Network status diagnostic command: netstat

The netstat command can be used to query the network status of the entire system. Baidu Encyclopedia defines it as follows:

Netstat is a program that accesses network connection status and related information in the kernel; it provides reports on TCP connections, TCP and UDP listening, and process memory management.

Netstat is a console command and a very useful tool for monitoring a TCP/IP network. It can display the routing table, the actual network connections, and status information for each network interface device. Netstat displays statistics for the IP, TCP, UDP and ICMP protocols, and is generally used to check the network connections on each port of the local machine.

As the encyclopedia description above shows, the netstat command is useful when investigating network problems. The rest of this article describes netstat usage in detail.

Syntax

netstat [-acCeFghilMnNoprstuvVwx][-A<network type>][--ip]

Parameter Description

  • -a or --all: display all sockets, including those in connections.
  • -A <network type> or --<network type>: list the connections for the given network (address) type.
  • -c or --continuous: list the network status continuously.
  • -C or --cache: display the routing cache information.
  • -e or --extend: display additional network information.
  • -F or --fib: display the FIB.
  • -g or --groups: display the multicast group membership list.
  • -h or --help: online help.
  • -i or --interfaces: display the network interface table.
  • -l or --listening: display listening server sockets.
  • -M or --masquerade: display masqueraded network connections.
  • -n or --numeric: use IP addresses directly instead of resolving names through a name server.
  • -N or --netlink or --symbolic: display the symbolic names of network hardware devices.
  • -o or --timers: display timers.
  • -p or --programs: display the PID and name of the program using each socket.
  • -r or --route: display the routing table.
  • -s or --statistics: display network statistics.
  • -t or --tcp: display the connection status for the TCP transport protocol.
  • -u or --udp: display the connection status for the UDP transport protocol.
  • -v or --verbose: display the command's execution process.
  • -V or --version: display version information.
  • -w or --raw: display the connection status for the RAW transport protocol.
  • -x or --unix: has the same effect as specifying "-A unix".
  • --ip or --inet: has the same effect as specifying "-A inet".

Use Case


[root@SHA-L0161171 arthas]$ netstat -an            
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:8004            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:11052           0.0.0.0:*               LISTEN     
tcp        0      0 172.24.248.108:8004     192.168.202.31:57588    ESTABLISHED
tcp        0      0 127.0.0.1:51092         127.0.0.1:8091          TIME_WAIT  
tcp        0      0 172.24.248.108:8004     192.168.202.38:32283    ESTABLISHED
tcp        0      0 172.24.248.108:8004     192.168.202.38:58923    TIME_WAIT  
tcp        0      0 172.24.248.108:8004     192.168.202.32:39983    ESTABLISHED
tcp        0      0 172.24.248.108:8004     192.168.202.37:38230    ESTABLISHED
tcp        0      0 172.24.248.108:8004     192.168.202.34:5081     ESTABLISHED
tcp        0      0 172.24.248.108:8004     192.168.202.32:17240    ESTABLISHED
tcp        0      0 127.0.0.1:38784         127.0.0.1:12050         TIME_WAIT  

...

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         DGRAM                    18442    /run/systemd/notify
unix  2      [ ]         DGRAM                    18444    /run/systemd/cgroups-agent
unix  2      [ ]         DGRAM                    23822    /var/run/chrony/chronyd.sock
unix  8      [ ]         DGRAM                    18455    /run/systemd/journal/socket
unix  18     [ ]         DGRAM                    18457    /dev/log
unix  2      [ ]         DGRAM                    14151    /var/run/nscd/socket
unix  2      [ ]         DGRAM                    584      /run/systemd/shutdownd
unix  3      [ ]         STREAM     CONNECTED     124439388 /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     42312    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     39909

The output above contains two parts:

1. Active Internet connections: the active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers should generally be 0. If they are not, packets are accumulating in the queue. This situation is seen only in very few cases.

2. Active UNIX domain sockets: the active Unix domain sockets (the same as network sockets, but usable only for communication on the local machine; performance can be doubled).

The columns of the Internet connections part are explained below:

  • Proto: the protocol used by the connection; common values are tcp, udp, tcp6 and so on;
  • Recv-Q: the receive queue. This number should generally be 0; if it is not, packets are accumulating in the queue. Take a Tomcat server as an example: when a TCP connection is established, a Tomcat acceptor thread takes the connection and hands it to a worker thread. If connections are established much faster than the acceptor thread can take them, connections pile up in the queue and Recv-Q becomes greater than 0. Another possibility is that the system is under a DoS attack and can no longer respond to external requests;
  • Send-Q: the send queue, that is, data for which the peer has not yet returned an ACK, or data still in the local buffer. If Send-Q cannot be cleared quickly, the application may be sending packets outward too fast, or the peer is not receiving packets fast enough;
  • Local Address: the local address. This field generally takes one of three forms:

    • 172.24.248.108:8004: the most common form. It means the machine has the IP address 172.24.248.108 and a program on the machine uses port 8004 to establish connections with external programs;
    • 0.0.0.0:8004: this form looks rather strange; 0.0.0.0 stands for all IP addresses of the machine. A machine can be configured with multiple network cards. For example, if our machine has two network cards, one configured with the address 172.24.248.108 and the other with 172.24.248.109, then 0.0.0.0 here represents three IPs: 127.0.0.1, 172.24.248.108 and 172.24.248.109.
    • :::8004: here :: is the all-zero IPv6 address. For example, :::* means the all-zero IPv6 address with * standing for any port number. The all-zero address has the same meaning as 0.0.0.0.
  • Foreign Address: the IP address and port of the external machine communicating with this machine. The display rules are similar to Local Address and are not repeated here;
  • State: the connection state. The common connection states are as follows:

    • LISTEN: the server first needs to open a socket to listen; its state is LISTEN. (The socket is listening for incoming connections.) Listening for connection requests from remote TCP ports.
    • SYN_SENT: the client application calls connect to perform an active open; the client TCP sends a SYN to request a connection and enters the SYN_SENT state. (The socket is actively attempting to establish a connection.) After sending a connection request, waiting for a matching connection request.
    • SYN_RECV: the server sends an ACK to acknowledge the client's SYN and at the same time sends its own SYN to the client; the state is set to SYN_RECV. (A connection request has been received from the network.) After receiving and sending a connection request, waiting for confirmation of the connection request.
    • ESTABLISHED: an open connection; both sides can already exchange data. (The socket has an established connection.) Represents an open connection; data can be delivered to the user.
    • FIN_WAIT1: active close. The client application calls close, so its TCP sends a FIN to actively close the connection and then enters the FIN_WAIT1 state. (The socket is closed, and the connection is shutting down.) Waiting for a connection termination request from the remote TCP, or for acknowledgment of the termination request sent earlier.
    • CLOSE_WAIT: passive close. After receiving the FIN, the TCP sends an ACK in response (the FIN is also passed to the upper-layer application as an end-of-file) and enters CLOSE_WAIT. (The remote end has shut down, waiting for the socket to close.) Waiting for a connection termination request from the local user.
    • FIN_WAIT2: after the actively closing end receives the ACK, it enters FIN_WAIT2. (Connection is closed, and the socket is waiting for a shutdown from the remote end.) Waiting for a connection termination request from the remote TCP.
    • LAST_ACK: some time later, the application on the passively closing end, having received the end-of-file, calls close to close the connection. This causes its TCP to send a FIN as well and wait for the peer's ACK; it enters LAST_ACK. (The remote end has shut down, and the socket is closed. Waiting for acknowledgement.) Waiting for acknowledgment of the connection termination request previously sent to the remote TCP.
    • TIME_WAIT: after the actively closing end receives the FIN, its TCP sends an ACK and enters the TIME_WAIT state. (The socket is waiting after close to handle packets still in the network.) Waiting long enough to ensure that the remote TCP received the acknowledgment of its connection termination request.
    • CLOSING: relatively rare. (Both sockets are shut down but we still don't have all our data sent.) Waiting for the remote TCP to acknowledge the connection termination.
    • CLOSED: after the passively closing end receives the ACK, it enters the CLOSED state. The connection has ended. (The socket is not being used.) No connection state at all.
    • UNKNOWN: unknown socket state. (The state of the socket is unknown.)

Remark

  • SYN (Synchronize Sequence Numbers): this flag is valid only during the three-way handshake that establishes a TCP connection. It represents a new TCP connection request.
  • ACK (Acknowledgement Number): the acknowledgment flag for a TCP request; it also indicates that the peer system has successfully received all the data.
  • FIN (Finish, the end flag): used to end a TCP session, but the corresponding port remains open, ready to receive subsequent data.
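
The State, Recv-Q and Send-Q columns described above can be summarized in one pass instead of being read line by line. The script below is an added example, not part of the original article; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `netstat -ant` format (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp      129      0 0.0.0.0:8004            0.0.0.0:*               LISTEN
tcp        0      0 172.24.248.108:8004     192.168.202.31:57588    ESTABLISHED
tcp        0  20480 172.24.248.108:8004     192.168.202.38:32283    ESTABLISHED
tcp        0      0 172.24.248.108:8004     192.168.202.38:58923    TIME_WAIT
tcp        0      0 172.24.248.108:8004     192.168.202.40:40001    SYN_RECV
tcp        0      0 172.24.248.108:8004     192.168.202.41:40002    SYN_RECV
tcp6       0      0 :::8004                 :::*                    LISTEN
EOF
}

# state_summary (hypothetical helper): read netstat output on stdin and
# print "STATE count", highest count first. A growing SYN_RECV or
# CLOSE_WAIT count is usually the first thing worth looking into.
state_summary() {
    awk '$1 ~ /^tcp/ { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# queue_backlog (hypothetical helper): print every TCP socket whose
# Recv-Q or Send-Q is not 0, i.e. the accumulation the article describes.
queue_backlog() {
    awk '$1 ~ /^tcp/ && ($2 + 0 > 0 || $3 + 0 > 0) {
        printf "%s recvq=%s sendq=%s local=%s peer=%s\n", $6, $2, $3, $4, $5
    }'
}

# Stand-alone run on the constructed sample; on a live host use
# `netstat -ant | state_summary` and `netstat -ant | queue_backlog`.
sample_netstat | state_summary
sample_netstat | queue_backlog
```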

Common netstat commands

1. List all information

netstat -a
# n means hosts are shown as IP addresses rather than domain names
netstat -an

This command is most commonly used together with grep.

2. Display only listening port

netstat -l

3. Display PID and process name

netstat -anp

4. The status information is continuously output

netstat -anpc

5. Find the IP addresses with the most connections to a service port (top 20)

netstat -nat | grep "xx.xx.xx.xx:port" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20

Output

      4 192.168.202.38
      4 192.168.202.37
      4 192.168.202.36
      4 192.168.202.35
      3 192.168.202.34
      3 192.168.202.33
      3 192.168.202.32
      2 192.168.202.31
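
The one-liner in step 5 splits the peer address on its first colon, so tcp6 peers such as ::ffff:192.168.202.38:41000 are truncated or counted under an empty key. The variant below is an added example, not from the original article; it strips only the trailing port and matches the local port exactly. The function names and sample lines are constructed.

```shell
#!/bin/sh
# Constructed sample in `netstat -nat` format (not captured from a real host).
sample_conns() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address              Foreign Address            State
tcp        0      0 0.0.0.0:8004               0.0.0.0:*                  LISTEN
tcp        0      0 172.24.248.108:8004        192.168.202.38:32283       ESTABLISHED
tcp        0      0 172.24.248.108:8004        192.168.202.38:58923       TIME_WAIT
tcp        0      0 172.24.248.108:8004        192.168.202.31:57588       ESTABLISHED
tcp        0      0 172.24.248.108:18004       192.168.202.99:50000       ESTABLISHED
tcp6       0      0 ::ffff:172.24.248.108:8004 ::ffff:192.168.202.38:41000 ESTABLISHED
tcp6       0      0 2001:db8::10:8004          2001:db8::beef:41002       ESTABLISHED
EOF
}

# top_peers PORT [N] (hypothetical helper): read netstat output on stdin
# and print "count peer-ip" for connections to local PORT, top N (default 20).
top_peers() {
    port=$1
    limit=${2:-20}
    awk -v port="$port" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4
            sub(/^.*:/, "", lport)        # keep only the text after the last colon
            if (lport != port) next       # exact port match: 18004 is not 8004
            peer = $5
            sub(/:[^:]*$/, "", peer)      # drop the trailing :port, keep IPv6 colons
            sub(/^::ffff:/, "", peer)     # count IPv4-mapped IPv6 with plain IPv4
            n[peer]++
        }
        END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2 | head -n "$limit"
}

# Stand-alone run on the constructed sample; on a live host use
# `netstat -nat | top_peers 8004`.
sample_conns | top_peers 8004
```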

Origin www.cnblogs.com/54chensongxia/p/12144520.html