How to parse netstat command to get the send-q number from the line

Question

I have this output from netstat -naputeo:

    tcp        0      0 :::44500                    :::*                        LISTEN      2000       773788772  18117/java          off (0.00/0/0)
    tcp        0      0 :::22                       :::*                        LISTEN      0          9419       4186/sshd           off (0.00/0/0)
    tcp        0      0 ::ffff:127.0.0.1:61666      ::ffff:127.0.0.1:43940      ESTABLISHED 2000       788032760  18122/java          off (0.00/0/0)
    tcp        0      0 ::ffff:192.168.1.202:56510  ::ffff:192.168.1.202:3000   ESTABLISHED 0          791652028  6804/java_ndsagent  keepalive (7185.05/0/0)
    tcp        0      0 ::ffff:192.168.1.202:56509  ::ffff:192.168.1.202:3000   TIME_WAIT   0          0          -                   timewait (41.13/0/0)
    tcp        0      0 ::ffff:192.168.1.202:56508  ::ffff:192.168.1.202:3000   TIME_WAIT   0          0          -                   timewait (21.13/0/0)
    tcp        0   4656 ::ffff:192.168.1.202:22     ::ffff:84.208.36.125:48507  ESTABLISHED 0          791474860  24141/1             on (0.19/0/0)
    tcp        0      0 ::ffff:127.0.0.1:61616      ::ffff:127.0.0.1:45121      ESTABLISHED 2000       788032761  18117/java          off (0.00/0/0)
    tcp        0      0 ::ffff:192.168.1.202:3000   ::ffff:192.168.1.202:56510  ESTABLISHED 0          791651217  8044/rmiregistry    off (0.00/0/0)

The Send-Q is the 3rd field, here the offender is port 22 and 4656KB. The problem is that i need to output that specific line and that number/port/process to an output file [only if it is above 4000, that will be sent to my inbox and alert me.

I have seen similar answers but I can't extract the line using those suggestions. I don't know what process will be filling the Q but I know the ports. It's not just the 22 it could be more at any giving time.

I tried:

netstat -naputeo | awk '$3 == 0 && $4 ~ /[^0-9]22$/'

But that gives me the wrong line. [that is the :::22]

netstat -naputeo | awk '{if(($3)>0) print $3;}'

That is all wrong because it somehow produces all the lines of that field.

All I need is that number and line sent to a csv and that's all. I can deal with error checking later and maybe refine it.

Any suggestions??

Used this and it worked for now but there is room for improvement

filterQs() {
    while read recv send address pid_program; do
        ip=${address%%:*}
        port=${address##*:}
        pid=${pid_program%%/*}
        program=${pid_program#*/}
        echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}"


        if [[ ${port} -eq 35487||  ${port} -eq 65485||  ${port} -eq CalorisPort || ${port} -eq 22 ]]
                then
                        echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}" >> Qmonitor.txt

        fi


done < <(netstat -napute 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ && ($2 > 500 || $3 > 500) { print $2, $3, $4, $9 }')

}

Thanks all

Answer 1

Something like

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 4000 { sub(/^.+:/, "", $4); print $3, $4, $9 }'

?

That would output the 3rd column (Send-Q), the port part of the 4th column (Local Address) and the 9th column (PID/Program name) if Send-Q > 4000, separated by semicolons so you can pipe it into your CSV.

E.g. (for Send-Q > 0 on my box)

$ netstat -naputeo 2>/dev/null | awk -v OFS=';' '$1 ~ /^tcp/ && $3 > 0 { sub(/^.+:/, "", $4); print $3, $4, $9 }'
52;22;4363/sshd:

EDIT:

If you really need to further process the values in bash, then you can just print the respective columns via awk and iterate over the lines like this:

#!/bin/bash

while read recv send address pid_program; do
        ip=${address%%:*}
        port=${address##*:}
        pid=${pid_program%%/*}
        program=${pid_program#*/}
        echo "recv=${recv} send=${send} ip=${ip} port=${port} pid=${pid} program=${program}"
        # do stuff here
done < <(netstat -naputeo 2>/dev/null | awk '$1 ~ /^(tcp|udp)/ && ($2 > 4000 || $3 > 4000) { print $2, $3, $4, $9 }')

E.g.:

$ ./t.sh
recv=0 send=52 ip=x.x.x.x port=22 pid=12345 program=sshd:

Note: I don't understand why you need the -o switch to netstat since you don't seem to be interested in the timers output, so you could probably drop that.

Answer 2

Pure bash solution:

#!/bin/bash

filterHuge() {
    while read -r -a line; do
        if (( line[2] > 4000 )) && [[ ${line[3]##*:} == '22' ]]; then # if Send-Q is higher than 4000 and port number is 22
            echo "Size: ${line[2]} Whole line: ${line[@]}"
        fi
    done
}

netstat -naputeo | filterHuge

Answer 3

Try this:

netstat -naputeo | awk '{ if (($3 + 0) >= 4000) { sub(/.*:/, "", $4); print $3, $4, $9;} }'

This filters out the header line, and extracts the port number from the field $4.

Answer 4

I have a lineage2 server and have some problems with sent-q

I use your script and ....:

Size: 84509 Whole line: tcp 0 84509 144.217.255.80:6254 179.7.212.0:35176 ESTABLISHED 0 480806 2286/java on (46.42/11/0)
Size: 12130 Whole line: tcp 0 12130 144.217.255.80:6254 200.120.203.238:52295 ESTABLISHED 0 410043 2286/java on (0.69/0/0)
Size: 13774 Whole line: tcp 0 13774 144.217.255.80:6254 190.30.75.253:63749 ESTABLISHED 0 469361 2286/java on (0.76/0/0)
Size: 12319 Whole line: tcp 0 12319 144.217.255.80:6254 200.120.203.238:52389 ESTABLISHED 0 487569 2286/java on (0.37/0/0)
Size: 9800 Whole line: tcp 0 9800 144.217.255.80:6254 186.141.200.7:63572 ESTABLISHED 0 478974 2286/java on (0.38/0/0)
Size: 12150 Whole line: tcp 0 12150 144.217.255.80:6254 200.120.203.238:52298 ESTABLISHED 0 410128 2286/java on (0.26/0/0)
Size: 9626 Whole line: tcp 0 9626 144.217.255.80:6254 186.141.200.7:63569 ESTABLISHED 0 482721 2286/java on (0.44/0/0)
Size: 11443 Whole line: tcp 0 11443 144.217.255.80:6254 200.120.203.238:52291 ESTABLISHED 0 411061 2286/java on (0.89/0/0)
Size: 79254 Whole line: tcp 0 79254 144.217.255.80:6254 179.7.212.0:6014 ESTABLISHED 0 501998 2286/java on (89.42/10/0)
Size: 10722 Whole line: tcp 0 10722 144.217.255.80:6254 179.7.111.208:12925 ESTABLISHED 0 488352 2286/java on (0.23/0/0)
Size: 126708 Whole line: tcp 0 126708 144.217.255.80:6254 190.11.106.181:3481 ESTABLISHED 0 487867 2286/java on (85.32/7/0)

Problem are in one port : 6254

Which I could place for connections that are greater than 4000 in sent to the restart to 0 or dropping them