Linux Command sharing: detailed explanation of the netstat command and the netstat command

Linux Command sharing: detailed explanation of the netstat command and the netstat command

The netstat command is used to display statistics related to IP, TCP, UDP, and ICMP protocols. It is generally used to check the network connection of each port on the local machine. Netstat is a program that accesses networks and related information in the kernel. It provides reports on TCP connections, TCP and UDP listeners, and process memory management.

If your computer sometimes receives a datagram that causes an error in data or a fault, you don't have to be surprised. TCP/IP can allow these types of errors and automatically resend the datagram. However, if the cumulative number of errors accounts for a considerable percentage of the received IP data packets, or the number of errors increases rapidly, then you should use netstat to check the cause.

1. Command Format:

Netstat [-acCeFghilMnNoprstuvVwx] [-A <network type>] [-ip]

2. command functions:

Netstat is used to display statistics related to IP, TCP, UDP, and ICMP protocols. It is generally used to check the network connection of each port on the local machine.

3. command parameters:

-A or-all shows the sockets in all connections.

-A <network type> or-<network type> lists the related addresses of the network type connections.

-C or-continuous continuously lists the network status.

-C or-cache displays the cache information of the vro configuration.

-E or-extend displays other network-related information.

-F or-fib displays FIB.

-G or-groups displays a list of members of the Multi-Broadcast Function Group.

-H or-help online help.

-I or-interfaces displays the network interface information form.

-L or-listening displays the Socket of the monitored server.

-M or-masquerade displays disguised network connections.

-N or-numeric directly uses the IP address instead of the Domain Name Server.

-N or-netlink or-symbolic indicates the symbolic connection name of the network hardware peripheral device.

-O or-timers displays the timer.

-P or-programs shows the program identification code and program name using Socket.

-R or-route displays the RoutingTable.

-S or-statistice displays a statistical table of network work information.

-T or-tcp shows the connection status of the TCP transmission protocol.

-U or-udp shows the connection status of UDP transmission protocol.

-V or-verbose displays the command execution process.

-V or-version displays version information.

-W or-raw shows the RAW transmission protocol connection status.

-X or-unix: this parameter has the same effect as the specified "-Aunix" parameter.

-Ip or-inet: the effect of this parameter is the same as that of the specified "-Ainet" parameter.

4. Example:

Instance 1: No parameter used

Command:

Netstat

Output:

[Root @ localhost ~] # Netstat

ActiveInternetconnections (w/oservers)

ProtoRecv-QSend-QLocalAddressForeignAddressState

Tcp0268192.168.120.204: ssh10.2.0.68: 62420 ESTABLISHED

Udp00192.168.120.204: 437110.58.119.119: domainESTABLISHED

ActiveUNIXdomainsockets (w/oservers)

ProtoRefCntFlagsTypeStateI-NodePath

Unix2 [] DGRAM1491 @/org/kernel/udev/udevd

Unix4 [] DGRAM7337/dev/log

Unix2 [] DGRAM708823

Unix2 [] DGRAM7539

Unix3 [] STREAMCONNECTED7287

Unix3 [] STREAMCONNECTED7286

[Root @ localhost ~] #

Note:

The output result of netstat can be divided into two parts:

One is ActiveInternetconnections, which is called an active TCP connection. "Recv-Q" and "Send-Q" refer to the receiving queue and sending queue. These numbers are generally 0. If not, the package is accumulating in the queue. This can only be seen in rare cases.

The other is ActiveUNIXdomainsockets, called the active Unix domain interface (which is the same as the network socket, but can only be used for local communication, and the performance can be doubled ).

Proto displays the protocol used for the connection. RefCnt indicates the process number connecting to this interface. Types indicates the type of the interface set. State indicates the current status of the interface set, path indicates the Path name used by other processes connected to the set interface.

Set interface type:

-T: TCP

-U: UDP

-Raw: RAW type

-Unix: UNIX domain type

-Ax25: AX25 type

-Ipx: ipx type

-Netrom: netrom type

Status description:

LISTEN: listens for connection requests from remote TCP ports

SYN-SENT: Wait for the matched connection request after sending the connection request again (if there are a large number of such status packages, check if it is recruited)

SYN-RECEIVED: After receiving and sending a connection request, wait for the other party to confirm the connection request (if there is a large number of this status, it is estimated that the flood attack)

ESTABLISHED: indicates an opened connection.

