Introduction to Netstat
Netstat is a command-line tool that lists all network socket connections on the system, including TCP, UDP and UNIX sockets, as well as sockets in the listening state (that is, waiting for incoming requests). If you want to make sure that the web service on the system is up, you can check whether port 80 is open. These features make netstat an essential tool for network and system administrators. In this tutorial, I will go through a few examples to show how to use netstat to find network connection information and the port numbers opened by the system.
The following brief introduction comes from the netstat man page:
netstat - prints network connections, routing tables, connection statistics, masquerading connections, and broadcast domain membership.
1. List all connections
The first one to introduce is the simplest command: list all current connections. Just use the -a option.
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 enlightened:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 enlightened.local:54750 li240-5.members.li:http ESTABLISHED
tcp 0 0 enlightened.local:49980 del01s07-in-f14.1:https ESTABLISHED
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
udp 0 0 enlightened:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 enlightened.local:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp 0 0 *:58570 *:*
udp 0 0 *:mdns *:*
udp 0 0 *:49459 *:*
udp6 0 0 fe80::216:36ff:fef8:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:63811 [::]:*
udp6 0 0 [::]:54952 [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12403 @/tmp/dbus-IDgfj3UGXX
unix 2 [ ACC ] STREAM LISTENING 40202 @/dbus-vfs-daemon/socket-6nUC6CCx
The above command lists all connections to all sockets under the tcp, udp and unix protocols. However, this information is not detailed enough, and administrators often need to view the specific connection status of a certain protocol or port.
2. List only TCP or UDP connections
Use the -t option to list TCP connections:
$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 enlightened:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 enlightened.local:36310 del01s07-in-f24.1:https ESTABLISHED
tcp 0 0 enlightened.local:45038 a96-17-181-10.depl:http ESTABLISHED
tcp 0 0 enlightened.local:37892 ABTS-North-Static-:http ESTABLISHED
.....
Use the -u option to list UDP connections:
$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:34660 *:*
udp 0 0 enlightened:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 enlightened.local:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp6 0 0 fe80::216:36ff:fef8:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
The output above shows both IPv4 and IPv6 connections.
3. Disable reverse DNS lookups to speed up queries
By default, netstat looks up the hostname for each IP address through reverse DNS resolution, which slows down the output. If IP addresses are sufficient and you don't need the hostnames, use the -n option to disable name resolution.
$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.2:49058 173.255.230.5:80 ESTABLISHED
tcp 0 0 192.168.1.2:33324 173.194.36.117:443 ESTABLISHED
tcp6 0 0 ::1:631 :::* LISTEN
The above command lists all TCP connections without using domain name resolution. So easy? Very good.
4. List only listening connections
The background process of any network service opens a port to listen for incoming requests. These listening sockets can also be listed by netstat, just like connected sockets. Use the -l option to list listening sockets.
$ netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp6 0 0 ::1:631 :::* LISTEN
Now we can see the listening TCP ports and connections. If you want to see all listening ports, remove the -t option. If you only want to see UDP ports, use the -u option instead of the -t option.
Note: Do not use the -a option, otherwise netstat will list all connections, not just listening ports.
5. Get the process name, process ID and user ID
When viewing port and connection information, it is very helpful for system administrators to be able to view their corresponding process names and process numbers. For example, Apache's httpd service opens port 80. If you want to check whether the http service has been started, or whether the http service is started by apache or nginx, you can look at the process name at this time.
Use the -p option to view process information.
~$ sudo netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1144/dnsmasq
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 661/cupsd
tcp6 0 0 ::1:631 :::* LISTEN 661/cupsd
When using the -p option, netstat must be run with root privileges; otherwise it cannot show the names of processes running under root authority, and many services, including http and ftp, run under root authority.
It is more useful to look at the owner of the process rather than the process name and process ID. Use the -ep option to view both the process name and the user name.
$ sudo netstat -ltpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 enlightened:domain *:* LISTEN root 11090 1144/dnsmasq
tcp 0 0 localhost:ipp *:* LISTEN root 9755 661/cupsd
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN root 9754 661/cupsd
The above lists the listening sockets under the TCP protocol, and also displays process information and some additional information.
This extra information includes the username and the inode number of the process. This command is useful for network administrators.
Note - If you use the -n and -e options together, the User column attribute is the user's ID number, not the username.
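A way to turn the listening-socket listing from sections 4 and 5 into a quick exposure check, as an added example that is not part of the original tutorial: it reads `netstat -nlpt` output and marks each TCP listener as loopback-only, exposed on an allowed port, or exposed unexpectedly. The function names, the allowlist argument and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original tutorial).
# sample_netstat prints CONSTRUCTED output in the format of `netstat -nlpt`.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1144/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      661/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      661/cupsd
tcp6       0      0 :::80                   :::*                    LISTEN      1502/nginx
EOF
}

# audit_listeners "<allowed ports>": reads `netstat -nlpt` output on stdin and
# prints "<status> <port> <pid/program> <local address>" per TCP listener.
#   local       bound to loopback only (127.0.0.0/8 or ::1)
#   expected    reachable from other hosts, port is in the allowlist
#   UNEXPECTED  reachable from other hosts, port is not in the allowlist
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)     # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") status = "local"
        else if (port in ok)                  status = "expected"
        else                                  status = "UNEXPECTED"
        prog = ($7 == "" ? "-" : $7)          # empty when -p was not used
        print status, port, prog, addr
    }'
}

# Demo on the constructed sample: only SSH (22) is meant to be exposed.
sample_netstat | audit_listeners "22"
```

On a live system, run `sudo netstat -nlpt | audit_listeners "22 443"`; without root, the PID/Program name column shows `-` for sockets owned by other users.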
6. Print statistics
netstat can print out network statistics, including the number of packets sent and received under a certain protocol.
The statistics of all network packets are listed below:
$ netstat -s
Ip:
32797 total packets received
0 forwarded
0 incoming packets discarded
32795 incoming packets delivered
29115 requests sent out
60 outgoing packets dropped
Icmp:
125 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 125
125 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 125
... OUTPUT TRUNCATED ...
If you want to print only the statistics of the TCP or UDP protocol, just add the corresponding options (-t and -u), so easy.
7. Display kernel routing information
Use the -r option to print kernel routing information. The information printed is the same as the information output by the route command. We can also disable domain name resolution with the -n option.
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
8. Print network interfaces
netstat can also print network interface information; the -i option exists for this purpose.
$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 31611 0 0 0 27503 0 0 0 BMRU
lo 65536 0 2913 0 0 0 2913 0 0 0 LRU
The information output above is relatively raw. Use the -e option together with the -i option to get more user-friendly output.
$ netstat -ie
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 00:16:36:f8:b2:64
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::216:36ff:fef8:b264/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:31682 errors:0 dropped:0 overruns:0 frame:0
TX packets:27573 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:29637117 (29.6 MB) TX bytes:4590583 (4.5 MB)
Interrupt:18 Memory:da000000-da020000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2921 errors:0 dropped:0 overruns:0 frame:0
TX packets:2921 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:305297 (305.2 KB) TX bytes:305297 (305.2 KB)
The output above is the same as ifconfig.
9. netstat continuous output
We can use the -c option of netstat to continuously output information.
$ netstat -ct
This command can continuously output TCP protocol information.
10. Display multicast group information
Option -g will output multicast group information for IPv4 and IPv6.
$ netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
eth0 1 224.0.0.251
eth0 1 all-systems.mcast.net
lo 1 ip6-allnodes
lo 1 ff01::1
eth0 1 ff02::fb
eth0 1 ff02::1:fff8:b264
eth0 1 ip6-allnodes
eth0 1 ff01::1
wlan0 1 ip6-allnodes
wlan0 1 ff01::1
More usages
So far we have listed the basic usage of netstat; now let's get a little geekier.
Print connections in the active state
The active state of a socket connection is represented by the "ESTABLISHED" field, so we can use the grep command to get the connections in the active state:
$ netstat -atnp | grep ESTA
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.1.2:49156 173.255.230.5:80 ESTABLISHED 1691/chrome
tcp 0 0 192.168.1.2:33324 173.194.36.117:443 ESTABLISHED 1691/chrome
Use the watch command to monitor active connections:
$ watch -d -n0 "netstat -atnp | grep ESTA"
Check whether a service is running
If you want to see if the http, smtp or ntp service is running, use grep.
$ sudo netstat -aple | grep ntp
udp 0 0 enlightened.local:ntp *:* root 17430 1789/ntpd
udp 0 0 localhost:ntp *:* root 17429 1789/ntpd
udp 0 0 *:ntp *:* root 17422 1789/ntpd
udp6 0 0 fe80::216:36ff:fef8:ntp [::]:* root 17432 1789/ntpd
udp6 0 0 ip6-localhost:ntp [::]:* root 17431 1789/ntpd
udp6 0 0 [::]:ntp [::]:* root 17423 1789/ntpd
unix 2 [ ] DGRAM 17418 1789/ntpd
From here you can see that the ntp service is running. With grep you can check http, smtp or whatever service you want.
Well, most of the functions of netstat have now been introduced. If you want to learn about its more advanced functions, read its manual (man netstat).
Feel free to leave your feedback and suggestions below.