Hi.
I would like to monitor UDP ports as TCP ports, with the client module, and a display in the "ports" column. I don't understand why this module is limited to TCP connections, and I would like to extend it to active UDP connections.
Why does the client module run a "netstat -ant" command (file "xymonclient-linux.sh")? Is there a reason not to add UDP connections as well?
What would be the best solution? Clone the section and run a "netstat -anu"? Patch the existing client and run "netstat -antu"? Another solution?
Thanks.
-- Christian
On 16-03-2014 13:42, Christian wrote:
> Hi.
> I would like to monitor UDP ports as TCP ports, with the client module, and a display in the "ports" column. I don't understand why this module is limited to TCP connections, and I would like to extend it to active UDP connections.
> Why does the client module run a "netstat -ant" command (file "xymonclient-linux.sh")? Is there a reason not to add UDP connections as well?
UDP doesn't have "connections" as such, so you will only be able to list the ports where there is a local process listening for incoming datagrams.
That might make sense in some cases, but you can usually do this just by looking for the right process to be running.
> What would be the best solution? Clone the section and run a "netstat -anu"? Patch the existing client and run "netstat -antu"? Another solution?
I tried with the Linux client, and you can change the existing client code to run "netstat -antu" instead of just "netstat -ant" - this won't cause any problems.
I am not sure if the server-side of the client will be able to pick up those UDP ports, because they haven't got anything in the "State" column. You'll have to try that.
Regards, Henrik
On Sun, 16 Mar 2014 15:22:47 +0100, Henrik Størner <henrik at hswn.dk> wrote:
> On 16-03-2014 13:42, Christian wrote:
>> Hi.
>> I would like to monitor UDP ports as TCP ports, with the client module, and a display in the "ports" column. I don't understand why this module is limited to TCP connections, and I would like to extend it to active UDP connections.
>> Why does the client module run a "netstat -ant" command (file "xymonclient-linux.sh")? Is there a reason not to add UDP connections as well?
> UDP doesn't have "connections" as such, so you will only be able to list the ports where there is a local process listening for incoming datagrams.
> That might make sense in some cases, but you can usually do this just by looking for the right process to be running.
>> What would be the best solution? Clone the section and run a "netstat -anu"? Patch the existing client and run "netstat -antu"? Another solution?
> I tried with the Linux client, and you can change the existing client code to run "netstat -antu" instead of just "netstat -ant" - this won't cause any problems.
> I am not sure if the server-side of the client will be able to pick up those UDP ports, because they haven't got anything in the "State" column. You'll have to try that.
> Regards, Henrik
Hi,
I tried to "patch" the client and run "netstat -antu". Everything works very well, even though there is no STATE of course (because of UDP). I can check both TCP and UDP connections. Well, you're right, my checks are to see if a "server" socket is opened. Both for TCP and UDP connections.
But the main usage I have, for both TCP and UDP, is to check the negative: I have an exhaustive list of ports that should be opened, and I check if no other port is opened. For example, I have one line telling:
--- cut here ---
PORT LOCAL=%100.100.100.100[.:].* EXLOCAL=%.:$ STATE=LISTEN MAX=0 "TEXT=public tcp bad listeners"
--- cut here ---
And I am able to do the same thing with UDP server connections.
To grep a UDP "server" socket, I use:
--- cut here ---
PORT LOCAL=100.100.100.100:1194 EXSTATE=%([:graph:]) TEXT=openvpn
--- cut here ---
With that regex, I capture all lines with no "STATE" (thus UDP connections).
So my question is really that I would like to use the functionality of the client "ports" probe. And I wonder if the philosophy of the "ports" probe is only to check stateful connections (aka TCP) and thus I have to clone it and create a "ports2" to check UDP, or if this probe could be patched to check also UDP connections.
Technically it's OK, it works fine. But what modification am I "allowed" to do? Propose a patch to the mainstream to add UDP, or clone the test?
Thanks.
-- Christian
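The negative check described in the message above, sketched as an added example that is not part of the original thread and is not Xymon's own code: it reads "netstat -antu" output and reports every listening TCP or UDP port that is missing from an allow-list, treating a UDP line with an empty State column as a listener. The function names and the sample output are constructed for illustration, and the column layout assumed is that of Linux net-tools netstat.

```sh
#!/bin/sh
# Added example. Constructed sample of Linux "netstat -antu" output; the
# 198.51.100.x peers and the extra listeners are made up for illustration.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 100.100.100.100:22      0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:8080    0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:22      198.51.100.7:51514      ESTABLISHED
udp        0      0 100.100.100.100:1194    0.0.0.0:*
udp        0      0 100.100.100.100:5353    0.0.0.0:*
udp        0      0 100.100.100.100:1194    198.51.100.9:40000      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# unexpected_listeners "proto/port ..." : reads netstat output on stdin and
# prints every listening proto/port that is not in the allow-list.
unexpected_listeners() {
    awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = substr($1, 1, 3)
        state = (NF >= 6) ? $6 : ""       # UDP listeners have no 6th field
        if (proto == "tcp" && state != "LISTEN") next
        if (proto == "udp" && state != "") next
        port = $4
        sub(/.*:/, "", port)              # keep what follows the last colon
        key = proto "/" port
        if (!(key in ok)) print key
    }' | sort -u
}

# Usage on a live host: netstat -antu | unexpected_listeners "tcp/22 udp/1194"
```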
On Mar 16, 2014, at 10:57, Christian <xymon at elysiria.fr> wrote:
> And I wonder if the philosophy of the "ports" probe is only to check stateful connections (aka TCP) and thus I have to clone it and create a "ports2" to check UDP, or if this probe could be patched to check also UDP connections.
The real question is *how* ? How exactly do you check remotely if a UDP port is open? There is no state; there is no 3-way handshake. You will have to write code that speaks the protocol of the UDP service you're monitoring to prove it's there and listening/functioning.
On 17 March 2014 13:25, Mark Felder <feld at feld.me> wrote:
> The real question is *how* ? How exactly do you check remotely if a UDP port is open? There is no state; there is no 3-way handshake. You will have to write code that speaks the protocol of the UDP service you're monitoring to prove it's there and listening/functioning.
I think the OP is using the term "open" to mean "listening" (state=LISTEN).
If you click on the word "port" on any page that lists hosts, it shows the column info, which in this case is something like "...shows the status of select tcp ports and connections that are expected to exist on the system." So the original purpose was to detect TCP port states, and it seems that this is not too difficult because the TCP output from netstat is fairly consistent across different Unices. But non-TCP ports seem to vary a lot more between Unices. It would have been opening a can of worms to attempt to include all the different UDP formats, not to mention other types of sockets, so only TCP was included. But I see no reason to include UDP sockets in the same port page as you have done, if the netstat output shows the same format as for TCP sockets.
This is a neat trick. On some of my servers where the number of half-open and half-closed sockets is interesting to me, I get Xymon to watch those states using the "TRACK" keyword, and I end up with alerts and graphs for all the different states. It only works for TCP sockets of course, but I think I could extend it to track established UDP sockets also. FreeBSD netstat output never seems to show a state, even for established connections, but I can match established connections (excluding listening connections) with "REMOTE=*.*".
J