The Netstat of Linux commands

The netstat command is used to display statistics related to IP, TCP, UDP, and ICMP protocols, and is typically used to verify the network connectivity of each port on the machine. Netstat is a program that accesses the network and related information in the kernel, and it provides reports on TCP connections, TCP and UDP snooping, and process memory management.

If your computer sometimes receives datagrams that cause error data or failures, you don't have to be surprised that TCP/IP can tolerate these types of errors and be able to automatically re-send datagrams. But if the cumulative number of errors accounts for a significant percentage of the IP datagram received, or if its number is increasing rapidly, then you should use Netstat to find out why these situations occur.

1. Command format:

Netstat [-accefghilmnnoprstuvvwx][-a< network type >][--IP]

2. Command function:

The netstat is used to display statistics related to IP, TCP, UDP, and ICMP protocols, and is typically used to verify the network connectivity of each port on the machine.

3. Command parameters:

-A or –all shows all sockets in the connection.

-a< network type > or –< network type > lists the relevant addresses in the network type connection.

-C or –continuous continues to list network status.

-C or –cache displays the cache information for the router configuration.

-E or –extend displays other relevant information about the network.

-F or –FIB displays the fib.

-G or –groups displays the multi-broadcast feature group members list.

-h or Help online Help.

-I or –interfaces displays the Web interface information form.

-L or –listening displays the socket of the server in the monitor.

-M or –masquerade displays the spoofed network connection.

-N or –numeric uses the IP address directly, not through the domain name server.

-N or –netlink or –symbolic displays the symbolic connection name of the network hardware peripherals.

-O or –timers displays the timer.

-P or –programs shows the program identification code and program name that are using the socket.

-R or –route displays routing Table.

-S or –statistice displays the statistics of network work information.

-T or –tcp shows the connection status of the TCP transport protocol.

-U or –UDP shows the connection status of the UDP transport protocol.

-V or –verbose shows the instruction execution process.

-V or –version displays version information.

-W or –raw shows the connection status of the raw transport protocol.

-X or –unix the effect of this parameter is the same as specifying the "-A Unix" parameter.

– IP or –inet the effect of this parameter is the same as specifying the "-A inet" parameter.

4. Usage examples:

Example 1: No parameter usage

Command:

Netstat

Output:

[[Email protected] ~]# netstatactive Internet connections (w/o servers) Proto Recv-Q send-Q Local Address Foreign address State TCP0 268 192.168.120.204:ssh 10.2.0.68:62420established UDP0 0 192.168.120.204:4371 10.58.119.119:D Omain established Active UNIX domain sockets (w/o servers) Proto refcnt Flags Type State I-Node Pathunix2 [] Dgram 1491 @/org/kernel/udev/Udevdunix4 [] Dgram 7337/dev/Logunix2 [] Dgram 708823Unix2 [] Dgram 7539Unix3 [] STREAM CONNECTED 7287Unix3 [] STREAM CONNECTED 7286[[Email protected]~]#

Description

As a whole, the output of Netstat can be divided into two parts:

One is the active Internet connections, called the active TCP connection, where "recv-q" and "Send-q" refer to the Receive queue and the send queue. These figures are generally supposed to be 0. If not, it means that the package is accumulating in the queue. This situation can only be seen in very few cases.

The other is the active UNIX domain sockets, known as the active UNIX Domains socket interface (as with network sockets, but only for native communication, which can be increased by one-fold performance).

Proto shows the protocol used by the connection, refcnt represents the process number connected to this set of interfaces, types shows the type of the socket interface, state shows the current status of the socket interface, and path represents the pathname used by other processes connected to the socket.

