Linux netstat command details and examples (display various network-related information)

Source: Internet
Author: User
The netstat command is used to display statistics related to the IP, TCP, UDP, and ICMP protocols. It is generally used to check the network connections of each port on the local machine. netstat is a program that accesses network information held in the kernel. It provides TCP connections, TCP and UDP listeners, and process memory management.

If your computer occasionally receives a datagram that causes a data error or a fault, there is no need to be surprised: TCP/IP tolerates these types of errors and automatically resends the datagram. However, if the cumulative number of errors accounts for a considerable percentage of the IP datagrams received, or the number of errors is increasing rapidly, you should use netstat to find the cause.

1. Command format:

netstat [-acCeFghilMnNoprstuvVwx] [-A<network type>] [--ip]

2. Command functions:

netstat is used to display statistics related to the IP, TCP, UDP, and ICMP protocols. It is generally used to check the network connections of each port on the local machine.

3. Command parameters:

-a or --all: shows the sockets of all connections.

-A<network type> or --<network type>: lists the addresses in use by connections of that network type.

-c or --continuous: continuously lists the network status.

-C or --cache: displays the cache information of the router configuration.

-e or --extend: displays additional network-related information.

-F or --fib: displays the FIB.

-g or --groups: displays the membership list of multicast groups.

-h or --help: online help.

-i or --interfaces: displays the network interface table.

-l or --listening: displays the sockets of listening servers.

-M or --masquerade: displays masqueraded network connections.

-n or --numeric: uses IP addresses directly, without going through the domain name server.

-N or --netlink or --symbolic: displays the symbolic link names of network hardware peripherals.

-o or --timers: displays timers.

-p or --programs: shows the PID and program name of the program using each socket.

-r or --route: displays the routing table.

-s or --statistics: displays a table of network statistics.

-t or --tcp: shows the connection status of the TCP protocol.

-u or --udp: shows the connection status of the UDP protocol.

-v or --verbose: displays the command execution process.

-V or --version: displays version information.

-w or --raw: shows the connection status of the RAW protocol.

-x or --unix: this parameter has the same effect as specifying "-A unix".

--ip or --inet: this parameter has the same effect as specifying "-A inet".

4. Examples:

Instance 1: no parameter used

Command: netstat

Output:

[root@localhost ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 268 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED
udp 0 0 192.168.120.204:4371 10.58.119.119:domain ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823
unix 2 [ ] DGRAM 7539
unix 3 [ ] STREAM CONNECTED 7287
unix 3 [ ] STREAM CONNECTED 7286
[root@localhost ~]#

Note:

The output of netstat can be divided into two parts:

The first is Active Internet connections, which lists the active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers are generally 0. If they are not, packets are accumulating in the queue. This is seen only in rare cases.

The second is Active UNIX domain sockets, which lists the active UNIX domain sockets (these work like network sockets, but can only be used for local communication, and the performance can be doubled).

Proto displays the protocol used for the connection. RefCnt indicates the number of processes attached to the socket. Type indicates the socket type. State indicates the current state of the socket. Path indicates the path name used by other processes connected to the socket.

Socket types:

-t: TCP

-u: UDP

--raw: RAW type

--unix: UNIX domain type

--ax25: AX25 type

--ipx: IPX type

--netrom: NETROM type

State descriptions:

LISTEN: listening for connection requests from remote TCP ports.

SYN-SENT: waiting for a matching connection request after having sent a connection request (if there are a large number of sockets in this state, check whether the host has been compromised).

SYN-RECEIVED: having received and sent a connection request, waiting for the other party to confirm it (if there are a large number of sockets in this state, it is probably a flood attack).

ESTABLISHED: an open connection.

FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for acknowledgment of a termination request sent earlier.

FIN-WAIT-2: waiting for a connection termination request from the remote TCP.

CLOSE-WAIT: waiting for a connection termination request from the local user.

CLOSING: waiting for the remote TCP to acknowledge the connection termination.

LAST-ACK: waiting for acknowledgment of the connection termination request previously sent to the remote TCP (not a good sign; if this appears, check whether the host is under attack).

TIME-WAIT: waiting for enough time to pass to be sure that the remote TCP received the acknowledgment of its connection termination request.

CLOSED: no connection state at all.

 

Instance 2: list all ports

Command: netstat -a

Output:

[root@localhost ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smux *:* LISTEN
tcp 0 0 *:svn *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 284 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED
udp 0 0 localhost:syslog *:*
udp 0 0 *:snmp *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 708833 /tmp/ssh-yKnDB15725/agent.15725
unix 2 [ ACC ] STREAM LISTENING 7296 /var/run/audispd_events
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823
unix 2 [ ] DGRAM 7539
unix 3 [ ] STREAM CONNECTED 7287
unix 3 [ ] STREAM CONNECTED 7286
[root@localhost ~]#

Note:

Displays a list of all valid connections, including established connections (ESTABLISHED) and listening connections (LISTEN).

Instance 3: displays the current UDP connection status

Command: netstat -nu

Output:

[root@andy ~]# netstat -nu
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 ::ffff:192.168.12:53392 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:56723 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:56480 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:58154 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:44227 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:36954 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:53984 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:57703 ::ffff:192.168.9.120:10000 ESTABLISHED
udp 0 0 ::ffff:192.168.12:53613 ::ffff:192.168.9.120:10000 ESTABLISHED
[root@andy ~]#

Instance 4: displays the UDP port number usage

Command: netstat -apu

Output:

[root@andy ~]# netstat -apu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 *:57604 *:* 28094/java
udp 0 0 *:40583 *:* 21220/java
udp 0 0 *:45451 *:* 14583/java
udp 0 0 ::ffff:192.168.12:53392 ::ffff:192.168.9.120:ndmp ESTABLISHED 19327/java
udp 0 0 *:52370 *:* 15841/java
udp 0 0 ::ffff:192.168.12:56723 ::ffff:192.168.9.120:ndmp ESTABLISHED 15841/java
udp 0 0 *:44182 *:* 31757/java
udp 0 0 *:48155 *:* 5476/java
udp 0 0 *:59808 *:* 17333/java
udp 0 0 ::ffff:192.168.12:56480 ::ffff:192.168.9.120:ndmp ESTABLISHED 28094/java
udp 0 0 ::ffff:192.168.12:58154 ::ffff:192.168.9.120:ndmp ESTABLISHED 15429/java
udp 0 0 *:36780 *:* 10091/java
udp 0 0 *:36795 *:* 24594/java
udp 0 0 *:41922 *:* 20506/java
udp 0 0 ::ffff:192.168.12:44227 ::ffff:192.168.9.120:ndmp ESTABLISHED 17333/java
udp 0 0 *:34258 *:* 8866/java
udp 0 0 *:55508 *:* 11667/java
udp 0 0 *:36055 *:* 12425/java
udp 0 0 ::ffff:192.168.12:36954 ::ffff:192.168.9.120:ndmp ESTABLISHED 16532/java
udp 0 0 ::ffff:192.168.12:53984 ::ffff:192.168.9.120:ndmp ESTABLISHED 20506/java
udp 0 0 ::ffff:192.168.12:57703 ::ffff:192.168.9.120:ndmp ESTABLISHED 31757/java
udp 0 0 ::ffff:192.168.12:53613 ::ffff:192.168.9.120:ndmp ESTABLISHED 3199/java
udp 0 0 *:56309 *:* 15429/java
udp 0 0 *:54007 *:* 16532/java
udp 0 0 *:39544 *:* 3199/java
udp 0 0 *:43900 *:* 19327/java
[root@andy ~]#

Instance 5: displays the NIC list

Command: netstat -i

Output:

[root@andy ~]# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR Flg
eth0 1500 0 151818887 0 0 0 198928403 0 0 0 BMRU
lo 16436 0 107235 0 0 107235 0 0 0 LRU
[root@andy ~]#

Instance 6: displays the relationship between multicast groups.

Command: netstat -g

Output:

[root@andy ~]# netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
------------------------------------------
lo 1 all-systems.mcast.net
eth0 1 all-systems.mcast.net
lo 1 ff02::1
eth0 1 ff02::1:ffff:9b0c
eth0 1 ff02::1
[root@andy ~]#

Instance 7: Displays network statistics

Command: netstat -s

Output:

[root@localhost ~]# netstat -s
Ip:
530999 total packets received
0 forwarded
0 incoming packets discarded
530999 incoming packets delivered
8258 requests sent out
1 dropped because of missing route
Icmp:
90 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
Destination unreachable: 17
Echo requests: 1
Echo replies: 72
106 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
Destination unreachable: 8
Echo request: 97
Echo replies: 1
IcmpMsg:
InType0: 72
InType3: 17
InType8: 1
OutType0: 1
OutType3: 8
OutType8: 97
Tcp:
8 active connections openings
15 passive connection openings
8 failed connection attempts
3 connection resets received
1 connections established
3132 segments received
2617 segments send out
53 segments retransmited
0 bad segments received.
252 resets sent
Udp:
0 packets received
0 packets to unknown port received.
0 packet receive errors
5482 packets sent
TcpExt:
1 invalid SYN cookies received
1 TCP sockets finished time wait in fast timer
57 delayed acks sent
Quick ack mode was activated 50 times
60 packets directly queued to recvmsg prequeue.
68 packets directly received from backlog
4399 packets directly received from prequeue
520 packets header predicted
51 packets header predicted and directly queued to user
1194 acknowledgments not containing data received
21 predicted acknowledgments
0 TCP data loss events
1 timeouts after reno fast retransmit
9 retransmits in slow start
42 other TCP timeouts
3 connections aborted due to timeout
IpExt:
InBcastPkts: 527777

Note:

Statistics are displayed per protocol. If an application (such as a Web browser) runs slowly or cannot display data such as Web pages, this option can be used to review the statistics. Check each row carefully, look for the error-related keywords, and use them to identify the problem.

Instance 8: displays listening sockets

Command: netstat -l

Output:

[root@localhost ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smux *:* LISTEN
tcp 0 0 *:svn *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
udp 0 0 localhost:syslog *:*
udp 0 0 *:snmp *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 708833 /tmp/ssh-yKnDB15725/agent.15725
unix 2 [ ACC ] STREAM LISTENING 7296 /var/run/audispd_events
[root@localhost ~]#

Instance 9: displays all established valid connections

Command: netstat -n

Output:

[root@localhost ~]# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 268 192.168.120.204:22 10.2.0.68:62420 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823
unix 2 [ ] DGRAM 7539
unix 3 [ ] STREAM CONNECTED 7287
unix 3 [ ] STREAM CONNECTED 7286
[root@localhost ~]#

Instance 10: displays Ethernet statistics

Command: netstat -e

Output:

[root@localhost ~]# netstat -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 248 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED root 708795
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823
unix 2 [ ] DGRAM 7539
unix 3 [ ] STREAM CONNECTED 7287
unix 3 [ ] STREAM CONNECTED 7286
[root@localhost ~]#

Note:

Displays Ethernet statistics. The items listed include the total number of bytes, the number of errors, the number of discards, the number of datagrams, and the number of broadcasts. These statistics cover both sent and received packets. This option can be used to measure some basic network traffic. In the Linux output above, -e adds the User and Inode columns to each connection.

Instance 11: displays information about the route table.

Command: netstat -r

Output:

[root@localhost ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.120.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 192.168.120.1 255.255.0.0 UG 0 0 0 eth0
10.0.0.0 192.168.120.1 255.0.0.0 UG 0 0 0 eth0
default 192.168.120.240 0.0.0.0 UG 0 0 0 eth0
[root@localhost ~]#

Instance 12: list all tcp ports

Command: netstat -at

Output:

[root@localhost ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smux *:* LISTEN
tcp 0 0 *:svn *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 284 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED
[root@localhost ~]#

Instance 13: count the number of network connections in the machine

Command: netstat -a | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'

Output:

[root@localhost ~]# netstat -a | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'
ESTABLISHED 1
LISTEN 3
[root@localhost ~]#


Instance 14: extract all the states, count them with uniq -c, then sort

Command: netstat -nat | awk '{print $6}' | sort | uniq -c

Output:

[root@andy ~]# netstat -nat | awk '{print $6}' | sort | uniq -c
14 CLOSE_WAIT
1 established)
578 ESTABLISHED
1 Foreign
43 LISTEN
5 TIME_WAIT
[root@andy ~]# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
576 ESTABLISHED
43 LISTEN
14 CLOSE_WAIT
5 TIME_WAIT
1 Foreign
1 established)
[root@andy ~]#

Instance 15: view the IP addresses that have the most connections to a service port

Command: netstat -nat | grep "192.168.120.20:16067" | awk '{print $5}' | awk -F: '{print $4}' | sort | uniq -c | sort -nr | head -20

Output:

[root@andy ~]# netstat -nat | grep "192.168.120.20:16067" | awk '{print $5}' | awk -F: '{print $4}' | sort | uniq -c | sort -nr | head -20
8 10.2.1.68
7 192.168.119.13
6 192.168.119.201
6 192.168.119.20
6 192.168.119.10
4 10.2.1.199
3 10.2.1.207
2 192.168.120.20
2 192.168.120.15
2 192.168.119.197
2 192.168.119.11
2 10.2.1.206
2 10.2.1.203
2 10.2.1.189
2 10.2.1.173
1 192.168.120.18
1 192.168.119.19
1 10.2.2.227
1 10.2.2.138
1 10.2.1.208
[root@andy ~]#
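
The state descriptions under Instance 1 and the pipelines in Instances 13 to 15 all come down to counting sockets per state and per remote address. The script below is an added example, not part of the original article: it runs those counts over a constructed sample of netstat -nat output, skips the header lines that show up as "Foreign" and "established)" in Instance 14, strips the port so that plain and ::ffff:-mapped addresses count toward the same peer, and flags a build-up of SYN_RECV (how Linux netstat prints the state listed above as SYN-RECEIVED). The function names, the sample addresses and the threshold of 3 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output; all addresses are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.120.20:16067 10.2.1.68:51303 ESTABLISHED
tcp 0 0 192.168.120.20:16067 10.2.1.68:51302 ESTABLISHED
tcp 0 0 ::ffff:192.168.120.20:16067 ::ffff:10.2.1.68:50020 ESTABLISHED
tcp 0 0 192.168.120.20:16067 192.168.119.13:6462 ESTABLISHED
tcp 0 0 192.168.120.20:16067 10.9.9.1:40001 SYN_RECV
tcp 0 0 192.168.120.20:16067 10.9.9.2:40002 SYN_RECV
tcp 0 0 192.168.120.20:16067 10.9.9.3:40003 SYN_RECV
tcp 0 0 192.168.120.20:22 10.2.0.68:62420 TIME_WAIT
EOF
}

# Count TCP sockets per state. Matching /^tcp/ skips the two header lines
# that Instance 14 counts as "established)" and "Foreign".
count_states() {
    awk '/^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Count remote IPs connected to one local port ($1). Removing the trailing
# ":port" works for plain IPv4 and for ::ffff:-mapped addresses alike,
# whereas awk -F: '{print $4}' only works for the mapped form.
top_sources() {
    awk -v port="$1" '
        /^tcp/ && $4 ~ (":" port "$") && $6 != "LISTEN" {
            ip = $5
            sub(/:[0-9*]+$/, "", ip)   # drop the remote port
            sub(/^::ffff:/, "", ip)    # fold IPv4-mapped IPv6 into IPv4
            n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Succeeds (exit status 0) when at least $1 sockets are half-open.
# The threshold is an assumption; tune it to the host's normal load.
syn_recv_alert() {
    awk -v t="$1" '/^tcp/ && $6 == "SYN_RECV" { c++ } END { exit !(c + 0 >= t) }'
}

# Run on the sample; on a live host, pipe `netstat -nat` in instead.
sample_netstat | count_states
sample_netstat | top_sources 16067 | head -20
if sample_netstat | syn_recv_alert 3; then
    echo "ALERT: 3 or more sockets in SYN_RECV"
fi
```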

Instance 16: find the port a program is running on

Command: netstat -ap | grep ssh

Output:

[root@andy ~]# netstat -ap | grep ssh
tcp 0 0 *:ssh *:* LISTEN 2570/sshd
tcp 0 0 ::ffff:192.168.120.206:ssh ::ffff:10.2.1.205:54508 ESTABLISHED 13883/14
tcp 0 0 ::ffff:192.168.120.206:ssh ::ffff:10.2.0.68:62886 ESTABLISHED 20900/6
tcp 0 0 ::ffff:192.168.120.206:ssh ::ffff:10.2.2.131:52730 ESTABLISHED 20285/sshd: root@no
unix 2 [ ACC ] STREAM LISTENING 194494461 20900/6 /tmp/ssh-cXIJj20900/agent.20900
unix 3 [ ] STREAM CONNECTED 194307443 20285/sshd: root@no
unix 3 [ ] STREAM CONNECTED 194307441 20285/sshd: root@no
[root@andy ~]#

Instance 17: The PID and process name are displayed in the netstat output.

Command: netstat -pt

Output:

[root@localhost ~]# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 248 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED 15725/0
[root@localhost ~]#

Note:

netstat -p can be combined with other switches to add the "PID/Program name" column to the netstat output, so that the program running on a specific port can easily be found during debugging.

Instance 18: find the process running on the specified port

Command: netstat -anpt | grep ':16064'

Output:

[root@andy ~]# netstat -anpt | grep ':16064'
tcp 0 0 :::16064 :::* LISTEN 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.201:6462 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.20:26341 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.20:32208 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.20:32207 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:51303 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:51302 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50020 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50019 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:56155 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50681 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50680 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:52136 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:56989 ESTABLISHED 24594/java
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:56988 ESTABLISHED 24594/java
[root@andy ~]#

Note:

The ID of the process running on port 16064 is 24594, and the specific application can be found through the ps command.
