Linux netstat details

Netstat

The netstat command is a very useful tool for monitoring TCP/IP networks. It displays the route table, the actual network connection, and the status information of each network interface device, after netstat is executed on my computer, the output result is:

Active Internet connections (W/O servers)
PROTO Recv-Q send-Q local address foreign address State
TCP 0 2 210.34.6.89: Telnet 210.34.6.96: 2873 established
TCP 296 0 210.34.6.89: 1165 210.34.6.84: NetBIOS-SSN
Established
TCP 0 0 localhost. localdom: 9001 localhost. Local DOM: 1162
Established
TCP 0 0 localhost. localdom: 1162 localhost. Local DOM: 9001
Established
TCP 0 80 210.34.6.89: 1161 210.34.6.10: NetBIOS-SSN close

Active Unix domain sockets (W/O servers)
PROTO refcnt flags type state I-Node path
UNIX 1 [] stream connected 16178 @ 000000dd
UNIX 1 [] stream connected 16176 @ 000000dc
For Unix 9 [] dgram 5292/dev/log
UNIX 1 [] stream connected 16182 @ 000000df

The output result of netstat can be divided into two parts: active Internet
Connections is called an active TCP connection, and the other is an active Unix domain.
Sockets is called the source Unix domain interface. In the above output results, the first part has five output results, showing the active TCP connection, and the second part shows the connection of the UNIX domain interface. PROTO displays the protocol used for the connection; refcnt indicates the process number connected to the current interface; types indicates the type of the interface set; State indicates the current status of the interface set; path indicates the path name used by other processes connected to the set interface.

In fact, netstat is a summary of several tools.

◆ Display route table
When calling n e t s t a t along with the-r tag, the kernel route table is displayed, just as we use R o u t
E command is the same. The output is as follows:

[Root @ machine1/] $ netstat-NR
Kernel IP routing table
Destination gateway genmask flags MSS window irtt iface
210.34.6.0 0.0.0.0 255.255.255.128 u 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 u 0 0 0 eth1
127.0.0.0 0.0.0.0 255.0.0.0 u 0 0 0 Lo
0.0.0.0 210.34.6.2 0.0.0.0 ug 0 0 0 eth0

-N
The option allows netstat to output IP addresses in four periods, instead of symbolic host names and network names. This is especially useful if you want to avoid finding addresses through the network (such as avoiding DNS or NIS servers.

In the netstat output result, the second column displays the gateway specified by the route entry. If no gateway is used, an asterisk (*) or 0.0.0.0 is displayed. The third column displays the overview of the route, in
When the P address is used to find the most appropriate route, the kernel will view all entries in the route table.
The P address and genmask are calculated by bit "and". The fourth column shows different tags, which are described as follows:

■ G routing will adopt a gateway.
■ The interface U is going to use is in the "active" status.
■ H through this route, only one host can be reached.
■ D if the route table entry is generated by an ICMP redirection message, this flag is set.
■ M this flag is set if the route table entry has been modified by the ICMP redirection message.

Iface in the netstat output result shows the physical network adapter used for the connection. For example, eth0 indicates the first and eth1 indicates the second.

◆ Display interface features

When called along with the-I tag,
Netstat displays the current configuration features of the network interface. In addition, if the-A option is also included in the call, it will also output all the interfaces in the kernel, not just the interfaces currently configured. The output result of netstat-I is as follows:

[Root @ machine1/] $ netstat-I
Kernel interface table
Iface MTU met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP
Flg
Eth0 1500 0 787165 0 0 1 51655 0 0 0 bru
Eth1 1500 0 520811 0 0 0 1986 0 0 0 bru
Lo 3924 0 1943 0 0 43 0 0 LRU

The MTU and met fields indicate the MTU and Measure Value of the interface. The RX and TX columns indicate the number of packets that have been sent and received accurately (RX-OK/TX
-OK), how many errors are generated (
RX-ERR/TX-ERR), dropped packets (RX-DRP/TX-DRP), lost due to the error of how many packets (RX-OVR/TX-OVR ); the last column shows the tags set for this interface. When using ifconfig to display interface configuration, these tags all use one letter. They are described as follows:

■ B has set a broadcast address.
■ L this interface is a return device.
■ M receives all data packets (in chaotic mode ).
■ N to avoid tracking.
■ O disables a R p on this interface.
■ P this is a point-to-point link.
■ The R interface is running.
■ The U Interface is in the active state.

◆ Display Link
Netstat supports the set of options used to display active or passive sockets. Options-T,-u,-W, and-
X indicates TCP, UDP, raw, and UNIX socket connections. If you provide another-
The a tag also displays the socket waiting for connection (that is, in listening mode. In this way, you can obtain a server list. All servers currently running in the system will be included.

When netstat-Ta is called, the output result is as follows:

[Root @ machine1/] $ netstat-Ta
Active Internet connections (servers and established)
PROTO Recv-Q send-Q local address foreign address State
TCP 0 2 210.34.6.89: Telnet 210.34.6.96: 2873 established
TCP 0 0 210.34.6.89: 1165 210.34.6.84: NetBIOS-SSN established
TCP 0 0 localhost. localdom: 9001 localhost. Local DOM: 1162
Established
TCP 0 0 localhost. localdom: 1162 localhost. Local DOM: 9001
Established
TCP 0 0 *: 9001 *: * listen
TCP 0 0 *: 6000 *: * listen
TCP 0 0 *: SOCKS *: * listen
TCP 0 80 210.34.6.89: 1161 210.34.6.10: NetBIOS-SSN
Close

The above output indicates that some servers are waiting for access connection. Exploitation-
If option A is selected, netstat displays all sockets. You can determine whether a connection is an outbound connection based on the port number. For the caller host, the listed port number should always be an integer, and for the well-known Service (
Known
For the caller who is using the port, netstat uses the symbolic service name from the/etc/services file.

Address: http://www.linuxeden.com/doc/20417.html