#! /usr/bin/perl -w
#
# socksumm -- socket usage summary
#
# Copyright (C) 2005-2006 David Landgren

use strict;
use Getopt::Long;

my $VERSION = '1.1';

my $ok = GetOptions(
    'help',         \my $help,
    'localport=s',  \my $watch_local_port,
    'remoteport=s', \my $watch_remote_port,
    'port=s',       \my $watch_port,
    'sleep=i',      \my $sleep,
    'version',      \my $version,
    'num=i',        \my $num,
);

if( not $ok or $help ) {
    eval "use Pod::Usage";
    if( $@ ) {
        print <<HELP;
$0 [-localport=?] [-remoteport=?] [-port=?] [-sleep=n] [-num=n]
(install Pod::Usage for detailed help)
HELP
    }
    else {
        pod2usage(1);
    }
    exit;
}

$sleep ||= 60;

if( $version ) {
    eval "use File::Basename";
    print +($@ ? $0 : basename($0)), " v$VERSION\n";
    exit 0;
}

my $netstat_re;
my $args;

# platform-specific settings;
{
    my $ip_re = '\d+(?:\.\d+){3}';

    if( $^O eq 'freebsd' ) {
        $args = '-nf inet';
        $netstat_re = qr/^\S+(?:\s+\d+){2}\s+($ip_re)[:.](\d+)\s+($ip_re)[:.](\d+)\s+(\S+)\s*$/;
    }
    elsif( $^O eq 'linux' ) {
        $args = '-n --inet';
        $netstat_re = qr/^\S+(?:\s+\d+){2}\s+($ip_re)[:.](\d+)\s+($ip_re)[:.](\d+)\s+(\S+)\s*$/;
    }
    elsif( $^O eq 'solaris' ) {
        $args = '-nf inet';
        $netstat_re = qr/^($ip_re)\.(\d+)\s+($ip_re)\.(\d+)(?:\s+\d+){4}\s+(\S+)\s*$/;
    }
    elsif( $^O eq 'MSWin32' ) {
        $args = '-n';
        $netstat_re = qr/^\s+TCP\s+($ip_re):(\d+)\s+($ip_re):(\d+)\s+(\S+)\s*$/;
    }
    else {
        die "Don't know how to decode netstat on $^O\n" unless defined $args;
    }
}

# resolve service names if we can
defined $_ and /\D/ and $_ = getservbyname($_,'tcp') || $_
    for ($watch_local_port, $watch_remote_port, $watch_port);

my %state;
my @col = qw(
    ESTABLISHED CLOSE_WAIT TIME_WAIT FIN_WAIT_1 FIN_WAIT_2 SYN_SENT SYN_RECV LAST_ACK
);
print "estab close twait finw1 finw2 syntx synrx lastk total\n";

while( 1 ) {
    my $total    = 0;
    @state{@col} = (0) x @col;

    open my $in, "netstat $args |"
        or die "Cannot open pipe from netstat: $!\n";
    while( <$in> ) {
        chomp;
        next unless my($local_host, $local_port, $remote_host, $remote_port, $state)
            = /$netstat_re/;
        next if $watch_port
            and $local_port  != $watch_port
            and $remote_port != $watch_port
        ;
        next if $watch_local_port  and $local_port  != $watch_local_port;
        next if $watch_remote_port and $remote_port != $watch_remote_port;

        $state =~ s/^(FIN_WAIT)(\d+)$/$1_$2/; # munge Linux variant
        ++$state{$state};
        ++$total;
    }
    close $in;

    # display one line of data
    my $timestamp = sprintf( '%02d:%02d:%02d', (localtime)[2,1,0] );
    printf "%5d %5d %5d %5d %5d %5d %5d %5d %5d %s",
        @state{@col}, $total, $timestamp;
    delete @state{@col};

    # deal with unknown or don't-care socket states
    if( %state ) {
        print ' ', join( ' ', map {"$_=$state{$_}"} sort keys %state );
        %state = ();
    }
    print "\n";

    last if defined $num and --$num <= 0;
    sleep $sleep;
}

exit 0;

__END__

=head1 NAME

socksumm - Display a summary of open sockets

=head1 SYNOPSIS

B<socksumm> [B<-l>,B<-localport>] [B<-r>,B<-remoteport>] [B<-p>,B<-port>] [B<-s>,B<-sleep>] [B<-n>,B<-num>] [B<-version>]

=head1 DESCRIPTION

Parse the output of the C<netstat(1)> command and produce a summary
of the socket connections on a port.

=head1 OPTIONS

=over 5

=item B<-l>,B<-localport>

Summarise socket connections on this local port. Numeric or symbolic names
(for example 389 or C<ldap>) are recognised. In otherwords, use this to
monitor inbound connections.

=item B<-r>,B<-remoteport>

Summarise socket connections on this remote port. Numeric or symbolic names
are recognised. Use this to monitor outbound connections.

=item B<-p>,B<-port>

Summarise socket connections on this port. Numeric or symbolic names
are recognised. Use this to monitor eitherbound connections.

=item B<-s>,B<-sleep>

Time to sleep between invocations of C<netstat>. A sixty (60) second sleep
time is assumed if this switch is omitted.

=item B<-n>,B<-number>

Produce this many summaries of C<netstat> and then exit.

=back

=head1 EXAMPLES

C<socksumm -l=ldap -s=10>

Summarise the inbound connections to the LDAP listener port. Will produce
output that looks similar to the following:

 estab close twait finw1 finw2 syntx synrx lastk total
   519     0     4     0     0     0     0     0   523 12:42:50
   524     0     2     0     0     0     0     1   527 12:43:00
   516     0     3     0     0     0     0     0   519 12:43:11

C<socksumm -r=22 -s=3600>

See how many outbound C<ssh> connections are open every hour.

=head1 BUGS

Assumes that C<netstat> can be found on the PATH. If you are running
C<netstat> on a platform other than FreeBSD, Linux or Solaris the
script will die. Please mail me the output and I'll endeavour to
incorporate it (or, better yet, send me patches).

=head1 COPYRIGHT

Copyright 2005-2006 David Landgren.

This script is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.

=head1 AUTHOR

David Landgren
join chr(0x40) => reverse qw[landgren.net david]

=cut