0

Using lsof command I would like to print out TCP connections with ESTABLISHED state but ignoring the ones with localhost.

I tried:

lsof -itcp@^127.0.0.1 -stcp:established lsof -itcp@(^127.0.0.1) -stcp:established lsof -itcp -i ^@127.0.0.1 -stcp:established

and others similar, but always getting sintax error response.

What is correct sintax?

Improve this question
3
  • 1
    Try using ss -tlpn -o state ESTABLISHED This is much better than lsof for what you want. Commented Dec 13, 2023 at 19:34
  • Or while at it as a Linux-only method: ss -4tnp state established not dst 127.0.0.0/8 . @ValentinBajrami btw: -l is incompatible with state established (because it means state listening). Commented Dec 13, 2023 at 19:43
  • @A.B on that's so true. Wasn't even thinking since I usually type ss -tlpen... most of the time. Good pointers and not dst 127.0.0.0/8 is definitely what's needed here. Commented Dec 13, 2023 at 20:06

1 Answer 1

Reset to default
5

It doesn't look like you can negate network addresses in lsof.

If on Linux, you could use lsfd from util-linux instead:

lsfd -Q '(type =~ "^TCP") and (name =~ "state=established") and (name !~ "addr=(\[::1\]|127)")'

Or as mentioned by @A.B ss from iproute2:

ss -tp state established not dst 127.0/8 not dst '[::1]'
Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.