.168.1.131 dst=208.67.222.222 sport=1148 dpo
rt=53 packets=1 bytes=74 src=208.67.222.222 dst=192.168.1.131 sport=53 dport=114
8 packets=1 bytes=106 mark=0 secmark=0 use=1" ;

my @word = "" ;
my $tmp = "" ;
my $port = 0 ;
my $protocol = "";
my $rname = "" ;


$_ = $line ; # copy line into $_
$_ =~ s/=/ /g ; # change all = signs to spaces
@word = split (" ", $_) ; # parse $_ into word array using space separator


print "word[6] = $word[6] \n" ; # print 7'th word in the line

$protocol = $word[0] ;
$port = $word[9] ;
$rname = getservbyport ($port, $protocol ) ;

if ($rname) {} else { $rname = $port ; }

print " $rname\n" ;
#***************** end r.pl *************************************

Here is something to test on Fedora.
You can save it and run
diff -bBw original.pl this_file.pl
to see changes made. Be careful about line wrap.


#!/usr/bin/perl
use strict;
use warnings;
use diagnostics ;
#
# ================================================== ====
# CONNTRACK-VIEWER version 1.3
# http://cv.intellos.net
#
# by Patrick Lagace patou@sympatico.ca
#
# ================================================== ====
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#

use Socket;

# Default value
my $dnsresolution=1;
my $masqueradeonly=0;
my $directonly=0;
my $showheader=1;
my $titre="Active Connections according to /proc/net/ip_conntrack";

my $dstaddr="";
my $dstname="";
my $dstport=0;
my $dstportname="";
my $fn="/proc/net/ip_conntrack" ;
# $fn="test.data" ; # create with cp /proc/net/ip_conntrack > test.data
my $i=0;
my @ip_conntrack_brut ;
my $nbspace=0;
my $plpl=0;
my $portname="";
my $proto="";
my $spacedestination="";
my $spaceport="";
my $spacesource="";
my $spacestate="";
my $srcaddr="";
my $srcname="";
my $srcport=0;
my $srcportname="";
my $state="";
my @word="" ;

# ================================================== ====
# READ THE COMMAND LINE SWITCH
# ================================================== ====
if (($#ARGV)>-1){
for ($a=0;$a<($#ARGV+1);$a=$a+1){
if ($ARGV[$a] eq "-n"){
$dnsresolution=0;
} elsif ($ARGV[$a] eq "-nh"){
$showheader=0;
} elsif ($ARGV[$a] eq "-m"){
$masqueradeonly=1;
$titre="Active MASQUERADED Connections according to /proc/net/ip_conntrack";
} elsif ($ARGV[$a] eq "-d"){
$directonly=1;
$titre="Active DIRECT Connections according to /proc/net/ip_conntrack";
} else {
print "USAGE: ./conntrack-viewer [-n][-m][-d][-nh][-h]\n";
print "-n Numeric form only, no dns resolution (this is faster)\n";
print "-m Masqueraded connections only\n";
print "-d Direct connections only\n";
print "-nh Results only, hide header\n";
print "-h Print this help\n";
exit 1;
}
}
}


# ================================================== ====
# GET IP_CONNTRACK CONTENT
# ================================================== ====

open (PROCNETBUFF,"< $fn") or die "Opening $fn $!\n";
@ip_conntrack_brut = <PROCNETBUFF>;
close (PROCNETBUFF);


# ================================================== ====
# HEADER DISPLAY
# ================================================== ====
if ($showheader){
print "$titre\n";
print "Proto Source Address Remote Address Service State ";
if (!$masqueradeonly && !$directonly){
print "Masq";
}
if ($dnsresolution){
print " Name Resolution";
}
print "\n";
}


# ================================================== ====
# INTERPRETATING EACH LINE
# ================================================== ====
foreach (@ip_conntrack_brut){

$_ =~ s/=/ /g ; # change all = signs to spaces
@word = split (" ", $_) ; # parse $_ into word array using space separator
$proto = $word[0]; # save protocol

if ($proto eq "tcp"){
# tcp 6 119 TIME_WAIT src 192.168.1.131 dst 72.3.246.59 sport 51144 dport
# 0 1 2 3 4 5 6 7 8 9 10
# 80 packets 6 bytes 819 src 72.3.246.59 dst 192.168.1.131
# 11 12 13 14 15 16 17 18 19
# sport 80 dport 51144 packets 5 bytes 1497 [ASSURED] mark 0 secmark 0 use 1
# 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

