[-= Blog Directory =-]
- 1-Related instructions
- 1.1-Blog introduction
- 1.2-netstat and lsof
- 2-Learning process
- 2.1-netstat
- 2.2-lsof
- 2.3-netstat and lsof: differences and associations
1-Related instructions

1.1-Blog introduction
This post describes how netstat and lsof are used on macOS and what each of them is for.

1.2-netstat and lsof
netstat
The netstat command displays network-related information: active network connections, routing tables, interface statistics, masqueraded connections, multicast memberships, and so on.
lsof
lsof (list open files) lists the files the system currently has open, which on a Unix system includes sockets, pipes and devices as well as regular files. Typing lsof in a terminal prints everything open that you are allowed to see; because lsof has to read kernel memory and files belonging to every user, it must be run as root (sudo lsof) to see all processes rather than only your own.
2-Learning process

2.1-netstat
Run the common form netstat -a and output like the following appears:

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  localhost.53617        tg-in-f138.1e100.https SYN_SENT
tcp4       0      0  localhost.53616        tg-in-f138.1e100.https SYN_SENT
tcp4       0      0  localhost.53615        tg-in-f101.1e100.https SYN_SENT
netstat shows the network state of the machine; the options below control what is printed.
The main options are:
-a (all): show all sockets, including listening ones, which are omitted by default
-n: do not resolve names; print addresses and port numbers numerically
-b: together with the interface display (-i), show the number of bytes in and out
-s: show statistics for each protocol
-w wait: repeat the display every wait seconds
For the full list refer to man netstat; it is not reproduced here.
Hint: sockets in the LISTEN state are only shown when -a is given.
Note: macOS ships the BSD netstat, whose options differ from the Linux (net-tools) netstat, so do not carry a Linux invocation over to a Mac unchanged. For example, -p on Linux adds the owning PID and program name, while on macOS -p selects a protocol (netstat -p tcp); on macOS the PID behind a socket is obtained with lsof instead.
As an example, to list the TCP and UDP sockets of one address family use netstat -f address_family. The most common form is netstat -f inet, because ordinary Internet use goes through these two protocols over IPv4:

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  172.30.3.1.56841       ti-in-f102.1e100.https SYN_SENT
tcp4       0      0  172.30.3.1.56840       ti-in-f102.1e100.https SYN_SENT
tcp4       0      0  172.30.3.1.56839       hkg07s24-in-f10..https SYN_SENT
tcp4       0      0  172.30.3.1.56838       ti-in-f113.1e100.https SYN_SENT
udp4       0      0  *.65444                *.*
udp4       0      0  *.52623                *.*
udp4       0      0  *.59390                *.*
udp4       0      0  *.63755                *.*

The address_family argument of -f is described in the man page as:
-f address_family Limit statistics or address control block reports to those of the specified address family. The following address families are recognized: inet, for AF_INET, inet6, for AF_INET6 and unix, for AF_UNIX.
A review of the TCP connection states shown in the (state) column, with the kernel's own short definitions in parentheses:
LISTEN: (Listening for a connection.) Waiting for a connection request from any remote TCP and port.
SYN_SENT: (Active; sent SYN. Waiting for a matching connection request after having sent a connection request.) Our SYN has gone out and we are waiting for the peer's SYN-ACK.
SYN_RECEIVED: (Sent and received SYN. Waiting for a confirming connection request acknowledgment after having both received and sent connection requests.) A SYN was received and a SYN-ACK sent; waiting for the final ACK of the handshake.
ESTABLISHED: (Connection established.) An open connection; data can flow in both directions.
FIN_WAIT_1: (Closed; sent FIN.) Waiting for a connection termination request from the remote TCP, or for the acknowledgment of the termination request we already sent.
FIN_WAIT_2: (Closed; FIN is acknowledged; awaiting FIN.) Waiting for a connection termination request from the remote TCP.
CLOSE_WAIT: (Received FIN; waiting to receive CLOSE.) The peer has closed; waiting for the local application to close its end.
CLOSING: (Closed; exchanged FIN; waiting for FIN ACK.) Waiting for the remote TCP to acknowledge our termination request.
LAST_ACK: (Received FIN and CLOSE; waiting for FIN ACK.) Waiting for the acknowledgment of the termination request already sent to the remote TCP.
TIME_WAIT: (In 2 MSL (twice the maximum segment lifetime) quiet wait after close.) Waiting long enough to be sure the remote TCP received the acknowledgment of its termination request.
CLOSED: (Connection is closed.) No connection state at all.
Two of these are worth watching in listings like the ones above: connections that stay in SYN_SENT have sent a SYN and received no SYN-ACK, which is what an unreachable or filtered destination looks like from the client side, and a growing pile of CLOSE_WAIT means the peer has hung up but the local program never called close(), i.e. that program is leaking sockets.
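The state table above is what you end up scanning for by eye in a long netstat listing. The shell script below is an added example, not code from the original post: it reads macOS netstat -an -f inet output on stdin, counts connections per TCP state, and reports remote hosts that have several connections stuck in SYN_SENT. The listing embedded in it is a constructed sample in netstat's column layout (private and RFC 5737 documentation addresses), not a capture from a real machine.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the (state) column of
# macOS "netstat -an -f inet" output and flag remote hosts with several
# connections stuck in SYN_SENT, i.e. handshakes that never got a SYN-ACK.

# Read netstat output on stdin; print "STATE count" per TCP state, busiest first.
# UDP lines have no state column (NF < 6) and are skipped, as are the headers.
tcp_state_counts() {
  awk '$1 ~ /^tcp/ && NF >= 6 { count[$6]++ }
       END { for (s in count) print s, count[s] }' | sort -k2,2nr -k1,1
}

# Read netstat output on stdin; print "host count" for each foreign host with at
# least $1 (default 3) connections in SYN_SENT. macOS joins host and port with a
# dot (203.0.113.10.443), so the port is the last dot-separated piece.
stuck_syn_hosts() {
  awk -v min="${1:-3}" '
    $1 ~ /^tcp/ && $6 == "SYN_SENT" { host = $5; sub(/\.[^.]*$/, "", host); stuck[host]++ }
    END { for (h in stuck) if (stuck[h] >= min) print h, stuck[h] }' | sort
}

# Constructed sample in the layout netstat -an -f inet prints on macOS; the
# addresses are private (10/8) and documentation (RFC 5737) ranges, not a capture.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.0.0.5.56841         203.0.113.10.443       SYN_SENT
tcp4       0      0  10.0.0.5.56840         203.0.113.10.443       SYN_SENT
tcp4       0      0  10.0.0.5.56839         203.0.113.10.443       SYN_SENT
tcp4       0      0  10.0.0.5.55147         198.51.100.7.443       ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.65444                *.*'

printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts     # SYN_SENT 3 / ESTABLISHED 1 / LISTEN 1
printf '%s\n' "$SAMPLE_NETSTAT" | stuck_syn_hosts 3    # 203.0.113.10 3
# On a real Mac: netstat -an -f inet | tcp_state_counts
```

The -n is what makes the host column parseable: without it netstat truncates resolved names to fit the column (compare the hkg07s24-in-f10.. entry above), and the same remote host can then appear under several spellings.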
2.2-lsof
Run lsof directly and output like the following appears:

COMMAND   PID USER   FD     TYPE             DEVICE SIZE/OFF NODE NAME
... (omitted)
Atom    65310  mac   19u  KQUEUE                                  count=0, state=0xa
Atom    65310  mac   20   NPOLICY
Atom    65310  mac        PIPE 0x929a75eee67536e9    16384          ->0x929a75eee67528a9
Atom    65310  mac        PIPE 0x929a75eee67528a9    16384          ->0x929a75eee67536e9
Atom    65310  mac        PIPE 0x929a75eee67527e9    16384          ->0x929a75eee6752669
Atom    65310  mac        PIPE 0x929a75eee6752669    16384          ->0x929a75eee67527e9
Atom    65310  mac        PIPE 0x929a75eee6753c29    16384          ->0x929a75eee6750fe9
Atom    65310  mac        PIPE 0x929a75eee6750fe9    16384          ->0x929a75eee6753c29
Atom    65310  mac   27u  KQUEUE                                  count=0, state=0x8
The fields are:
- COMMAND: name of the process
- PID: process identifier
- USER: owner of the process
- FD: the file descriptor through which the process refers to the file, or a special value such as cwd (current working directory) and txt (program text: the executable and the libraries mapped into it); a trailing u, r or w marks read-write, read-only or write-only access
- TYPE: type of the file, such as DIR, REG, PIPE or IPv4 (a socket)
- DEVICE: device numbers (major,minor) of the disk holding the file, or a kernel address for sockets and pipes
- SIZE/OFF: size of the file, or the current offset
- NODE: the inode number (the file's identity on disk); for sockets, the protocol, e.g. TCP
- NAME: the path of the file, or for a socket its local and remote endpoints
Several common operations

Use lsof -i :[port] to see what is currently using a port:

blackay-macbook-air:~ mac$ lsof -i :443
COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node    24659  mac   38u  IPv4 0x929a75eee50611b1      0t0  TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)
node    33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->ec2-50-17-234-140.compute-1.amazonaws.com:https (ESTABLISHED)
node    40504  mac   23u  IPv4 0x929a75eeed976ef1      0t0  TCP 172.30.3.1:62175->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
node    40504  mac   36u  IPv4 0x929a75eee94fa851      0t0  TCP 172.30.3.1:62180->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
node    41729  mac   30u  IPv4 0x929a75eeead5eb11      0t0  TCP 192.168.43.135:64612->ec2-50-16-232-79.compute-1.amazonaws.com:https (ESTABLISHED)
Google  48559  mac   19u  IPv4 0x929a75eee9c25b11      0t0  TCP 172.30.3.1:56594->ti-in-f100.1e100.net:https (SYN_SENT)
Google  48559  mac   81u  IPv4 0x929a75eee9d87b11      0t0  TCP 172.30.3.1:56598->ti-in-f113.1e100.net:https (SYN_SENT)

Use sudo lsof -nP -iTCP -sTCP:LISTEN to view the programs listening on ports (-n and -P skip host and port name lookups, -iTCP selects TCP sockets, and -sTCP:LISTEN keeps only those in the LISTEN state; sudo is needed to see other users' processes):

macbook-air:~ mac$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
qqmacmgrm       mac    3u  IPv4 0x929a75eee5126851      0t0  TCP 127.0.0.1:50154 (LISTEN)
qqmacmgrm       mac   10u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
qqmacmgrm       mac   32u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
adobe\x20   663 mac    8u  IPv4 0x929a75eee5799591      0t0  TCP 127.0.0.1:15292 (LISTEN)

Use lsof -p [pid] to list every file opened by that process:

MacBook-Air:~ mac$ lsof -p 59037
COMMAND   PID USER   FD   TYPE DEVICE  SIZE/OFF       NODE NAME
QQ      59037  mac  cwd   DIR    1,4       384     915270 /Users/mac/Library/Containers/com.tencent.qq/Data
QQ      59037  mac  txt   REG    1,4  39443376 8594340462 /Applications/QQ.app/Contents/MacOS/QQ
QQ      59037  mac  txt   REG    1,4    585744 8594339489 /Applications/QQ.app/Contents/Frameworks/FTMiniNN.framework/Versions/A/FTMiniNN
QQ      59037  mac  txt   RE
PS: a PID (process identifier) is the number the operating system assigns to identify a process. Every program started on the system gets a process with its own PID, assigned automatically the moment it runs. The PID is only temporarily unique: it belongs to that program for as long as the process is running, but once the process exits the number is recycled and may be given to a new process, so a PID noted earlier should be checked against COMMAND before acting on it.
2.3-netstat and lsof: differences and associations
netstat has no permission control: any user sees every socket on the machine. lsof respects permissions: without root it lists only the current user's processes.
lsof shows the PID and the user, so it can tell which process holds a port.
Some people may feel the two tools overlap a lot. In fact the differences are large, and several of their functions are complementary, so used together they cover each other's gaps. The main reason I use lsof is that when netstat shows a connection, it gives no name or other details of the program using that port; lsof makes up for that.
How does that work in practice? For example, netstat shows a connection using local port 55147:

Proto Recv-Q Send-Q  Local Address          Foreign Address
tcp4       0      0  192.168.43.135.55147   50.17.234.140.443

To find the program holding port 55147, use lsof -i :55147:

COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node    24659  mac   38u  IPv4 0x929a75eee50611b1      0t0  TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)

Having found the program and its PID, I can even see which files it has touched with lsof -p [PID]:

COMMAND   PID USER   FD   TYPE DEVICE  SIZE/OFF       NODE NAME
node    24659  mac  cwd   DIR    1,4      1120          2 /
node    24659  mac  txt   REG    1,4  30482564 8597437279 /Applications/Atom.app/Contents/Resources/app/apm/bin/node
node    24659  mac  txt   REG    1,4   1112560 8597441970 /Applications/Atom.app/Contents/Resources/app/apm/node_modules/git-utils/build/Release/git.node

So what is the point of all this? The point is that I was analysing the computer for malicious code, or for a program that was running, through network monitoring; with these two commands I can pin down the state of every suspicious connection and the process behind it.
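The netstat-to-lsof chase described in this section can be scripted. The script below is an added example written for this post, not the author's code: it uses lsof's machine-readable -F output (one field per line, tagged by its first character: p for PID, c for command, f for file descriptor, n for name), parses it with awk, and ties a local port to the owning PID and then to the executables and libraries that process has mapped. The two lsof listings embedded in it are constructed samples, not captures, and inspect_port is the hypothetical live wrapper for macOS.

```shell
#!/bin/sh
# Added example (not the original author's code): walk the netstat -> lsof
# chain from the text using lsof's -F output. Each field sits on its own line,
# tagged by its first character: p = PID, c = command, f = file descriptor,
# n = name. That is stable across lsof versions and survives paths containing
# spaces, unlike cutting columns out of the human-readable listing.

# Read "lsof -nP -iTCP -Fpcn" output on stdin; print "PID COMMAND" for each
# socket whose LOCAL endpoint uses the given port. lsof -i :PORT matches either
# end of a connection, so a port such as 443 would otherwise match every client.
lsof_port_owner() {
  awk -v port="$1" '
    /^p/ { pid = substr($0, 2) }
    /^c/ { cmd = substr($0, 2) }
    /^n/ {
      name = substr($0, 2)          # e.g. 10.0.0.5:55147->198.51.100.7:443
      sub(/->.*$/, "", name)        # keep the local side only
      n = split(name, part, ":")    # the last ":"-separated piece is the port
      if (part[n] == port) print pid, cmd
    }'
}

# Read "lsof -p PID -Fn" output on stdin; print the NAME of every txt entry,
# i.e. the executable and the libraries the process has mapped.
lsof_txt_paths() {
  awk '
    /^f/ { fd = substr($0, 2) }
    /^n/ { if (fd == "txt") print substr($0, 2) }'
}

# Hypothetical live wrapper for macOS: local port -> owner -> mapped code.
# Run it under sudo; without root lsof lists only your own processes.
inspect_port() {
  port="$1"
  lsof -nP -iTCP:"$port" -Fpcn | lsof_port_owner "$port" | while read -r pid cmd; do
    printf 'local port %s is held by %s (pid %s); mapped executables:\n' "$port" "$cmd" "$pid"
    lsof -p "$pid" -Fn | lsof_txt_paths
  done
}

# Constructed samples (not real captures) in the shape of the two lsof queries.
SAMPLE_LSOF_NET='p24659
cnode
f38u
n10.0.0.5:60430->198.51.100.7:443
p33752
cnode
f38u
n10.0.0.5:55147->198.51.100.7:443
p48559
cfirefox
f19u
n10.0.0.5:56594->203.0.113.10:443'

SAMPLE_LSOF_FILES='p33752
fcwd
n/
ftxt
n/Applications/Atom.app/Contents/Resources/app/apm/bin/node
ftxt
n/Applications/Atom.app/Contents/Resources/app/apm/node_modules/git-utils/build/Release/git.node
f3u
n/dev/null'

printf '%s\n' "$SAMPLE_LSOF_NET" | lsof_port_owner 55147      # 33752 node
printf '%s\n' "$SAMPLE_LSOF_FILES" | lsof_txt_paths           # the two txt paths
```

Two points that matter when the goal is spotting something malicious: filter on the local side of the socket, because the remote port tells you nothing about which of your processes initiated the connection, and re-check the PID against the command name before trusting it, since PIDs are recycled once a process exits.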
Some problems in the use of Netstat and lsof under MacOS