Who is Connecting to What
Combining the previous two examples produces a useful one-liner that quickly identifies who is connecting to what:
    # dtrace -n 'tcp:::accept-established { @[args[3]->tcps_raddr, args[3]->tcps_lport] = count(); }'
    dtrace: description 'tcp:::state-change' matched 1 probes
    ^C
      192.0.2.35/27                                  40648         1
      fe80::214:4fff:fe8d:59aa                          22         1
      192.0.2.14/27                                     22         3
The preceding output shows there were three TCP connections from 192.0.2.14/27 to port 22 (ssh).
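On a busy host the aggregation can run to many rows, so it helps to roll it up per listening port. The following is an added example, not part of the original page: the function names `sample_output` and `summarize_accepts` are hypothetical, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Constructed sample: the dtrace output shown above, including the banner
# and ^C lines that are not aggregation rows.
sample_output() {
cat <<'EOF'
dtrace: description 'tcp:::state-change' matched 1 probes
^C
  192.0.2.35/27                                  40648         1
  fe80::214:4fff:fe8d:59aa                          22         1
  192.0.2.14/27                                     22         3
EOF
}

# Reads dtrace output on stdin and prints one line per local port:
#   <local port> <total accepted connections> <distinct remote addresses>
# sorted with the busiest port first (ties broken by port number).
summarize_accepts() {
    awk '
        # Aggregation rows have exactly three fields: raddr, lport, count.
        # The numeric checks skip the banner, ^C and any other noise.
        NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            total[$2] += $3
            key = $1 " " $2
            # Count each remote address once per port.
            if (!(key in seen)) { seen[key] = 1; peers[$2]++ }
        }
        END { for (p in total) print p, total[p], peers[p] }
    ' | sort -k2,2nr -k1,1n
}

# Stand-alone run against the constructed sample.
sample_output | summarize_accepts
```

In practice, redirect the one-liner's output to a file and feed that file to `summarize_accepts` on standard input.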