netstat/lsof
The netstat command is used to display statistical data related to IP, TCP, UDP and ICMP protocols, and is generally used to test the network connection of each port of the machine
-a Displays a list of all valid connection information (including established connections) , also including those connections listening for connection requests)
-n show all established valid connections
-t tcp protocol
-u udp protocol
-l query the program that is listening
-p show the program identifier and program name that is using the socket
For example : netstat -ntupl|grep processname
how to query only the connection of tomcat?
netstat -na|grep ESTAB |grep 80 |wc-l
netstat -na|grep ESTAB |grep 8080 |wc-l
Common port introduction:
Port: 21
Service: The port opened by the FTP server for uploading and downloading.
Port: 22
Service: ssh
Port: 80
Service: HTTP for web browsing
Port : 389
Service: LDAP ILS Lightweight Directory Access Protocol and NetMeetingInternet Locator Server
Port: 443
HTTP
port: 8080
Service: proxy port
Open the terminal and execute the following command to check the port occupied by each process:
# ps -ef|wc -l //Check the total number of processes running in the background
# ps -fu csvn //Check the csvn process
# netstat -lntp // Check which ports are opened
# netstat -r //This option can display information about the routing table
# netstat -a //This option displays a list of all valid connection information
# netstat -an|grep 8080
# netstat -na|grep - i listen //You can see the port number currently being listened to by the system
# netstat -antup //View the ports occupied by the established connection process.
netstat -anp|grep1487
lsof -i:1487
Check which processes have opened the specified port 1487.
Closing a port is actually closing its corresponding service. For example, port 80 is HTTPD. Closing port 80 can be achieved by closing the httpd service.
Each port has a The daemon process, just kill the daemon process. The port of the
host is divided into the listening port and the random available advanced port
. Listening port: The listening port is what services are enabled by the host. This service will enable a port in the linux system to listen to the client. Request
Randomly available advanced port:
When linux wants to request a service from a host, the linux host needs to enable a port to connect externally. linux will randomly use an unused port with a port number greater than 1024 to connect.
Only the root user can open ports 1-1024 to show root privileges
netstat-n show the connection status
netstat-tl show the name of the service currently being monitored
linux is a tool that lists the current system open files. exists in the form of a file.
The output information of lsof can display the files opened by the system. By default, all files opened by all processes are
displayed lsof filename Displays all processes that open the specified file
lsof -c string Displays all open files of the process that contains the specified character in the command column
lsof -u username Displays the ownership The files opened by the user process
lsof -g gid Display the process status of the belonging gid
lsof -i Display the qualified process status
lsof -d Display the process of the specified file descriptor
lsof -a Indicates that both parameters must be satisfied before displaying the result
For example : lsof-i:1487
View the files with the file type txt opened by the root user process:
lsof -a -u root -d txt
lsof use example
1. Find the file system in use When
unmounting the file system, if there is any open file in the file system file, an error occurs. You can find out which processes are using the currently unmounted file system through lsof
# lsof /GTES11/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4208 root cwd DIR 3,1 40962 /GTES11/
vim 4230 root cwd DIR 3,1 40962 /GTES11/
2. Recover deleted files
When a linux computer is compromised, it is common for log files to be deleted, and management errors will also lead to accidental deletion of important files.
When a process opens a file, as long as the process keeps the file open, even if it is deleted, it still exists on disk. This means that the process does not know that the file has been deleted, and in the /proc directory contains various files that reflect the kernel and process tree.
When a file in the system is accidentally deleted, as long as there are still processes accessing the file in the system at this time, you can restore the file from the /proc directory through lsof
Use lsof to check whether a process currently opens the /var/logmessages file
# lsof |grep /var/log/messages syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted) from /proc/1283/fd/2
For many applications, especially log files and databases, This method of recovering deleted files is very useful
The netstat command is used to display statistical data related to IP, TCP, UDP and ICMP protocols, and is generally used to test the network connection of each port of the machine
-a Displays a list of all valid connection information (including established connections) , also including those connections listening for connection requests)
-n show all established valid connections
-t tcp protocol
-u udp protocol
-l query the program that is listening
-p show the program identifier and program name that is using the socket
For example : netstat -ntupl|grep processname
how to query only the connection of tomcat?
netstat -na|grep ESTAB |grep 80 |wc-l
netstat -na|grep ESTAB |grep 8080 |wc-l
Common port introduction:
Port: 21
Service: The port opened by the FTP server for uploading and downloading.
Port: 22
Service: ssh
Port: 80
Service: HTTP for web browsing
Port : 389
Service: LDAP ILS Lightweight Directory Access Protocol and NetMeetingInternet Locator Server
Port: 443
HTTP
port: 8080
Service: proxy port
Open the terminal and execute the following command to check the port occupied by each process:
# ps -ef|wc -l //Check the total number of processes running in the background
# ps -fu csvn //Check the csvn process
# netstat -lntp // Check which ports are opened
# netstat -r //This option can display information about the routing table
# netstat -a //This option displays a list of all valid connection information
# netstat -an|grep 8080
# netstat -na|grep - i listen //You can see the port number currently being listened to by the system
# netstat -antup //View the ports occupied by the established connection process.
netstat -anp|grep1487
lsof -i:1487
Check which processes have opened the specified port 1487.
Closing a port is actually closing its corresponding service. For example, port 80 is HTTPD. Closing port 80 can be achieved by closing the httpd service.
Each port has a The daemon process, just kill the daemon process. The port of the
host is divided into the listening port and the random available advanced port
. Listening port: The listening port is what services are enabled by the host. This service will enable a port in the linux system to listen to the client. Request
Randomly available advanced port:
When linux wants to request a service from a host, the linux host needs to enable a port to connect externally. linux will randomly use an unused port with a port number greater than 1024 to connect.
Only the root user can open ports 1-1024 to show root privileges
netstat-n show the connection status
netstat-tl show the name of the service currently being monitored
linux is a tool that lists the current system open files. exists in the form of a file.
The output information of lsof can display the files opened by the system. By default, all files opened by all processes are
displayed lsof filename Displays all processes that open the specified file
lsof -c string Displays all open files of the process that contains the specified character in the command column
lsof -u username Displays the ownership The files opened by the user process
lsof -g gid Display the process status of the belonging gid
lsof -i Display the qualified process status
lsof -d Display the process of the specified file descriptor
lsof -a Indicates that both parameters must be satisfied before displaying the result
For example : lsof-i:1487
View the files with the file type txt opened by the root user process:
lsof -a -u root -d txt
lsof use example
1. Find the file system in use When
unmounting the file system, if there is any open file in the file system file, an error occurs. You can find out which processes are using the currently unmounted file system through lsof
# lsof /GTES11/
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
bash 4208 root cwd DIR 3,1 40962 /GTES11/
vim 4230 root cwd DIR 3,1 40962 /GTES11/
2. Recover deleted files
When a linux computer is compromised, it is common for log files to be deleted, and management errors will also lead to accidental deletion of important files.
When a process opens a file, as long as the process keeps the file open, even if it is deleted, it still exists on disk. This means that the process does not know that the file has been deleted, and in the /proc directory contains various files that reflect the kernel and process tree.
When a file in the system is accidentally deleted, as long as there are still processes accessing the file in the system at this time, you can restore the file from the /proc directory through lsof
Use lsof to check whether a process currently opens the /var/logmessages file
# lsof |grep /var/log/messages syslogd 1283 root 2w REG 3,3 5381017 1773647 /var/log/messages (deleted) from /proc/1283/fd/2
For many applications, especially log files and databases, This method of recovering deleted files is very useful