Some notes on using netstat and lsof on macOS

Source: Internet
Author: User
Tags ack apm macbook

[-= blog Directory =-]
    • 1-Related instructions
      • 1.1-Blog Introduction
      • 1.2-netstat and lsof
    • 2-Learning process
      • 2.1-netstat
      • 2.2-lsof
      • 2.3-netstat and lsof: differences and how they fit together
    • 3-References
1-Related instructions

1.1-Blog Introduction

This post describes how netstat and lsof are used on macOS and what each of them is for.

1.2-netstat and lsof

netstat

The netstat command displays network-related information: active network connections, routing tables, interface statistics, multicast memberships, and so on. (The "masquerade connections" item that appears in many netstat write-ups is a Linux net-tools feature and does not exist in the macOS netstat.)

lsof

lsof (list open files) lists the files that processes on the system currently have open; on a Unix system that includes sockets, pipes and devices, not only files on disk. Typing lsof in a terminal prints every open file it can see. Because lsof reads kernel memory and the per-process tables of every process, it must be run as root to show everything; without root it only reports files opened by processes belonging to the invoking user.


2-Learning process

2.1-netstat

Run the common form netstat -a and output like the following appears:

    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  localhost.53617        tg-in-f138.1e100.https SYN_SENT
    tcp4       0      0  localhost.53616        tg-in-f138.1e100.https SYN_SENT
    tcp4       0      0  localhost.53615        tg-in-f101.1e100.https SYN_SENT

netstat shows the network state of the machine; the options below select what is printed.
The main options:
-a (all) shows all sockets, including listening ones, which are left out by default
-n shows numeric addresses and ports instead of resolving them to names (faster, and it generates no DNS traffic while you are investigating)
-b shows the number of bytes in and out (used together with the interface display, -i)
-s shows statistics per protocol
-w wait repeats the display every wait seconds
More detail is in man netstat; it is not all listed here (too much to write out).
Hint: LISTEN sockets are only shown when -a is given.
Note: macOS ships the BSD netstat, whose options differ from the Linux net-tools netstat, so do not carry Linux invocations over unchecked. The most common trap is -p: on Linux it prints the PID and program name of each socket, on macOS it selects a protocol (netstat -p tcp), and nothing in the macOS netstat output tells you which process owns a socket.

As an example, netstat -f address_family restricts the output to one address family. The form used most often is netstat -f inet, which lists the IPv4 TCP and UDP sockets, since almost everything a machine does on the Internet goes through those two protocols:

    Active Internet connections
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
    tcp4       0      0  172.30.3.1.56841       ti-in-f102.1e100.https SYN_SENT
    tcp4       0      0  172.30.3.1.56840       ti-in-f102.1e100.https SYN_SENT
    tcp4       0      0  172.30.3.1.56839       hkg07s24-in-f10..https SYN_SENT
    tcp4       0      0  172.30.3.1.56838       ti-in-f113.1e100.https SYN_SENT
    udp4       0      0  *.65444                *.*
    udp4       0      0  *.52623                *.*
    udp4       0      0  *.59390                *.*
    udp4       0      0  *.63755                *.*

Note the address format: the port is appended to the host with a dot, so 172.30.3.1.56841 is host 172.30.3.1, port 56841, and *.65444 is a UDP socket bound to all addresses on port 65444.

The address_family argument of -f is described in man netstat as:

    -f address_family
            Limit statistics or address control block reports to those of the specified address family.
            The following address families are recognized: inet, for AF_INET, inet6, for AF_INET6 and
            unix, for AF_UNIX.

A refresher on the values shown in the (state) column (the short definition in parentheses first, then what it means in practice):

  • LISTEN: (Listening for a connection.) Waiting for a connection request from any remote TCP.

  • SYN_SENT: (Active; sent SYN.) The local side has sent a connection request (SYN) and is waiting for the matching SYN/ACK. A socket that stays here means the peer never answered: it is down, filtered, or unreachable.

  • SYN_RECEIVED: (Sent and received SYN.) Both sides have sent a SYN; waiting for the final ACK that completes the three-way handshake.

  • ESTABLISHED: (Connection established.) An open connection; data can flow in both directions.

  • FIN_WAIT_1: (Closed; sent FIN.) The local side has closed and sent its FIN; waiting either for the remote side's FIN or for the acknowledgement of the FIN just sent.

  • FIN_WAIT_2: (Closed; FIN acknowledged; awaiting FIN.) The local FIN has been acknowledged; waiting for the remote side to send its FIN.

  • CLOSE_WAIT: (Received FIN; waiting for close.) The remote side has closed; waiting for the local application to close its end of the socket. Many sockets stuck in CLOSE_WAIT point at an application that never closes connections it is done with.

  • CLOSING: (Closed; exchanged FIN; waiting for FIN ACK.) Both sides sent a FIN at about the same time; waiting for the acknowledgement of the local FIN.

  • LAST_ACK: (Received FIN and closed; waiting for FIN ACK.) The remote side closed first, the local side has now sent its own FIN and is waiting for it to be acknowledged.

  • TIME_WAIT: (In 2*MSL quiet wait after close.) Waiting twice the maximum segment lifetime (MSL) so that the remote side is sure to have received the acknowledgement of its FIN and any stray segments from this connection have expired before the port is reused.

  • CLOSED: (Connection is closed.) No connection at all.
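As an added example (not code from the original post), the following Python script parses the netstat -an -f inet output format shown above and summarises it the way a first triage pass would: a count per TCP state, foreign hosts with several half-open (SYN_SENT) connections, and LISTEN sockets bound to all interfaces rather than to localhost. The sample output embedded in the script is constructed in the style of the listings above (the addresses are made up); the script name and the pipeline in its docstring are assumptions for illustration.

```python
"""Parse macOS `netstat -an -f inet` output and summarise it by TCP state.

Added example, not code from the original post. The sample below is
constructed in the format netstat prints; on a real machine feed it with:
    netstat -an -f inet | python3 netstat_summary.py
(the script name is an assumption).
"""
import sys
from collections import Counter, defaultdict

# Constructed sample in the layout of `netstat -an -f inet`: numeric
# addresses, and the port appended to the host after the LAST dot.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  172.30.3.1.56841       198.51.100.7.443       SYN_SENT
tcp4       0      0  172.30.3.1.56840       198.51.100.7.443       SYN_SENT
tcp4       0      0  172.30.3.1.56839       198.51.100.7.443       SYN_SENT
tcp4       0      0  192.168.43.135.55147   50.17.234.140.443      ESTABLISHED
tcp4       0      0  127.0.0.1.30100        *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.65444                *.*
udp4       0      0  *.52623                *.*
"""


def split_addr(addr):
    """Split 'host.port' on the last dot: '172.30.3.1.443' -> ('172.30.3.1', '443')."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line. UDP lines have no state column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner, the header row and anything that is not a socket line.
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, recvq, sendq, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        rows.append({
            "proto": proto, "recvq": int(recvq), "sendq": int(sendq),
            "lhost": lhost, "lport": lport, "fhost": fhost, "fport": fport,
            "state": state,
        })
    return rows


def state_counts(rows):
    """Counter of TCP states, e.g. {'SYN_SENT': 3, 'LISTEN': 2, 'ESTABLISHED': 1}."""
    return Counter(r["state"] for r in rows if r["proto"].startswith("tcp"))


def half_open_by_peer(rows, threshold=3):
    """Foreign hosts with at least `threshold` sockets stuck in SYN_SENT.

    Several simultaneous SYN_SENT to one peer means the peer is not answering
    (down, filtered) or something local keeps retrying it; either way it is
    the first thing to look at when hunting for beaconing or a scanner.
    """
    per_peer = defaultdict(int)
    for r in rows:
        if r["state"] == "SYN_SENT":
            per_peer[r["fhost"]] += 1
    return {host: n for host, n in per_peer.items() if n >= threshold}


def exposed_listeners(rows):
    """Ports of LISTEN sockets bound to every address ('*' or 0.0.0.0),
    i.e. reachable from the network, not only from this machine."""
    return sorted(
        r["lport"] for r in rows
        if r["state"] == "LISTEN" and r["lhost"] in ("*", "0.0.0.0")
    )


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_netstat(text)
    print("states:", dict(state_counts(parsed)))
    print("peers with >=3 half-open connections:", half_open_by_peer(parsed))
    print("listeners on all interfaces:", exposed_listeners(parsed))
```

Run it without input and it summarises the embedded sample; pipe real netstat output into it and it summarises that instead. Always use -n for this kind of parsing: without it netstat resolves hosts and ports to names, the lookups are slow, and a resolved name like hkg07s24-in-f10..https contains dots that break the "port after the last dot" rule.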


2.2-lsof

Run lsof with no arguments and output like the following is produced:

    COMMAND   PID USER   FD    TYPE             DEVICE SIZE/OFF NODE NAME
    ... (omitted)
    atom    65310  mac   19u KQUEUE                                  count=0, state=0xa
    atom    65310  mac       NPOLICY
    atom    65310  mac         PIPE 0x929a75eee67536e9    16384      ->0x929a75eee67528a9
    atom    65310  mac         PIPE 0x929a75eee67528a9    16384      ->0x929a75eee67536e9
    atom    65310  mac         PIPE 0x929a75eee67527e9    16384      ->0x929a75eee6752669
    atom    65310  mac         PIPE 0x929a75eee6752669    16384      ->0x929a75eee67527e9
    atom    65310  mac         PIPE 0x929a75eee6753c29    16384      ->0x929a75eee6750fe9
    atom    65310  mac         PIPE 0x929a75eee6750fe9    16384      ->0x929a75eee6753c29
    atom    65310  mac   27u KQUEUE                                  count=0, state=0x8
    (the FD numbers of the NPOLICY and PIPE rows were lost when the post was copied)

The meaning of each column:

    • COMMAND: name of the process (lsof truncates it to nine characters by default; +c 0 prints the full name)
    • PID: process identifier
    • USER: the user the process runs as
    • FD: the file descriptor number, suffixed with its access mode (r read, w write, u read and write), or a special name such as cwd (current working directory), txt (program text: the executable and its libraries) or rtd (root directory)
    • TYPE: the kind of file, such as DIR, REG (regular file), IPv4/IPv6 (network sockets), PIPE, KQUEUE
    • DEVICE: the major,minor device numbers of the device holding the file; for sockets and pipes a kernel address instead
    • SIZE/OFF: the size of the file or the current file offset
    • NODE: the inode number (the identity of the file on disk); for network sockets the protocol (TCP, UDP)
    • NAME: the full path of the file; for network sockets the local and remote endpoints and the connection state

Several common operations

  1. Use lsof -i :[port] to see which connections are using a port:

    blackay-macbook-air:~ mac$ lsof -i :443
    COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    node    24659  mac   38u  IPv4 0x929a75eee50611b1      0t0  TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)
    node    33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->ec2-50-17-234-140.compute-1.amazonaws.com:https (ESTABLISHED)
    node    40504  mac   23u  IPv4 0x929a75eeed976ef1      0t0  TCP 172.30.3.1:62175->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
    node    40504  mac   36u  IPv4 0x929a75eee94fa851      0t0  TCP 172.30.3.1:62180->ec2-50-19-252-69.compute-1.amazonaws.com:https (ESTABLISHED)
    node    41729  mac   30u  IPv4 0x929a75eeead5eb11      0t0  TCP 192.168.43.135:64612->ec2-50-16-232-79.compute-1.amazonaws.com:https (ESTABLISHED)
    Google  48559  mac   19u  IPv4 0x929a75eee9c25b11      0t0  TCP 172.30.3.1:56594->ti-in-f100.1e100.net:https (SYN_SENT)
    Google  48559  mac   81u  IPv4 0x929a75eee9d87b11      0t0  TCP 172.30.3.1:56598->ti-in-f113.1e100.net:https (SYN_SENT)
  2. Use sudo lsof -nP -iTCP -sTCP:LISTEN to see which programs are listening on TCP ports (-n and -P skip host and port name lookups, -iTCP restricts the output to TCP sockets, -sTCP:LISTEN to those in the LISTEN state; sudo so that other users' processes are included):

    macbook-air:~ mac$ sudo lsof -nP -iTCP -sTCP:LISTEN
    COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    qqmacmgrm       mac    3u  IPv4 0x929a75eee5126851      0t0  TCP 127.0.0.1:50154 (LISTEN)
    qqmacmgrm       mac   10u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
    qqmacmgrm       mac   32u  IPv4 0x929a75eee5568851      0t0  TCP 127.0.0.1:30100 (LISTEN)
    adobe\x20   663  mac    8u  IPv4 0x929a75eee5799591      0t0  TCP 127.0.0.1:15292 (LISTEN)
    (the PID column of the qqmacmgrm rows was lost when the post was copied)

    All four listeners here are bound to 127.0.0.1, so they can only be reached from this machine. A listener shown as *:port or 0.0.0.0:port accepts connections from the network, and those are the ones to account for first.
  3. Use lsof -p [pid] to list every file the program with that PID has open, including its executable, libraries, working directory and sockets:

    MacBook-Air:~ mac$ lsof -p 59037
    COMMAND   PID USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
    QQ      59037  mac  cwd       DIR                1,4        384     915270 /Users/mac/Library/Containers/com.tencent.qq/Data
    QQ      59037  mac  txt       REG                1,4   39443376 8594340462 /Applications/QQ.app/Contents/MacOS/QQ
    QQ      59037  mac  txt       REG                1,4     585744 8594339489 /Applications/QQ.app/Contents/Frameworks/FTMiniNN.framework/Versions/A/FTMiniNN
    QQ      59037  mac  txt       RE
    (output truncated in the original post)

    PS: the PID (process identifier) is the number the operating system assigns to a process. Every program that is started gets a process, and the process gets a PID as soon as it runs. The PID stays with that process for as long as it runs and is only temporarily unique: once the process exits, the number is released and may later be assigned to a new process. Starting another program simply gets another PID.


2.3-netstat and lsof: differences and how they fit together

netstat has no permission restriction: any user sees every socket on the machine, but the macOS netstat never says which process owns a socket.
lsof is permission-restricted: without root a user only sees their own processes, but lsof shows the PID and user of each open socket, so it can tell you which process holds a port.

The two may look like they overlap a lot, but the difference is large and some of their functions are complementary; used together they cover almost everything. The main reason I use lsof is that when netstat shows a network connection, there is no name of the program using the port and nothing else about it, so lsof fills that gap.
How does that work in practice? Say I find a connection on local port 55147 with netstat:

    Proto Recv-Q Send-Q  Local Address          Foreign Address
    tcp4       0      0  192.168.43.135.55147   50.17.234.140.443

To find out which program is using port 55147, I use lsof -i :55147 (add -nP to skip name lookups). In the author's case it was a node process:

    COMMAND   PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
    node    24659  mac   38u  IPv4 0x929a75eee50611b1      0t0  TCP 172.30.3.1:60430->ec2-50-16-240-181.compute-1.amazonaws.com:https (ESTABLISHED)

Having found the program and its PID, I can go further and see which of my files it has open with lsof -p [PID]:

    COMMAND   PID USER   FD      TYPE             DEVICE   SIZE/OFF       NODE NAME
    node    24659  mac  cwd       DIR                1,4       1120          2 /
    node    24659  mac  txt       REG                1,4   30482564 8597437279 /Applications/Atom.app/Contents/Resources/app/apm/bin/node
    node    24659  mac  txt       REG                1,4    1112560 8597441970 /Applications/Atom.app/Contents/Resources/app/apm/node_modules/git-utils/build/Release/git.node

So what is the point of all this? I was trying to find malicious code or a suspicious program on the computer by monitoring the network, and with these two commands I can pin down each suspicious connection: its state, the process behind it, and the files that process has open. Note that lsof -p only shows the files a process has open right now; a short-lived process, or one that already closed its files, leaves nothing to see, so run the commands while the connection is alive.
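The port-to-process lookup described in this section, and the LISTEN check from section 2.2, can be scripted rather than read off by eye. As an added example (not code from the original post), this Python script parses the output format of sudo lsof -nP -iTCP, returns the command, PID and user holding a given local port, and splits listening sockets into loopback-only and network-reachable ones. The sample lsof lines are constructed in the style of the post's listings (the PIDs, device addresses and the sshd row are made up); the script name and the invocation in its docstring are assumptions.

```python
"""Correlate a port seen in netstat with the owning process via lsof output.

Added example, not code from the original post. It parses the column layout
of `sudo lsof -nP -iTCP` (numeric hosts and ports, TCP sockets only). On a
real machine run, for example:
    sudo lsof -nP -iTCP | python3 port_owner.py 55147
(the script name is an assumption).
"""
import re
import sys

# Constructed sample in the layout of `sudo lsof -nP -iTCP`.
SAMPLE = """\
COMMAND     PID USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
node      33752  mac   38u  IPv4 0x929a75eee74831b1      0t0  TCP 192.168.43.135:55147->50.17.234.140:443 (ESTABLISHED)
node      40504  mac   23u  IPv4 0x929a75eeed976ef1      0t0  TCP 172.30.3.1:62175->50.19.252.69:443 (ESTABLISHED)
qqmacmgrm   402  mac    3u  IPv4 0x929a75eee5126851      0t0  TCP 127.0.0.1:50154 (LISTEN)
adobe\\x20  663  mac    8u  IPv4 0x929a75eee5799591      0t0  TCP 127.0.0.1:15292 (LISTEN)
sshd        118 root    4u  IPv6 0x929a75eee5799000      0t0  TCP *:22 (LISTEN)
"""

# NAME column: "local" or "local->peer", optionally followed by " (STATE)".
# Endpoints are host:port where host is IPv4, [IPv6] or "*".
NAME_RE = re.compile(
    r"^(?P<local>\S+?)(?:->(?P<peer>\S+))?(?:\s+\((?P<state>[A-Z_]+)\))?$"
)


def split_host_port(endpoint):
    """'127.0.0.1:50154' -> ('127.0.0.1', 50154); '[::1]:22' -> ('[::1]', 22).
    Without -P lsof prints service names (https); those are kept as strings."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else port


def parse_lsof(text):
    """One dict per TCP socket line of `lsof -nP -iTCP` output."""
    rows = []
    for line in text.splitlines():
        # NAME is the 9th column and contains a space before "(STATE)".
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[0] == "COMMAND" or fields[7] != "TCP":
            continue
        m = NAME_RE.match(fields[8])
        if not m:
            continue
        lhost, lport = split_host_port(m.group("local"))
        rows.append({
            "command": fields[0], "pid": int(fields[1]), "user": fields[2],
            "fd": fields[3], "lhost": lhost, "lport": lport,
            "peer": m.group("peer"), "state": m.group("state") or "",
        })
    return rows


def owner_of_port(rows, port):
    """(command, pid, user) of the process holding the local port, or None."""
    for r in rows:
        if r["lport"] == port:
            return r["command"], r["pid"], r["user"]
    return None


def listener_audit(rows):
    """Split LISTEN sockets into loopback-only and network-reachable ones."""
    loopback, exposed = [], []
    for r in rows:
        if r["state"] != "LISTEN":
            continue
        entry = (r["command"], r["pid"], r["lhost"], r["lport"])
        if r["lhost"] in ("127.0.0.1", "[::1]", "localhost"):
            loopback.append(entry)
        else:
            exposed.append(entry)  # "*", "0.0.0.0", "[::]" or an interface address
    return {"loopback": loopback, "exposed": exposed}


def next_command(pid):
    """The follow-up the post recommends once the PID is known: list every
    file the process has open (binary, cwd, libraries, other sockets)."""
    return ["lsof", "-nP", "-p", str(pid)]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    rows = parse_lsof(text)
    if len(sys.argv) > 1:
        port = int(sys.argv[1])
        owner = owner_of_port(rows, port)
        print(f"port {port}:", owner,
              "-> " + " ".join(next_command(owner[1])) if owner else "not found")
    print(listener_audit(rows))
```

Two details worth keeping in mind: lsof escapes spaces in command names (adobe\x20 above), so the COMMAND column is always a single token, and without sudo the listing only contains the invoking user's processes, so a port "not found" by this script may simply belong to another user's process.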


3-References

More than 30 blog posts were consulted; the most useful ones are listed here.

    • Mac OS X: viewing network port status
    • PID
    • Detailed usage of the lsof command (original)
    • Using lsof to find the process number behind a port
    • Viewing the program that occupies a port
    • Differences between netstat and lsof for viewing ports
    • Usage and differences of netstat and lsof
    • How to view the LISTEN state with netstat on Mac OS
    • Analysis of netstat states
    • netstat on Mac
    • Querying network port usage with Mac OS/Linux commands