$state = $word[3];
$srcaddr = $word[17];
$dstaddr = $word[19];
$srcport = $word[21];
$dstport = $word[23];
$plpl = $word[34];

} elsif ($proto eq "udp"){
# udp 17 29 src 192.168.1.131 dst 192.168.1.131 sport 49837 dport 53
# 0 1 2 3 4 5 6 7 8 9 10
# packets 1 bytes 67 src 192.168.1.131 dst 192.168.1.131 sport 53 dport 49837
# 11 12 13 14 15 16 17 18 19 20 21 22
# packets 1 bytes 294 mark 0 secmark 0 use 1
# 23 24 25 26 27 28 29 30 31 32

if ($word[15] ne "src") { # there is an extra state field in this line
$state = $word[15] ; # between word 14 and 15, so we need to
$i = 1 ; # move the rest down 1 location.
}
else {
$state = " ";
$i = 0 ;
}
$srcaddr = $word[16+$i];
$dstaddr = $word[18+$i];
$srcport = $word[20+$i];
$dstport = $word[22+$i];
$plpl = $word[32+$i];
}
$srcportname="";
$dstportname="";
if ($srcportname = getservbyport $srcport,$proto){ } else {$srcportname = "[???]";};
if ($dstportname = getservbyport $dstport,$proto){ } else {$dstportname = "[???]";};
if ($srcportname eq "[???]" && $dstportname eq "[???]"){$portname="[???]";}
if ($srcportname ne "[???]" && $dstportname eq "[???]"){$portname=$srcportname;}
if ($srcportname eq "[???]" && $dstportname ne "[???]"){$portname=$dstportname;}
if ($srcportname ne "[???]" && $dstportname ne "[???]"){$portname=$srcportname."-".$dstportname."\t";}




# ================================================== ====
# CALCULATE THE SPACE TO COMPLETE EACH COLUMN
# ================================================== ====
$spacesource="";
for($nbspace=1;$nbspace<25-((length $srcaddr)+(length $srcport));$nbspace=$nbspace+1){
$spacesource=$spacesource." ";
}

$spacedestination="";
for($nbspace=1;$nbspace<25-((length $dstaddr)+(length $dstport));$nbspace=$nbspace+1){
$spacedestination=$spacedestination." ";
}

$spaceport="";
for($nbspace=1;$nbspace<13-(length $portname);$nbspace=$nbspace+1){
$spaceport=$spaceport." ";
}

$spacestate="";
for($nbspace=1;$nbspace<15-(length $state);$nbspace=$nbspace+1){
$spacestate=$spacestate." ";
}

# ================================================== ====
# DISPLAYS THE RESULTS
# ================================================== ====
if (($masqueradeonly && ($srcaddr ne $plpl)) || (!$masqueradeonly && !$directonly)){
print "$proto\t$srcaddr:$srcport"."$spacesource"."$dstad dr:$dstport"."$spacedestination"."$portname".$spac eport."$state"."$spacestate";

if (!$masqueradeonly && !$directonly){
if ($srcaddr ne $plpl){
print "M\t";
}else{
print " \t";
}
}

if ($dnsresolution){
if ($srcname = gethostbyaddr(inet_aton($srcaddr),AF_INET)){ } else {$srcname = "UNRESOLVED!";};
if ($dstname = gethostbyaddr(inet_aton($dstaddr),AF_INET)){ } else {$dstname = "UNRESOLVED!";};
print "$srcname > $dstname";
}
print "\n";
}elsif ($directonly && ($srcaddr eq $plpl)) {
print "$proto\t$srcaddr:$srcport"."$spacesource"."$dstad dr:$dstport"."$spacedestination"."$portname".$spac eport."$state";

if ($dnsresolution){
if ($srcname = gethostbyaddr(inet_aton($srcaddr),AF_INET)){ } else {$srcname = "UNRESOLVED!";};
if ($dstname = gethostbyaddr(inet_aton($dstaddr),AF_INET)){ } else {$dstname = "UNRESOLVED!";};
print "$spacestate"."$srcname > $dstname";
}
print "\n";
}
}

exit;

__END__

"Theo v. Werkhoven" <theo@van-werkhoven.nl.invalid> wrote in
news:slrnfu6v0n.6hj.theo@ferrets4me.xs4all.nl:

