The state of a Linux system can be examined from two main angles: which services the system is running (the ps command), and which connections or services are available (the netstat command). netstat can also display services that ps does not show because they are run from inetd or xinetd, such as Telnet.
1. Function and description
netstat displays information about the various network subsystems in Linux, such as network connections, routing tables, interface status, multicast memberships, and so on.
2. Meaning of the parameters
-a (all) displays all sockets; listening (LISTEN) sockets are not shown by default. (This option displays a list of all valid connection information, including established connections (ESTABLISHED) and sockets that are listening for connection requests (LISTENING).)
-t (tcp) displays only TCP-related entries.
-u (udp) displays only UDP-related entries.
-n does not display aliases; everything that can be shown as a number is shown as a number.
-l lists only services in the LISTEN (listening) state.
-p displays the name of the program that owns each connection.
-r displays routing information, the routing table. (This option can display information about the routing table, similar to what you see when you use the route print command. In addition to showing valid routes, the currently active connections are displayed.)
-e displays extended information, such as the UID. (This option is used to display statistical data about Ethernet. The items it lists include the total number of bytes sent, the number of errors, the number of deletes, the number of datagrams, and the number of broadcasts. These statistics cover both the datagrams sent and the datagrams received. This option can be used to gather some basic network traffic figures.)
-s displays statistics for each protocol separately. (If an application such as a Web browser is running slowly, or cannot display data such as a Web page, this option can be used to look at the statistics. Read the rows closely, find the keywords that indicate errors, and then determine where the problem is.)
-c runs the netstat command repeatedly at a fixed interval.
Hint: The LISTEN and LISTENING states can only be seen with -a or -l.
3. Common examples
3.1 List all ports
netstat -a
[[email protected] jiehun]# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                Foreign Address  State
tcp        0      0 *:sunrpc                     *:*              LISTEN
tcp        0      0 *:webcache                   *:*              LISTEN
tcp        0      0 *:http                       *:*              LISTEN
tcp        0      0 192.168.122.1:domain         *:*              LISTEN
tcp        0      0 localhost.localdomain:d-s-n  *:*              LISTEN
tcp        0      0 *:ssh                        *:*              LISTEN
tcp        0      0 localhost.loc:simplifymedia  *:*              LISTEN
In the above display:
"Proto" is the abbreviation for protocol, which can be TCP or UDP.
"Recv-Q" and "Send-Q" refer to the receive queue and the send queue. These should generally be 0; if they are not, packets are accumulating in the queue. This should only happen for a very short period of time. For example, when you click the Check Mail button in KMail, the following display is normal:
tcp        0    593 192.168.1.5:34321            venus.euao.com:smtp  ESTABLISHED
If the receive queue stays backed up, it is likely that a denial-of-service attack is under way. If the send queue cannot be cleared quickly, it may be because an application cannot deliver what is being sent.
"Local Address" refers to the IP address and port number on this machine.
"Foreign Address" refers to the host name and service at the other end of the connection.
"State" is the current status of the connection.
The three common TCP states are as follows:
a) LISTEN: waiting to receive a connection;
b) ESTABLISHED: a connection in the active state;
c) TIME_WAIT: a newly terminated connection. It lasts only 1-2 minutes, and then it becomes a LISTEN state.
Because UDP is stateless, its State column is always blank.
Continuously capturing the useful information
With the "netstat -a" command, you may see hundreds of rows of results. Everything under "Active UNIX domain sockets" in these results can be ignored, because it is communication between local processes, not network connections. Use the following command to avoid displaying this information:
$ netstat --inet -a
The output of "netstat --inet -a" contains only network connections, including all those in the LISTEN state and the ESTABLISHED state. Note that the Telnet and SMTP services are generally not required for normal users. They should therefore be turned off to improve system security, and the boot files reconfigured so that the services do not start automatically the next time the system boots. To keep watching network information as it changes, use the "-c" parameter of the netstat command and save the results to a file:
$ netstat --inet -a -c > netstat.txt
Then view the netstat.txt file to check for changes in the status of mail services, Web services, and Telnet services.
3.2 List all TCP ports
[[email protected] jiehun]# netstat -at | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                Foreign Address  State
tcp        0      0 *:sunrpc                     *:*              LISTEN
tcp        0      0 *:webcache                   *:*              LISTEN
tcp        0      0 *:http                       *:*              LISTEN
tcp        0      0 192.168.122.1:domain         *:*              LISTEN
tcp        0      0 localhost.localdomain:d-s-n  *:*              LISTEN
tcp        0      0 *:ssh                        *:*              LISTEN
tcp        0      0 localhost.loc:simplifymedia  *:*              LISTEN
3.3 List all UDP ports
netstat -au
[[email protected] jiehun]# netstat -au | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address                Foreign Address  State
udp        0      0 *:ideafarm-panic             *:*
udp        0      0 *:47005                      *:*
udp        0      0 localhost.loca:memcache      *:*
udp        0      0 *:55276                      *:*
udp        0      0 192.168.122.1:domain         *:*
udp        0      0 *:bootps                     *:*
udp        0      0 *:bootpc                     *:*
udp        0      0 *:sunrpc                     *:*
udp        0      0 *:ipp                        *:*
udp        0      0 *:44236                      *:*
udp        0      0 *:722                        *:*
3.4 Display only the ports that are in the listening state: netstat -l
[[email protected] jiehun]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                Foreign Address  State
tcp        0      0 *:sunrpc                     *:*              LISTEN
tcp        0      0 *:webcache                   *:*              LISTEN
tcp        0      0 *:http                       *:*              LISTEN
tcp        0      0 192.168.122.1:domain         *:*              LISTEN
tcp        0      0 localhost.localdomain:d-s-n  *:*              LISTEN
tcp        0      0 *:ssh                        *:*              LISTEN
tcp        0      0 localhost.loc:simplifymedia  *:*              LISTEN
tcp        0      0 localhost.localdomain:ipp    *:*              LISTEN
tcp        0      0 *:44343                      *:*              LISTEN
tcp        0      0 localhost.localdomain:smtp   *:*              LISTEN
3.5 Display only the listening TCP ports: netstat -lt
[[email protected] jiehun]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                Foreign Address  State
tcp        0      0 *:sunrpc                     *:*              LISTEN
tcp        0      0 *:webcache                   *:*              LISTEN
tcp        0      0 *:http                       *:*              LISTEN
tcp        0      0 192.168.122.1:domain         *:*              LISTEN
tcp        0      0 localhost.localdomain:d-s-n  *:*              LISTEN
tcp        0      0 *:ssh                        *:*              LISTEN
tcp        0      0 localhost.loc:simplifymedia  *:*              LISTEN
tcp        0      0 localhost.localdomain:ipp    *:*              LISTEN
tcp        0      0 *:44343                      *:*              LISTEN
tcp        0      0 localhost.localdomain:smtp   *:*              LISTEN
3.6 Display only the listening UDP ports: netstat -lu
[[email protected] jiehun]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address                Foreign Address  State
udp        0      0 *:ideafarm-panic             *:*
udp        0      0 *:47005                      *:*
udp        0      0 *:47551                      *:*
udp        0      0 localhost.loca:memcache      *:*
udp        0      0 *:55276                      *:*
udp        0      0 192.168.122.1:domain         *:*
udp        0      0 *:bootps                     *:*
udp        0      0 *:bootpc                     *:*
udp        0      0 *:sunrpc                     *:*
3.7 List only the listening UNIX ports: netstat -lx
[[email protected] jiehun]# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     21941  /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     34096  /tmp/orbit-haozheng/linc-cd2-0-5b33fa1ecf0c9
unix  2      [ ACC ]     STREAM     LISTENING     22263  @/tmp/gdm-greeter-cblqsyrf
unix  2      [ ACC ]     STREAM     LISTENING     32728  /tmp/.ICE-unix/3103
unix  2      [ ACC ]     STREAM     LISTENING     36866  @/tmp/dbus-acjrblwf
unix  2      [ ACC ]     STREAM     LISTENING     20454  /tmp/mysql.sock
3.8 Show statistics for all ports: netstat -s
[[email protected] jiehun]# netstat -s
Ip:
    1943780 total packets received
    2 forwarded
    0 incoming packets discarded
    1769532 incoming packets delivered
    1121573 requests sent out
    45867 outgoing packets dropped
    dropped because of missing route
Tcp:
    64002 active connections openings
    7632 passive connection openings
    2309 failed connection attempts
    498 connection resets received
    8 connections established
    1018564 segments received
    1022700 segments send out
    16835 segments retransmited
    2 bad segments received.
    552 resets sent
Udp:
    133420 packets received
    7845 packets to unknown port received.
    0 packet receive errors
    74841 packets sent
    0 receive buffer errors
    0 send buffer errors
3.9 Display statistics for TCP (netstat -st) or UDP (netstat -su)
[[email protected] jiehun]# netstat -su
IcmpMsg:
    InType0: 11
    InType3: 13506
    OutType3: 13679
    OutType8: 11
Udp:
    133462 packets received
    7869 packets to unknown port received.
    0 packet receive errors
    74888 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
IpExt:
    InNoRoutes: 991
    InMcastPkts: 24308
    OutMcastPkts: 2353
    InBcastPkts: 630615
    OutBcastPkts: 1546
    InOctets: 755319900
    OutOctets: 296705252
    InMcastOctets: 2908748
    OutMcastOctets: 93173
    InBcastOctets: 99500419
    OutBcastOctets: 299980
3.10 Show PID/program name: netstat -p
netstat -p can be combined with other parameters, for example to display process ID information for TCP connections:
[[email protected] jiehun]# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address       Foreign Address              State        PID/Program name
tcp        0      0 192.168.0.52:44784  123.150.49.20:http           FIN_WAIT2    4207/virtualbox
tcp        0      0 192.168.0.52:46715  ie-in-f125.1e100.net:https   ESTABLISHED  4207/virtualbox
tcp        0      0 192.168.0.52:43415  geotrust-ocsp-mtv.veri:http  FIN_WAIT2    4207/virtualbox
3.11 Do not display host, port, and user names in the netstat output
When you do not want host, port, and user names displayed, use netstat -n. Numbers are used instead of those names, and the output is also faster because no DNS lookups are made. netstat -ntpl displays the listening TCP ports with host, port, and user names replaced by numbers.
[[email protected] jiehun]# netstat -ptnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111       0.0.0.0:*        LISTEN  971/rpcbind
tcp        0      0 0.0.0.0:8080      0.0.0.0:*        LISTEN  1526/nginx: master
tcp        0      0 0.0.0.0:80        0.0.0.0:*        LISTEN  1526/nginx: master
tcp        0      0 192.168.122.1:53  0.0.0.0:*        LISTEN  1248/dnsmasq
tcp        0      0 127.0.0.1:8086    0.0.0.0:*        LISTEN  1553/python
tcp        0      0 0.0.0.0:22        0.0.0.0:*        LISTEN  1163/sshd
tcp        0      0 127.0.0.1:8087    0.0.0.0:*        LISTEN  1553/python
tcp        0      0 127.0.0.1:631     0.0.0.0:*        LISTEN  1140/cupsd
tcp        0      0 0.0.0.0:44343     0.0.0.0:*        LISTEN  1151/rpc.statd
tcp        0      0 127.0.0.1:25      0.0.0.0:*        LISTEN  18573/sendmail: acc
tcp        0      0 127.0.0.1:3002    0.0.0.0:*        LISTEN  1004/ruby
tcp        0      0 0.0.0.0:8000      0.0.0.0:*        LISTEN  1526/nginx: master
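The numeric listener output of 3.11 is the form that is easiest to review by script. The following is an added example, not part of the original article: it reads netstat -ntpl style output and labels each TCP listener by how widely it is bound, marking Telnet (23) and SMTP (25) for review as advised earlier. The function names audit_listeners and sample_netstat and the sample rows (including the xinetd Telnet row) are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article).
# audit_listeners: read `netstat -ntpl` output on stdin and print, per TCP
# listener: SCOPE PORT PROGRAM [REVIEW]
#   EXPOSED = bound to every interface, LOCAL = loopback only,
#   IFACE   = bound to one specific address.
#   REVIEW  = Telnet (23) or SMTP (25), which the text advises turning off.
audit_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)          # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
        if (host == "0.0.0.0" || host == "::" || host == "*") scope = "EXPOSED"
        else if (host ~ /^127\./ || host == "::1") scope = "LOCAL"
        else scope = "IFACE"
        prog = ($7 == "" ? "-" : $7)             # "-" when no owner is shown
        sub(/^[0-9]*\//, "", prog)               # drop the PID
        sub(/:$/, "", prog)                      # "nginx:" becomes "nginx"
        note = (port == "23" || port == "25") ? " REVIEW" : ""
        print scope, port, prog note
    }'
}

# Constructed sample modelled on the 3.11 output; the xinetd row is invented
# to show a Telnet listener started from xinetd.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111       0.0.0.0:*        LISTEN  971/rpcbind
tcp        0      0 0.0.0.0:80        0.0.0.0:*        LISTEN  1526/nginx: master
tcp        0      0 192.168.122.1:53  0.0.0.0:*        LISTEN  1248/dnsmasq
tcp        0      0 0.0.0.0:22        0.0.0.0:*        LISTEN  1163/sshd
tcp        0      0 127.0.0.1:631     0.0.0.0:*        LISTEN  1140/cupsd
tcp        0      0 127.0.0.1:25      0.0.0.0:*        LISTEN  18573/sendmail: acc
tcp        0      0 0.0.0.0:23        0.0.0.0:*        LISTEN  2001/xinetd
EOF
}

# Live use (as root, so the program column is filled): netstat -ntpl | audit_listeners
sample_netstat | audit_listeners
```

Rows marked EXPOSED are reachable from any network the host is attached to and are the ones to compare against the list of services the machine is supposed to offer.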
3.12 Output TCP listening port information once per second: netstat -ntplc
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:111       0.0.0.0:*        LISTEN  971/rpcbind
tcp        0      0 0.0.0.0:8080      0.0.0.0:*        LISTEN  1526/nginx: master
tcp        0      0 0.0.0.0:80        0.0.0.0:*        LISTEN  1526/nginx: master
tcp        0      0 192.168.122.1:53  0.0.0.0:*        LISTEN  1248/dnsmasq
tcp        0      0 127.0.0.1:8086    0.0.0.0:*        LISTEN  1553/python
tcp        0      0 0.0.0.0:22        0.0.0.0:*        LISTEN  1163/sshd
3.13 Display routing information: netstat -r
[[email protected] jiehun]# netstat -r
Kernel IP routing table
Destination     Gateway   Genmask         Flags  MSS Window  irtt Iface
default         vrouter   0.0.0.0         UG       0 0          0 eth0
192.168.0.0     *         255.255.255.0   U        0 0          0 eth0
192.168.122.0   *         255.255.255.0   U        0 0          0 virb
3.14 Display the list of network interfaces to check the NICs: netstat -i
[[email protected] jiehun]# netstat -i
Kernel Interface table
Iface     MTU   Met   RX-OK  RX-ERR RX-DRP RX-OVR   TX-OK  TX-ERR TX-DRP TX-OVR Flg
eth0            0     4943885     0      0      0   901773      0      0      0 BMRU
lo        16436 0     236931      0      0      0   236931      0      0      0 LRU
virbr0          0     0           0      0      0   0           0      0      0 BMU
You should see large numbers in the RX-OK (received OK) and TX-OK (transmitted OK) columns, and the numbers in the other columns should be very small. If you see large values in the "RX-ERR" or "TX-ERR" columns, it is likely that there is a problem with the NIC or the network cable.