FIN-WAIT-1: waiting for confirmation of the remote TCP connection interruption request or previous connection interruption request

FIN-WAIT-2: Waiting for connection interruption requests from remote TCP

CLOSE-WAIT: Waiting for connection interruption requests from Local Users

CLOSING: waiting for confirmation of remote TCP connection interruption

LAST-ACK: Wait for the confirmation of the original connection interrupt request sent to remote TCP (not a good thing, this appears, check whether it is under attack)

TIME-WAIT: WAIT for enough TIME to confirm that the remote TCP receives the connection interruption request.

CLOSED: No connection status

Instance 2: List all ports

Command:

Netstat-

Output:

[Root @ localhost ~] # Netstat-

ActiveInternetconnections (serversandestablished)

ProtoRecv-QSend-QLocalAddressForeignAddressState

Tcp00localhost: smux *: * LISTEN

Tcp00 *: svn *: * LISTEN

Tcp00 *: ssh *: * LISTEN

Tcp0284192.168.120.204: ssh10.2.0.68: 62420 ESTABLISHED

Udp00localhost: syslog *:*

Udp00 *: snmp *:*

ActiveUNIXdomainsockets (serversandestablished)

ProtoRefCntFlagsTypeStateI-NodePath

Unix2 [ACC] stream listening708833/tmp/ssh-yKnDB15725/agent.15725

Unix2 [ACC] STREAMLISTENING7296/var/run/audispd_events

Unix2 [] DGRAM1491 @/org/kernel/udev/udevd

Unix4 [] DGRAM7337/dev/log

Unix2 [] DGRAM708823

Unix2 [] DGRAM7539

Unix3 [] STREAMCONNECTED7287

Unix3 [] STREAMCONNECTED7286

[Root @ localhost ~] #

Note:

Displays a list of all valid connections, including ESTABLISHED connections (ESTABLISHED) and LISTENING connections.

Instance 3: displays the current UDP connection status

Command:

Netstat-nu

Output:

[Root @ andy ~] # Netstat-nu

ActiveInternetconnections (w/oservers)

ProtoRecv-QSend-QLocalAddressForeignAddressState

Udp00: ffff: 192.168.12: 53392: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 56723: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 56480: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 58154: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 44227: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 36954: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 53984: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 57703: ffff: 192.168.9.120: 10000 ESTABLISHED

Udp00: ffff: 192.168.12: 53613: ffff: 192.168.9.120: 10000 ESTABLISHED

[Root @ andy ~] #

Note:

Instance 4: displays the UDP port number usage

Command:

Netstat-apu

Output:

[Root @ andy ~] # Netstat-apu

ActiveInternetconnections (serversandestablished)

