I am quite new using Kusto so I want to make list grouping differents network connections by the same source ip in differents ports. For example, i got a table like this:
Source IP
Destination IP
Destination Port
192.168.1.1
10.0.0.1
80
192.168.1.1
10.0.0.2
8080
192.168.1.1
10.0.0.1
443
192.168.1.1
10.0.0.1
443
192.168.1.2
10.0.0.1
80
192.168.1.2
10.0.0.1
80
I need to show when this table gots more than 2 matches. This list will contain only unique registers, for example:
Source IP
Destination IP
Destination Port
192.168.1.1
10.0.0.1
80
192.168.1.1
10.0.0.2
8080
192.168.1.1
10.0.0.1
443
So, I tried to use this query but it returns duplicated registers:
datatable(SrcIp:string, DstIP:string, DstPort:string)[
'192.168.1.1', '10.0.0.1','80',
'192.168.1.1', '10.0.0.2','8080',
'192.168.1.1', '10.0.0.1','443',
'192.168.1.1', '10.0.0.1','443',
'192.168.1.2', '10.0.0.1','80',
'192.168.1.2', '10.0.0.1','80',] | summarize
recurrence = count(),
Details = make_list(pack("Source IP: ",SrcIp,"Destination Ip: ",DstIP,"Destination Port: ",DstPort))
by SrcIp| where recurrence >2
You could make the input dataset unique in the first step, by adding a summarize over all columns (see also the Kusto documentation):
datatable(SrcIp:string, DstIP:string, DstPort:string)[
'192.168.1.1', '10.0.0.1','80',
'192.168.1.1', '10.0.0.2','8080',
'192.168.1.1', '10.0.0.1','443',
'192.168.1.1', '10.0.0.1','443',
'192.168.1.2', '10.0.0.1','80',
'192.168.1.2', '10.0.0.1','80',]
| summarize by SrcIp, DstIP, DstPort
| summarize recurrence = count(), Details = make_list(pack("Source IP: ",SrcIp,"Destination Ip: ",DstIP,"Destination Port: ",DstPort))
by SrcIp| where recurrence >2
Related
I have netcat listening for udp traffic on port 8125 in terminal 1
nc -ul 8125
and in terminal 2 I run the following (a test dogstatsd message for troubleshooting a datadog client connection):
echo "test_metric:1|c" | nc -u -w 1 -v localhost 8125
#found 0 associations
#found 1 connections:
# 1: flags=82<CONNECTED,PREFERRED>
# outif lo0
# src ::1 port 50397
# dst ::1 port 8125
# rank info not available
#Connection to localhost port 8125 [udp/*] succeeded!
I would expect to see test_metric:1|c show up in the output of terminal 1, but there is no output at all.
Can you help me understand why the udp message is not showing up and how to successfully send the udp message?
I still don't know why it makes a difference, but adding the -4 option made it work
echo "test_metric:1|c" | nc -u -4 -w 1 localhost 8125
Here's the man page on the option:
-4 Forces nc to use IPv4 addresses only.
I have two server glassfish and apache, when maintaining the sysytem i want to make sur that i have no connecting client, or stop receiving new clients and wait for the current clients until they finish theire tasks then shutdown the system. how can i do this from linux servers ?
I used netstat -nap | grep :80 but since i have actife connection between glassfish and apache i dont know how to determine the exact number of connected clients.
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1825/java
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1703/httpd
I assume apache listens on port 80 and glassfish on port 8080. You can go with your command or you can use this:
netstat -nat | grep :80 | grep EST
That will output the established connections on port 80 and port 8080 (if there are any).
If you want real-time stats you could use this:
netstat -ntapc | grep :80 | grep EST
-c reloads the output every second
Even though tunnelling using ssh is a well discussed topic in internet, I couldn't make my setup proper. This is what the problem statement I have
-> I have two servers A and B.
-> I am trying to create a tunnel from A to B
-> In B I have echo server which is listening on port 34567
-> In A I have executed the command ssh -L 4444:10.106.251.90:34567 127.0.0.1
-> Netstat shows as follows
~ # netstat -na | grep 4444
tcp 0 0 127.0.0.1:4444 0.0.0.0:* LISTEN
tcp 0 0 ::1:4444 :::* LISTEN
-> In B I tried to check netstat -na | grep 4444 but there was no reference of it
-> In A I have echo client which writes into 127.0.0.1:4444
-> If I execute client in A, it doesn't forward. Instead it gives some 0 length string always
Is there any thing that I am missing here ?
