Linux netstat command detailed resolution _linux

Brief introduction
The Netstat command is used to display various network-related information, such as network connections, routing tables, Interface states (Interface Statistics), masquerade connections, multicast members (multicast memberships), and so on.

Output information meaning
After the Netstat is executed, its output is

Copy Code code as follows:

Active Internet connections (w/o servers)
Proto recv-q send-q Local address Foreign
TCP 0 2 210.34.6.89:telnet 210.34.6.96:2873 established
TCP 296 0 210.34.6.89:1165 210.34.6.84:NETBIOS-SSN established
TCP 0 0 localhost.localdom:9001 localhost.localdom:1162 established
TCP 0 0 localhost.localdom:1162 localhost.localdom:9001 established
TCP 0-210.34.6.89:1161 210.34.6.10:NETBIOS-SSN Close

Active UNIX domain sockets (w/o servers)
Proto refcnt Flags Type State I-node Path
UNIX 1 [] STREAM CONNECTED 16178 @000000dd
UNIX 1 [] STREAM CONNECTED 16176 @000000dc
UNIX 9 [] Dgram 5292/dev/log
UNIX 1 [] STREAM CONNECTED 16182 @000000df

As a whole, the output of Netstat can be divided into two parts:

One is the active Internet connections, known as the active TCP connection, where "recv-q" and "Send-q" refer to%0a receive queues and send queues. These numbers should generally be 0. If not, it means that the package is piling up in the queue. This situation can only be seen in very few situations.

The other is active UNIX domain sockets, known as the active UNIX domains socket (like a network socket, but only for native communication, which can improve performance by a factor).
Proto displays the protocol used by the connection, refcnt represents the process number that is attached to this set of interfaces, types displays the type of the socket interface, state displays the current status of the socket interface, and path represents the pathname used by other processes connected to the socket interface.

Common parameters
-A (all) shows all options, default does not show listen related
-T (TCP) displays only TCP-related options
-U (UDP) only displays UDP-related options
-N denies displaying aliases, and can display all numbers converted to numbers.
-l list only service status with Listen (listening)

-P Displays the name of the program that establishes the associated link
-R Displays routing information, routing table
-e display extended information, such as UID, etc.
-S statistics according to each protocol
-C executes the netstat command at every other fixed time.

Hint: The status of listen and listening can only be seen with-a or-l

Practical Command Instances

1. List all ports (both listening and not listening)
List all ports netstat-a

Copy Code code as follows:

# Netstat-a | More
Active Internet connections (servers and established)
Proto recv-q send-q Local address Foreign
TCP 0 0 localhost:30037 *:* LISTEN
UDP 0 0 *:bootpc *:*

Active UNIX domain sockets (servers and established)
Proto refcnt Flags Type State I-node Path
UNIX 2 [ACC] STREAM listening 6135/tmp/. X11-unix/x0
UNIX 2 [ACC] STREAM listening 5140/var/run/acpid.socket

List all TCP ports Netstat-at

Copy Code code as follows:

# Netstat-at
Active Internet connections (servers and established)
Proto recv-q send-q Local address Foreign
TCP 0 0 localhost:30037 *:* LISTEN
TCP 0 0 Localhost:ipp *:* LISTEN
TCP 0 0 *:smtp *:* LISTEN
TCP6 0 0 Localhost:ipp [::]:* LISTEN

List all UDP ports Netstat-au

Copy Code code as follows:

# Netstat-au
Active Internet connections (servers and established)
Proto recv-q send-q Local address Foreign
UDP 0 0 *:bootpc *:*
UDP 0 0 *:49119 *:*
UDP 0 0 *:mdns *:*

2. List all Sockets in the listening state
Show only listening ports netstat-l

Copy Code code as follows:

# netstat-l
Active Internet connections (only servers)
Proto recv-q send-q Local address Foreign
TCP 0 0 Localhost:ipp *:* LISTEN
TCP6 0 0 Localhost:ipp [::]:* LISTEN
UDP 0 0 *:49119 *:*

Lists all listening TCP ports only NETSTAT-LT

Copy Code code as follows:

# NETSTAT-LT
Active Internet connections (only servers)
Proto recv-q send-q Local address Foreign
TCP 0 0 localhost:30037 *:* LISTEN
TCP 0 0 *:smtp *:* LISTEN
TCP6 0 0 Localhost:ipp [::]:* LISTEN

Lists all listening UDP ports only Netstat-lu

Copy Code code as follows:

# Netstat-lu
Active Internet connections (only servers)
Proto recv-q send-q Local address Foreign
UDP 0 0 *:49119 *:*
UDP 0 0 *:mdns *:*

List only all listening UNIX ports NETSTAT-LX

Copy Code code as follows:

# NETSTAT-LX
Active UNIX domain sockets (only servers)
Proto refcnt Flags Type State I-node Path
UNIX 2 [ACC] STREAM listening 6294 Private/maildrop
UNIX 2 [ACC] STREAM listening 6203 public/cleanup
UNIX 2 [ACC] STREAM listening 6302 Private/ifmail
UNIX 2 [ACC] STREAM listening 6306 PRIVATE/BSMTP

3. Display statistical information for each protocol
Show statistics for all ports netstat-s

Copy Code code as follows:

# netstat-s
Ip:
Total Packets Received
With invalid addresses
Forwarded
Incoming packets Discarded
Incoming packets Delivered
Requests sent out
Icmp:
ICMP Messages Received
Input ICMP message failed.
Tcp:
Active connections Openings
Failed connection Attempts
Connection resets received
Udp:
Packets Received
Packets to unknown Port received.
.....

