Detailed explanation of the Linux netstat command

netstat

Check the status information of the network system in Linux

Supplementary Note

The netstat command is used to print the status information of the network system in Linux, which allows you to know the network situation of the entire Linux system.

Syntax

netstat (options)

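Options

-a or --all: show the sockets of all connections;
-A<network type> or --<network type>: list the relevant addresses of connections of that network type;
-c or --continuous: list the network status continuously;
-C or --cache: show the cached routing configuration information;
-e or --extend: show other related network information;
-F or --fib: show the FIB;
-g or --groups: show the multicast group membership list;
-h or --help: online help;
-i or --interfaces: show the network interface table;
-l or --listening: show the listening server sockets;
-M or --masquerade: show masqueraded network connections;
-n or --numeric: use IP addresses directly, without going through a name server;
-N or --netlink or --symbolic: show the symbolic link names of network hardware peripherals;
-o or --timers: show timers;
-p or --programs: show the PID and name of the program using each socket;
-r or --route: show the routing table;
-s or --statistics: show the network statistics table;
-t or --tcp: show the status of TCP connections;
-u or --udp: show the status of UDP connections;
-v or --verbose: show the command execution process;
-V or --version: show version information;
-w or --raw: show the status of RAW connections;
-x or --unix: has the same effect as specifying "-A unix";
--ip or --inet: has the same effect as specifying "-A inet".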

Examples

List all ports (listening and non-listening)

netstat -a     # list all ports
netstat -at    # list all tcp ports
netstat -au    # list all udp ports

List all Sockets in listening state

netstat -l        # show only listening ports
netstat -lt       # list only listening tcp ports
netstat -lu       # list only listening udp ports
netstat -lx       # list only listening UNIX ports

Show statistics for each protocol

netstat -s    # show statistics for all ports
netstat -st   # show statistics for TCP ports
netstat -su   # show statistics for UDP ports

Show PID and process name in netstat output

netstat -pt

netstat -p can be used together with other switches to add "PID/process name" to the netstat output, so that you can easily find the program running on a specific port when debugging.

Do not show host, port or user names in netstat output

When you don't want the host, port and user names to be displayed, use netstat -n. Numbers will be used in place of those names. It can also speed up the output, because no name lookup is required.

netstat -an

If you just don't want one of these three names to be displayed, use the following command:

netstat -a --numeric-ports
netstat -a --numeric-hosts
netstat -a --numeric-users

Continuously output netstat information

netstat -c   # output network information every second

Display address families not supported by the system (Address Families)

netstat --verbose

At the end of the output, there will be the following information:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

Display kernel routing information

netstat -r

Use netstat -rn to display addresses in numeric format without looking up hostnames.

Find out what port the program is running on

Not all processes can be found; those you do not have permission to see are not displayed. Use root privileges to view all information.

netstat -ap | grep ssh

Find the process running on the specified port:

netstat -an | grep ':80'

Find the process ID by port

netstat -anp | grep 8081 | grep LISTEN | awk '{print $7}' | cut -d/ -f1
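
An added example, not from the original post: the same lookup with the port matched as a whole field, so that port 18081 or a process whose PID is 8081 is not picked up by accident, and with the no-permission case from the note above reported explicitly. The sample lines are constructed, and the function name `listener_pid` is an assumption.

```shell
#!/bin/sh
# Added example: exact-port PID lookup over `netstat -anp` output.
# SAMPLE is constructed; the PIDs and program names are made up.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      2210/java
tcp6       0      0 :::8081                 :::*                    LISTEN      2210/java
tcp        0      0 127.0.0.1:18081         0.0.0.0:*               LISTEN      8081/python3
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 192.0.2.10:8081         198.51.100.7:40000      ESTABLISHED 2210/java'

# listener_pid PORT: print the PID(s) listening on exactly PORT, one per line.
# Prints "unknown" when netstat showed "-" (no permission to see the owner).
listener_pid() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)        # port = text after the last colon
            if (p != port) next              # 18081 and PID 8081 are skipped
            if ($7 == "-") { print "unknown"; next }
            split($7, owner, "/")            # "2210/java" -> PID, name
            print owner[1]
        }' | sort -u                         # tcp and tcp6 rows collapse to one
}

printf '%s\n' "$SAMPLE" | listener_pid 8081
printf '%s\n' "$SAMPLE" | listener_pid 22
```

On a live host, feed it real output with `netstat -anp | listener_pid 8081`, run as root so the owner column is populated.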

Show the list of network interfaces

netstat -i

To show detailed information, like ifconfig, use netstat -ie.

IP and TCP Analysis

View the IP addresses most connected to a certain service port:

netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | awk '{++ip[$1]} END {for(i in ip) print ip[i],"\t",i}' | sort -nr

List of various states of TCP:

netstat -nt | grep -e 127.0.0.1 -e 0.0.0.0 -e ::: -v | awk '/^tcp/ {++state[$NF]} END {for(i in state) print i,"\t",state[i]}'
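
An added example, not from the original post, that produces the two tallies above with exact matching: the local port is compared as a whole field, so `:8080` and outbound connections to a remote port 80 are not counted for port 80, and IPv6 peers are not truncated by `cut -d: -f1`. The sample lines are constructed, the function names `peers_for_port` and `state_counts` are assumptions, and the state tally skips only loopback peers rather than reproducing the `grep -v` filter.

```shell
#!/bin/sh
# Added example: per-peer and per-state tallies over `netstat -nt` output.
# SAMPLE is constructed output, not captured from a real host.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51240      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40022       SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:40100       ESTABLISHED
tcp        0      0 192.0.2.10:44321        203.0.113.50:80         TIME_WAIT
tcp6       0      0 2001:db8::10:80         2001:db8::99:50000      ESTABLISHED
tcp        0      0 127.0.0.1:5432          127.0.0.1:50112         ESTABLISHED'

# peers_for_port PORT: count remote addresses connected to local PORT.
# Reads netstat output on stdin; prints "count address", highest first.
peers_for_port() {
    awk -v port="$1" '
        /^tcp/ {
            lport = $4; peer = $5
            sub(/.*:/, "", lport)            # port = text after the last colon
            if (lport != port) next          # :8080 does not match 80
            sub(/:[^:]*$/, "", peer)         # strip only the peer port
            n[peer]++
        }
        END { for (p in n) print n[p], p }' | sort -k1,1nr -k2
}

# state_counts: tally TCP states, skipping connections from loopback peers.
state_counts() {
    awk '/^tcp/ {
            peer = $5; sub(/:[^:]*$/, "", peer)
            if (peer == "127.0.0.1" || peer == "::1") next
            s[$NF]++
         }
         END { for (k in s) print k, s[k] }' | sort
}

printf '%s\n' "$SAMPLE" | peers_for_port 80
printf '%s\n' "$SAMPLE" | state_counts
```

A peer far ahead of the rest in the first tally, or an unusually large SYN_RECV or CLOSE_WAIT count in the second, is the kind of signal these one-liners are normally used to spot.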

Check the number of php-cgi processes. If it is close to the preset value, there are not enough processes and the value needs to be increased:

netstat -anpo | grep "php-cgi" | wc -l

Extended knowledge

Detailed network connection status

There are 12 possible states. The first 11 are described according to the three-way handshake of TCP connection establishment and the four-way handshake of TCP connection termination:

  1. LISTEN: The server first opens a socket and listens on it; the state is LISTEN, waiting for connection requests from remote TCP ports;

  2. SYN_SENT: The client application calls connect to perform an active open, so the client's TCP sends a SYN to request a connection and sets the state to SYN_SENT, waiting for a matching connection request after sending its own;

  3. SYN_RECV: The server sends an ACK to acknowledge the client's SYN and at the same time sends its own SYN to the client; the state is then set to SYN_RECV, waiting for confirmation of the connection request after having received and sent one;

  4. ESTABLISHED: Represents an open connection; the two parties can exchange or have already exchanged data, and data can be delivered to the user;

  5. FIN_WAIT1: The application on the active-close side calls close, so its TCP sends a FIN to actively close the connection and enters FIN_WAIT1, waiting for the remote TCP's connection termination request or for the acknowledgment of its own earlier termination request;

  6. CLOSE_WAIT: On the passive-close side, after TCP receives the FIN it sends an ACK in response (receipt of the FIN is also passed to the upper-layer application as end-of-file) and enters CLOSE_WAIT, waiting for the connection termination request from the local user;

  7. FIN_WAIT2: After the active-close side receives the ACK, it enters FIN_WAIT2, waiting for the connection termination request from the remote TCP;

  8. LAST_ACK: On the passive-close side, some time later the application that received end-of-file calls close to close the connection, which causes its TCP to send a FIN as well and enter LAST_ACK, waiting for the acknowledgment of the connection termination request it sent to the remote TCP;

  9. TIME_WAIT: After the active-close side receives the FIN, its TCP sends an ACK and enters TIME_WAIT, waiting long enough to ensure that the remote TCP has received the acknowledgment of its connection termination request;

  10. CLOSING: Relatively rare; waiting for the remote TCP to acknowledge the connection termination;

  11. CLOSED: After the passive-close side receives the ACK, it enters the CLOSED state; the connection has ended and there is no connection state;

  12. UNKNOWN: Unknown socket state;

Common Flags

  • SYN: (Synchronize Sequence Numbers) This flag is only valid while the three-way handshake is establishing a TCP connection. It indicates a new TCP connection request.

  • ACK: (Acknowledgment Number) The acknowledgment flag for a TCP request; it also tells the peer system that all the data has been received successfully.

  • FIN: (FINish, the end flag) Used to end a TCP session. But the corresponding port is still open and ready to receive subsequent data.


Origin blog.csdn.net/u011837804/article/details/130480067