Home >Operation and Maintenance >Linux Operation and Maintenance >A detailed discussion about the netstat command in Linux

A detailed discussion about the netstat command in Linux

黄舟
黄舟Original
2017-05-27 10:22:182241browse

The following editor will bring you a detailed discussionLinux netstat command (required for senior interviews). The editor thinks it’s pretty good, so I’ll share it with you now and give it as a reference. Let’s follow the editor to take a look

Introduction

The Netstat command is used to display various networks Related information, such as network connection, routing table, interfacestatus (Interface Statistics), masquerade connection, multicast memberships (Multicast Memberships), etc.

Output information meaning

After executing netstat, the output result is

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 2 210.34.6.89:telnet 210.34.6.96:2873 ESTABLISHED
tcp 296 0 210.34.6.89:1165 210.34.6.84:netbios-ssn ESTABLISHED
tcp 0 0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp 0 0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp 0 80 210.34.6.89:1161 210.34.6.10:netbios-ssn CLOSE

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 1 [ ] STREAM CONNECTED 16178 @000000dd
unix 1 [ ] STREAM CONNECTED 16176 @000000dc
unix 9 [ ] DGRAM 5292 /dev/log
unix 1 [ ] STREAM CONNECTED 16182 @000000df

On the whole, the output results of netstat can be divided into two parts:

One is Active Internet connections, called active TCP connections, among which "Recv-Q" and " Send-Q" refers to %0A's receiving queue and sending queue. These numbers should generally be 0. If not it means packages are piling up in the queue. This situation can only be seen in very rare cases.

The other is Active UNIX domain sockets, called active Unix domain sockets (the same as network sockets, but can only be used for local communication, and the performance can be doubled).

Proto displays the protocol used for the connection, RefCnt represents the process number connected to this socket, Types displays the type of the socket, State displays the current status of the socket, and Path represents the number of processes connected to the socket. Pathname used by other processes.

Common parameters

-a (all) displays all options, and LIST## is not displayed by default #EN related -t (tcp) Only display tcp related options
-u (udp) Only display udp related options
-n Refuse to display aliases, and convert all numbers that can be displayed into numbers.
-l Only list the service status in Listen (listening)

-p Display the name of the program that establishes the relevant link

-r Display routing information, routing table
-e Display extension Information, such as uid, etc.
-s Statistics according to each protocol
-c Execute the netstat command at regular intervals.

Tips: The status of LISTEN and LISTENING can only be seen with -a or -l

Practical command examples

1. List all ports (including listening and non-listening ones)

List all ports netstat -a

# netstat -a | more
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 tcp    0   0 localhost:30037     *:*           LISTEN
 udp    0   0 *:bootpc        *:*
 
Active UNIX domain sockets (servers and established)
 Proto RefCnt Flags    Type    State     I-Node  Path
 unix 2   [ ACC ]   STREAM   LISTENING   6135   /tmp/.X11-unix/X0
 unix 2   [ ACC ]   STREAM   LISTENING   5140   /var/run/acpid.socket

List all tcp ports netstat -at

# netstat -at
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 tcp    0   0 localhost:30037     *:*           LISTEN
 tcp    0   0 localhost:ipp      *:*           LISTEN
 tcp    0   0 *:smtp         *:*           LISTEN
 tcp6    0   0 localhost:ipp      [::]:*         LISTEN

List all udp ports netstat -au

# netstat -au
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 udp    0   0 *:bootpc        *:*
 udp    0   0 *:49119         *:*
 udp    0   0 *:mdns         *:*

2. List all Sockets in the listening state

Only display the listening port netstat - l

# netstat -l
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 tcp    0   0 localhost:ipp      *:*           LISTEN
 tcp6    0   0 localhost:ipp      [::]:*         LISTEN
 udp    0   0 *:49119         *:*

Only list all listening tcp ports netstat -lt

# netstat -lt
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 tcp    0   0 localhost:30037     *:*           LISTEN
 tcp    0   0 *:smtp         *:*           LISTEN
 tcp6    0   0 localhost:ipp      [::]:*         LISTEN

Only list all listening udp ports netstat -lu

# netstat -lu
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 udp    0   0 *:49119         *:*
 udp    0   0 *:mdns         *:*

