Detailed explanation of Linux netstat

Introduction
The netstat command displays various network-related information, such as network connections, routing tables, interface statistics (Interface Statistics), masquerade connections, multicast memberships (Multicast Memberships) and so on.

Meaning of output information
After executing netstat, the output is:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 2 210.34.6.89:telnet 210.34.6.96:2873 ESTABLISHED
tcp 296 0 210.34.6.89:1165 210.34.6.84:netbios-ssn ESTABLISHED
tcp 0 0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp 0 0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp 0 80 210.34.6.89 210.34.6.10:netbios-ssn CLOSE

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 1 [ ] STREAM CONNECTED 16178 @000000dd
unix 1 [ ] STREAM CONNECTED 16176 @000000dc
unix 9 [ ] DGRAM 5292 /dev/log
unix 1 [ ] STREAM CONNECTED 16182 @000000df

Overall, the output of netstat can be divided into two parts:

One is Active Internet connections, the active TCP connections, where "Recv-Q" and "Send-Q" refer to the receive queue and the send queue. These numbers should generally be 0. If they are not, it means packets are piling up in the queue. This situation is seen only in very rare cases.

The other is Active UNIX domain sockets (the same as network sockets, but usable only for communication on the local machine, with double the performance).
Proto displays the protocol used by the connection, RefCnt is the number of processes attached to the socket, Type displays the type of the socket, State displays the current state of the socket, and Path is the path name used by other processes connected to the socket.

Common parameters
-a (all) Display all sockets; by default, those in the LISTEN state are not shown
-t (tcp) Display only tcp-related entries
-u (udp) Display only udp-related entries
-n Do not display aliases; show everything that can be shown as a number in numeric form
-l List only sockets that are in the LISTEN state
-p Display the name of the program that owns each connection
-r Display routing information (the routing table)
-e Display extended information, such as uid
-s Display statistics for each protocol
-c Re-run the netstat command at a fixed interval

Tip: The LISTEN and LISTENING states are only shown with -a or -l



Practical command example

1. List all ports (including listening and non-listening)
  list all ports netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:30037 *:* LISTEN
udp 0 0 *:bootpc *:*

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ACC] STREAM LISTENING 6135 /tmp/.X11-unix/X0
unix 2 [ACC] STREAM LISTENING 5140 /var/run/acpid.socket
  List all tcp ports netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:30037 *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
  List all udp ports netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:bootpc *:*
udp 0 0 *:49119 *:*
udp 0 0 *:mdns *:*

2. List all listening Sockets
  only show listening ports netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp *:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
udp 0 0 *:49119 *:*
  List only all listening tcp ports netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:30037 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
  only list all listening udp ports netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:49119 *:*
udp 0 0 *:mdns *:*
  Only list all listening UNIX ports netstat -lx

# netstat -lx
... private/maildrop
unix 2 [ ACC ] STREAM LISTENING 6203 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 6302 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 6306 private/bsmtp

3. Display statistics netstat -s

# netstat -s
Ip:
11150 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
11149 incoming packets delivered
11635 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
Tcp:
582 active connections openings
2 failed connection attempts
25 connection resets received
Udp:
1183 packets received
4 packets to unknown port received
... .....
  Display statistics for TCP or UDP ports netstat -st or -su

# netstat -st
# netstat -su


4. Display PID and process name in netstat output netstat -p
netstat -p can be used with other switches to add "PID/process name" to the netstat output, which makes it easy to find programs running on specific ports when debugging.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 1 0 ramesh-laptop.loc:47212 192.168.185.75:www CLOSE_WAIT 2109/firefox
tcp 0 0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox
5. Do not show host, port or user in netstat output
When you do not want host, port or user to show, use netstat -n. Numbers will be used in place of those names.

This also speeds up the output, because no name lookups are needed.

# netstat -an
If you just don't want one of the three names to be displayed, use the following commands

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users


6. Continuously output netstat information
With -c, netstat outputs network information every second.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
tcp 1 1 ramesh-laptop.loc:52564 101.11.169.230:www CLOSING
tcp 0 0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
tcp 1 1 ramesh-laptop.loc:42367 101.101.34.101:www CLOSING
^C


7. Display Address Families that are not supported by the system (Address Families)
netstat --verbose
At the end of the output, there will be the following message

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.


8. Display kernel routing information netstat -r
# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
link-local * 255.255.0.0 U 0 0 0 eth2
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
NOTE: Use netstat -rn to display the numeric format without querying the hostname.



9. Find out the port where the program is running
Not every process can be identified: processes you do not have permission to inspect are not displayed. Run as root to see all of them.

# netstat -ap | grep ssh
tcp 1 0 dev-db:ssh 101.174.100.22:39213 CLOSE_WAIT -
tcp 1 0 dev-db:ssh 101.174.100.22:57643 CLOSE_WAIT -
  Find out the process running on the specified port

# netstat -anp | grep ':80'
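
As an added example (not part of the original article), the listening-socket and PID/program output covered in sections 2, 4 and 9 can be turned into a quick exposure check: the function below reads netstat -lntup text and labels each listener by whether it is bound to all interfaces, to loopback, or to one specific address. The function name audit_listeners and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads netstat -lntup text on stdin and prints one line per
# listener: EXPOSURE PROTO ADDRESS PORT PID/PROGRAM
audit_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP rows carry a State column; UDP listeners leave it blank, so
        # the PID/Program column is field 7 for tcp and field 6 for udp.
        if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
        else             { prog = $6 }
        if (prog == "") prog = "-"      # column absent: netstat ran without -p
        port = $4; sub(/.*:/, "", port) # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") cls = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "::1")            cls = "LOOPBACK"
        else                                                  cls = "SPECIFIC"
        print cls, $1, addr, port, prog
    }' | LC_ALL=C sort
}

# Constructed sample output (not captured from a real host).
SAMPLE_LISTEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address State  PID/Program name
tcp   0 0 127.0.0.1:631     0.0.0.0:* LISTEN 640/cupsd
tcp   0 0 0.0.0.0:22        0.0.0.0:* LISTEN 812/sshd
tcp   0 0 192.168.1.15:5432 0.0.0.0:* LISTEN -
tcp6  0 0 :::8080           :::*      LISTEN 1501/java
tcp6  0 0 ::1:631           :::*      LISTEN 640/cupsd
udp   0 0 0.0.0.0:68        0.0.0.0:*        733/dhclient'

printf '%s\n' "$SAMPLE_LISTEN" | audit_listeners
# On a live system, as root so -p can name every owner:
#   netstat -lntup | audit_listeners
```

A "-" in the last column means netstat could not name the owning process, which is the permission case described in section 9.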


10. Show network interface list
# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 0 0 0 0 0 0 0 0 BMU
eth2 1500 0 26196 0 0 0 26883 6 0 0 BMRU
lo 16436 0 4 0 0 0 4 0 0 0 LRU
To show details like ifconfig, use netstat -ie:

# netstat -ie
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 00:10:40:11:11:11
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Memory:f6ae0000-f6b00000

11. IP and TCP analysis
  View which IP addresses have the most connections to a given service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

  List the various TCP states

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_S

  First extract all the states, then count them with uniq -c, and then sort.

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)

  The final command is as follows:
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

  Analyze access.log to get the top 10 IP addresses
awk '{print $1}' access.log |sort|uniq -c| sort -nr|head -10
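
As an added example (not part of the original article), the two netstat tallies from section 11 can be written so that the header lines are not counted as states, the local endpoint is matched exactly rather than by substring, and IPv6 peers survive the port stripping. The function names tcp_states and top_peers and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example. Both functions read netstat -nat text on stdin.

# tcp_states: connections per TCP state. Matching on the Proto column skips
# the two header lines that the plain pipeline counts as "established)" and
# "Foreign".
tcp_states() {
    awk '$1 ~ /^tcp6?$/ { n[$6]++ }
         END { for (s in n) print n[s], s }' | LC_ALL=C sort -k1,1nr -k2,2
}

# top_peers LOCAL_ENDPOINT: connections per remote address to one exact local
# address:port. Comparing the Local Address field for equality avoids matching
# 192.168.1.15:2222 or a remote endpoint when 192.168.1.15:22 is meant.
top_peers() {
    awk -v ep="$1" '
    $1 ~ /^tcp6?$/ && $4 == ep {
        peer = $5
        sub(/:[^:]*$/, "", peer)   # drop only the trailing :port (IPv6-safe)
        n[peer]++
    }
    END { for (p in n) print n[p], p }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Constructed sample (documentation address ranges, not real traffic).
SAMPLE_NAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp  0 0 0.0.0.0:22        0.0.0.0:*          LISTEN
tcp  0 0 192.168.1.15:22   203.0.113.7:51514  ESTABLISHED
tcp  0 0 192.168.1.15:22   203.0.113.7:51520  ESTABLISHED
tcp  0 0 192.168.1.15:22   198.51.100.9:40022 TIME_WAIT
tcp  0 0 192.168.1.15:2222 203.0.113.7:51600  ESTABLISHED
tcp6 0 0 2001:db8::15:22   2001:db8::99:49152 ESTABLISHED'

printf '%s\n' "$SAMPLE_NAT" | tcp_states
printf '%s\n' "$SAMPLE_NAT" | top_peers 192.168.1.15:22
```

On a live host, feed either function from netstat -nat, for example: netstat -nat | top_peers 192.168.1.15:22 | head -20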
