
Some common usages of the netstat command under Linux

Introduction

The netstat command displays network-related information such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Meaning of output information

After executing netstat, the output looks like this:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 2 210.34.6.89:telnet 210.34.6.96:2873 ESTABLISHED
tcp 296 0 210.34.6.89:1165 210.34.6.84:netbios-ssn ESTABLISHED
tcp 0 0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp 0 0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp 0 80 210.34.6.89:1161 210.34.6.10:netbios-ssn CLOSE
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 1 [ ] STREAM CONNECTED 16178 @000000dd
unix 1 [ ] STREAM CONNECTED 16176 @000000dc
unix 9 [ ] DGRAM 5292 /dev/log
unix 1 [ ] STREAM CONNECTED 16182 @000000df

Overall, the output of netstat can be divided into two parts:

One is Active Internet connections, also called active TCP connections, where "Recv-Q" and "Send-Q" refer to the receive queue and the send queue. These numbers should generally be 0. If they are not, packets are piling up in the queue. This is seen only in very few cases.

The other is Active UNIX domain sockets (like network sockets, but usable only for local communication, and performance can be doubled).

Proto shows the protocol used by the socket, RefCnt is the number of processes attached to the socket, Type shows the type of the socket, State shows the current state of the socket, and Path is the pathname other processes use to connect to the socket.

Common parameters

-a (all) Display all sockets; by default, sockets in the LISTEN state are not shown
-t (tcp) Only display TCP sockets
-u (udp) Only display UDP sockets
-n Do not resolve names; show everything that can be shown as a number in numeric form
-l Only list sockets that are in the LISTEN state
-p Display the PID and program name that owns each socket
-r Display routing information (the routing table)
-e Display extended information, such as the uid
-s Display statistics by protocol
-c Repeat the netstat output at a fixed time interval

Hint: Sockets in the LISTEN and LISTENING states are shown only with -a or -l.

Practical command examples 

1. List all ports (including listening and non-listening)

  List all ports netstat -a

# netstat -a | more
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 tcp  0 0 localhost:30037   *:*      LISTEN
 udp  0  0 *:bootpc    *:*
Active UNIX domain sockets (servers and established)
 Proto RefCnt Flags  Type  State   I-Node Path
 unix 2  [ ACC ]  STREAM  LISTENING  6135  /tmp/.X11-unix/X0
 unix 2  [ ACC ]  STREAM  LISTENING  5140  /var/run/acpid.socket

  List all tcp ports netstat -at

# netstat -at
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 tcp  0 0 localhost:30037   *:*      LISTEN
 tcp  0 0 localhost:ipp   *:*      LISTEN
 tcp  0  0 *:smtp     *:*      LISTEN
 tcp6  0  0 localhost:ipp   [::]:*     LISTEN

  List all udp ports netstat -au

# netstat -au
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 udp  0  0 *:bootpc    *:*
 udp  0  0 *:49119     *:*
 udp  0  0 *:mdns     *:*

2. List all sockets in listening state

  List only listening ports netstat -l

# netstat -l
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 tcp  0 0 localhost:ipp   *:*      LISTEN
 tcp6  0  0 localhost:ipp   [::]:*     LISTEN
 udp  0  0 *:49119     *:*

  List all listening tcp ports netstat -lt

# netstat -lt
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 tcp  0 0 localhost:30037   *:*      LISTEN
 tcp  0  0 *:smtp     *:*      LISTEN
 tcp6  0  0 localhost:ipp   [::]:*     LISTEN

  List all listening udp ports netstat -lu

# netstat -lu
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 udp  0  0 *:49119     *:*
 udp  0  0 *:mdns     *:*

  List all listening UNIX ports netstat -lx

# netstat -lx
 Active UNIX domain sockets (only servers)
 Proto RefCnt Flags  Type  State   I-Node Path
 unix 2  [ ACC ]  STREAM  LISTENING  6294  private/maildrop
 unix 2  [ ACC ]  STREAM  LISTENING  6203  public/cleanup
 unix 2  [ ACC ]  STREAM  LISTENING  6302  private/ifmail
 unix 2  [ ACC ]  STREAM  LISTENING  6306  private/bsmtp

3. Display statistics for each protocol

  Display all port statistics netstat -s

# netstat -s
 Ip:
 11150 total packets received
 1 with invalid addresses
 0 forwarded
 0 incoming packets discarded
 11149 incoming packets delivered
 11635 requests sent out
 Icmp:
 0 ICMP messages received
 0 input ICMP message failed.
 Tcp:
 582 active connections openings
 2 failed connection attempts
 25 connection resets received
 Udp:
 1183 packets received
 4 packets to unknown port received.
 .....

  Display statistics of TCP or UDP ports netstat -st or -su

# netstat -st 
# netstat -su

4. Show PID and process name in netstat output -p

netstat -p can be used with other switches to add “PID/Process name” to the netstat output, so it is very convenient to find the program running on a specific port during debugging.

# netstat -pt
 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State  PID/Program name
 tcp  1  0 ramesh-laptop.loc:47212 192.168.185.75:www  CLOSE_WAIT 2109/firefox
 tcp  0  0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox

5. Do not resolve host, port, or user names in netstat output

When you don't want to display the host, port, and username, use netstat -n. It will use numbers to replace those names.

It can also speed up the output because netstat does not need to perform name lookups.

# netstat -an

If you don't want one of these three names to be displayed, use the following command

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Continuously output netstat information

With -c, netstat outputs network information every second.

# netstat -c
 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address   Foreign Address   State
 tcp  0  0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
 tcp  1  1 ramesh-laptop.loc:52564 101.11.169.230:www  CLOSING
 tcp  0  0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
 tcp  1  1 ramesh-laptop.loc:42367 101.101.34.101:www  CLOSING
 ^C

7. Show the address families that the system does not support

netstat --verbose

At the end of the output, there will be information like the following

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Display kernel routing information netstat -r

# netstat -r
 Kernel IP routing table
 Destination  Gateway   Genmask   Flags MSS Window irtt Iface
 192.168.1.0  *    255.255.255.0 U   0 0   0 eth2
 link-local  *    255.255.0.0  U   0 0   0 eth2
 default   192.168.1.1  0.0.0.0   UG  0 0   0 eth2

Note: Use netstat -rn to display the table in numeric format without looking up host names.

9. Find out the port where the program is running

Not all processes can be found: those you have no permission to see are not displayed. Use root privileges to view all information.

# netstat -ap | grep ssh
 tcp  1  0 dev-db:ssh   101.174.100.22:39213  CLOSE_WAIT -
 tcp  1  0 dev-db:ssh   101.174.100.22:57643  CLOSE_WAIT -

Find out the process running on the specified port (-p adds the PID/Program name column)

# netstat -anp | grep ':80'
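
An added example, not from the original article, that builds on -l and -p as used in sections 2, 4 and 9: it classifies each TCP listener in netstat -lntp output by bind scope (all interfaces, loopback only, or one address) and shows the owning program. The function names and the sample output are constructed for illustration.

```shell
# Constructed sample of `netstat -lntp` output (not from the original page).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      955/postgres
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      640/cupsd
EOF
}

# Print "scope port owner" for every TCP listener (hypothetical helper).
#   scope "all"   = wildcard bind (0.0.0.0 or ::), reachable on every interface
#   scope "local" = loopback only
#   scope "addr"  = bound to one specific address
# An owner of "-" means netstat could not identify the owning process.
listener_scope() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)      # strip ":port", keeps IPv6 intact
        sub(/.*:/, "", port)          # text after the last colon
        scope = "addr"
        if (addr == "0.0.0.0" || addr == "::") scope = "all"
        else if (addr ~ /^127\./ || addr == "::1") scope = "local"
        owner = ($7 == "" ? "-" : $7)
        sub(/^[0-9]+\//, "", owner)   # drop the PID, keep the program name
        print scope, port, owner
    }' | sort -u
}

# Ports reachable on every interface, for comparison against an allowlist.
exposed_ports() { listener_scope | awk '$1 == "all" { print $2 }' | sort -un; }

# Demo on the constructed sample.
sample_listeners | listener_scope
```

On a live host, run it as root so the owner column is filled in: netstat -lntp | listener_scope.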

10. Display network interface list

# netstat -i
 Kernel Interface table
 Iface  MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
 eth0    1500 0     0   0   0 0       0   0   0   0 BMU
 eth2    1500 0   26196   0   0 0     26883   6   0   0 BMRU
 lo    16436 0     4   0   0 0       4   0   0   0 LRU

Display detailed information, similar to ifconfig using netstat -ie:

# netstat -ie
 Kernel Interface table
 eth0   Link encap:Ethernet HWaddr 00:10:40:11:11:11
 UP BROADCAST MULTICAST MTU:1500 Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
 Memory:f6ae0000-f6b00000

11. IP and TCP analysis

  View the IP address with the most connections to a service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

  List of various TCP states

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT

  First extract all the states, then sort them and count each one with uniq -c.

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)

  The final command is as follows:

netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

  Analyze access.log to obtain the top 10 IP addresses by number of requests

awk '{print $1}' access.log |sort|uniq -c|sort -nr|head -10

The above-mentioned are some common usages of the netstat command under Linux introduced by the editor, hoping it will be helpful to everyone!