ProtoRecv-QSend-QLocalAddressForeignAddressStatePID/Programname

Udp00 *: 57604 *: * 28094/java

Udp00 *: 40583 *: * 21220/java

Udp00 *: 45451 *: * 14583/java

Udp00: ffff: 192.168.12: 53392: ffff: 192.168.9.120: ndmpESTABLISHED19327/java

Udp00 *: 52370 *: * 15841/java

Udp00: ffff: 192.168.12: 56723: ffff: 192.168.9.120: ndmpESTABLISHED15841/java

Udp00 *: 44182 *: * 31757/java

Udp00 *: 48155 *: * 5476/java

Udp00 *: 59808 *: * 17333/java

Udp00: ffff: 192.168.12: 56480: ffff: 192.168.9.120: ndmpESTABLISHED28094/java

Udp00: ffff: 192.168.12: 58154: ffff: 192.168.9.120: ndmpESTABLISHED15429/java

Udp00 *: 36780 *: * 10091/java

Udp00 *: 36795 *: * 24594/java

Udp00 *: 41922 *: * 20506/java

Udp00: ffff: 192.168.12: 44227: ffff: 192.168.9.120: ndmpESTABLISHED17333/java

Udp00 *: 34258 *: * 8866/java

Udp00 *: 55508 *: * 11667/java

Udp00 *: 36055 *: * 12425/java

Udp00: ffff: 192.168.12: 36954: ffff: 192.168.9.120: ndmpESTABLISHED16532/java

Udp00: ffff: 192.168.12: 53984: ffff: 192.168.9.120: ndmpESTABLISHED20506/java

Udp00: ffff: 192.168.12: 57703: ffff: 192.168.9.120: ndmpESTABLISHED31757/java

Udp00: ffff: 192.168.12: 53613: ffff: 192.168.9.120: ndmpESTABLISHED3199/java

Udp00 *: 56309 *: * 15429/java

Udp00 *: 54007 *: * 16532/java

Udp00 *: 39544 *: * 3199/java

Udp00 *: 43900 *: * 19327/java

[Root @ andy ~] #

Note:

Instance 5: displays the NIC list

Command:

Netstat-I

Output:

[Root @ andy ~] # Netstat-I

KernelInterfacetable

IfaceMTUMetRX-OKRX-ERRRX-DRPRX-OVRTX-OKTX-ERRTX-DRPTX-OVRFlg

Eth015000151818887000198928403000BMRU

Lo164360107235000107235000LRU

[Root @ andy ~] #

Note:

Instance 6: displays the relationship between multicast groups.

Command:

Netstat-g

Output:

[Root @ andy ~] # Netstat-g

IPv6/IPv4GroupMemberships

InterfaceRefCntGroup

--------------

Lo1all-systems.mcast.net

Eth01all-systems.mcast.net

Lo1ff02: 1

Eth01ff02: 1: ffff: 9b0c

Eth01ff02: 1

[Root @ andy ~] #

Note:

Instance 7: displays network statistics

Command:

Netstat-s

Output:

[Root @ localhost ~] # Netstat-s

Ip:

530999 totalpacketsreceived

0 forwarded

0 incomingpacketsdiscarded

530999 incomingpacketsdelivered

8258 requestssentout

1 droppedbecauseofmissingroute

Icmp:

90 ICMPmessagesreceived

0inputICMPmessagefailed.

ICMPinputhistogram:

Destinationunreachable: 17

Echorequests: 1

Echoreplies: 72

106 ICMPmessagessent

0 ICMPmessagesfailed

ICMPoutputhistogram:

Destinationunreachable: 8

Echorequest: 97

Echoreplies: 1

IcmpMsg:

InType0: 72

InType3: 17

InType8: 1

OutType0: 1

OutType3: 8

OutType8: 97

Tcp:

8 activeconnectionsopenings

15 passiveconnectionopenings

8 failedconnectionattempts

3 connectionresetsreceived

1 connectionsestablished

3132 segmentsreceived

2617 segmentssendout

53 segmentsretransmited

0badsegmentsreceived.

252 resetssent

Udp:

0 packetsreceived

0packetstounknownportreceived.

0 packetreceiveerrors

5482 packetssent

TcpExt:

1 invalidSYNcookiesreceived

1 TCPsocketsfinishedtimewaitinfasttimer

57 delayedackssent

Quickackmodewasactivated50times

60packetsdirectlyqueuedtorecvmsgprequeue.

68 packetsdirectlyreceivedfrombacklog

4399 packetsdirectlyreceivedfromprequeue

520 packetsheaderpredicted

51 packetsheaderpredictedanddirectlyqueuedtouser

1194 acknowledgmentsnotcontainingdatareceived

21 predictedacknowledgments

0 TCPdatalossevents

1 timeoutsafterrenofastretransmit

9 retransmitsinslowstart

42 otherTCPtimeouts

3 connectionsabortedduetotimeout

IpExt:

InBcastPkts: 527777

Note:

Statistics are displayed based on each protocol. If our applications (such as Web browsers) run slowly or cannot display data such as Web pages, we can use this option to view the displayed information. We need to carefully check the rows of statistics, find the keyword of the error, and then determine the problem.

