UDP open ports monitoring
list Christian
Hi. I would like to monitor UDP ports as TCP ports, with the client module, and a display in the "ports" column. I don't understand why this module is limited to TCP connections, and I would like to extend it to active UDP connections. Why does the client module run a "netstat -ant" command (file "xymonclient-linux.sh")? Is there a reason not to add UDP connections as well? What would be the best solution? Clone the section and run a "netstat -anu"? Patch the existing client and run "netstat -antu"? Another solution? Thanks. -- Christian
list Henrik Størner
On 16-03-2014 13:42, Christian wrote:
> Hi. I would like to monitor UDP ports as TCP ports, with the client module, and a display in the "ports" column. I don't understand why this module is limited to TCP connections, and I would like to extend it to active UDP connections. Why does the client module run a "netstat -ant" command (file "xymonclient-linux.sh")? Is there a reason not to add UDP connections as well?

UDP doesn't have "connections" as such, so you will only be able to list the ports where there is a local process listening for incoming datagrams. That might make sense in some cases, but you can usually do this just by looking for the right process to be running.

> What would be the best solution? Clone the section and run a "netstat -anu"? Patch the existing client and run "netstat -antu"? Another solution?

I tried with the Linux client, and you can change the existing client code to run "netstat -antu" instead of just "netstat -ant" - this won't cause any problems. I am not sure if the server-side of the client will be able to pick up those UDP ports, because they haven't got anything in the "State" column. You'll have to try that.

Regards, Henrik
list Christian Simonetti
On Sun, 16 Mar 2014 15:22:47 +0100, Henrik Størner <user-ce4a2c883f75@xymon.invalid> wrote:
> On 16-03-2014 13:42, Christian wrote:
>> Hi. I would like to monitor UDP ports as TCP ports, with the client module, and a display in the "ports" column. I don't understand why this module is limited to TCP connections, and I would like to extend it to active UDP connections. Why does the client module run a "netstat -ant" command (file "xymonclient-linux.sh")? Is there a reason not to add UDP connections as well?
> UDP doesn't have "connections" as such, so you will only be able to list the ports where there is a local process listening for incoming datagrams. That might make sense in some cases, but you can usually do this just by looking for the right process to be running.
>> What would be the best solution? Clone the section and run a "netstat -anu"? Patch the existing client and run "netstat -antu"? Another solution?
> I tried with the Linux client, and you can change the existing client code to run "netstat -antu" instead of just "netstat -ant" - this won't cause any problems. I am not sure if the server-side of the client will be able to pick up those UDP ports, because they haven't got anything in the "State" column. You'll have to try that. Regards, Henrik

Hi, I tried to "patch" the client and run "netstat -antu". Everything works very well, even though there is no STATE of course (because of UDP). I can check both TCP and UDP connections.

Well, you're right, my checks are to see if a "server" socket is opened. Both for TCP and UDP connections. But the main usage I have, for both TCP and UDP, is to check the negative: I have an exhaustive list of ports that should be opened, and I check if no other port is opened. For example, I have one line telling:

--- cut here ---
PORT LOCAL=%100.100.100.100[.:].* EXLOCAL=%[.:](22|25|53|80|443|993|1984)$ STATE=LISTEN MAX=0 "TEXT=public tcp bad listeners"
--- cut here ---

And I am able to do the same thing with UDP server connections. To grep a UDP "server" socket, I use:

--- cut here ---
PORT LOCAL=100.100.100.100:1194 EXSTATE=%([:graph:]) TEXT=openvpn
--- cut here ---

With that regex, I capture all lines with no "STATE" (thus UDP connections).

So my question is really that I would like to use the functionality of the client "ports" probe. And I wonder if the philosophy of the "ports" probe is only to check stateful connections (aka TCP) and thus I have to clone it and create a "ports2" to check UDP, or if this probe could be patched to check also UDP connections. Technically it's OK, it works fine. But what modification am I "allowed" to do? Propose a patch to the mainstream to add UDP, or clone the test?

Thanks.
-- Christian
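The allow-list check described in the message above can be reproduced outside Xymon to see how the stateless UDP lines behave; this is an added example, not part of the original thread or of Xymon's code. The helper name `unexpected_listeners`, the sample output and the extra ports 8080, 5353 and 323 are constructed, and the Linux net-tools column layout is assumed.

```shell
#!/bin/sh
# Constructed sample of Linux "netstat -antu" output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 100.100.100.100:22      0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:443     0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:8080    0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:22      203.0.113.7:51514       ESTABLISHED
udp        0      0 100.100.100.100:1194    0.0.0.0:*
udp        0      0 100.100.100.100:5353    0.0.0.0:*
udp        0      0 127.0.0.1:323           0.0.0.0:*
EOF
}

# unexpected_listeners ADDR TCP_PORTS UDP_PORTS   (hypothetical helper)
# Reads netstat output on stdin and prints "proto port" for each listening
# socket bound to ADDR whose port is missing from the comma-separated lists.
unexpected_listeners() {
  awk -v addr="$1" -v tcp="$2" -v udp="$3" '
    BEGIN {
      n = split(tcp, t, ","); for (i = 1; i <= n; i++) ok["tcp," t[i]] = 1
      n = split(udp, u, ","); for (i = 1; i <= n; i++) ok["udp," u[i]] = 1
    }
    $1 ~ /^(tcp|udp)/ {
      proto = substr($1, 1, 3)               # fold tcp6/udp6 into tcp/udp
      if (proto == "tcp" && $6 != "LISTEN") next
      if (proto == "udp" && NF > 5) next     # State filled in: connected socket
      port = $4; sub(/^.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
      key = proto "," port
      if (host == addr && !(key in ok)) print proto, port
    }'
}

# Allowed ports taken from the two PORT rules quoted in the message.
sample_netstat | unexpected_listeners 100.100.100.100 22,25,53,80,443,993,1984 1194
```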
list Mark Felder
On Mar 16, 2014, at 10:57, Christian <user-89dccf1f18cb@xymon.invalid> wrote:
> And I wonder if the philosophy of the "ports" probe is only to check stateful connections (aka TCP) and thus I have to clone it and create a "ports2" to check UDP, or if this probe could be patched to check also UDP connections.

The real question is *how*? How exactly do you check remotely if a UDP port is open? There is no state; there is no 3-way handshake. You will have to write code that speaks the protocol of the UDP service you're monitoring to prove it's there and listening/functioning.
list Jeremy Laidman
On 17 March 2014 13:25, Mark Felder <user-db141d317836@xymon.invalid> wrote:
> The real question is *how*? How exactly do you check remotely if a UDP port is open? There is no state; there is no 3-way handshake. You will have to write code that speaks the protocol of the UDP service you're monitoring to prove it's there and listening/functioning.

I think the OP is using the term "open" to mean "listening" (state=LISTEN).
If you click on the word "port" on any page that lists hosts, it shows the
column info, which in this case is something like "...shows the status of
select tcp ports and connections that are expected to exist on the
system." So the original purpose was to detect TCP port states, and it
seems that this is not too difficult because the TCP output from netstat is
fairly consistent across different Unices. But non-TCP ports seem to vary
a lot more between Unices. It would have been opening a can of worms to
attempt to include all the different UDP formats, not to mention other
types of sockets, so only TCP was included. But I see no reason to include
UDP sockets in the same port page as you have done, if the netstat output
shows the same format as for TCP sockets.
This is a neat trick. On some of my servers where the number of half-open
and half-closed sockets is interesting to me, I get Xymon to watch those
states using the "TRACK" keyword, and I end up with alerts and graphs for
all the different states. It only works for TCP sockets of course, but I
think I could extend it to track established UDP sockets also. FreeBSD
netstat output never seems to show a state, even for established
connections, but I can match established connections (excluding listening
connections) with "REMOTE=*.*".
J