Linux netstat command detailed

Source: Internet
Author: User

Linux netstat Command Explanation

1. Brief introduction

The netstat command displays various network-related information, such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Meaning of the output

Running netstat produces output like the following:

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 2 210.34.6.89:telnet 210.34.6.96:2873 ESTABLISHED

tcp 296 0 210.34.6.89:1165 210.34.6.84:netbios-ssn ESTABLISHED

tcp 0 0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED

tcp 0 0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED

tcp 0 210.34.6.89:1161 210.34.6.10:netbios-ssn CLOSE

Active UNIX domain sockets (w/o servers)

Proto RefCnt Flags Type State I-Node Path

unix 1 [ ] STREAM CONNECTED 16178 @000000dd

unix 1 [ ] STREAM CONNECTED 16176 @000000dc

unix 9 [ ] DGRAM 5292 /dev/log

unix 1 [ ] STREAM CONNECTED 16182 @000000df

The netstat output can be divided into two parts:

1) Active Internet connections, that is, the active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These values should normally be 0; if they are not, packets are accumulating in the queue. This is seen only in very few cases.

2) Active UNIX domain sockets (used like network sockets, but only for communication on the local machine, where performance can be doubled).

Proto shows the protocol used by the connection, RefCnt is the number of processes connected to the socket, Type shows the socket type, State shows the current state of the socket, and Path is the path name used by other processes connected to the socket.

2. Common parameters

-a (all) shows all sockets; sockets in the LISTEN state are not shown by default

-t (tcp) shows only TCP-related sockets

-u (udp) shows only UDP-related sockets

-n does not resolve names; everything that can be shown as a number is shown as a number

-l lists only sockets in the LISTEN (listening) state

-p shows the name of the program that owns each connection

-r shows routing information (the routing table)

-e shows extended information, such as the UID

-s shows statistics for each protocol

-c runs netstat repeatedly at a fixed interval

Hint: the LISTEN and LISTENING states are shown only with -a or -l

3. Practical command examples

3.1 List all ports (both listening and non-listening)

3.1.1 List all ports: netstat -a

# netstat -a | more

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 localhost:30037 *:* LISTEN

udp 0 0 *:bootpc *:*

Active UNIX domain sockets (servers and established)

Proto RefCnt Flags Type State I-Node Path

unix 2 [ ACC ] STREAM LISTENING 6135 /tmp/.X11-unix/X0

unix 2 [ ACC ] STREAM LISTENING 5140 /var/run/acpid.socket

3.1.2 List all TCP ports: netstat -at

# netstat -at

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 localhost:30037 *:* LISTEN

tcp 0 0 localhost:ipp *:* LISTEN

tcp 0 0 *:smtp *:* LISTEN

tcp6 0 0 localhost:ipp [::]:* LISTEN

3.1.3 List all UDP ports: netstat -au

# netstat -au

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address Foreign Address State

udp 0 0 *:bootpc *:*

udp 0 0 *:49119 *:*

udp 0 0 *:mdns *:*

3.2 List all sockets in the listening state

3.2.1 Show only listening ports: netstat -l

# netstat -l

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 localhost:ipp *:* LISTEN

tcp6 0 0 localhost:ipp [::]:* LISTEN

udp 0 0 *:49119 *:*

3.2.2 List only listening TCP ports: netstat -lt

# netstat -lt

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 localhost:30037 *:* LISTEN

tcp 0 0 *:smtp *:* LISTEN

tcp6 0 0 localhost:ipp [::]:* LISTEN

3.2.3 List only listening UDP ports: netstat -lu

# netstat -lu

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

udp 0 0 *:49119 *:*

udp 0 0 *:mdns *:*

3.2.4 List only listening UNIX ports: netstat -lx

# netstat -lx

Active UNIX domain sockets (only servers)

Proto RefCnt Flags Type State I-Node Path

unix 2 [ ACC ] STREAM LISTENING 6294 private/maildrop

unix 2 [ ACC ] STREAM LISTENING 6203 public/cleanup

unix 2 [ ACC ] STREAM LISTENING 6302 private/ifmail

unix 2 [ ACC ] STREAM LISTENING 6306 private/bsmt

3.3 Display statistics for each protocol

3.3.1 Show statistics for all ports: netstat -s

# netstat -s

Ip:

11150 total packets received

1 with invalid addresses

0 forwarded

0 incoming packets discarded

11149 incoming packets delivered

11635 requests sent out

Icmp:

0 ICMP messages received

0 input ICMP message failed.

Tcp:

582 active connections openings

2 failed connection attempts

connection resets received

Udp:

1183 packets received

4 packets to unknown port received.

.....

3.3.2 Show statistics for TCP or UDP ports: netstat -st or -su

# netstat -st

# netstat -su

3.4 Show PID and process name in netstat output: netstat -p

netstat -p can be combined with other switches. It adds a "PID/Program name" column to the netstat output, which makes it easy when debugging to find the program running on a specific port.

# netstat -pt

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 1 0 ramesh-laptop.loc:47212 192.168.185.75:www CLOSE_WAIT 2109/firefox

tcp 0 0 ramesh-laptop.loc:52750 Lax:www ESTABLISHED 2109/firefox

3.5 Do not show host, port and user names in netstat output

When you do not want host, port and user names to be displayed, use netstat -n. Numbers are shown instead of those names.

This also speeds up the output, because no name lookups are performed.

# netstat -an

If you want only one of these three kinds of name not to be displayed, use one of the following commands:

# netstat -a --numeric-ports

# netstat -a --numeric-hosts

# netstat -a --numeric-users

3.6 Print netstat information continuously

netstat -c prints network information every second.

# netstat -c

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address Foreign Address State

tcp 0 0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED

tcp 1 1 ramesh-laptop.loc:52564 101.11.169.230:www CLOSING

tcp 0 0 ramesh-laptop.loc:43758 Server-101-101-43-2:www ESTABLISHED

tcp 1 1 ramesh-laptop.loc:42367 101.101.34.101:www CLOSING

^C

3.7 Show address families not supported by the system

# netstat --verbose

The end of the output contains the following information:

netstat: no support for `AF IPX' on this system.

netstat: no support for `AF AX25' on this system.

netstat: no support for `AF X25' on this system.

netstat: no support for `AF NETROM' on this system.

3.8 Show kernel routing information: netstat -r

# netstat -r

Kernel IP routing table

Destination Gateway Genmask Flags MSS Window irtt Iface

192.168.1.0 * 255.255.255.0 U 0 0 0 eth2

link-local * 255.255.0.0 U 0 0 0 eth2

default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2

Note: use netstat -rn to show addresses in numeric form without resolving host names.

3.9 Find out which port a program is running on

Not every process can be identified: processes you have no permission to inspect are not displayed. Run the command as root to see all the information.

# netstat -ap | grep ssh

tcp 1 0 dev-db:ssh 101.174.100.22:39213 CLOSE_WAIT -

tcp 1 0 dev-db:ssh 101.174.100.22:57643 CLOSE_WAIT -

Find the process running on a specified port:

# netstat -anp | grep ':80'
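An added example (not part of the original article) that combines -t, -l, -n and -p from the sections above into a listener audit: it reports whether each listening TCP socket is bound to every interface or only to loopback, and marks owners that netstat prints as "-" because the command was not run as root. The sample output, the function name audit_listeners and the scope labels are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output as seen by a non-root user.
LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      4242/python3
tcp        0      0 127.0.0.1:30037         0.0.0.0:*               LISTEN      4310/node
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -'

# Print "scope port owner" for every listening TCP socket read from stdin.
#   scope: exposed (wildcard bind), local (loopback) or iface (one address)
#   owner: program name, or "unknown" when netstat shows "-" (no permission)
audit_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)   # drop the port at the last colon
            sub(/^.*:/, "", port)      # keep only the port
            if (addr == "0.0.0.0" || addr == "::")      scope = "exposed"
            else if (addr ~ /^127\./ || addr == "::1")  scope = "local"
            else                                        scope = "iface"
            owner = $7
            if (owner == "-" || owner == "") owner = "unknown"
            else sub(/^[0-9]+\//, "", owner)
            print scope, port, owner
        }' | sort -k1,1 -k2,2n
}

# On a live host: netstat -tlnp | audit_listeners
printf '%s\n' "$LISTENERS" | audit_listeners
```

Rows reported as "exposed ... unknown" are the ones to re-check as root, since the socket is reachable from the network but its owner is hidden.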

3.10 Show the list of network interfaces

# netstat -i

Kernel Interface table

Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg

eth0 0 0 0 0 0 0 0 0 0 BMU

eth2 0 26196 0 0 0 26883 6 0 0 BMRU

lo 16436 0 4 0 0 0 4 0 0 0 LRU

Use netstat -ie to show details like those printed by ifconfig:

# netstat -ie

Kernel Interface table

eth0 Link encap:Ethernet HWaddr 00:10:40:11:11:11

UP BROADCAST MULTICAST MTU:1500 Metric:1

RX packets:0 errors:0 dropped:0 overruns:0 frame:0

TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

collisions:0 txqueuelen:1000

RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Memory:f6ae0000-f6b00000

3.11 IP and TCP analysis

3.11.1 View the IP addresses that connect to a service port

$ netstat -nat | grep "192.168.1.15:22" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20

18 221.136.168.36

3 154.74.45.242

2 78.173.31.236

2 62.183.207.98

2 192.168.1.14

2 182.48.111.215

2 124.193.219.34

2 119.145.41.2

2 114.255.41.30

1 75.102.11.99

3.11.2 List of TCP states

$ netstat -nat | awk '{print $6}'

established)

Foreign

LISTEN

TIME_WAIT

ESTABLISHED

TIME_WAIT

SYN_SENT

First extract all the states, then count them with uniq -c, and then sort.

$ netstat -nat | awk '{print $6}' | sort | uniq -c

143 ESTABLISHED

1 FIN_WAIT1

1 Foreign

1 LAST_ACK

Approx. LISTEN

6 SYN_SENT

113 TIME_WAIT

1 established)
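The two pipelines from 3.11.1 and 3.11.2 as one script, added here as an example and not part of the original article. It matches on the Proto column so the header lines no longer produce the stray "Foreign" and "established)" rows, and it strips the port at the last colon so IPv6 peers are not cut short by awk -F:. The sample netstat output, the function names and the threshold of 3 connections are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output (documentation address ranges).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.15:22         203.0.113.7:40112       ESTABLISHED
tcp        0      0 192.168.1.15:22         203.0.113.7:40113       ESTABLISHED
tcp        0      0 192.168.1.15:22         203.0.113.7:40114       TIME_WAIT
tcp        0      0 192.168.1.15:22         198.51.100.9:51000      ESTABLISHED
tcp        0      1 192.168.1.15:51234      192.0.2.80:443          SYN_SENT
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::15:22         2001:db8::beef:40200    ESTABLISHED'

# Count sockets per TCP state, highest count first. Only lines whose first
# column starts with "tcp" are counted, which skips both header lines.
tcp_state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

# Count remote peers that hold a connection to local port $1.
peers_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4; sub(/^.*:/, "", lport)     # local port only
            if (lport != port) next
            peer = $5; sub(/:[^:]*$/, "", peer)    # strip the remote port
            n[peer]++
        }
        END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Print the peers that hold at least $2 connections to local port $1.
noisy_peers() {
    peers_on_port "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# On a live host: netstat -nat | noisy_peers 22 3
printf '%s\n' "$SAMPLE" | tcp_state_counts
printf '%s\n' "$SAMPLE" | peers_on_port 22
printf '%s\n' "$SAMPLE" | noisy_peers 22 3
```

A single address holding many connections to the SSH port, as in the 3.11.1 output, is worth comparing against the authentication log before deciding whether to rate-limit or block it.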