Set of interface types:

-t:tcp

-u:udp

-raw:raw type

--unix:unix Domain type

--AX25:AX25 type

--IPX:IPX type

--netrom:netrom type

Status Description:

LISTEN: Listening for connection requests from a remote TCP port

Syn-sent: Wait for a matching connection request after the connection request is sent (if there is a large number of such status packs, check if it is a trick)

Syn-received: After receiving and sending a connection request, wait for the other party to confirm the connection request (if there is a large number of this state, estimated to be flood attack)

Established: Represents an open connection

Fin-wait-1: Waiting for a remote TCP connection interrupt request, or confirmation of a previous connection interrupt request

Fin-wait-2: Waiting for connection interrupt request from remote TCP

Close-wait: Waiting for a connection interrupt request from a local user

CLOSING: Waiting for remote TCP to confirm connection interruption

Last-ack: Wait for acknowledgement of the original connection interrupt request to the remote TCP (not a good thing, this item appears, check whether it is attacked)

Time-wait: Wait enough time to ensure that the remote TCP receives a connection interrupt request acknowledgement

CLOSED: No connection status

Example 2: Show current UDP connection status

Command:

Netstat-nu

Output:

[Email protected] ~]# netstat-nuactive Internet Connections (w/o servers) Proto Recv-Q send-Q Local Address Foreign address State UDP0 0:: ffff:192.168.12:53392:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:56723:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:56480:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:58154:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:44227:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:36954:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:53984:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:57703:: ffff:192.168.9.120:10000established UDP0 0:: ffff:192.168.12:53613:: ffff:192.168.9.120:10000established [[email protected]~]#

Example 3: Display of the listening socket interface

Command:

Netstat-l

Output:

[Email protected] ~]# netstat-lactive Internet connections (only servers) Proto Recv-Q send-Q Local Address Foreign address State TCP0 0 Localhost:smux *:*LISTEN TCP0 0 *:SVN *:*LISTEN TCP0 0 *:ssh *:*LISTEN UDP0 0 Localhost:syslog *:*UDP0 0 *:snmp *:*Active UNIX domain sockets (only servers) Proto refcnt Flags Type Stat E I-Node Pathunix2 [ACC] STREAM LISTENING 708833/tmp/ssh-ykndb15725/agent.15725Unix2 [ACC] STREAM LISTENING 7296/var/run/Audispd_events[[email protected]~]#

Example 4: Show all valid connections that have been established

Command:

Netstat-n

Output:

[Email protected] ~]# netstat-nactive Internet Connections (w/o servers) Proto Recv-Q send-Q Local Address Foreign address State TCP0 268 192.168.120.204:22 10.2.0.68:62420established Active UNIX domain sockets (w/o servers) Proto refcnt Flags Type State I-Node Pathunix2 [] Dgram 1491 @/org/kernel/udev/Udevdunix4 [] Dgram 7337/dev/Logunix2 [] Dgram 708823Unix2 [] Dgram 7539Unix3 [] STREAM CONNECTED 7287Unix3 [] STREAM CONNECTED 7286[[Email protected]~]#

Example 5: List all TCP ports

Command:

Netstat-at

Output:

[Email protected] ~]# netstat-atactive Internet connections (servers and established) Proto RECV-Q send-Q Lo Cal address               Foreign address             State      TCP        0      0 Localhost:smux              *:*                         LISTEN      TCP        0      0 *:svn                       *:*                         LISTEN      tcp        0      0 *:ssh                       *:*                          LISTEN      TCP        0    284 192.168.120.204:ssh         10.2.0.68:62420             ~]#

Example 6: Find out which port the program is running on

Command:

Netstat-ap | grep ssh

Output:

[Email protected] ~]# Netstat-ap |grep sshtcp0 0 *:ssh *:* LISTEN 2570/sshd TCP0 0:: Ffff:192.168.120.206:ssh:: ffff:10.2.1.205:54508 established 13883/14TCP0 0:: Ffff:192.168.120.206:ssh:: ffff:10.2.0.68:62886 established 20900/6TCP0 0:: Ffff:192.168.120.206:ssh:: ffff:10.2.2.131:52730 established 20285/sshd: [email protected] Unix2 [ACC] STREAM LISTENING 194494461 20900/6/tmp/ssh-cxijj20900/agent.20900Unix3 [] STREAM CONNECTED 194307443 20285/sshd: [email protected] Unix3 [] STREAM CONNECTED 194307441 20285/sshd: [email protected] [[email protected]~]#

The Netstat of Linux commands