Thanks
~S
Try using
ssh -L 4444:127.0.0.1:34567 user#10.106.251.90
This will open port 4444 on your local machine, forwarding packets to port 34567 of the remote machine.
# using on local
telnet 127.0.0.1 4444
# is the same as
# on remote
telnet 127.0.0.1 34567
i want to access my localhost on port 80,
all the ports are working except the port 80
i used netstate in order to know who is using the port 80 and i found the port 80 in this way:
Proto Local Address
TCP 0.0.0.0.80
what should i do please?
i need to listen to port 80 because i want my localhost call without the port number so the portnumber will be the default witch is 80
Try a netstat -a -n -o and find the PID of that process that is using port 80 then type in the following command to know which application is using that process
tasklist /svc /FI "PID eq 5988"
Here 5988 is the PID.
Once you get to know which application is using that port simply terminate it.
So far as I can tell, Apache James is running correctly:
root#dur:~/apache-james-3.0-beta4.derby#
root#dur:~/apache-james-3.0-beta4.derby# bin/james-cli.sh -h localhost listdomainslocalhost
127.0.1.1
127.0.0.1
127.0.1.1
listdomains command executed sucessfully in 262 ms.
root#dur:~/apache-james-3.0-beta4.derby#
root#dur:~/apache-james-3.0-beta4.derby# bin/james-cli.sh -h localhost listusersa#localhost
b#localhost
thufir#localhost
listusers command executed sucessfully in 277 ms.
root#dur:~/apache-james-3.0-beta4.derby#
root#dur:~/apache-james-3.0-beta4.derby# telnet localhost 143 -l thufir#localhost
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK JAMES IMAP4rev1 Server Server dur.bounceme.net is ready.
login
* BYE Unknown command.
Connection closed by foreign host.
root#dur:~/apache-james-3.0-beta4.derby#
So, I'm trying to login with tomcat:
Of course, that fails. Here's how the account was setup:
Should the server names be prepended with imap and smtp? Why won't thunderbird login? (Yes, I'm using the correct password.)
If this would be better to troubleshoot with Java, I can do that, but it seemed prudent to start with thunderbird.
James shows the login attempts as:
root#dur:~/apache-james-3.0-beta4.derby#
root#dur:~/apache-james-3.0-beta4.derby# tail log/james-server.log
INFO 03:38:56,180 | james.imapserver | ID=10307467 Connection closed for 127.0.0.1
INFO 03:39:42,277 | james.imapserver | ID=18745390 Connection established from 127.0.0.1
INFO 03:40:16,779 | james.imapserver | ID=18745390 Too many authentication failures. Closing connection.
INFO 03:40:16,801 | james.imapserver | ID=18745390 Connection closed for 127.0.0.1
INFO 03:40:16,854 | james.imapserver | ID=18407750 Connection established from 127.0.0.1
INFO 03:40:20,028 | james.imapserver | ID=18407750 Connection closed for 127.0.0.1
INFO 03:42:04,682 | james.imapserver | ID=295845 Connection established from 127.0.0.1
INFO 03:42:14,286 | james.imapserver | ID=295845 Connection closed for 127.0.0.1
INFO 03:48:17,081 | james.imapserver | ID=9571677 Connection established from 127.0.0.1
INFO 03:48:17,143 | james.imapserver | ID=9571677 Connection closed for 127.0.0.1
root#dur:~/apache-james-3.0-beta4.derby#
Your server name should be as is, without any prefixes. It would be best to put there real server name. In your case "dur.bounceme.net".
Or you can play with "hosts" file and assign an alias to your server (i.e. you can add smtp and imap, or just mail prefixes to an alias of the server if you like). For a linux machine you can find it in /etc/hosts and add e.g.:
127.0.0.1 imap.localhost
127.0.0.1 smtp.localhost
or:
<server's IP> <server alias>
This way you can have two additional aliases for the same machine if you would like that, but it is not needed.