Cisco ASA show connections ordered
When a customer calls with a problem or request I often see a chance to investigate a technology, learn something new or apply random skills to find a creative solution.
This time it is about an ASA: the customer noticed too much traffic on the Internet-facing interface. Syslog, NetFlow, bandwidth monitoring and any other useful tools are totally missing; only the good old CLI is there to help.
The MVP
We can get a list of all active connections from the ASA with
show conn
And save the output to a file named conn.txt.
With some magic we can filter, order, cut, sort and reorder all the fields:
grep bytes conn.txt | awk '{print $9";"$3";"$5}' | sort -rn | sed 's/,//g' | head -n 20 | awk 'BEGIN { FS = ";" } ; { print byte =$1/1024/1024" MB\t\t"$2" --> "$3 }'
It is ugly but it works just fine.
Notes:
- head -n 20 --> shows the top 20 connections; change that value if you want more or fewer
- byte =$1/1024/1024 --> converts bytes to MB
This is the result:
841.589 MB 193.45.15.xxx:80 --> 172.21.1.64:32648
655.5 MB 173.194.182.xxx:443 --> 172.21.2.61:55369
76.5992 MB 193.45.15.xxx:80 --> 172.21.1.64:53355
41.459 MB 17.253.55.xxx:80 --> 172.21.15.145:54337
28.5594 MB 17.253.55.xxx:80 --> 172.21.15.185:59055
25.5298 MB 17.253.53.xxx:80 --> 172.21.15.145:54333
22.1446 MB 89.255.250.xxx:443 --> 172.21.1.64:54215
8.23074 MB 95.141.32.xxx:80 --> 172.21.15.164:51811
7.38321 MB 157.240.1.xxx:443 --> 172.21.15.59:44316
7.18369 MB 95.141.32.xxx:80 --> 172.21.15.164:54390
6.65842 MB 93.62.133.xxx:443 --> 172.21.15.148:58721
4.22736 MB 79.61.229.xxx:56640 --> 172.21.7.29:443
3.89087 MB 82.106.3.xxx:62211 --> 172.21.7.13:443
3.30409 MB 188.15.58.xxx:50775 --> 172.21.7.13:443
2.5876 MB 89.255.250.xxx:443 --> 172.21.1.64:53901
2.53782 MB 77.104.184.xxx:443 --> 172.21.15.122:35908
2.47728 MB 93.184.220.xxx:443 --> 172.21.15.102:46428
2.36428 MB 79.14.121.xxx:57285 --> 172.21.7.13:443
2.03804 MB 107.152.26.xxx:443 --> 172.21.2.63:9272
2.01611 MB 8.37.236.xxx:80 --> 172.21.15.68:42504
All active connections are ordered, with the biggest sessions in terms of data transferred on top.
Add a grep -v if you want to exclude internal traffic.
Welcome plink
The script reads show conn output. I started by simply connecting via PuTTY and logging the session output, but that is something that can be improved.
Start by downloading plink.
On Debian/Ubuntu you can get it with
apt install putty-tools
For Windows it is available on the PuTTY website.
Create a file showconn.txt with these lines:
no terminal pag
sh conn
exit
Run plink:
plink 10.0.0.254 -l MYUSER -pw MYSECRETPASSWORD -m showconn.txt > conn.txt
Then run the script:
grep bytes conn.txt | awk '{print $9";"$3";"$5}' | sort -rn | sed 's/,//g' | head -n 20 | awk 'BEGIN { FS = ";" } ; { print byte =$1/1024/1024" MB\t\t"$2" --> "$3 }'
Or do both in one line:
plink 10.0.0.254 -l MYUSER -pw MYSECRETPASSWORD -m showconn.txt | grep bytes | awk '{print $9";"$3";"$5}' | sort -rn | sed 's/,//g' | head -n 20 | awk 'BEGIN { FS = ";" } ; { print byte =$1/1024/1024" MB\t\t"$2" --> "$3 }'
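The same ordering pipeline again, this time as a reusable shell function, added here as an example that is not part of the original post. It serves both the MVP one-liner above and the plink step: it locates the byte count by the "bytes" keyword instead of assuming it is the ninth field, does the MB conversion in a single awk pass, and takes an optional second argument that drops connections where both endpoints are RFC 1918 addresses (the grep -v mentioned earlier for excluding internal traffic). The sample show conn lines, addresses and byte counts are constructed for the demo, not captured from a real ASA, and the names top_conns and SAMPLE_CONN are chosen here.

```shell
#!/bin/sh
# Added example, not part of the original post: the "show conn" ordering
# pipeline as a reusable function. top_conns and SAMPLE_CONN are our names.

# Constructed sample of ASA "show conn" output (made-up addresses and byte
# counts), in the layout the post relies on:
#   PROTO if src:port if dst:port, idle H:MM:SS, bytes N, flags F
SAMPLE_CONN='TCP outside 203.0.113.10:443 inside 192.0.2.64:32648, idle 0:00:05, bytes 882900992, flags UIO
TCP outside 203.0.113.11:80 inside 192.0.2.61:55369, idle 0:00:01, bytes 5120, flags UIO
UDP outside 203.0.113.12:53 inside 192.0.2.15:40001, idle 0:00:02, bytes 300, flags -
TCP dmz 10.1.1.5:443 inside 10.2.2.8:51000, idle 0:00:10, bytes 40960000, flags UIO
TCP outside 203.0.113.13:443 inside 192.0.2.70:44316, idle 0:00:00, bytes 7743000, flags UfrIO'

# top_conns N [internal]
# Reads "show conn" output on stdin and prints the N largest connections as
# "<MB> MB<TAB><src> --> <dst>". With "internal" as the second argument,
# connections whose both endpoints are RFC 1918 addresses are dropped
# (the grep -v the post suggests for excluding internal traffic).
top_conns() {
  n="$1"
  mode="${2:-all}"
  LC_ALL=C awk -v mode="$mode" '
    # true when the host part of "addr:port" is an RFC 1918 address
    function is_private(ep,   h) {
      split(ep, h, ":")
      return h[1] ~ /^10\./ || h[1] ~ /^192\.168\./ || h[1] ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    /bytes/ {
      # find the byte count by keyword rather than by column position,
      # so the script does not depend on it being the ninth field
      bytes = 0
      for (i = 1; i < NF; i++)
        if ($i == "bytes") { bytes = $(i + 1); sub(/,$/, "", bytes) }
      src = $3
      dst = $5; sub(/,$/, "", dst)
      if (mode == "internal" && is_private(src) && is_private(dst)) next
      printf "%.3f MB\t%s --> %s\n", bytes / 1048576, src, dst
    }' | LC_ALL=C sort -rn | head -n "$n"
}

# Demo on the constructed sample: top 3 overall, then top 3 with
# internal-to-internal connections excluded.
# For a real capture: top_conns 20 < conn.txt
printf '%s\n' "$SAMPLE_CONN" | top_conns 3
echo '---'
printf '%s\n' "$SAMPLE_CONN" | top_conns 3 internal
```

Feed it a saved capture with top_conns 20 < conn.txt, or pipe the plink command from the previous step straight into it in place of the grep/awk/sort chain. One practical point on that plink command: -pw puts the ASA password on the command line, where it shows up in the process list and in shell history; plink can authenticate with a private key file via -i instead, which keeps the password out of both.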
This is just one example of many little scripts I create quite often to solve small problems and save time.
Enjoy!
Cisco Champion
This blog post was included in the Cisco Champions weekly newsletter.