Instance 8: interface for displaying listeners

Command:

Netstat-l

Output:

[Root @ localhost ~] # Netstat-l

ActiveInternetconnections (onlyservers)

ProtoRecv-QSend-QLocalAddressForeignAddressState

Tcp00localhost: smux *: * LISTEN

Tcp00 *: svn *: * LISTEN

Tcp00 *: ssh *: * LISTEN

Udp00localhost: syslog *:*

Udp00 *: snmp *:*

ActiveUNIXdomainsockets (onlyservers)

ProtoRefCntFlagsTypeStateI-NodePath

Unix2 [ACC] stream listening708833/tmp/ssh-yKnDB15725/agent.15725

Unix2 [ACC] STREAMLISTENING7296/var/run/audispd_events

[Root @ localhost ~] #

Note:

Instance 9: displays all established valid connections

Command:

Netstat-n

Output:

[Root @ localhost ~] # Netstat-n

ActiveInternetconnections (w/oservers)

ProtoRecv-QSend-QLocalAddressForeignAddressState

Tcp0268192.168.120.204: 2210.2.0.68: 62420 ESTABLISHED

ActiveUNIXdomainsockets (w/oservers)

ProtoRefCntFlagsTypeStateI-NodePath

Unix2 [] DGRAM1491 @/org/kernel/udev/udevd

Unix4 [] DGRAM7337/dev/log

Unix2 [] DGRAM708823

Unix2 [] DGRAM7539

Unix3 [] STREAMCONNECTED7287

Unix3 [] STREAMCONNECTED7286

[Root @ localhost ~] #

Note:

Instance 10: displays Ethernet statistics

Command:

Netstat-e

Output:

[Root @ localhost ~] # Netstat-e

ActiveInternetconnections (w/oservers)

ProtoRecv-QSend-QLocalAddressForeignAddressStateUserInode

Tcp0248192.168.120.204: ssh10.2.0.68: 62420ESTABLISHEDroot708795

ActiveUNIXdomainsockets (w/oservers)

ProtoRefCntFlagsTypeStateI-NodePath

Unix2 [] DGRAM1491 @/org/kernel/udev/udevd

Unix4 [] DGRAM7337/dev/log

Unix2 [] DGRAM708823

Unix2 [] DGRAM7539

Unix3 [] STREAMCONNECTED7287

Unix3 [] STREAMCONNECTED7286

[Root @ localhost ~] #

Note:

Displays Ethernet statistics. It lists items including the total number of bytes, number of errors, number of delimiters, number of datagram, and number of broadcasts. These statistics include both the number of sent and received data packets. This option can be used to count some basic network traffic)

Instance 11: displays information about the route table.

Command:

Netstat-r

Output:

[Root @ localhost ~] # Netstat-r

KernelIProutingtable

DestinationGatewayGenmaskFlagsMSSWindowirttIface

192.168.120.0*255.255.255.0U000eth0

192.168.0.0192.168.120.1255.20.0.0ug000eth0

10.0.0.0192.168.120.1255.0.0.0UG000eth0

Default192.168.120.2400.0.0.0UG000eth0

[Root @ localhost ~] #

Note:

Instance 12: list all tcp ports

Command:

Netstat-

Output:

[Root @ localhost ~] # Netstat-

ActiveInternetconnections (serversandestablished)

ProtoRecv-QSend-QLocalAddressForeignAddressState

Tcp00localhost: smux *: * LISTEN

Tcp00 *: svn *: * LISTEN

Tcp00 *: ssh *: * LISTEN

Tcp0284192.168.120.204: ssh10.2.0.68: 62420 ESTABLISHED

[Root @ localhost ~] #

Note:

Instance 13: count the number of network connections in the Machine

Command:

Netstat-a | awk '/^ tcp/{++ S [NF]} END {for (a in S) print a, S [a]}'

Output:

[Root @ localhost ~] # Netstat-a | awk '/^ tcp/{++ S [NF]} END {for (a in S) print a, S [a]}'

ESTABLISHED 1

LISTEN 3

[Root @ localhost ~] #

Note:

Instance 14: obtain all the statuses and use uniq-c for statistics before sorting.

Command:

Netstat-nat | awk '{print 6}' | sort | uniq-c

Output: