TCP connections are the backbone of network communication, and monitoring their states is crucial for detecting performance issues, security threats, and application bugs. A buildup of TIME_WAIT connections can exhaust ephemeral ports. CLOSE_WAIT accumulation indicates application bugs. Too many connections from a single IP might signal abuse or a DDoS attack.
dargslan-tcp-monitor is a free Python CLI tool that reads directly from /proc/net/tcp to give you real-time visibility into all TCP connections on your system, without depending on netstat or ss.
Quick Start
```bash
pip install dargslan-tcp-monitor
dargslan-tcp report       # Full TCP connection report
dargslan-tcp states       # Connection state breakdown
dargslan-tcp listen       # All listening ports
dargslan-tcp established  # Active connections
dargslan-tcp per-ip       # Connections per remote IP
dargslan-tcp per-port     # Established connections per port
dargslan-tcp timewait     # TIME_WAIT count
```
Understanding TCP Connection States
Every TCP connection goes through a series of states. The most important ones to monitor:
- ESTABLISHED: Active, data-exchanging connections. High numbers are normal for busy servers.
- TIME_WAIT: Connections that have been closed but are waiting for delayed packets. High counts can exhaust ephemeral ports.
- CLOSE_WAIT: The remote end has closed, but the local application has not. This almost always indicates an application bug.
- LISTEN: Ports waiting for incoming connections. Unexpected listeners may indicate security issues.
- SYN_RECV: Half-open connections. A sudden spike indicates a SYN flood attack.
Per-IP Connection Analysis
The per-ip command shows how many connections each remote IP has. This is essential for detecting connection abuse, slow clients holding connections open, or misconfigured load balancers sending too much traffic to one backend.
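To show what reading /proc/net/tcp involves, here is an added example (not the tool's own code) that decodes the file's hex fields and produces the state and per-IP counts described above. The sample rows are constructed, and the function names are illustrative.

```python
import socket
import struct
from collections import Counter

# Codes printed in the "st" column (kernel include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (columns after "st" trimmed)
SAMPLE = """\
  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0A00000A:01BB 057100CB:C350 01
   2: 0A00000A:01BB 057100CB:C351 01
   3: 0A00000A:01BB 057100CB:C352 08
   4: 0A00000A:01BB 076433C6:D431 06
   5: 0A00000A:01BB 076433C6:D432 03
"""

def decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). Assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    # The kernel prints the in-memory 32-bit address as a host-order integer,
    # so on x86/ARM the bytes appear reversed; the port is plain hex.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per IPv4 socket row (IPv6 lives in /proc/net/tcp6)."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue                            # ignore blank or short rows
        conns.append({"local": decode_addr(cols[1]),
                      "remote": decode_addr(cols[2]),
                      "state": TCP_STATES.get(cols[3], "UNKNOWN")})
    return conns

def summarize(conns):
    """State breakdown plus per-remote-IP counts (listeners have no peer)."""
    states = Counter(c["state"] for c in conns)
    per_ip = Counter(c["remote"][0] for c in conns if c["state"] != "LISTEN")
    return states, per_ip
```

On a Linux host, pass `open("/proc/net/tcp").read()` to `parse_proc_net_tcp` instead of `SAMPLE`.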
Python API
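```python
from dargslan_tcp_monitor import TCPMonitor

tm = TCPMonitor()

# Connection counts per TCP state, highest count first
states = tm.get_state_counts()
for state, count in sorted(states.items(), key=lambda x: -x[1]):
    print(f"{state}: {count}")

# First five entries of the per-remote-IP connection counts
for ip in tm.get_connections_per_ip()[:5]:
    print(f"{ip['ip']}: {ip['count']} connections")

# Issues reported by the audit, with their severity
for issue in tm.audit():
    print(f"[{issue['severity']}] {issue['message']}")
```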
TIME_WAIT Tuning
If your server handles many short-lived connections, TIME_WAIT buildup is common. Key kernel parameters to tune: net.ipv4.tcp_tw_reuse=1 allows reusing TIME_WAIT connections for new outgoing connections. net.ipv4.tcp_fin_timeout controls how long to wait before recycling.
Best Practices
- Monitor TIME_WAIT count: alert above 5000 connections
- Investigate any CLOSE_WAIT connections: they indicate bugs
- Watch per-IP connection counts for abuse detection
- Track connection state trends over time for capacity planning
- Audit listening ports regularly for unauthorized services
Conclusion
TCP connection monitoring is fundamental network security and performance hygiene. dargslan-tcp-monitor reads /proc/net/tcp directly for maximum speed and zero dependencies. Install it today.
For more networking and security tools, visit dargslan.com.