Network Monitoring Tools-netstat

Source: Internet
Author: User
Tags ack

Check the network connection status and the services behind it: netstat
# netstat -[rn]         <== route-related parameters
# netstat -[antulpc]    <== parameters related to the network interface

Options and parameters:
Parameters related to routing (route):
-r: Lists the routing table; works like the route command;
-n: Do not resolve host names or service names; show IP addresses and port numbers directly, like route -n
Parameters related to the network interface:
-a: Lists all connection states, including TCP/UDP/Unix sockets, etc.;
-t: Lists only TCP connections;
-u: Lists only UDP connections;
-l: Lists only services in the LISTEN (listening) state;
-p: Lists the PID and the program name;
-c: Refresh automatically every few seconds; for example, -c 5 updates the network status display every five seconds;

-e: Display extended information, such as the UID;
-s: Show statistics per protocol.

Hint: The LISTEN (listening) state can only be seen with -a or -l.

The output of netstat is mainly divided into two parts: the TCP/IP network interface (Active Internet connections) and the traditional UNIX socket (Active UNIX domain sockets).
It is usually recommended to add -n, because that avoids the reverse lookup of host names and service names and shows the IP and port number directly, which makes the display much faster!

Active Internet connections, i.e. active TCP/IP connections, are divided into several main columns:
Proto: The protocol of the connection, mainly TCP/UDP packets;
Recv-Q: The number of bytes received on this connection but not yet copied by the user program;
Send-Q: The number of bytes sent that the remote host has not yet acknowledged with an ACK, i.e. bytes in packets still carrying an active SYN or other flag;
Local Address: The local side, either as an IP (when -n is given) or as the full host name. The format is "ip:port"; the only difference is between IPv4 and IPv6. As shown in Example two below, the ":::22" on port 22 is the IPv6 display; it means the same as 0.0.0.0:22. Port 25 is open only on the lo interface, which means the Internet basically cannot connect to my local port 25!
Foreign Address: The remote host's IP and port number
State: Status column; the main states are:
ESTABLISHED: The connection has been established;
SYN_SENT: A connection request packet (SYN flag) has been sent;
SYN_RECV: A connection request packet has been received;
FIN_WAIT1: The socket has been closed on this side and the connection is being torn down;
FIN_WAIT2: The connection has been closed, waiting for the other host to acknowledge the disconnection;
TIME_WAIT: The connection has been closed, but the socket is still waiting for stray packets on the network to expire;
LISTEN: Usually a service listening on a port! It can be looked up with the -l parameter.

Recv-Q and Send-Q are the receive queue and the send queue. These figures should normally be 0; if not, packets are accumulating in the queue. This is seen in only a very few cases.

Active UNIX domain sockets refers to active UNIX domain socket interfaces (like network sockets, but only for local communication, with roughly twice the performance):

Proto: the protocol used by the connection
RefCnt: the number of processes attached to this socket
Type: the socket type
State: the socket's current state
Path: the path name other processes use to connect to the socket
Flags: connection flags

Practical Command Instances
1) List all ports (including listening and not listening)
List all ports: netstat -a
List all TCP ports: netstat -at
List all UDP ports: netstat -au

2) List all sockets in the listening state
Show only listening ports: netstat -l
List only listening TCP ports: netstat -lt
List only listening UDP ports: netstat -lu
List only listening Unix sockets: netstat -lx

3) Display statistics for each protocol
Show statistics for all ports: netstat -s
Display statistics for TCP or UDP ports: netstat -st or netstat -su

4) Continuous output of netstat information: netstat -c prints the network information every second.

5) Display address families not supported by the system: netstat --verbose

6) Find out which port a program is running on: netstat -an | grep ':80'. Not all processes can be found; those you have no permission for are not displayed. Use root privileges to view all the information.

7) Display the network interface list: netstat -i

8) Count the number of network connections in each state on this machine

netstat -a | awk '/^tcp/ {++s[$NF]} END {for (a in s) print a, s[a]}'

9) View the IP addresses connecting to a service port ($5 is the Foreign Address column; -F: splits it at the colon so $1 is the IP)

netstat -nat | grep "192.168.120.20:16067" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20
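Both pipelines in items 8 and 9 depend on column positions and on splitting the address at the first colon, which breaks on IPv6 rows such as :::22. The following is an added example, not part of the original page: it does the same two jobs on a constructed netstat -ant sample and splits addresses on the last colon so IPv6 entries survive.

```python
"""Parse netstat -ant style output: count TCP states (item 8) and rank
remote IPs talking to one local port (item 9). Added example; the sample
output below is constructed, not captured from the page's host."""
from collections import Counter

# Constructed sample in the layout of `netstat -ant` (IPv4 and IPv6 rows).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0     52 192.168.1.100:22        192.168.1.101:1937      ESTABLISHED
tcp        0      0 192.168.1.100:22        192.168.1.101:1940      ESTABLISHED
tcp        0      0 192.168.1.100:22        192.168.1.102:50210     TIME_WAIT
tcp        0      0 192.168.1.100:22        10.0.0.7:4022           ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:22                  ::1:44112               ESTABLISHED
"""

def split_addr(addr):
    """Split 'host:port' on the LAST colon so IPv6 forms like ':::22' and
    '::1:44112' keep their address intact (awk -F: '{print $1}' would not)."""
    host, _, port = addr.rpartition(":")
    return host, port

def tcp_rows(text):
    """Yield (local, foreign, state) for each tcp/tcp6 line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp"):
            yield f[3], f[4], f[5]

def state_counts(text):
    """Equivalent of: netstat -a | awk '/^tcp/ {++s[$NF]} END {...}'."""
    return Counter(state for _, _, state in tcp_rows(text))

def top_peers(text, local_port, limit=20):
    """Equivalent of the grep | awk | sort | uniq -c pipeline for one local
    port: count remote hosts on every non-LISTEN row for that port."""
    c = Counter()
    for local, foreign, state in tcp_rows(text):
        if split_addr(local)[1] == str(local_port) and state != "LISTEN":
            c[split_addr(foreign)[0]] += 1
    return c.most_common(limit)

if __name__ == "__main__":
    print(dict(state_counts(SAMPLE)))
    print(top_peers(SAMPLE, 22))
```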

Example one: List the current routing table and display it with IP addresses and port numbers:
# netstat -rn
In fact, this parameter does exactly the same as route -n, and is not the main function of netstat.

Example two: List all current network connection states, using IP addresses and port numbers
# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
.... (omitted in the middle) ....
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0        192.168.1.100:22        192.168.1.101:1937      ESTABLISHED
tcp        0      0 :::22                   :::*                    LISTEN
.... (omitted in the middle) ....
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     11075  @/var/run/hald/dbus-uukdg1qmph
unix  2      [ ACC ]     STREAM     LISTENING     10952  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     11032  /var/run/acpid.socket
.... (omitted below) ....

Example three: Show the network services that are currently started
# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:34796           0.0.0.0:*               LISTEN      987/rpc.statd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      969/rpcbind
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1231/master
tcp        0      0 :::22                   :::*                    LISTEN      1155/sshd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           969/rpcbind
.... (omitted below) ....
The output above is really the effect of -l, because only ports in the LISTEN state are listed.
You can see that many network services are actually available only on this machine's lo interface, so the Internet cannot reach those ports and services. From the data above we can also see that port 111 was started by the program rpcbind; if you want to close this port you can kill PID 969, or use killall to terminate the rpcbind program. This makes it easy to find out which program started which port.

Example four: Observe all network connection states of the machine
# netstat -atunp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      969/rpcbind
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1155/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1231/master
tcp        0        192.168.1.100:22        192.168.1.101:1937      ESTABLISHED 4716/0
.... (omitted below) ....
The fourth row represents an established connection: the remote host 192.168.1.101 connects from a port greater than 1024 to port 22 on the local host 192.168.1.100. Remember: "the client end picks a random port above 1024 to connect", and "only root can start ports below 1024"; now read that line again! If you want to cut off this connection, see the 4716 on the right? kill it!
As for the traditional UNIX socket data, remember to use man netstat to look it up! A UNIX socket is usually a socket file open only to programs running on this machine, such as X Window. So why start a network port when you can use a UNIX socket? Besides, a network server such as postfix does many of its operations on the local machine, so it occupies a lot of UNIX sockets!

--------------------------------------------------------------------------------

TCP Connection Status (a snapshot of the counts from item 8):

TIME_WAIT 8947
FIN_WAIT1 15
FIN_WAIT2 1
ESTABLISHED 55
SYN_RECV 21
CLOSING 2
LAST_ACK 4
TCP connection states in detail
LISTEN: Listening for connection requests from a remote TCP port
SYN-SENT: Waiting for a matching connection request after sending a connection request
SYN-RECEIVED: Waiting for confirmation of the connection request after receiving and sending a connection request
ESTABLISHED: Represents an open connection
FIN-WAIT-1: Waiting for a connection termination request from the remote TCP, or for acknowledgement of the termination request previously sent
FIN-WAIT-2: Waiting for a connection termination request from the remote TCP
CLOSE-WAIT: Waiting for a connection termination request from the local user
CLOSING: Waiting for the remote TCP to acknowledge the connection termination
LAST-ACK: Waiting for acknowledgement of the connection termination request previously sent to the remote TCP
TIME-WAIT: Waiting long enough to ensure that the remote TCP received the acknowledgement of its connection termination request
CLOSED: No connection

TCP state transition diagram:
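The diagram itself is not reproduced on this page. As an added example (not from the page), the table below encodes the same state machine in Python, using the state names netstat prints, and walks an active close and a passive close to show which side ends up parked in TIME_WAIT, which is why that state dominates the snapshot above.

```python
"""Model of the TCP state transitions behind the netstat states listed above
(RFC 793 state machine). Added example, not from the page."""

# (state, event) -> next state. Events are user calls or received segments.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",          # sends SYN
    ("LISTEN", "rcv_syn"): "SYN_RECV",              # sends SYN+ACK
    ("SYN_SENT", "rcv_syn_ack"): "ESTABLISHED",     # sends ACK
    ("SYN_SENT", "rcv_syn"): "SYN_RECV",            # simultaneous open
    ("SYN_RECV", "rcv_ack"): "ESTABLISHED",
    ("ESTABLISHED", "close"): "FIN_WAIT1",          # active close, sends FIN
    ("ESTABLISHED", "rcv_fin"): "CLOSE_WAIT",       # passive close, sends ACK
    ("FIN_WAIT1", "rcv_ack"): "FIN_WAIT2",
    ("FIN_WAIT1", "rcv_fin"): "CLOSING",            # simultaneous close
    ("FIN_WAIT1", "rcv_fin_ack"): "TIME_WAIT",
    ("FIN_WAIT2", "rcv_fin"): "TIME_WAIT",          # sends ACK
    ("CLOSING", "rcv_ack"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",            # sends FIN
    ("LAST_ACK", "rcv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout_2msl"): "CLOSED",
}

def run(events, start="CLOSED"):
    """Apply events in order and return the list of states visited.
    Raises ValueError on an event the current state does not accept."""
    path = [start]
    for ev in events:
        key = (path[-1], ev)
        if key not in TRANSITIONS:
            raise ValueError(f"no transition from {path[-1]} on {ev}")
        path.append(TRANSITIONS[key])
    return path

# Side that connects and closes first: it is the one that waits out 2MSL.
ACTIVE_CLOSE = ["active_open", "rcv_syn_ack", "close",
                "rcv_ack", "rcv_fin", "timeout_2msl"]
# Side that accepts and closes only after the peer's FIN: no TIME_WAIT.
PASSIVE_CLOSE = ["passive_open", "rcv_syn", "rcv_ack",
                 "rcv_fin", "close", "rcv_ack"]

if __name__ == "__main__":
    print(" -> ".join(run(ACTIVE_CLOSE)))
    print(" -> ".join(run(PASSIVE_CLOSE)))
```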