> The carbonbased lifeform Ohmster inspired alt.os.linux with:
>> I would like to use Patrick Lagac'e' Conntrack-Viewer in Fedora 6 to see
>> who is logged in on NAT and what they are doing. I use the Linux box as
>> a firewall and router. Used to be one could simply do a:
>> sudo cat /proc/net/ip_conntrack
> [ >8 unwilling perl script story ]
>
> Alternatively, try netstat-nat in this perl program's stead.
> http://www.tweegy.nl/projects/netstat-nat/index.html
>
> Theo

Oh that worked pretty good. I downloaded the Suse source RPM and built it
on my Fedora box and it works quite well. It does not show the servive like
conntrack-viewer does, i.e.: kazzaa, icq, pop3, unless I have not figured
out how to work it yet, but it does seem to work. Wish it would show the
amount of traffic per connection but if-top does that pretty good. I can
use netstat-nat to see what connections belong to who and iftop to see the
traffic flow.

Thanks Theo.

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

Bit Twister <BitTwister@mouse-potato.com> wrote in news:slrnfu80dm.4qr.BitTwister@wm81.home.test:

>> Can somebody figure out what is wrong with this perl script and make it
>> work with Fedora please? Thank you so much.
>
> Well, I played with it on Mandriva Linux. It does not work like I
> think it should, but I did not spend very much time on in.
> I think it would be nice for it to show which service port
>:ssh instead of :22.
>
> Here is hack to test the function call for you to play with
>
> $ cat r.pl

Oh my goodness, you really went at it Bit Twister! I agree, it would be neat to see
the service like kazzaa, pop3, icq, etc, rather than port 22. I tried out Theo's
netstat-nat and it works pretty good, it does give service names for what it knows
like http and of course a lot of port numbers and it lists tcp connections first, then
udp connections. Does not show how much traffic on each connection though.
That would be neat to know just what connections are eating up the bandwidth but
iftop does that job pretty good.

I don't think the linewrap was a problem here Bit, you did not wrap it or so it
seems and from what I see, it looks good. I was able to copy and paste the
whole shebang into vim and saved it as natview, then chomodded it to executable
and ran it, even as root in case that was necessary but the results were not good.
This is *way* over my head and I don't expect you to fix it but here are the results
of running "natview" on my machine:


-------------------------------------------------------------------
[ohmster@ohmster scripts]$ sudo ./natview
Bareword found where operator expected at ./natview line 11, near "53 packets" (#1)
(S syntax) The Perl lexer knows whether to expect a term or an operator.
If it sees what it knows to be a term when it was expecting to see an
operator, it gives you this warning. Usually it indicates that an
operator or delimiter was omitted, such as a semicolon.

(Missing operator before packets?)
Bareword found where operator expected at ./natview line 11, near "1 bytes" (#1)
(Missing operator before bytes?)
Bareword found where operator expected at ./natview line 11, near "74 src" (#1)
(Missing operator before src?)
Bareword found where operator expected at ./natview line 11, near
"208.67.222.222 dst" (#1)
(Missing operator before dst?)
Bareword found where operator expected at ./natview line 11, near
"192.168.1.131 sport" (#1)
(Missing operator before sport?)
Bareword found where operator expected at ./natview line 11, near "53 dport" (#1)
(Missing operator before dport?)
Number found where operator expected at ./natview line 12, near "8" (#1)
(Missing semicolon on previous line?)
Bareword found where operator expected at ./natview line 12, near "8 packets" (#1)
(Missing operator before packets?)
Bareword found where operator expected at ./natview line 12, near "1 bytes" (#1)
(Missing operator before bytes?)
Bareword found where operator expected at ./natview line 12, near "106 mark" (#1)
(Missing operator before mark?)
Bareword found where operator expected at ./natview line 12, near "0 secmark" (#1)
(Missing operator before secmark?)
String found where operator expected at ./natview line 14, near "my @word = ""
(Might be a runaway multi-line "" string starting on line 12) (#1)
(Missing semicolon on previous line?)

Possible unintended interpolation of @word in string at ./natview line 12 (#2)
(W ambiguous) You said something like `@foo' in a double-quoted string
but there was no array @foo in scope at the time. If you wanted a
literal @foo, then write it as \@foo; otherwise find out what happened
to the array you apparently lost track of.

