Linux netstat command details

Source: Internet
Author: User

Introduction

The netstat command displays various network-related information, such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Meaning of the output

After netstat is executed, the output looks like this:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 210.34.6.89:telnet      210.34.6.96:2873        ESTABLISHED
tcp      296      0 210.34.6.89:1165        210.34.6.84:netbios-ssn ESTABLISHED
tcp        0      0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp        0      0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp        0     80 210.34.6.89:1161        210.34.6.10:netbios-ssn CLOSE
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     16178  @000000dd
unix  1      [ ]         STREAM     CONNECTED     16176  @000000dc
unix  9      [ ]         DGRAM                    5292   /dev/log
unix  1      [ ]         STREAM     CONNECTED     16182  @000000df

The output result of netstat can be divided into two parts:

One is Active Internet connections, the active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers are generally 0. If they are not, packets are accumulating in the queue. This can only be seen in rare cases.

The other is Active UNIX domain sockets, the active Unix domain sockets (these are used like network sockets, but only for local communication, and the performance can be doubled).
Proto displays the protocol used by the socket. RefCnt indicates the number of processes attached to the socket. Type indicates the socket type. State indicates the current state of the socket. Path indicates the path name used by other processes connected to the socket.

Common Parameters

-a (all): show all sockets. LISTEN sockets are not displayed by default.
-t (tcp): display only TCP-related entries.
-u (udp): display only UDP-related entries.
-n: do not display aliases; everything that can be shown as a number is shown as a number.
-l: list only sockets in the LISTEN state.
-p: display the name of the program that owns each connection.
-r: display routing information and the routing table.
-e: display extended information, such as the uid.
-s: display statistics by protocol.
-c: re-run the netstat command at a fixed interval.

Tip: The LISTEN and LISTENING states can only be viewed using -a or -l.

Practical command examples

1. List all ports (listening and non-listening)

List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

List all tcp ports: netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all udp ports: netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

2. List all sockets in the listening state

Show only the listening ports: netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
udp        0      0 *:49119                 *:*

List only the listening tcp ports: netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List only the listening udp ports: netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

List only the listening UNIX sockets: netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6294     private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     6203     public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     6302     private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     6306     private/bsmtp

3. Display statistics for each protocol

Show statistics for all ports: netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
Tcp:
    582 active connections openings
    2 failed connection attempts
    25 connection resets received
Udp:
    1183 packets received
    4 packets to unknown port received.
.....

Display TCP or UDP port statistics: netstat -st or -su

# netstat -st
# netstat -su

4. Display the PID and process name in the netstat output: netstat -p

netstat -p can be used with other switches to add the "PID/process name" to the netstat output, so that programs running on specific ports can be easily found during debugging.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www      CLOSE_WAIT  2109/firefox
tcp        0      0 ramesh-laptop.loc:52750 lax:www                 ESTABLISHED 2109/firefox

5. Do not display host, port, or user names in the netstat output

When you do not want the host, port, and user names to be displayed, use netstat -n. The names will be replaced by numbers.

The output is also produced faster because no name lookups are required.

# netstat -an

If you only want to display one of the three names, run the following command:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Continuous output of netstat information

With -c, netstat outputs network information every second.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www      CLOSING
tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www      CLOSING
^C

7. Display address families not supported by the system

netstat --verbose

At the end of the output, the following information is displayed:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Display the kernel routing information: netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
link-local      *               255.255.0.0     U         0 0          0 eth2
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: Use netstat -rn to display the output in numeric format, without looking up host names.

9. Find the port a program is running on

Not all processes can be found. Processes you do not have permission to inspect are not displayed. Run the command as root to view all information.

# netstat -ap | grep ssh
tcp        1      0 dev-db:ssh           101.174.100.22:39213        CLOSE_WAIT  -
tcp        1      0 dev-db:ssh           101.174.100.22:57643        CLOSE_WAIT  -

Find the process running on the specified port

# netstat -an | grep ':80'

10. Display the network interface list

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0       0      0      0      0        0      0      0      0 BMU
eth2   1500   0   26196      0      0      0    26883      6      0      0 BMRU
lo    16436   0       4      0      0      0        4      0      0      0 LRU

Display details in the same form as ifconfig, using netstat -ie:

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000

11. IP and TCP analysis

View the IP addresses that have the most connections to a service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

List of TCP statuses

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT

Obtain all the states, count them with uniq -c, and then sort them.

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)
The final command is as follows:
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
Analyze access.log to obtain the top 10 IP addresses
awk '{print $1}' access.log |sort|uniq -c|sort -nr|head -10