Displays statistics for TCP or UDP ports netstat-st or-SU

Copy Code code as follows:

# netstat-st
# NETSTAT-SU

4. Display PID and process name in netstat output netstat-p
Netstat-p can be used with other switches, you can add "Pid/process name" to the netstat output, so debugging can easily find a specific port to run the program.

Copy Code code as follows:

# netstat-pt
Active Internet connections (w/o servers)
Proto recv-q Send-q Local address Foreign address State Pid/program Name
TCP 1 0 ramesh-laptop.loc:47212 192.168.185.75:www close_wait 2109/firefox
TCP 0 0 ramesh-laptop.loc:52750 Lax:www established 2109/firefox

5. Do not display host, port and username in netstat output (host, port or user)
When you don't want to have the host, port and username displayed, use Netstat-n. Numbers will be used instead of those names.

The output can also be accelerated because there is no comparison query.

Copy Code code as follows:

# Netstat-an

If you just don't want one of these three names to be displayed, use the following command

Copy Code code as follows:

# netsat-a--numeric-ports
# netsat-a--numeric-hosts
# netsat-a--numeric-users

6. Continuous output netstat information
Netstat will output network information every second.

Copy Code code as follows:

# netstat-c
Active Internet connections (w/o servers)
Proto recv-q send-q Local address Foreign
TCP 0 0 ramesh-laptop.loc:36130 101-101-181-225.ama:www established
TCP 1 1 ramesh-laptop.loc:52564 101.11.169.230:www CLOSING
TCP 0 0 ramesh-laptop.loc:43758 Server-101-101-43-2:www established
TCP 1 1 ramesh-laptop.loc:42367 101.101.34.101:www CLOSING
^c

7. Show the system does not support the address of the family (addresses families)

Copy Code code as follows:

Netstat--verbose

At the end of the output, you will have the following information

Copy Code code as follows:

Netstat:no support for ' AF IPX ' in this system.
Netstat:no support for ' AF AX25 ' in this system.
Netstat:no support for ' AF X25 ' in this system.
Netstat:no support for ' AF Netrom ' in this system.

8. Display Core Routing information netstat-r

Copy Code code as follows:

# Netstat-r
Kernel IP Routing Table
Destination Gateway genmask Flags MSS Window Irtt iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
link-local * 255.255.0.0 U 0 0 0 eth2
Default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2

Note: Use Netstat-rn to display the number format without querying the host name.

9. Find the port where the program is running
Not all processes can be found, no permissions will be displayed, and all information is viewed using root permissions.

Copy Code code as follows:

# Netstat-ap | grep ssh
TCP 1 0 dev-db:ssh 101.174.100.22:39213 close_wait-
TCP 1 0 dev-db:ssh 101.174.100.22:57643 close_wait-

Locate the process running on the specified port

Copy Code code as follows:

# Netstat-an | grep ': 80 '

10. Display Network Interface list

Copy Code code as follows:

# netstat-i
Kernel Interface Table
Iface MTU Met rx-ok rx-err rx-drp rx-ovr tx-ok tx-err tx-drp TX-OVR FLG
Eth0 1500 0 0 0 0 0 0 0 0 0 BMU
Eth2 1500 0 26196 0 0 0 26883 6 0 0 Bmru
Lo 16436 0 4 0 0 0 4 0 0 0 LRU

Display details, such as Ifconfig using Netstat-ie:

Copy Code code as follows:

# Netstat-ie
Kernel Interface Table
Eth0 Link encap:ethernet hwaddr 00:10:40:11:11:11
Up broadcast multicast mtu:1500 metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0  (0.0 B) TX bytes:0 (0.0 B)
memory:f6ae0000-f6b00000

IP and TCP analysis
View the IP addresses that have the most connections to a service port

Copy Code code as follows:

wss8848@ubuntu:~$ Netstat-nat | grep "192.168.1.15:22" |awk ' {print $} ' |awk-f: ' {print $} ' |sort|uniq-c|sort-nr|head-20
221.136.168.36
154.74.45.242
78.173.31.236
62.183.207.98
192.168.1.14
182.48.111.215
124.193.219.34
119.145.41.2
114.255.41.30
75.102.11.99

TCP Various status lists

Copy Code code as follows:

wss8848@ubuntu:~$ netstat-nat |awk ' {print $} '
Established)
Foreign
LISTEN
Time_wait
Established
Time_wait
Syn_sent

First take the state all out, and then use UNIQ-C statistics, and then sorted.

Copy Code code as follows:

wss8848@ubuntu:~$ netstat-nat |awk ' {print $} ' |sort|uniq-c
Established
Fin_wait1
Foreign
Last_ack
LISTEN
Syn_sent
Time_wait
Established)

The final order is as follows:

Copy Code code as follows:

Netstat-nat |awk ' {print $} ' |sort|uniq-c|sort-rn

Analysis Access.log access to the first 10-bit IP address

Copy Code code as follows:

awk ' {print $} ' Access.log |sort|uniq-c|sort-nr|head-10