String found where operator expected at ./natview line 15, near "my $tmp = ""
(Might be a runaway multi-line "" string starting on line 14) (#1)
(Missing semicolon on previous line?)
String found where operator expected at ./natview line 17, near "my $protocol = ""
(Might be a runaway multi-line "" string starting on line 15) (#1)
(Missing semicolon on previous line?)
String found where operator expected at ./natview line 18, near "my $rname = ""
(Might be a runaway multi-line "" string starting on line 17) (#1)
(Missing semicolon on previous line?)
String found where operator expected at ./natview line 23, near "@word = split (""
(Might be a runaway multi-line "" string starting on line 18) (#1)
(Missing semicolon on previous line?)
Possible unintended interpolation of @word in string at ./natview line 18 (#2)
String found where operator expected at ./natview line 26, near "print ""
(Might be a runaway multi-line "" string starting on line 23) (#1)
(Missing semicolon on previous line?)
Bareword found where operator expected at ./natview line 26, near "print "word" (#1)
(Do you need to predeclare print?)
Backslash found where operator expected at ./natview line 26, near "] \" (#1)
(Missing operator before \?)
String found where operator expected at ./natview line 34, near "print ""
(Might be a runaway multi-line "" string starting on line 26) (#1)
(Missing semicolon on previous line?)
Scalar found where operator expected at ./natview line 34, near "print "
$rname" (#1)

syntax error at ./natview line 11, near "53 packets"
"use" not allowed in expression at ./natview line 12, near "0 "
Global symbol "@word" requires explicit package name at ./natview line 12.
Global symbol "$tmp" requires explicit package name at ./natview line 14.
Global symbol "$port" requires explicit package name at ./natview line 15.
Global symbol "$protocol" requires explicit package name at ./natview line 15.
Global symbol "$rname" requires explicit package name at ./natview line 17.
Global symbol "@word" requires explicit package name at ./natview line 18.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
../natview has too many errors (#3)
(F) Probably means you had a syntax error. Common reasons include:

A keyword is misspelled.
A semicolon is missing.
A comma is missing.
An opening or closing parenthesis is missing.
An opening or closing brace is missing.
A closing quote is missing.

Often there will be another error message associated with the syntax
error giving more information. (Sometimes it helps to turn on -w.)
The error message itself often tells you where it was in the line when
it decided to give up. Sometimes the actual error is several tokens
before this, because Perl is good at understanding random input.
Occasionally the line number may be misleading, and once in a blue moon
the only way to figure out what's triggering the error is to call
perl -c repeatedly, chopping away half the program each time to see
if the error went away. Sort of the cybernetic version of S<20
questions>.

Uncaught exception from user code:
syntax error at ./natview line 11, near "53 packets"
"use" not allowed in expression at ./natview line 12, near "0 "
Global symbol "@word" requires explicit package name at ./natview line 12.
Global symbol "$tmp" requires explicit package name at ./natview line 14.
Global symbol "$port" requires explicit package name at ./natview line 15.
Global symbol "$protocol" requires explicit package name at ./natview line 15.
Global symbol "$rname" requires explicit package name at ./natview line 17.
Global symbol "@word" requires explicit package name at ./natview line 18.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "@word" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
Global symbol "$protocol" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$rname" requires explicit package name at ./natview line 26.
Global symbol "$port" requires explicit package name at ./natview line 26.
../natview has too many errors.
at ./natview line 34
[ohmster@ohmster scripts]$
-------------------------------------------------------------------

I sure as hell do appreciate your effort though, Bit Twister.
Thank you very much.

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is Message Body, not Subject!)
to pass my spam filter.

On Sat, 22 Mar 2008 12:30:19 -0500, Ohmster wrote:
> Bit Twister <BitTwister@mouse-potato.com> wrote in news:slrnfu80dm.4qr.BitTwister@wm81.home.test:
>
>>> Can somebody figure out what is wrong with this perl script and make it
>>> work with Fedora please? Thank you so much.

I need you to post the distribution release
cat /etc/redhat-release

and I also need a conntrack sample to parse. Get into a root terminal,

You may have to spin up a browser, pick
some web page say http://www.news.com/
and just after it comes up, in the root terminal do a

cat /proc/net/ip_conntrack > test.data


Verify test.data has udp and tcp lines before posting test.data.

