Linux netstat commands

Source: Internet
Author: User

Netstat is a common command in Linux system administration, especially when troubleshooting network-related issues. I have mostly used only a few of the common options (a, n, p, t, u), and the other options are less familiar to me; as for the connection state information that netstat displays, my understanding was not thorough enough either. Today we take the time to deepen that understanding by working through the man page.

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

SYNOPSIS (Summary)
netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [delay]
netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--interfaces|-I|-i} [iface] [--all|-a] [--extend|-e] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] [delay]
netstat {--version|-V}
netstat {--help|-h}
address_family_options:
[--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] [--unix|-x] [--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]

NOTE
This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.

Note: This program is already old/obsolete (but still very common). Newer systems replace netstat with the ss command, netstat -r with ip route, and netstat -g with ip maddr.

DESCRIPTION (Description)
Netstat prints information about the Linux networking subsystem. The type of information printed is controlled by the first argument, as follows:

Netstat prints information about the Linux network subsystem; the type of information output is controlled by the first parameter, as follows:

(none)
By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed.
(No parameters) By default, netstat displays a list of all open sockets on the system. If you do not specify any address families, the active sockets for all configured address families are displayed.
--route, -r
Display the kernel routing tables.
Show the kernel routing table.
--groups, -g
Display multicast group membership information for IPv4 and IPv6.
Displays multicast group membership information for IPv4 and IPv6.
--interfaces=iface, -I=iface, -i
Display a table of all network interfaces, or the specified iface.
Displays the information table for all network interfaces, or for the specified interface.
--masquerade, -M
Display a list of masqueraded connections.
Show masqueraded connections.
--statistics, -s
Display summary statistics for each protocol.
Displays summary information for each protocol, by protocol type.


OPTIONS (Options)
--verbose, -v
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.
--numeric, -n
Show numerical addresses instead of trying to determine symbolic host, port or user names.
--numeric-hosts
Shows numerical host addresses but does not affect the resolution of port or user names.
--numeric-ports
Shows numerical port numbers but does not affect the resolution of host or user names.
--numeric-users
Shows numerical user IDs but does not affect the resolution of host or port names.
--protocol=family, -A (protocol family type)
Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (',') separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options.
The address family inet includes raw, udp and tcp protocol sockets.

-c, --continuous
This will cause netstat to print the selected information every second continuously.
-e, --extend
Display additional information. Use this option twice for maximum detail.
Show more information; use -ee to display the most information.
-o, --timers
Include information related to networking timers.
Display information related to network timers.
-p, --program
Show the PID and name of the program to which each socket belongs.
Show the PID and program name that the connection belongs to.
-l, --listening
Show only listening sockets. (These are omitted by default.)
Show only the sockets (ports) that are listening; these are omitted by default.
-a, --all
Show both listening and non-listening (for TCP this means established connections) sockets. With the --interfaces option, show interfaces that are not marked
-F
Print routing information from the FIB. (This is the default.)
-C
Print routing information from the route cache.
-Z, --context
If SELinux is enabled, print the SELinux context.
-T, --notrim
Stop trimming long addresses.
delay
netstat will cycle printing through statistics every delay seconds.


Next comes the main part: an in-depth look at the output of netstat. This is where it actually helps us and gives us hints.

OUTPUT (Output)

Active Internet connections (TCP, UDP, Raw)
Proto
The protocol (tcp, udp, raw) used by the socket.
Recv-Q
The count of bytes not copied by the user program connected to this socket.
The number of bytes not yet copied by the user program connected to this socket.
Send-Q
The count of bytes not acknowledged by the remote host.
The number of bytes not yet acknowledged by the remote host.

As I understand it, the two fields above show the state of the network receive and send queues.

Local Address
Address and port number of the local end of the socket. Unless the --numeric (-n) option is specified, the socket address is resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name.

Foreign Address
Address and port number of the remote end of the socket. Analogous to "Local Address."

State (connection state; 12 states in total. This is the key part, and it needs to be read against each stage of the TCP three-way handshake)
The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:

ESTABLISHED
The socket has an established connection.

Represents an open connection over which both parties can exchange, or have already exchanged, data. Data can be delivered to the user.

SYN_SENT
The socket is actively attempting to establish a connection.

The client application calls connect to perform an active open. The client TCP sends a SYN to request a connection, and the state is then set to SYN_SENT. Having sent a connection request, it waits for a matching connection request.

SYN_RECV
A connection request has been received from the network.

The server acknowledges the client's SYN with an ACK and sends its own SYN to the client. The state is then set to SYN_RECV. Having received and sent a connection request, it waits for confirmation of the connection request.

FIN_WAIT1
The socket is closed, and the connection is shutting down.

The application on the active-close side calls close, and its TCP sends a FIN to actively close the connection and then enters the FIN_WAIT1 state. It waits for a connection termination request from the remote TCP, or for acknowledgement of the termination request it sent earlier.

FIN_WAIT2
Connection is closed, and the socket is waiting for a shutdown from the remote end.

After the active-close side receives the ACK, it enters FIN_WAIT2. It waits for a connection termination request from the remote TCP.

TIME_WAIT
The socket is waiting after close to handle packets still in the network.
After the active-close side receives the FIN, its TCP sends an ACK packet and enters the TIME_WAIT state. It waits long enough to ensure that the remote TCP has received the acknowledgement of its connection termination request.

CLOSED
The socket is not being used.
After receiving the ACK packet, the passive-close side enters the CLOSED state. The connection has ended; there is no connection state.

CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.
After the TCP on the passive-close side receives the FIN, it sends an ACK in response (the received FIN is also passed to the upper-level application as an end-of-file) and enters CLOSE_WAIT. It waits for a connection termination request from the local user.

LAST_ACK
The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
Some time after the passive close, the application that received the end-of-file calls close to close the connection. This causes its TCP to send a FIN as well and wait for the other side's ACK; it then enters LAST_ACK. It waits for acknowledgement of the connection termination request sent to the remote TCP.

LISTEN
The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.
First, the server needs to open a socket for listening; its state is LISTEN. It listens for connection requests from remote TCP ports.

CLOSING
Both sockets are shut down but we still don't have all our data sent.
The sockets on both hosts are closed, but not all data has been sent yet.

UNKNOWN
The state of the socket is unknown.
User
The username or the user ID (UID) of the owner of the socket.
The user name or UID of the user that the socket belongs to.

PID/Program name
Slash-separated pair of the process ID (PID) and process name of the process that owns the socket. --program causes this column to be included. You will also need superuser privileges to see this information on sockets you don't own. This identification information is not yet available for IPX sockets.
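
An added example (not from the original article): a small shell and awk summary of netstat -tan output that counts TCP sockets per State and lists those with a non-zero Recv-Q or Send-Q, the fields explained above. The function names and the sample output, which uses documentation addresses, are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise `netstat -tan` output by the State column and
# list sockets that have bytes sitting in Recv-Q or Send-Q.

# Constructed sample output (documentation addresses, not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.6:40113       SYN_RECV
tcp      129      0 192.0.2.10:8080         198.51.100.9:39020      CLOSE_WAIT
tcp        0   4312 192.0.2.10:443          198.51.100.8:55002      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.8:55001      TIME_WAIT
EOF
}

# Count TCP sockets per state (column 6), highest count first.
count_states() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

# Sockets with queued bytes. Recv-Q (col 2): the local program has not read
# the data yet. Send-Q (col 3): the remote host has not acknowledged it yet.
# LISTEN rows are skipped: their queue columns report backlog figures instead.
queued_sockets() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" && ($2 > 0 || $3 > 0) {
        print $6, $4, "recvq=" $2, "sendq=" $3 }'
}

# Number of sockets in one given state, e.g. `state_count SYN_RECV`.
state_count() {
    awk -v want="$1" '$1 ~ /^tcp/ && $6 == want { c++ } END { print c + 0 }'
}

sample_netstat | count_states
sample_netstat | queued_sockets
# On a live host, feed real output instead: netstat -tan | count_states
```

A SYN_RECV or CLOSE_WAIT count that keeps growing between runs is worth investigating: the first means handshakes are not completing, the second that a local program is not closing sockets the remote end has already shut down.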


The above covers the basic usage of netstat and how to interpret its output. Practice with it day to day to really understand what the output means and to apply it. Shared with you!

