Get a continuously updating display of client IP addresses on a web server using X-Forwarded-For

Sometimes it’s desirable to have a continuously updating display of the IP addresses which are hitting a web server, with an indication of how many times each IP address has made a request. This may be because you suspect a DoS or DDoS attack, or there may appear to be some other odd activity, or you may simply be curious. If a web server is sitting directly on the Internet then it’s possible to do this fairly easily with a tool such as netstat. Often, however, a web server is behind an ELB or another type of load balancer, which means that if you try to use netstat then you’ll just see the load balancer’s IP address, not the address of the client which made the request. But if your load balancer is passing the X-Forwarded-For header (as it really ought to be) then you can use this header instead of the client IP to get a continuously updating display.

First, you’ll need to make sure the tools ngrep and watch are installed. Then copy and paste the following Bash script (replacing eth0 with the correct interface if it’s not eth0) (or grab it from GitHub):

#!/bin/bash

ngrep -il -d eth0 -W byline "x-forwarded-for" "port 80" | grep -i x-forwarded-for | 
  awk -F '[., ]' '{printf( "%s.%s.%s.%sn", $2,$3,$4,$5 );}' > /tmp/ngrep.tmp &

watch -tn 10 'cat /tmp/ngrep.tmp | sort -n | uniq -c | sort -nr | head -30'

When you run this script you should see a continuously updating display which looks something like this:

80 11.22.33.44
60 55.66.77.88
40 44.33.22.11
20 88.77.66.55
...

It may start to slow down after a while. If that happens then just hit CTRL-C and run it again.