On Sat, 22 Mar 2008 12:30:19 -0500, Ohmster wrote:
>
> Oh my goodness, you really went at it Bit Twister! I agree, it would be neat to see
>
>
> -------------------------------------------------------------------
> [ohmster@ohmster scripts]$ sudo ./natview
> Bareword found where operator expected at ./natview line 11, near
"53 packets" (#1)

Here try this one, starting with line #!/usr/bin/perl


#!/usr/bin/perl
use strict ; # force definations for all vars an subroutines
use warnings ; # force check of unset variables in expressions
use diagnostics ; # give var/code line number on faults
#
# ================================================== ====
# CONNTRACK-VIEWER version 1.3
# http://cv.intellos.net
#
# by Patrick Lagace patou@sympatico.ca
#
# ================================================== =======================
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Modified Sun Mar 23 2008 to support ip_conntrack or nf_conntrack formats
#
# ================================================== =========================
#

use Socket; # gethostbyaddr, getservbyport functions

# default values
my $deb_flg=0; # Debugging flag
my $directonly=0;
my $dnsresolution=1;
my $masqueradeonly=0;
my $showheader=1;


my $dstaddr=""; # destination ip address
my $dstname=""; # destination port name
my $dstport=0; # destination port number
my $dstportname=""; # destination port name
my $fn=""; # connection information name
my @ip_conntrack_brut="" ; # array for connection strings
my $mdstaddr=""; # masq destination ip address
my $mdstport=0; # masq destination port number
my $msrcaddr=""; # masq source address
my $msrcport=0; # masq source port
my $mstaddr=""; # masq source ip address
my $nbspace=0; # temp number of spaces storage
my $offset=0 ; # offset to protocol column (zero relative)
my $portname=""; # port name
my $proto=""; # protocol (tcp, udp, unknown,...)
my $spacedestination=""; # temp destination string for printing
my $spaceport=""; # temp port string for printing
my $spacesource=""; # temp source string for printing
my $spacestate=""; # temp state string for printing
my $srcaddr=""; # source address
my $srcname=""; # spirce name
my $srcport=0; # source port
my $srcportname=""; # source port name
my $state=""; # connection state
my $titre=""; # display header
my $tmp=""; # temp string storage
my @word="" ; # temp Word array for parsing

#

# ================================================== ====
# Main code starts here
# ================================================== ====

# ==========================================
# Figure out which conntrack file to use.
# ==========================================

if ( -e "/proc/net/nf_conntrack") {
$fn = "/proc/net/nf_conntrack" ;
$offset = 2 ; # set offset to protocol column (zero relative)
} elsif ( -e "/proc/net/ip_conntrack") {
$fn = "/proc/net/ip_conntrack" ;
$offset = 0 ; # set offset to protocol column
} else {
print "\nThis distribution has neither /proc/net/nf_conntrack\n" ;
print "or /proc/net/ip_conntrack.\n" ;
print "Program will have to be modified or it will not run\n" ;
print "on this distribution.\n" ;
exit 1 ;
}

# ================================================== ====
# READ THE COMMAND LINE SWITCH
# ================================================== ====
if (($#ARGV)>-1){
for ($a=0;$a<($#ARGV+1);$a=$a+1){
if ($ARGV[$a] eq "-n"){
$dnsresolution=0;
} elsif ($ARGV[$a] eq "-nh"){
$showheader=0;
} elsif ($ARGV[$a] eq "-m"){
$masqueradeonly=1;
$titre="Active MASQUERADED Connections according to $fn";
} elsif ($ARGV[$a] eq "-d"){
$directonly=1;
$titre="Active DIRECT Connections according to $fn";
} elsif ($ARGV[$a] eq "debug"){
$deb_flg = 1 ;
} else {
print "USAGE: ./conntrack-viewer.pl debug [-n][-m][-d][-nh][-h]\n";
print "-n Numeric form only, no dns resolution (this is faster)\n";
print "-m Masqueraded connections only\n";
print "-d Direct connections only\n";
print "-nh Results only, hide header\n";
print "-h Print this help\n";
print "debug Assumes test.data contains test data created by a\n";
print " cat $fn > test.data\n";
exit 1;
}
}
}

if ($deb_flg == 1) {
$fn = "test.data" ; # see "conntrack-viewer.pl -h" for creation
}

#
# ================================================== ====
# GET IP_CONNTRACK CONTENT
# ================================================== ====

open (PROCNETBUFF,"< $fn") or die "Opening $fn $!\n";
@ip_conntrack_brut = <PROCNETBUFF>;
close (PROCNETBUFF);

