I'm not successful filtering on the connection state associated with a port. None of the syntax variations I have tried have been successful. If I remove the STATE specifier, matches are found.
There are multiple hosts connecting to the same port:
ESTAB 0 0 10.160.8.130:61617 10.160.8.132:57765
ESTAB 0 0 10.160.8.130:61617 10.160.8.132:57766
ESTAB 0 0 10.160.8.130:61617 10.160.8.132:57768
ESTAB 0 0 10.160.8.130:61617 10.160.8.133:45096
ESTAB 0 0 10.160.8.130:61617 10.160.8.133:45104
ESTAB 0 0 10.160.8.130:61617 10.160.8.133:45107
ESTAB 0 0 10.160.8.130:61617 130.118.4.2:36141
ESTAB 0 0 10.160.8.130:61617 130.118.4.2:36150
ESTAB 0 0 10.160.8.130:61617 130.118.4.2:36151
ESTAB 0 0 10.160.8.130:61617 136.177.16.3:34320
ESTAB 0 0 10.160.8.130:61617 136.177.16.3:34321
ESTAB 0 0 10.160.8.130:61617 136.177.16.3:34324
ESTAB 0 0 10.160.8.130:61617 137.227.240.32:50726
ESTAB 0 0 10.160.8.130:61617 137.227.240.32:50727
ESTAB 0 0 10.160.8.130:61617 137.227.240.32:50729
LISTEN 0 0 *:61617 *:*
I've set up several port monitoring specifications, but none of them match the state (the first example where no state is specified succeeds):
PORT LOCAL=%: REMOTE=%10.160.8.132 MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-DHCP
PORT LOCAL=%: REMOTE=%10.160.8.133 STATE=ESTABLISHED MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-nsp.er
PORT LOCAL=%: REMOTE=%136.177.16.3 STATE=ESTAB MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.cr
PORT LOCAL=%: REMOTE=%137.227.240.32 STATE=%ESTAB MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.er
PORT LOCAL=%: REMOTE=%130.118.4.2 STATE=%ESTAB* MIN=3 MAX=3 COLOR=yellow TEXT=ActiveMQ-ns.wr
Note: On this server netstat does not exist and ss is being used.
Observation: Discovering the syntax for REMOTE was trial and error. Specifying the IP address alone did not work, and I found no examples for the type of filtering above.
--
David Boldt <dboldt at usgs.gov>
"Discovery consists of seeing what everybody has seen and thinking what nobody has thought." --Albert Szent-Gyorgyi (1893 - 1986)