[Xymon] UDP open ports monitoring

Christian xymon at elysiria.fr
Sun Mar 16 16:57:38 CET 2014


On Sun, 16 Mar 2014 15:22:47 +0100, Henrik Størner <henrik at hswn.dk> wrote:
> On 16-03-2014 13:42, Christian wrote:
>> Hi.
>>
>> I would like to monitor UDP ports as TCP ports, with the client module,
>> and a display in the "ports" column. I don't understand why this module
>> is limited to TCP connections, and I would like to extend it to active UDP
>> connections.
>>
>> Why does the client module run a "netstat -ant" command (file
>> "xymonclient-linux.sh")? Is there a reason not to add UDP connections
>> as well?
> 
> UDP doesn't have "connections" as such, so you will only be able to list
> the ports where there is a local process listening for incoming
> datagrams.
> 
> That might make sense in some cases, but you can usually do this just by
> looking for the right process to be running.
> 
>> What would be the best solution? Clone the section and run a "netstat
>> -anu"? Patch the existing client and run "netstat -antu"? Another
>> solution?
> 
> I tried with the Linux client, and you can change the existing client 
> code to run "netstat -antu" instead of just "netstat -ant" - this won't 
> cause any problems.
> 
> I am not sure if the server-side of the client will be able to pick up 
> those UDP ports, because they haven't got anything in the "State" 
> column. You'll have to try that.
> 
> 
> Regards,
> Henrik


Hi,

I tried to "patch" the client and run "netstat -antu". Everything works
very well, even though there is no STATE of course (because of UDP). I can
check both TCP and UDP connections. Well, you're right, my checks are to
see if a "server" socket is opened. Both for TCP and UDP connections.

But the main usage I have, for both TCP and UDP, is to check the negative:
I have an exhaustive list of ports that should be opened, and I check if no
other port is opened. For example, I have one line telling:
--- cut here ---
PORT LOCAL=%100.100.100.100[.:].* EXLOCAL=%[.:](22|25|53|80|443|993|1984)$ STATE=LISTEN MAX=0 "TEXT=public tcp bad listeners"
--- cut here ---
And I am able to do the same thing with UDP server connections.

To grep a UDP "server" socket, I use:
--- cut here ---
PORT LOCAL=100.100.100.100:1194 EXSTATE=%([:graph:]) TEXT=openvpn
--- cut here ---
With that regex, I capture all lines with no "STATE" (thus UDP
connections).

So my question is really that I would like to use the functionality of the
client "ports" probe. And I wonder if the philosophy of the "ports" probe
is only to check stateful connections (aka TCP) and thus I have to clone it
and create a "ports2" to check UDP, or if this probe could be patched to
check also UDP connections.

Technically it's OK, it works fine. But what modification am I "allowed"
to do? Propose a patch to the mainstream to add UDP, or clone the test?

Thanks.

-- 
Christian
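
The negative check described in this message, as an added example (not part of the original post and not Xymon's own code): it parses `netstat -antu` output and reports listeners on the public address whose port is not allowlisted, treating a UDP line with an empty State column as a listener. The sample output, the UDP allowlist and the handling of wildcard binds are assumptions added here.

```python
import re

ALLOWED = {
    "tcp": {22, 25, 53, 80, 443, 993, 1984},  # ports from the PORT rule in the post
    "udp": {53, 1194},                        # assumed UDP allowlist (1194: openvpn)
}
WILDCARDS = {"0.0.0.0", "::"}  # assumption: wildcard binds also cover the public IP

# Constructed `netstat -antu` output, not taken from the thread.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 100.100.100.100:22      0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:8080    0.0.0.0:*               LISTEN
tcp        0      0 100.100.100.100:22      198.51.100.7:51514      ESTABLISHED
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN
udp        0      0 100.100.100.100:1194    0.0.0.0:*
udp        0      0 100.100.100.100:161     0.0.0.0:*
udp        0      0 100.100.100.100:40000   203.0.113.9:53          ESTABLISHED
"""

def parse(text):
    """Yield (proto, ip, port, state); state is '' when the column is empty."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not re.fullmatch(r"(tcp|udp)6?", f[0]):
            continue  # header or unrelated line
        ip, _, port = f[3].rpartition(":")
        if port.isdigit():
            yield (f[0].rstrip("6"), ip, int(port), f[5] if len(f) > 5 else "")

def bad_listeners(text, public_ip):
    """Return listening sockets on public_ip whose port is not allowlisted."""
    found = []
    for proto, ip, port, state in parse(text):
        if ip != public_ip and ip not in WILDCARDS:
            continue
        # TCP servers show LISTEN; unconnected UDP sockets show no state at all.
        # A connected UDP socket shows ESTABLISHED and is not a server socket.
        listening = state == "LISTEN" if proto == "tcp" else state == ""
        if listening and port not in ALLOWED[proto]:
            found.append((proto, ip, port))
    return found

if __name__ == "__main__":
    for hit in bad_listeners(SAMPLE, "100.100.100.100"):
        print("unexpected listener:", *hit)
```

A rule that matches only the literal public address, like the `LOCAL=` pattern above, does not see sockets bound to `0.0.0.0` or `::`, which is why the example counts them as well.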


