Monitor TCP Traffic on specific port

I've searched quite extensively for this, but cannot seem to come up with a working example.

My objective is to monitor TCP traffic on a specific port to see incoming connections and write them to a text file. The catch is I also need a timestamp on each row to show exactly when the client connected down to the second.

I've already exhausted netstat, nmap, and tcptrack, but none support timestamp.

I was thinking a linux shell script might work if I monitored a specific local port and wrote text to a file when a connection is made then just concatenate the date on each line.

I was playing with this:

netstat -ano|grep 443|grep ESTABLISHED

as well as this:

tcptrack -i eth0 port 443

but neither suit my needs as I need the time the connection comes in at.

If you have any suggestions or could point me in the right direction it would be greatly appreciated.

Thanks. :)


edit: I'm still getting upvotes for this years later. Please don't go for this answer, the answer using iptables here is far superior in my opinion.


tcpdump port 443 and '(tcp-syn|tcp-ack)!=0'

or only tcp-syn, or only tcp-ack (my guess would be that one), depending on what you need.


You can use the iptables support in the Linux kernel for this. The upside is that it doesn't require any extra software to be moderately useful. The downside is that it requires root privileges to set up (but given that you are talking about port 443, which is a privileged port, you probably need root privileges with most solutions).

Add an iptables rule with something like:

sudo iptables -I INPUT -p tcp --dport 443 --syn -j LOG --log-prefix "HTTPS SYN: "

(Adjust the -I INPUT part to suit your taste.)

When the rule is triggered, a syslog entry will be emitted by the kernel. For example, with an input rule, the log entry may look something like:

Dec 5 09:10:56 hostname kernel: [1023963.185332] HTTPS SYN: IN=ifX OUT= MAC=80:80:80:80:80:80:80:80:80:80:80:80:08:00 SRC=A.B.C.D DST=W.X.Y.Z LEN=52 TOS=0x00 PREC=0x20 TTL=119 ID=11901 DF PROTO=TCP SPT=37287 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0

You can then use any run-of-the-mill log monitoring tool to do something useful with this information. If your syslog implementation supports it, you can even direct these into a separate log file, effectively fulfilling your requirement to write the connection data to a file timestamped to the second with no additional software.

Note that the LOG target is a non-terminating target, which means that any rules following it will still be evaluated, and the packet will not be either rejected or accepted by the LOG rule itself. This makes the LOG target useful also for debugging firewall rules.

To avoid flooding your log, consider using the limit module in conjunction with this. See the iptables(8) man page for details.


Micro-Second Resolution

By default, the tcpdump utility will report time with micro-second resolution. For example:

$ sudo tcpdump -i any port 443

will show output similar to the following:

12:08:14.028945 IP localhost.33255 > localhost.https: Flags [S], seq 1828376761, win 43690, options [mss 65495,sackOK,TS val 108010971 ecr 0,nop,wscale 7], length 0
12:08:14.028959 IP localhost.https > localhost.33255: Flags [R.], seq 0, ack 1828376762, win 0, length 0

See tcpdump(8) for a full list of tcpdump options, and pcap-filter(7) for the complete syntax of the filters you can use.