The following is a detailed discussion of the Linux netstat command (required for senior interviews), shared here as a reference.
The netstat command displays various network-related information, such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
Output information meaning
After executing netstat, the output is:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address          State
tcp        0      2 210.34.6.89:telnet       210.34.6.96:2873         ESTABLISHED
tcp      296      0 210.34.6.89:1165         210.34.6.84:netbios-ssn  ESTABLISHED
tcp        0      0 localhost.localdom:9001  localhost.localdom:1162  ESTABLISHED
tcp        0      0 localhost.localdom:1162  localhost.localdom:9001  ESTABLISHED
tcp        0     80 210.34.6.89:1161         210.34.6.10:netbios-ssn  CLOSE

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     16178  @000000dd
unix  1      [ ]         STREAM     CONNECTED     16176  @000000dc
unix  9      [ ]         DGRAM                    5292   /dev/log
unix  1      [ ]         STREAM     CONNECTED     16182  @000000df
On the whole, the output results of netstat can be divided into two parts:
One is Active Internet connections, the active TCP connections, in which "Recv-Q" and "Send-Q" refer to the receive queue and the send queue. These numbers should generally be 0. If they are not, packets are piling up in the queue. This situation can only be seen in very rare cases.
The other is Active UNIX domain sockets, the active Unix domain sockets (the same as network sockets, but usable only for local communication, and the performance can be doubled).
Proto displays the protocol used for the connection, RefCnt is the count of processes connected to this socket, Type displays the type of the socket, State displays the current status of the socket, and Path is the pathname used by other processes connected to the socket.
Common parameters
-a (all) Display all entries; LISTEN-related entries are not displayed by default
-t (tcp) Only display tcp-related entries
-u (udp) Only display udp-related entries
-n Do not display aliases; show everything that can be shown numerically as numbers
-l Only list services in the LISTEN (listening) state
-r Display routing information (the routing table)
-e Display extended information, such as uid
-s Display statistics for each protocol
-c Execute the netstat command at regular intervals
Practical command examples
1. List all ports (including listening and non-listening ones)
List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6135   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140   /var/run/acpid.socket

List all tcp ports: netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all udp ports: netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*
2. List all Sockets in the listening state
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
udp        0      0 *:49119                 *:*

Only list all listening tcp ports: netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

Only list all listening udp ports: netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

Only list all listening UNIX ports: netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6294   private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     6203   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     6302   private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     6306   private/bsmtp
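
The listings above mix listeners bound to localhost with listeners bound to every interface (*). As an added example (not part of the original article), this script classifies each TCP listener by bind scope so the network-reachable ones stand out; the function names and the sample `netstat -lnt` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnt` output (documentation address ranges).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.15:30037        0.0.0.0:*               LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Print "<scope> <proto> <addr> <port>" for each TCP listener read on stdin:
#   loopback = reachable only from this host
#   wildcard = bound to every interface
#   specific = bound to one non-loopback address
classify_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4; port = $4
        sub(/.*:/, "", port)        # port = text after the last colon
        sub(/:[^:]*$/, "", addr)    # address = everything before that colon
        if (addr ~ /^127\./ || addr == "::1")
            scope = "loopback"
        else if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "wildcard"
        else
            scope = "specific"
        print scope, $1, addr, port
    }'
}

# Listeners reachable from the network: everything that is not loopback.
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback"'
}

# Demo on the constructed sample; on a live host: netstat -lnt | exposed_listeners
sample_listeners | exposed_listeners
```

Run it with numeric output (-n) so that the address test is not defeated by name resolution.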
3. Display statistics for each protocol
Display statistics for all ports: netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
Tcp:
    582 active connections openings
    2 failed connection attempts
    25 connection resets received
Udp:
    1183 packets received
    4 packets to unknown port received.
.....

Display TCP or UDP port statistics: netstat -st or -su

# netstat -st
# netstat -su
4. Display the PID and process name in the netstat output: netstat -p
netstat -p can be used together with other switches to add "PID/Program name" to the netstat output, so that you can easily discover which programs are running on specific ports during debugging.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address      State        PID/Program name
tcp        1      0 ramesh-laptop.loc:47212  192.168.185.75:www   CLOSE_WAIT   2109/firefox
tcp        0      0 ramesh-laptop.loc:52750  lax:www              ESTABLISHED  2109/firefox
5. Do not display the host, port and user name (host, port or user) in the netstat output
When you do not want the host, port and user names to be displayed, use netstat -n. Numbers will be used in place of those names. It can also speed up the output because no name lookups are needed.

# netstat -an

If you want to suppress only one of these three kinds of name, use one of the following commands:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users
6. Continuously output netstat information
netstat will output network information every second.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address           State
tcp        0      0 ramesh-laptop.loc:36130  101-101-181-225.ama:www   ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564  101.11.169.230:www        CLOSING
tcp        0      0 ramesh-laptop.loc:43758  server-101-101-43-2:www   ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367  101.101.34.101:www        CLOSING
^C
7. Display address families that are not supported by the system
netstat --verbose

At the end of the output, there will be the following information:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
8. Display kernel routing information: netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
link-local      *               255.255.0.0     U         0 0          0 eth2
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: Use netstat -rn to display the output in numeric format without looking up host names.
9. Find the port on which the program is running.
Not all processes can be found. Those you do not have permission for will not be displayed. Use root privileges to view all information.

# netstat -ap | grep ssh
tcp        1      0 dev-db:ssh      101.174.100.22:39213    CLOSE_WAIT  -
tcp        1      0 dev-db:ssh      101.174.100.22:57643    CLOSE_WAIT  -

Find out the process running on the specified port:

# netstat -an | grep ':80'
10. Display the network interface list
# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0       0      0      0      0       0      0      0      0 BMU
eth2   1500   0   26196      0      0      0   26883      6      0      0 BMRU
lo    16436   0       4      0      0      0       4      0      0      0 LRU
To display detailed information, like ifconfig, use netstat -ie:

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000
11. IP and TCP analysis
Find the IP addresses with the most connections to a given service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
     18 221.136.168.36
      3 154.74.45.242
      2 78.173.31.236
      2 62.183.207.98
      2 192.168.1.14
      2 182.48.111.215
      2 124.193.219.34
      2 119.145.41.2
      2 114.255.41.30
      1 75.102.11.99
List of the various TCP states

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT

First extract all the states, then count them with uniq -c, and then sort the result.

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
    143 ESTABLISHED
      1 FIN_WAIT1
      1 Foreign
      1 LAST_ACK
     36 LISTEN
      6 SYN_SENT
    113 TIME_WAIT
      1 established)

The final command is as follows:
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
Analyze access.log to get the top 10 visiting IP addresses
awk '{print $1}' access.log |sort|uniq -c|sort -nr|head -10