# ================================================== ====
# HEADER DISPLAY SETUP
# ================================================== ====

$titre="Active Connections according to $fn ";

if ($showheader){
print "$titre\n";
print "Proto Source Address Remote Address Service State ";
if (!$masqueradeonly && !$directonly){
print "Masq";
}
if ($dnsresolution){
print " Name Resolution";
}
print "\n";
}


# ================================================== ====
# INTERPRETATING EACH LINE
# ================================================== ====

foreach (@ip_conntrack_brut){

chomp ; # remove newline char.
$tmp = $_ ; # save conntrack line
@word = split (" ", $tmp) ; # parse based on spaces

$proto = $word[0+$offset] ; # save protocol (tcp, udp, unknown...)

if ($proto eq "tcp"){ # then fetch tcp's state
$state = $word[3+$offset] ;
}
else {
$state = " "; # other protocols have no state
}

($srcaddr, $msrcaddr) = ($tmp =~ /\ssrc=(\S+)\b/gi) ;
($dstaddr, $mdstaddr) = ($tmp =~ /\sdst=(\S+)\b/gi) ;


# ================================================== ==
# just in case line does not have sport/dport fields,
# like an unknown protocol line, we'll add them to the
# end of line and then parse it.
# ================================================== ==

$_ = sprintf ("$tmp sport=0 dport=0 sport=0 dport=0") ;
($srcport, $msrcport) = ($_ =~ /\ssport=(\S+)\b/gi) ;
($dstport, $mdstport) = ($_ =~ /\sdport=(\S+)\b/gi) ;


$srcportname="";
$dstportname="";
if ($srcportname = getservbyport $srcport,$proto){ } else {$srcportname = "[???]";};
if ($dstportname = getservbyport $dstport,$proto){ } else {$dstportname = "[???]";};
if ($srcportname eq "[???]" && $dstportname eq "[???]"){$portname="[???]";}
if ($srcportname ne "[???]" && $dstportname eq "[???]"){$portname=$srcportname;}
if ($srcportname eq "[???]" && $dstportname ne "[???]"){$portname=$dstportname;}
if ($srcportname ne "[???]" && $dstportname ne "[???]"){$portname=$srcportname."-".$dstportname."\t";}

# ================================================== ====
# CALCULATE THE SPACE TO COMPLETE EACH COLUMN
# ================================================== ====

$spacesource="";
for($nbspace=1;$nbspace<25-((length $srcaddr)+(length $srcport));$nbspace=$nbspace+1){
$spacesource=$spacesource." ";
}

$spacedestination="";
for($nbspace=1;$nbspace<25-((length $dstaddr)+(length $dstport));$nbspace=$nbspace+1){
$spacedestination=$spacedestination." ";
}

$spaceport="";
for($nbspace=1;$nbspace<13-(length $portname);$nbspace=$nbspace+1){
$spaceport=$spaceport." ";
}

$spacestate="";
for($nbspace=1;$nbspace<15-(length $state);$nbspace=$nbspace+1){
$spacestate=$spacestate." ";
}

# ================================================== ====
# DISPLAYS THE RESULTS
# ================================================== ====

if (($masqueradeonly && ($srcaddr ne $msrcaddr)) || (!$masqueradeonly && !$directonly)){
print "$proto\t$srcaddr:$srcport"."$spacesource"."$dstad dr:$dstport"."$spacedestination"."$portname".$spac eport."$state"."$spacestate";

if (!$masqueradeonly && !$directonly){
if ($srcaddr ne $msrcaddr ){
print "M\t";
}else{
print " \t";
}
}

if ($dnsresolution){
if ($srcname = gethostbyaddr(inet_aton($srcaddr),AF_INET)){ } else {$srcname = "UNRESOLVED!";};
if ($dstname = gethostbyaddr(inet_aton($dstaddr),AF_INET)){ } else {$dstname = "UNRESOLVED!";};
print "$srcname > $dstname";
}
print "\n";
}elsif ($directonly && ($srcaddr eq $msrcaddr)) {
print "$proto\t$srcaddr:$srcport"."$spacesource"."$dstad dr:$dstport"."$spacedestination"."$portname".$spac eport."$state";

if ($dnsresolution){
if ($srcname = gethostbyaddr(inet_aton($srcaddr),AF_INET)){ } else {$srcname = "UNRESOLVED!";};
if ($dstname = gethostbyaddr(inet_aton($dstaddr),AF_INET)){ } else {$dstname = "UNRESOLVED!";};
print "$spacestate"."$srcname > $dstname";
}
print "\n";
}
} # end foreach (@ip_conntrack_brut)

exit;


