Saturday 6 August 2016

Monitoring inbound and outbound network connections

tcpspy is an administrator’s tool that logs information about incoming and outgoing TCP/IP connections including local address, remote address, and the username of the user responsible for the connection. Connections are selected for logging with rules, similar to the filter expressions accepted by tcpdump and other libpcap-based applications (tcpspy does not, however, use libpcap).

First install the monitoring tool. For apt-based systems, we install it as:
aptitude install tcpspy
Once installed it will start as a daemon and begin logging all incoming and outgoing connections to syslog.
If you want to log only a particular type of connection, say all connections to port 22 (ssh), the rules file comes in handy. In /etc/tcpspy.rules, just put:
lport 22
That is all it takes. Of course, you then need to restart the tcpspy service:
/etc/init.d/tcpspy restart
Or replace 22 with ssh, or with any other service name from /etc/services, to log connections for that service.
Limiting monitoring to a specific network is also incredibly easy. Suppose I want to log all TCP connections from my local network, 192.168.22.0; I would simply put the following in /etc/tcpspy.rules:
raddr 192.168.22.0
The fun does not stop there. I can even log connections initiated or accepted by a specific local user, like so:
user "username"
For more info, visit http://directory.fsf.org/project/tcpspy/ or see the manual page for tcpspy.
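Since tcpspy's value over a plain packet capture is the username on each connection, the logs are most useful once you summarise them per user. The script below is an added example, not part of the original post or of tcpspy itself: it parses a constructed syslog excerpt laid out in the shape of tcpspy's connect/disconnect lines (the field order is an assumption; check `man tcpspy` for the format your build emits), counts new connections per user, and flags connections by a service account to remote ports outside an allowlist.

```python
import re
from collections import Counter

# Constructed sample syslog excerpt in the shape of tcpspy "connect"/"disconnect"
# entries (assumed layout; check `man tcpspy` for the -f format on your system).
SAMPLE_LOG = """\
Aug  6 10:01:12 host tcpspy[812]: connect: user alice, local 192.168.22.5:51234, remote 203.0.113.7:22
Aug  6 10:01:40 host tcpspy[812]: connect: user www-data, local 192.168.22.5:80, remote 192.168.22.40:50112
Aug  6 10:02:03 host tcpspy[812]: connect: user www-data, local 192.168.22.5:43011, remote 198.51.100.9:9001
Aug  6 10:02:30 host tcpspy[812]: disconnect: user alice, local 192.168.22.5:51234, remote 203.0.113.7:22
Aug  6 10:03:15 host tcpspy[812]: connect: user bob, local 192.168.22.5:22, remote 192.168.22.17:60200
Aug  6 10:03:20 host kernel: unrelated line that must be ignored
"""

LINE_RE = re.compile(
    r"tcpspy\[\d+\]: (?P<event>connect|disconnect): user (?P<user>\S+), "
    r"local (?P<laddr>[\d.]+):(?P<lport>\d+), remote (?P<raddr>[\d.]+):(?P<rport>\d+)"
)

def parse(log):
    """Return one dict per tcpspy line; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            d = m.groupdict()
            d["lport"], d["rport"] = int(d["lport"]), int(d["rport"])
            events.append(d)
    return events

def connects_per_user(events):
    """Count new ('connect') events per local user."""
    return Counter(e["user"] for e in events if e["event"] == "connect")

def unexpected_service_connections(events, allowed_rports):
    """Flag connects by service accounts to remote ports outside their allowlist.
    allowed_rports maps user -> set of remote ports it may talk to. A connection is
    treated as outbound when the local port is ephemeral (>= 1024); that is a heuristic,
    since the assumed log layout does not record direction explicitly."""
    flagged = []
    for e in events:
        if e["event"] != "connect" or e["user"] not in allowed_rports:
            continue
        if e["lport"] >= 1024 and e["rport"] not in allowed_rports[e["user"]]:
            flagged.append((e["user"], e["raddr"], e["rport"]))
    return flagged

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(connects_per_user(evs))
    print(unexpected_service_connections(evs, {"www-data": {3306, 443}}))
```

On a real host, feed it the tcpspy lines grepped out of /var/log/syslog instead of SAMPLE_LOG.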

Thanks