Netstat and packet capture on Linux

Source: Internet
Author: User

1. Netstat command

netstat is a program that accesses the state of network connections and related information in the kernel; it provides reports on TCP connections, TCP and UDP listening sockets, and process memory management.
netstat is a console command and a very useful tool for monitoring TCP/IP networks. It can display the routing table, actual network connections, and status information for each network interface. netstat is used to display statistics for the IP, TCP, UDP, and ICMP protocols, and is typically used to check the network connectivity of each port on the machine.
If your computer sometimes receives packets that are corrupted or cause failures, do not be surprised: TCP/IP tolerates these kinds of errors and automatically retransmits packets. But if the cumulative number of errors is a significant percentage of the IP datagrams received, or if that number is growing rapidly, you should use netstat to find out why.
The netstat command displays network connections, the routing table, and network interface information, so that users know which network connections are active. Used without parameters, netstat displays the active TCP connections.

The netstat command prints information such as network connection status, the ports the system has open, and the routing table. The most commonly used forms are netstat -lnp (to see which ports the system is listening on) and netstat -an (to view the status of network connections).
If a machine is not listening on any port, other machines have no way to communicate with it. To provide a web service so that others can access the server and the website, you need to listen on a port. So how do you view the listening ports? Enter the command netstat -lnp, press Enter, and look at the output.

Focus on the contents of the red box in the output, which shows which ports are being listened on; this command is used very often. It is best to look up the meanings of TCP and UDP online to get a basic understanding.
TCP on Baidu Encyclopedia: https://baike.baidu.com/item/TCP/33012?fr=aladdin
UDP on Baidu Encyclopedia: https://baike.baidu.com/item/UDP/571511?fr=aladdin
Besides TCP and UDP there is also unix, which is the socket file mentioned earlier: two processes on the same server communicate with each other through the socket file.
To view only TCP or only UDP, use netstat -ltnp or netstat -lunp respectively and look at the output.

There is another command: enter netstat -an, press Enter, and look at the output.

There is a lot of output, so it is not explained line by line. This command touches on an extension of TCP/IP knowledge, the "three-way handshake and four-way close"; that is the key point to understand.
The State column shows the common connection states. Raw sockets have no state, and UDP usually has none either, so the State column can be empty. If there is a state, the value is usually one of:
LISTEN: listening for connection requests from a remote TCP port
SYN-SENT: waiting for a matching connection request after having sent a connection request
SYN-RECEIVED: waiting for confirmation of the connection request after having both received and sent a connection request
ESTABLISHED: an open connection that is communicating. This value needs attention: if it is large, the system is busy. Typically, anything within 1000 is acceptable for a server.
FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or an acknowledgement of the termination request previously sent
FIN-WAIT-2: waiting for a connection termination request from the remote TCP
CLOSE-WAIT: waiting for a connection termination request from the local user
CLOSING: waiting for the remote TCP's acknowledgement of the connection termination request
LAST-ACK: waiting for an acknowledgement of the connection termination request previously sent to the remote TCP
TIME-WAIT: waiting enough time to be sure the remote TCP received the acknowledgement of its connection termination request
CLOSED: no connection

Here is a small trick to see the counts of all states: enter the command netstat -an | awk '/^tcp/{++sta[$NF]} END {for (key in sta) print key, "\t", sta[key]}', press Enter, and look at the output.

On my virtual machine the numbers are small: LISTEN 4, ESTABLISHED 1.
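The counting trick above, as an added example that is not part of the original post: a reusable shell function applying the same awk logic to constructed netstat -an output (the array name is kept consistent because awk is case-sensitive), plus a check of the ESTABLISHED count against the 1000 figure mentioned above. The sample output and the function names are assumptions.

```shell
#!/bin/sh
# Added example: count TCP connection states from netstat -an output.
# Assumes the layout shown above: lines starting with "tcp" (or "tcp6")
# carry the state in their last column.

# count_states: reads netstat -an output on stdin and prints "STATE count"
# lines sorted by state name. Same awk logic as the one-liner above; note the
# array name is "sta" throughout, since awk is case-sensitive (STA != sta).
count_states() {
    awk '/^tcp/ { ++sta[$NF] } END { for (key in sta) print key, sta[key] }' | sort
}

# established_count: reads netstat -an output on stdin and prints only the
# ESTABLISHED count (0 when there is none).
established_count() {
    n=$(count_states | awk '$1 == "ESTABLISHED" { print $2 }')
    echo "${n:-0}"
}

# established_ok: exit status 0 when the ESTABLISHED count ($1) is within the
# limit the text treats as acceptable for a server (default 1000), else 1.
established_ok() {
    [ "$1" -le "${2:-1000}" ]
}

# Constructed sample of netstat -an output (not a real capture).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.218.128:22      192.168.218.1:50123     ESTABLISHED
tcp        0      0 192.168.218.128:22      192.168.218.1:50124     TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# Stand-alone run: print the state counts for the sample.
# On a live system use: netstat -an | count_states
printf '%s\n' "$SAMPLE" | count_states
```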

There is also the ss command, which is similar to netstat; run it and look at the output.

Again there is a lot of output, not explained one by one. ss -an can also show the state; to view a particular state on its own, enter ss -an | grep -i listen, press Enter, and look at the output.

This command has one disadvantage: it does not show the process name, unlike the netstat command.

2. Packet capture on Linux

tcpdump can intercept packets transmitted over the network for analysis. It supports filtering by network layer, protocol, host, network, or port, and provides logical operators such as and, or, and not to help you discard useless information.
When Linux acts as a network server, especially as a router or gateway, collecting and analysing traffic is a common need. tcpdump is one of the powerful network data capture and analysis tools on Linux.
A simple definition of tcpdump is: dump the traffic on a network, that is, a packet analysis tool that intercepts packets according to a user-defined filter.
As a classic system administration tool on the Internet, with its powerful functions and flexible capture filters, tcpdump is one of the essential tools for every advanced system administrator for analysing the network, troubleshooting problems, and so on.
tcpdump provides its source code and exposes its interfaces, so it is highly extensible, and is a useful tool for both network maintainers and intruders. tcpdump ships in the base FreeBSD system; because it needs to put the network interface into promiscuous mode, a normal user cannot run it normally, but a user with root permission can run it directly to obtain information on the network. Therefore the presence of a network analysis tool on a system is not a threat to that host's own security, but it is a threat to the security of other computers on the network.
Basically, the general output format of tcpdump is: system time, source host.port > destination host.port, packet parameters

Sometimes you may want to look at what packets are on a network interface, especially if you initially suspect that there is a traffic attack against your server. At that point, use the packet capture tool to capture packets and you can find out which IP is attacking you.
If you do not have the tcpdump command, install it with yum install -y tcpdump.

Then try the simplest usage: enter the command tcpdump -nn, press Enter, and look at the output.

Some output is displayed and then the command seems to hang; press Ctrl+C to end it. This is because my device name is unusual, so I need to specify the name of the network interface; find it with the ifconfig command.

Then enter the command tcpdump -nn -i ens33, press Enter, and look at the output.

The command produces output very quickly, and you need Ctrl+C to end it. The output contains a lot of information. In the -nn option, the first n means that IP addresses are shown as numbers; without it, host names are shown instead. Enter the command tcpdump -i ens33, press Enter, and look at the output.

As you can see, the displayed IP addresses have become host names. The host names mean nothing to us, so viewing IP addresses with -nn is more intuitive. On our own host, .ssh stands for the SSH service port 22; if you know that, fine, but if you do not, you will not know what it is.
The 1st column is the time, the 2nd column is IP, the 3rd column shows the source IP and port, > points in the direction the packet goes, the 4th column shows the destination IP and port, and what follows is information about the packet. Our main focus is the two columns with IP addresses and ports. Look carefully and you will see that the IP addresses in these two columns come in pairs, sending information to each other.
tcpdump shows the flow of data.
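As an added example that is not part of the original post, the following shell function parses tcpdump -nn output in the column layout just described and ranks source IP addresses by packet count, which is the "which IP is attacking you" check mentioned earlier. The sample lines are constructed, and the function name and the optional filter string are assumptions.

```shell
#!/bin/sh
# Added example: rank source IP addresses in tcpdump -nn output.
# Assumes the column layout described above: "time IP src.port > dst.port: ...",
# where the source address is column 3 with the port appended after a final dot.

# top_sources: reads tcpdump -nn output on stdin and prints "count ip" lines,
# most frequent source first. The optional first argument is a plain substring
# a line must contain to be counted, e.g. 'Flags [S]' for TCP SYN packets only
# or '.80:' for packets involving port 80.
top_sources() {
    awk -v pat="${1:-}" '
        ($2 == "IP" || $2 == "IP6") && (pat == "" || index($0, pat) > 0) {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # drop the trailing .port (IPv4 and IPv6)
            ++n[src]
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Constructed sample of tcpdump -nn -i ens33 output (not a real capture):
# one SSH exchange, three SYNs from one host to port 80, and one NTP query.
CAPTURE='12:01:02.123456 IP 192.168.218.1.50123 > 192.168.218.128.22: Flags [P.], seq 1:37, ack 1, win 2048, length 36
12:01:02.123789 IP 192.168.218.128.22 > 192.168.218.1.50123: Flags [.], ack 37, win 227, length 0
12:01:03.000001 IP 10.0.0.5.40001 > 192.168.218.128.80: Flags [S], seq 1, win 65535, length 0
12:01:03.000002 IP 10.0.0.5.40002 > 192.168.218.128.80: Flags [S], seq 1, win 65535, length 0
12:01:03.000003 IP 10.0.0.5.40003 > 192.168.218.128.80: Flags [S], seq 1, win 65535, length 0
12:01:04.000000 IP 192.168.218.128.123 > 203.0.113.9.123: NTPv4, Client, length 48'

# Stand-alone run: all sources, then only the SYN senders.
# On a live system use: tcpdump -nn -i ens33 -c 1000 | top_sources 'Flags [S]'
# or on a saved file:   tcpdump -nn -r /tmp/1.cap | top_sources
printf '%s\n' "$CAPTURE" | top_sources
printf '%s\n' "$CAPTURE" | top_sources 'Flags [S]'
```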
You can also specify a port to view. Take a look at port 123: enter the command tcpdump -nn -i ens33 port 123, press Enter, and look at the output.

The result contains only port 123. Of course there is also an exclusion form: enter tcpdump -nn -i ens33 not port 22, press Enter, and look at the output.

You can also combine conditions: enter the command tcpdump -nn -i ens33 not port 22 and host 192.168.218.128, press Enter, and look at the output.

You can also specify the length and number of packets, for example tcpdump -nn -i ens33 -c 10.

Here 10 is the number of packets. You can also specify a file to store the capture in with -w; the name is arbitrary, for example tcpdump -nn -i ens33 -c 10 -w /tmp/1.cap.

The capture here takes a little time; it is not stuck, so be patient and a result will come. To inspect the written file, enter the command file /tmp/1.cap, press Enter, and look at the output.

This file cannot be viewed with the cat command; the result is a pile of garbage. You can use the file command to view rough information about it, or use the tcpdump command to read it, which requires -r: tcpdump -r /tmp/1.cap.

The result is the captured traffic.
Next, a tshark command. You need to install the tool first.


After installation, run it: enter the command tshark -n -t a -R http.request -T fields -e "frame.time" -e "ip.src" -e "http.host" -e "http.request.method" -e "http.request.uri", press Enter, and look at the output.

It shows access to the web port (port 80) on the specified network interface. On the virtual machine nothing is found, because nothing is listening on port 80 and no web service is provided, so there is no result and no effect, but this command is worth remembering. Its output is similar to a web access log, containing information such as the time, IP address, accessed domain name, link, and so on.

Summary:
netstat -lnp: see which ports the current system has open
netstat -an: view network connection status
netstat -ltnp: view the TCP ports the current system has open
netstat -lunp: view the UDP ports the current system has open
netstat -ltunp: view the TCP and UDP ports the current system has open
netstat -an | awk '/^tcp/{++sta[$NF]} END {for (key in sta) print key, "\t", sta[key]}': view the counts of all states
Courseware address: centos7.aminglinux.com
ss -an: the same as netstat, also views the states, but does not show the process name
ss -an | grep -i listen: view the LISTEN state only
tcpdump -nn -i ens33: view the flow of data with IP addresses and ports
tcpdump -i ens33: without -nn, shows host names instead of IP addresses and ports
tcpdump -nn -i ens33 port 123: view the data flow on the specified port 123
tcpdump -nn -i ens33 not port 22: view the data flow excluding port 22
tcpdump -nn -i ens33 not port 22 and host 192.168.218.128: view the data flow that is not on port 22 and involves host 192.168.218.128
tcpdump -nn -i ens33 -c 10: view 10 packets
tcpdump -nn -i ens33 -c 10 -w /tmp/1.cap: capture 10 packets and store them at the specified path /tmp/1.cap
tcpdump -r /tmp/1.cap: view the stored capture file