__END__
#==================== end conntrack-viewer.pl ================================

On 2008-03-22, Bit Twister <BitTwister@mouse-potato.com> wrote:
> On Sat, 22 Mar 2008 12:30:19 -0500, Ohmster wrote:
>> Bit Twister <BitTwister@mouse-potato.com> wrote in news:slrnfu80dm.4qr.BitTwister@wm81.home.test:
>>
>>>> Can somebody figure out what is wrong with this perl script and make it
>>>> work with Fedora please? Thank you so much.
>
> I need you to post the distribution release
> cat /etc/redhat-release

[ohmster@ohmster ~]$ cat /etc/redhat-release
Fedora Core release 6 (Zod)
[ohmster@ohmster ~]$

> and I also need a conntrack sample to parse. Get into a root terminal,
>
> You may have to spin up a browser, pick
> some web page say http://www.news.com/
> and just after it comes up, in the root terminal do a
>
> cat /proc/net/ip_conntrack > test.data
>
>
> Verify test.data has udp and tcp lines before posting test.data.
>

Okay I got it, did not have to run a browser, my PC and my roommie's
computer are on the net all the time, both udp and tcp content are
present but I really don't understand the line wrap in this file,
test.data. It seems to go on forever. Oh, it saved as a standard UNIX
ANSI text file and can be viewed with no line wrap. I might do best to
zip it and give you a link or just post to web and give link. Oh, it
shows up real well in a web browser, here ya go Bit:
http://www.ohmster.com/~ohmster/test/test.data

What do you think? Thanks for your help.

--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.

On 2008-03-25, Bit Twister <BitTwister@mouse-potato.com> wrote:
> On Sat, 22 Mar 2008 12:30:19 -0500, Ohmster wrote:
>>
>> Oh my goodness, you really went at it Bit Twister! I agree, it would be neat to see
>>
>>
>> -------------------------------------------------------------------
>> [ohmster@ohmster scripts]$ sudo ./natview
>> Bareword found where operator expected at ./natview line 11, near
> "53 packets" (#1)
>
> Here try this one, starting with line #!/usr/bin/perl
[..]

Wow, boy oh boy did that ever work, Bit! Does yours do the command line
switches too, Bit?

>> Usage

usage: ./conntrack-viewer [-n][-m][-d][-nh][-h]
-n Numeric form only, no dns resolution (this is faster)
-m Shows Masqueraded connections only, no direct connections
-d Shows Direct connections only, no masqueraded connections
-nh NoHeader, shows only the results without any header
-h Print this help

The output is going to wrap like crap in here, let me see if I can do
the web thingy again...
Wow, look how cool!

usage: ./conntrack-viewer [-n][-m][-d][-nh][-h]
-n Numeric form only, no dns resolution (this is faster)
-m Shows Masqueraded connections only, no direct connections
-d Shows Direct connections only, no masqueraded connections
-nh NoHeader, shows only the results without any header
-h Print this help

sudo conntrack-viewer.pl
http://www.ohmster.com/~ohmster/test/plain.data

sudo conntrack-viewer.pl -n
http://www.ohmster.com/~ohmster/test/n.data

sudo conntrack-viewer.pl -m
http://www.ohmster.com/~ohmster/test/m.data

sudo conntrack-viewer.pl -d
http://www.ohmster.com/~ohmster/test/d.data

sudo conntrack-viewer.pl -nh
http://www.ohmster.com/~ohmster/test/nh.data

sudo conntrack-viewer.pl -h
http://www.ohmster.com/~ohmster/test/h.data

It shows the service and everything! I already have it aliased to
natview as "sudo conntrack-viewer.pl" to make it easy to run. I chmodded
it to executable and keep it in my scripts directory that is in my path
and now with the alias, it will be easier to run. Oh thanks dude, you
are...

.... DA MAN!
--
~Ohmster | ohmster /a/t/ ohmster dot com
Put "messageforohmster" in message body
(That is MESSAGE BODY, not Subject!)
to pass my spam filter.