Only list all listening UNIX ports netstat -lx

# netstat -lx
 Active UNIX domain sockets (only servers)
 Proto RefCnt Flags    Type    State     I-Node  Path
 unix 2   [ ACC ]   STREAM   LISTENING   6294   private/maildrop
 unix 2   [ ACC ]   STREAM   LISTENING   6203   public/cleanup
 unix 2   [ ACC ]   STREAM   LISTENING   6302   private/ifmail
 unix 2   [ ACC ]   STREAM   LISTENING   6306   private/bsmtp

3. Display statistics for each protocol

Display statistics for all ports netstat -s

# netstat -s
 Ip:
 11150 total packets received
 1 with invalid addresses
 0 forwarded
 0 incoming packets discarded
 11149 incoming packets delivered
 11635 requests sent out
 Icmp:
 0 ICMP messages received
 0 input ICMP message failed.
 Tcp:
 582 active connections openings
 2 failed connection attempts
 25 connection resets received
 Udp:
 1183 packets received
 4 packets to unknown port received.
 .....

Display TCP or UDP Port statistics netstat -st or -su

# netstat -st

# netstat -su

4. Display the PID and process name in the netstat output netstat -p

netstat -p can be used together with other switches to add "PID/process name" to the netstat output, so that you can easily discover programs running on specific ports during debugging. .

# netstat -pt
 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State    PID/Program name
 tcp    1   0 ramesh-laptop.loc:47212 192.168.185.75:www    CLOSE_WAIT 2109/firefox
 tcp    0   0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox

5. Do not display the host, port and user name (host, port or user) in the netstat output

When you do not want the host, port and user name To display, use netstat -n. Numbers will be used in place of those names.

It can also speed up the output because there is no need to compare

query.

# netstat -an

If you only don’t want one of these three names to be displayed, use the following command

# netsat -a --numeric-ports
# netsat -a --numeric-hosts
# netsat -a --numeric-users

6. Continuously output netstat information

netstat Network information will be output every second.

# netstat -c
 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address      Foreign Address     State
 tcp    0   0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
 tcp    1   1 ramesh-laptop.loc:52564 101.11.169.230:www   CLOSING
 tcp    0   0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
 tcp    1   1 ramesh-laptop.loc:42367 101.101.34.101:www   CLOSING
 ^C

7. Display address families that are not supported by the system

netstat --verbose

At the end of the output, there will be the following information

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Display core routing information netstat -r

# netstat -r
 Kernel IP routing table
 Destination   Gateway     Genmask     Flags  MSS Window irtt Iface
 192.168.1.0   *        255.255.255.0  U     0 0     0 eth2
 link-local   *        255.255.0.0   U     0 0     0 eth2
 default     192.168.1.1   0.0.0.0     UG    0 0     0 eth2

Note: Use netstat -rn to display the numeric format and do not query the host name.

9. Find the port on which the program is running.

Not all processes can be found. Those without permission will not be displayed. Use root permissions to view all Information.

# netstat -ap | grep ssh
 tcp    1   0 dev-db:ssh      101.174.100.22:39213    CLOSE_WAIT -
 tcp    1   0 dev-db:ssh      101.174.100.22:57643    CLOSE_WAIT -

Find out the process running on the specified port

# netstat -an | grep ':80'

10. Display the network interface list

# netstat -i
 Kernel Interface table
 Iface  MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
 eth0    1500 0     0   0   0 0       0   0   0   0 BMU
 eth2    1500 0   26196   0   0 0     26883   6   0   0 BMRU
 lo    16436 0     4   0   0 0       4   0   0   0 LRU

显示详细信息,像是 ifconfig 使用 netstat -ie:

# netstat -ie
 Kernel Interface table
 eth0   Link encap:Ethernet HWaddr 00:10:40:11:11:11
 UP BROADCAST MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
 Memory:f6ae0000-f6b00000

11. IP和TCP分析

查看连接某服务端口最多的的IP地址

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

TCP各种状态列表

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT

先把状态全都取出来,然后使用uniq -c统计,之后再进行排序。

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)

最后的命令如下:

netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

分析access.log获得访问前10位的ip地址

awk '{print $1}' access.log |sort|uniq -c|sort -nr|head -10

The above is the detailed content of A detailed discussion about the netstat command in Linux. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn