Linux command sharing: a detailed explanation of the netstat command
The netstat command is used to display statistics related to the IP, TCP, UDP, and ICMP protocols. It is generally used to check the network connections on each port of the local machine. netstat is a program that accesses networking and related information in the kernel. It provides reports on TCP connections, TCP and UDP listeners, and process memory management.
Do not be surprised if your computer occasionally receives a datagram that is corrupted or causes a fault. TCP/IP tolerates these kinds of errors and automatically resends the datagram. However, if the cumulative number of errors accounts for a considerable percentage of the received IP packets, or the number of errors is increasing rapidly, you should use netstat to find out why.
1. Command Format:
netstat [-acCeFghilMnNoprstuvVwx] [-A<network type>] [--ip]
2. Command functions:
netstat is used to display statistics related to the IP, TCP, UDP, and ICMP protocols. It is generally used to check the network connections on each port of the local machine.
3. Command parameters:
-a or --all: shows the sockets of all connections.
-A<network type> or --<network type>: lists the addresses involved in connections of that network type.
-c or --continuous: lists the network status continuously.
-C or --cache: displays the cache information of the router configuration.
-e or --extend: displays additional network-related information.
-F or --fib: displays the FIB.
-g or --groups: displays the multicast group membership list.
-h or --help: online help.
-i or --interfaces: displays the network interface table.
-l or --listening: displays the sockets of listening servers.
-M or --masquerade: displays masqueraded network connections.
-n or --numeric: uses IP addresses directly, without going through a domain name server.
-N or --netlink or --symbolic: displays the symbolic link names of network hardware peripherals.
-o or --timers: displays the timers.
-p or --programs: shows the PID and name of the program using each socket.
-r or --route: displays the routing table.
-s or --statistics: displays a table of network statistics.
-t or --tcp: shows the connection status of the TCP protocol.
-u or --udp: shows the connection status of the UDP protocol.
-v or --verbose: displays the command's execution process.
-V or --version: displays version information.
-w or --raw: shows the connection status of the RAW protocol.
-x or --unix: has the same effect as specifying "-A unix".
--ip or --inet: has the same effect as specifying "-A inet".
4. Example:
Instance 1: No parameter used
Command:
netstat
Output:
[root@localhost ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0    268 192.168.120.204:ssh         10.2.0.68:62420             ESTABLISHED
udp        0      0 192.168.120.204:4371        10.58.119.119:domain        ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    1491   @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    7337   /dev/log
unix  2      [ ]         DGRAM                    708823
unix  2      [ ]         DGRAM                    7539
unix  3      [ ]         STREAM     CONNECTED     7287
unix  3      [ ]         STREAM     CONNECTED     7286
[root@localhost ~]#
Note:
The output of netstat can be divided into two parts:
The first is Active Internet connections, which lists the active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers are generally 0. If they are not, packets are accumulating in the queue. This is seen only in rare cases.
The second is Active UNIX domain sockets, which lists the active Unix domain sockets (these behave like network sockets, but can only be used for local communication, and the performance can be doubled).
Proto displays the protocol used for the connection. RefCnt indicates the number of processes connected to this socket. Type indicates the type of the socket. State indicates the current state of the socket. Path indicates the path name used by other processes connected to the socket.
Socket types:
-t: TCP
-u: UDP
-raw: RAW type
--unix: UNIX domain type
--ax25: AX25 type
--ipx: ipx type
--netrom: netrom type
Status description:
LISTEN: listening for connection requests from remote TCP ports
SYN-SENT: waiting for a matching connection request after having sent a connection request (if there are a large number of connections in this state, check whether the machine has been compromised)
SYN-RECEIVED: waiting for the other party to confirm the connection request after having both received and sent a connection request (a large number of connections in this state probably indicates a flood attack)
ESTABLISHED: indicates an open connection
FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for an acknowledgment of the connection termination request previously sent
FIN-WAIT-2: waiting for a connection termination request from the remote TCP
CLOSE-WAIT: waiting for a connection termination request from the local user
CLOSING: waiting for the remote TCP to acknowledge the connection termination
LAST-ACK: waiting for acknowledgment of the connection termination request originally sent to the remote TCP (this is not a good sign; if it appears, check whether the machine is under attack)
TIME-WAIT: waiting long enough to be sure that the remote TCP has received the acknowledgment of its connection termination request
CLOSED: no connection state
Instance 2: List all ports
Command:
netstat -a
Output:
[root@localhost ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 localhost:smux              *:*                         LISTEN
tcp        0      0 *:svn                       *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0    284 192.168.120.204:ssh         10.2.0.68:62420             ESTABLISHED
udp        0      0 localhost:syslog            *:*
udp        0      0 *:snmp                      *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     708833 /tmp/ssh-yKnDB15725/agent.15725
unix  2      [ ACC ]     STREAM     LISTENING     7296   /var/run/audispd_events
unix  2      [ ]         DGRAM                    1491   @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    7337   /dev/log
unix  2      [ ]         DGRAM                    708823
unix  2      [ ]         DGRAM                    7539
unix  3      [ ]         STREAM     CONNECTED     7287
unix  3      [ ]         STREAM     CONNECTED     7286
[root@localhost ~]#
Note:
Displays a list of all valid connections, including established connections (ESTABLISHED) and connections that are listening for connection requests (LISTENING).
Instance 3: displays the current UDP connection status
Command:
netstat -nu
Output:
[root@andy ~]# netstat -nu
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
udp        0      0 ::ffff:192.168.12:53392     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:56723     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:56480     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:58154     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:44227     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:36954     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:53984     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:57703     ::ffff:192.168.9.120:10000  ESTABLISHED
udp        0      0 ::ffff:192.168.12:53613     ::ffff:192.168.9.120:10000  ESTABLISHED
[root@andy ~]#
Note:
Instance 4: displays the UDP port number usage
Command:
netstat -apu
Output:
[root@andy ~]# netstat -apu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
udp        0      0 *:57604                     *:*                                     28094/java
udp        0      0 *:40583                     *:*                                     21220/java
udp        0      0 *:45451                     *:*                                     14583/java
udp        0      0 ::ffff:192.168.12:53392     ::ffff:192.168.9.120:ndmp   ESTABLISHED 19327/java
udp        0      0 *:52370                     *:*                                     15841/java
udp        0      0 ::ffff:192.168.12:56723     ::ffff:192.168.9.120:ndmp   ESTABLISHED 15841/java
udp        0      0 *:44182                     *:*                                     31757/java
udp        0      0 *:48155                     *:*                                     5476/java
udp        0      0 *:59808                     *:*                                     17333/java
udp        0      0 ::ffff:192.168.12:56480     ::ffff:192.168.9.120:ndmp   ESTABLISHED 28094/java
udp        0      0 ::ffff:192.168.12:58154     ::ffff:192.168.9.120:ndmp   ESTABLISHED 15429/java
udp        0      0 *:36780                     *:*                                     10091/java
udp        0      0 *:36795                     *:*                                     24594/java
udp        0      0 *:41922                     *:*                                     20506/java
udp        0      0 ::ffff:192.168.12:44227     ::ffff:192.168.9.120:ndmp   ESTABLISHED 17333/java
udp        0      0 *:34258                     *:*                                     8866/java
udp        0      0 *:55508                     *:*                                     11667/java
udp        0      0 *:36055                     *:*                                     12425/java
udp        0      0 ::ffff:192.168.12:36954     ::ffff:192.168.9.120:ndmp   ESTABLISHED 16532/java
udp        0      0 ::ffff:192.168.12:53984     ::ffff:192.168.9.120:ndmp   ESTABLISHED 20506/java
udp        0      0 ::ffff:192.168.12:57703     ::ffff:192.168.9.120:ndmp   ESTABLISHED 31757/java
udp        0      0 ::ffff:192.168.12:53613     ::ffff:192.168.9.120:ndmp   ESTABLISHED 3199/java
udp        0      0 *:56309                     *:*                                     15429/java
udp        0      0 *:54007                     *:*                                     16532/java
udp        0      0 *:39544                     *:*                                     3199/java
udp        0      0 *:43900                     *:*                                     19327/java
[root@andy ~]#
Note:
Instance 5: displays the NIC list
Command:
netstat -i
Output:
[root@andy ~]# netstat -i
Kernel Interface table
Iface   MTU Met     RX-OK RX-ERR RX-DRP RX-OVR     TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 151818887      0      0      0 198928403      0      0      0 BMRU
lo    16436   0    107235      0      0      0    107235      0      0      0 LRU
[root@andy ~]#
Note:
Instance 6: displays the relationship between multicast groups.
Command:
netstat -g
Output:
[root@andy ~]# netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eth0            1      all-systems.mcast.net
lo              1      ff02::1
eth0            1      ff02::1:ffff:9b0c
eth0            1      ff02::1
[root@andy ~]#
Note:
Instance 7: displays network statistics
Command:
netstat -s
Output:
[root@localhost ~]# netstat -s
Ip:
    530999 total packets received
    0 forwarded
    0 incoming packets discarded
    530999 incoming packets delivered
    8258 requests sent out
    1 dropped because of missing route
Icmp:
    90 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 17
        echo requests: 1
        echo replies: 72
    106 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 8
        echo request: 97
        echo replies: 1
IcmpMsg:
        InType0: 72
        InType3: 17
        InType8: 1
        OutType0: 1
        OutType3: 8
        OutType8: 97
Tcp:
    8 active connections openings
    15 passive connection openings
    8 failed connection attempts
    3 connection resets received
    1 connections established
    3132 segments received
    2617 segments send out
    53 segments retransmited
    0 bad segments received.
    252 resets sent
Udp:
    0 packets received
    0 packets to unknown port received.
    0 packet receive errors
    5482 packets sent
TcpExt:
    1 invalid SYN cookies received
    1 TCP sockets finished time wait in fast timer
    57 delayed acks sent
    Quick ack mode was activated 50 times
    60 packets directly queued to recvmsg prequeue.
    68 packets directly received from backlog
    4399 packets directly received from prequeue
    520 packets header predicted
    51 packets header predicted and directly queued to user
    1194 acknowledgments not containing data received
    21 predicted acknowledgments
    0 TCP data loss events
    1 timeouts after reno fast retransmit
    9 retransmits in slow start
    42 other TCP timeouts
    3 connections aborted due to timeout
IpExt:
    InBcastPkts: 527777
Note:
Statistics are displayed per protocol. If an application (such as a Web browser) runs slowly or cannot display data such as Web pages, we can use this option to view the statistics. Check the rows carefully, look for the error-related keywords, and use them to determine the problem.
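The check described in this note, scripted as an added example (not part of the original article): it lists every non-zero counter whose description contains an error-related keyword and computes the TCP retransmission rate. The keyword list and the function names are assumptions; the embedded sample is a subset of the netstat -s output above so that the script runs offline.

```shell
#!/bin/sh
# Subset of the `netstat -s` output shown above, embedded as sample input.
sample_stats() {
cat <<'EOF'
Ip:
    530999 total packets received
    0 incoming packets discarded
    1 dropped because of missing route
Tcp:
    8 failed connection attempts
    3 connection resets received
    2617 segments send out
    53 segments retransmited
    0 bad segments received.
Udp:
    0 packet receive errors
EOF
}

# Print "Section: COUNT description" for each non-zero counter whose
# description contains an error-like keyword (keyword list is an assumption).
nonzero_error_counters() {
    awk '
        /^[A-Za-z]+:$/ { section = $1; next }      # "Ip:", "Tcp:", "Udp:", ...
        $1 ~ /^[0-9]+$/ && $1 > 0 &&
        /fail|error|bad|discard|drop|reset|retransmi|timeout|abort|invalid/ {
            desc = $0
            sub(/^[ \t]*[0-9]+[ \t]+/, "", desc)   # strip the leading counter
            sub(/\.$/, "", desc)                   # strip a trailing period
            print section, $1, desc
        }'
}

# TCP retransmission rate in percent (two decimals), or "n/a" if nothing was sent.
# The patterns accept both spellings: "send out"/"sent out", "retransmited"/"retransmitted".
tcp_retrans_pct() {
    awk '
        /segments sen[dt] out/   { sent = $1 }
        /segments retransmit*ed/ { re = $1 }
        END { if (sent > 0) printf "%.2f\n", 100 * re / sent; else print "n/a" }'
}

# On a live host, replace sample_stats with: netstat -s
sample_stats | nonzero_error_counters
sample_stats | tcp_retrans_pct
```

Because the counters are cumulative since boot, compare two runs taken some time apart to see whether the error counts are still growing.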
Instance 8: displays the listening sockets
Command:
netstat -l
Output:
[root@localhost ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 localhost:smux              *:*                         LISTEN
tcp        0      0 *:svn                       *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
udp        0      0 localhost:syslog            *:*
udp        0      0 *:snmp                      *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     708833 /tmp/ssh-yKnDB15725/agent.15725
unix  2      [ ACC ]     STREAM     LISTENING     7296   /var/run/audispd_events
[root@localhost ~]#
Note:
Instance 9: displays all established valid connections
Command:
netstat -n
Output:
[root@localhost ~]# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0    268 192.168.120.204:22          10.2.0.68:62420             ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    1491   @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    7337   /dev/log
unix  2      [ ]         DGRAM                    708823
unix  2      [ ]         DGRAM                    7539
unix  3      [ ]         STREAM     CONNECTED     7287
unix  3      [ ]         STREAM     CONNECTED     7286
[root@localhost ~]#
Note:
Instance 10: displays Ethernet statistics
Command:
netstat -e
Output:
[root@localhost ~]# netstat -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode
tcp        0    248 192.168.120.204:ssh         10.2.0.68:62420             ESTABLISHED root       708795
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    1491   @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    7337   /dev/log
unix  2      [ ]         DGRAM                    708823
unix  2      [ ]         DGRAM                    7539
unix  3      [ ]         STREAM     CONNECTED     7287
unix  3      [ ]         STREAM     CONNECTED     7286
[root@localhost ~]#
Note:
Displays Ethernet statistics. The items listed include the total number of bytes, the number of errors, the number of delimiters, the number of datagrams, and the number of broadcasts. These statistics cover both sent and received data packets. This option can be used to collect some basic network traffic figures.
Instance 11: displays information about the route table.
Command:
netstat -r
Output:
[root@localhost ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.120.0   *               255.255.255.0   U         0 0          0 eth0
192.168.0.0     192.168.120.1   255.255.0.0     UG        0 0          0 eth0
10.0.0.0        192.168.120.1   255.0.0.0       UG        0 0          0 eth0
default         192.168.120.240 0.0.0.0         UG        0 0          0 eth0
[root@localhost ~]#
Note:
Instance 12: list all tcp ports
Command:
netstat -at
Output:
[root@localhost ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 localhost:smux              *:*                         LISTEN
tcp        0      0 *:svn                       *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0    284 192.168.120.204:ssh         10.2.0.68:62420             ESTABLISHED
[root@localhost ~]#
Note:
Instance 13: count the number of network connections on the machine
Command:
netstat -a | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
Output:
[root@localhost ~]# netstat -a | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
ESTABLISHED 1
LISTEN 3
[root@localhost ~]#
Note:
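An added example (not part of the original article) that builds on the per-state count above and on the status descriptions earlier: it counts TCP sockets per state, raises an alert when SYN_RECV, SYN_SENT or LAST_ACK exceed a limit, and lists which remote addresses hold the half-open connections. netstat prints the states with underscores (SYN_RECV, LAST_ACK); the thresholds, function names and sample lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output (documentation addresses, not from the page).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.9:40114      SYN_RECV
tcp        0    268 192.0.2.10:22           203.0.113.5:62420       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.6:51000       TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Count TCP sockets per state; prints "STATE COUNT", highest count first.
tcp_state_counts() {
    awk '/^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' |
        sort -k2,2nr -k1,1
}

# Print "ALERT STATE COUNT" for each watched state above its limit.
# $1, $2, $3 = limits for SYN_RECV, SYN_SENT, LAST_ACK (assumed thresholds).
tcp_state_alerts() {
    awk -v a="$1" -v b="$2" -v c="$3" '
        /^tcp/ { n[$6]++ }
        END {
            limit["SYN_RECV"] = a; limit["SYN_SENT"] = b; limit["LAST_ACK"] = c
            for (s in limit) if (n[s] + 0 > limit[s] + 0) print "ALERT", s, n[s]
        }' | sort
}

# Remote addresses holding half-open (SYN_RECV) connections, as "COUNT ADDRESS".
syn_recv_sources() {
    awk '/^tcp/ && $6 == "SYN_RECV" { a = $5; sub(/:[^:]*$/, "", a); n[a]++ }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# On a live host, replace sample_netstat with: netstat -nat
sample_netstat | tcp_state_counts
sample_netstat | tcp_state_alerts 2 50 50
sample_netstat | syn_recv_sources
```

The example reads the state from column 6 rather than the last field, so the count stays correct when -p or -e append extra columns.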
Instance 14: extract all the states, then use uniq -c to count them and sort
Command:
netstat -nat | awk '{print $6}' | sort | uniq -c
Output: