Using the network debugging tools netstat and tcpdump

Source: Internet
Author: User

Common netstat parameters

    -a (all)  show all sockets; sockets in the LISTEN state are not shown by default
    -t (tcp)  show only TCP-related entries
    -u (udp)  show only UDP-related entries
    -n        do not show aliases; display everything that can be shown as a number numerically
    -l        list only services in the LISTEN (listening) state
    -p        show the name of the program that established the connection
    -r        show routing information (the route table)
    -e        show extended information, for example uid
    -s        show statistics for each protocol
    -c        run the netstat command repeatedly at a fixed interval

Tip: The LISTEN and LISTENING states can be viewed only when -a or -l is used.

1. List all ports

List all ports (both listening and non-listening): netstat -a

    # netstat -a | more
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 localhost:30037 *:* LISTEN
    udp 0 0 *:bootpc *:*

    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ACC] STREAM LISTENING 6135 /tmp/.X11-unix/X0
    unix 2 [ACC] STREAM LISTENING 5140 /var/run/acpid.socket

List all TCP ports: netstat -at

    # netstat -at
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 localhost:30037 *:* LISTEN
    tcp 0 localhost:ipp *:* LISTEN
    tcp 0 *:smtp *:* LISTEN
    tcp6 0 localhost:ipp [::]:* LISTEN

List all UDP ports: netstat -au

    # netstat -au
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    udp 0 0 *:bootpc *:*
    udp 0 0 *:49119 *:*
    udp 0 0 *:mdns *:*

2. List all sockets in the listening state
Show only listening ports: netstat -l

    # netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 localhost:ipp *:* LISTEN
    tcp6 0 0 localhost:ipp [::]:* LISTEN
    udp 0 0 *:49119 *:*

List only listening TCP ports: netstat -lt

    # netstat -lt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 localhost:30037 *:* LISTEN
    tcp 0 0 *:smtp *:* LISTEN
    tcp6 0 localhost:ipp [::]:* LISTEN

List only listening UDP ports: netstat -lu

    # netstat -lu
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    udp 0 0 *:49119 *:*
    udp 0 0 *:mdns *:*

List only listening UNIX ports: netstat -lx

    # netstat -lx
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ACC] STREAM LISTENING 6294 private/maildrop
    unix 2 [ACC] STREAM LISTENING 6203 public/cleanup
    unix 2 [ACC] STREAM LISTENING 6302 private/ifmail
    unix 2 [ACC] STREAM LISTENING 6306 private/bsmtp

3. Show statistics for each protocol

Show statistics for all ports: netstat -s

    # netstat -s
    Ip:
        11150 total packets received
        1 with invalid addresses
        0 forwarded
        0 incoming packets discarded
        11149 incoming packets delivered
        11635 requests sent out
    Icmp:
        0 ICMP messages received
        0 input ICMP message failed.
    Tcp:
        582 active connections openings
        2 failed connection attempts
        25 connection resets received
    Udp:
        1183 packets received
        4 packets to unknown port received
    ......

Show statistics for TCP or UDP ports only: netstat -st or -su

    # netstat -st
    # netstat -su

4. Show the PID and process name in netstat output: netstat -p

netstat -p can be combined with other switches to add the "PID/Program name" column to the netstat output. This makes it easy to find the program running on a specific port while debugging.
    # netstat -pt
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 1 0 ramesh-laptop.loc:47212 192.168.185.75:www CLOSE_WAIT 2109/firefox
    tcp 0 0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox

5. Do not show host, port, and user names in netstat output

When you do not want host, port, and user names to be displayed, use netstat -n. The names are replaced by numbers. Output is also faster, because no name lookups are required.

    # netstat -an

If you want to suppress only one of the three kinds of name, use one of the following commands:

    # netstat -a --numeric-ports
    # netstat -a --numeric-hosts
    # netstat -a --numeric-users

6. Output netstat information continuously

netstat -c outputs network information every second.

    # netstat -c
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
    tcp 1 ramesh-laptop.loc:52564 101.11.169.230:www CLOSING
    tcp 0 0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
    tcp 1 1 ramesh-laptop.loc:42367 101.101.34.101:www CLOSING
    ^C

7. Address families not supported by the system

netstat --verbose displays the following information at the end of its output:

    netstat: no support for 'AF IPX' on this system.
    netstat: no support for 'AF AX25' on this system.
    netstat: no support for 'AF X25' on this system.
    netstat: no support for 'AF NETROM' on this system.

8. Display the kernel routing information: netstat -r

    # netstat -r
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
    link-local * 255.2.160.0 U 0 0 0 eth2
    default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2

Note: Use netstat -rn to display addresses in numeric format without looking up host names.

9. Find the port a program is running on

Not every process can be matched to its port.
If you do not have permission, the port is not displayed. Use root privileges to view all the information.

    # netstat -ap | grep ssh
    tcp 1 0 dev-db:ssh 101.174.100.22:39213 CLOSE_WAIT -
    tcp 1 0 dev-db:ssh 101.174.100.22:57643 CLOSE_WAIT -

Find the process running on a specified port:

    # netstat -an | grep ':80'

10. Show the network interface list

    # netstat -i
    Kernel Interface table
    Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP Flg
    eth0 1500 0 0 0 0 0 0 0 0 BMU
    eth2 1500 0 0 0 0 26883 6 0 0 BMRU
    lo 16436 0 4 0 0 0 4 0 0 0 LRU

Show detailed information, like ifconfig, with netstat -ie:

    # netstat -ie
    Kernel Interface table
    eth0 Link encap:Ethernet HWaddr 00:10:40:11:11:11
         UP BROADCAST MULTICAST MTU:1500 Metric:1
         RX packets:0 errors:0 dropped:0 overruns:0 frame:0
         TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000
         RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
         Memory:f6ae0000-f6b00000

11. View the IP addresses

    wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20
    18 reschedule 255.255.192.168.1.142 255.119.145.41.22 114.20.41.301 75.102.11.99

TCP state list

    wss8848@ubuntu:~$ netstat -nat | awk '{print $6}'
    established)
    Foreign
    LISTEN
    TIME_WAIT
    ESTABLISHED
    TIME_WAIT
    SYN_SENT

First extract all the states, then count them with uniq -c, and then sort them.

    wss8848@ubuntu:~$ netstat -nat | awk '{print $6}' | sort | uniq -c
    143 ESTABLISHED
    1 FIN_WAIT1
    1 Foreign
    1 LAST_ACK
    36 LISTEN
    6 SYN_SENT
    113 TIME_WAIT
    1 established)

The final command is as follows:

    netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

Analyze access.log to obtain the top 10 IP addresses:

    awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -10

tcpdump

tcpdump is a packet analysis tool used to intercept packets on the network according to user-defined rules. tcpdump can capture the complete header of each packet transmitted on the network for analysis.
It supports filtering by network layer, protocol, host, network, or port, and provides the logical operators and, or, and not to help you discard irrelevant traffic.

Command examples

Default start:

    tcpdump

Normally, starting tcpdump directly monitors all packets flowing through the first network interface.

Monitor packets on a specified network interface:

    tcpdump -i eth1

If no NIC is specified, tcpdump by default monitors only the first network interface, which is usually eth0. The following examples do not specify a network interface.

Monitor the packets of a specified host. Print all packets entering or leaving sundown:

    tcpdump host sundown

You can also specify an IP address. For example, capture all packets received and sent by host 210.27.48.1:

    tcpdump host 210.27.48.1

Print packets exchanged between helios and either hot or ace:

    tcpdump host helios and \( hot or ace \)

Capture the communication between host 210.27.48.1 and host 210.27.48.2 or 210.27.48.3:

    tcpdump host 210.27.48.1 and \( 210.27.48.2 or 210.27.48.3 \)

Print IP packets exchanged between ace and any other host, excluding packets exchanged with helios:

    tcpdump ip host ace and not helios

To capture IP packets exchanged between host 210.27.48.1 and all hosts except 210.27.48.2, run:

    tcpdump ip host 210.27.48.1 and ! 210.27.48.2

Capture all data sent by the host hostname:

    tcpdump -i eth0 src host hostname

Monitor all packets sent to the host hostname:

    tcpdump -i eth0 dst host hostname

Monitor the packets of a specified host and port. To capture telnet packets received or sent by host 210.27.48.1, run:

    tcpdump tcp port 23 and host 210.27.48.1

Monitor UDP port 123 on the local machine (port 123 is the ntp service port):

    tcpdump udp port 123
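A review of the listening-socket listings from sections 2, 4 and 9, as an added example that is not part of the original page: it labels each listener as bound to all interfaces, to loopback, or to one specific address, and reports the owning program, which netstat prints as "-" when it is run without root. It assumes input in the form produced by `netstat -lntup`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntup` output.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:631   0.0.0.0:*        LISTEN  812/cupsd
tcp        0      0 0.0.0.0:25      0.0.0.0:*        LISTEN  1033/master
tcp        0      0 192.168.1.15:22 0.0.0.0:*        LISTEN  640/sshd
tcp6       0      0 ::1:631         :::*             LISTEN  812/cupsd
tcp6       0      0 :::8080         :::*             LISTEN  -
udp        0      0 0.0.0.0:68      0.0.0.0:*                701/dhclient
EOF
}

# Print "scope proto port program" for every listener.
#   scope: all (wildcard bind), loopback, or specific (one address)
# UDP rows have no State column, so the program is read from the last field;
# a last field without "/" means the owner was not shown (reported as unknown).
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next   # TCP: listeners only
            addr = $4; sub(/:[^:]*$/, "", addr)       # address without port
            port = $4; sub(/.*:/, "", port)           # port after last colon
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "all"
            else if (addr ~ /^127\./ || addr == "::1" || addr == "localhost")
                scope = "loopback"
            else
                scope = "specific"
            prog = ($NF ~ /\//) ? $NF : "unknown"
            sub(/^[0-9]+\//, "", prog)                # drop the "PID/" prefix
            print scope, $1, port, prog
        }'
}

# Show every listener in the constructed sample.
sample_listeners | exposed_listeners
```

Filtering the result with `grep '^all '` leaves the services reachable on every interface, which are the ones to compare against the host's intended exposure.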
