Brief introduction
The netstat command displays network-related information such as network connections, routing tables, interface statistics, masquerade connections and multicast memberships.
Meaning of output information
Running netstat produces output like this:

    [vagrant@centos6 ~]$ netstat|more
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State
    tcp        0      0 10.0.2.15:ssh               10.0.2.2:52091              ESTABLISHED
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  11     [ ]         DGRAM                    11021  /dev/log
    unix  2      [ ]         DGRAM                    11556  @/org/freedesktop/hal/udev_event
    unix  2      [ ]         DGRAM                    8986   @/org/kernel/udev/udevd
    unix  3      [ ]         STREAM     CONNECTED     17777
    unix  3      [ ]         STREAM     CONNECTED     17776
On the whole, the output result of netstat can be divided into two parts:
    OUTPUT
      Active Internet connections (TCP, UDP, raw)
        Proto   The protocol (tcp, udp, raw) used by the socket.
        Recv-Q  The count of bytes not copied by the user program connected to this socket.
        Send-Q  The count of bytes not acknowledged by the remote host.
The first part is Active Internet connections, the active TCP connections. Recv-Q and Send-Q are the receive queue and the send queue. These numbers should generally be 0. If they are not, packets are piling up in the queue, which is very rare.
      Active UNIX domain Sockets
        Proto   The protocol (usually unix) used by the socket.
        RefCnt  The reference count (i.e. attached processes via this socket).
        Flags   The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCEPTON is used on unconnected sockets if their corresponding processes are waiting for a connect request. The other flags are not of normal interest.
        Type    There are several types of socket access:
                SOCK_DGRAM   The socket is used in Datagram (connectionless) mode.
                SOCK_STREAM  This is a stream (connection) socket.
                SOCK_RAW     The socket is used as a raw socket.
The second part is Active UNIX domain sockets. These work like network sockets but can only be used for local communication, and the performance can be doubled.
Proto displays the protocol used by the connection, RefCnt indicates the number of processes attached to the socket, Type displays the type of socket, State displays the current state of the socket, and Path is the pathname used by other processes connected to the socket.
Common parameters
    -a (all)  Show all sockets; by default netstat does not show those in the LISTEN state
    -t (tcp)  Show only TCP-related entries
    -u (udp)  Show only UDP-related entries
    -n        Do not resolve names; show numeric values wherever possible (important)
    -l        List only sockets in the Listen state
    -p        Show the name of the program that owns each connection (on macOS, -p selects a protocol instead)
    -r        Display routing information (the routing table)
    -e        Display extended information, such as the uid
    -s        Show statistics for each protocol (important)
    -c        Re-run the netstat command at a fixed interval

Tip: sockets in the LISTEN or LISTENING state are only shown with -a or -l.
Practical command instance
1. List all ports (including listening and not listening)
    List all ports:      netstat -a
    List all TCP ports:  netstat -at
    List all UDP ports:  netstat -au
2. List all Sockets in listening status
    Show only listening ports:        netstat -l
    List only listening TCP ports:    netstat -lt
    List only listening UDP ports:    netstat -lu
    List only listening UNIX sockets: netstat -lx
3. Display statistics for each protocol
Display statistics for all ports: netstat -s

    [vagrant@centos6 ~]$ netstat -s
    Ip:
        2081 total packets received
        2 with invalid addresses
        0 forwarded
        0 incoming packets discarded
        2079 incoming packets delivered
        1319 requests sent out
    Icmp:
        0 ICMP messages received
        0 input ICMP message failed.
        ICMP input histogram:
        0 ICMP messages sent
        0 ICMP messages failed
        ICMP output histogram:
    Tcp:
        0 active connections openings
        3 passive connection openings
        0 failed connection attempts
        0 connection resets received
        1 connections established
        1957 segments received
        1103 segments send out
        0 segments retransmited
        0 bad segments received.
        1 resets sent
    Udp:
        122 packets received
        0 packets to unknown port received.
        0 packet receive errors
        216 packets sent
    UdpLite:
    TcpExt:
        9 delayed acks sent
        1 packets directly queued to recvmsg prequeue.
        730 packets header predicted
        5 acknowledgments not containing data received
        1036 predicted acknowledgments
        0 TCP data loss events
    IpExt:
        InOctets: 146500
        OutOctets: 132340

Display statistics for TCP or UDP ports only: netstat -st or netstat -su

    # netstat -st
    # netstat -su
4. Display PID and process name
netstat -p can be used with other switches to add "PID / process name" to the output of netstat, so that the programs running on a specific port can be easily found during debugging.
    [root@centos6 ~]# netstat -pt
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
    tcp        0      0 10.0.2.15:ssh               10.0.2.2:52964              ESTABLISHED 3008/sshd
    tcp        0      0 10.0.2.15:ssh               10.0.2.2:52091              ESTABLISHED 2813/sshd
5. Do not display host, port or user names
When you don't want host, port and user names to appear, use netstat -n. Numbers are shown instead of the names. This option also speeds up the output because no name lookups are needed.

    # netstat -an

    # If you want only one of these three kinds of name to be shown numerically, use one of the following commands
    # netstat -a --numeric-ports
    # netstat -a --numeric-hosts
    # netstat -a --numeric-users
6. Continuously output netstat information
netstat will output network information every second.
# netstat -t -c 2
7. Display address families not supported by the system
netstat --verbose
8. Display kernel routing information

    [root@centos6 ~]# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
    0.0.0.0         10.0.2.2        0.0.0.0         UG        0 0          0 eth0

Note: netstat -rn displays addresses in numeric form without looking up host names. The effect is equivalent to route -n.
9. Find out the port where the program runs
Not every process can be identified: sockets owned by processes you do not have permission to inspect are shown without a process name. Run the command as root to see all the information.

    [root@centos6 ~]# netstat -apn | grep ssh
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1438/sshd
    tcp        0      0 10.0.2.15:22                10.0.2.2:52964              ESTABLISHED 3008/sshd
    tcp        0      0 10.0.2.15:22                10.0.2.2:52091              ESTABLISHED 2813/sshd
    tcp        0      0 :::22                       :::*                        LISTEN      1438/sshd
    unix  3      [ ]         STREAM     CONNECTED     18443  3008/sshd
    unix  3      [ ]         STREAM     CONNECTED     18442  3011/sshd
    unix  2      [ ]         DGRAM                    18439  3008/sshd
    unix  3      [ ]         STREAM     CONNECTED     17777  2813/sshd
    unix  3      [ ]         STREAM     CONNECTED     17776  2816/sshd
    unix  2      [ ]         DGRAM                    17773  2813/sshd
Find the process running on the specified port
    [root@centos6 ~]# netstat -an | grep ':22'
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
    tcp        0      0 10.0.2.15:22                10.0.2.2:52964              ESTABLISHED
    tcp        0      0 10.0.2.15:22                10.0.2.2:52091              ESTABLISHED
    tcp        0      0 :::22                       :::*                        LISTEN
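The listening-socket and PID options above combine into a quick exposure check: which TCP listeners are reachable from other hosts, and which program owns each. This is an added example, not part of the original article; the function names and the sample `netstat -lntp` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntp` output (not captured from a real host).
# A "-" in the last column is what netstat prints when the caller lacks
# permission to see the owning process.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State    PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN   1438/sshd
tcp        0      0 127.0.0.1:25       0.0.0.0:*          LISTEN   1520/master
tcp        0      0 127.0.0.1:3306     0.0.0.0:*          LISTEN   1702/mysqld
tcp        0      0 10.0.2.15:8080     0.0.0.0:*          LISTEN   -
tcp        0      0 :::22              :::*               LISTEN   1438/sshd
tcp        0      0 ::1:25             :::*               LISTEN   1520/master
EOF
}

# exposed_listeners: read `netstat -lntp` output on stdin and print
# "port address scope program" for every TCP listener not bound to loopback.
exposed_listeners() {
    awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)     # drop the trailing :port (works for IPv6 too)
            sub(/^.*:/, "", port)        # keep only the port
            if (addr ~ /^127\./ || addr == "::1") next   # loopback: local use only
            scope = (addr == "0.0.0.0" || addr == "::") ? "all-interfaces" : "single-address"
            prog = ($7 == "-" || $7 == "") ? "unknown(need-root)" : $7
            print port, addr, scope, prog
        }' | sort -k1,1n -k2,2
}

# Demonstration on the constructed sample.
sample_listeners | exposed_listeners
```

On a live host, run `netstat -lntp | exposed_listeners` as root so the program column is filled in.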
10. Display the list of network interfaces
    [root@centos6 ~]# netstat -i
    Kernel Interface table
    Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0       1500   0    12125      0      0      0     5474      0      0      0 BMRU
    lo        65536   0        0      0      0      0        0      0      0      0 LRU

    [root@centos6 ~]# netstat -ie
    Kernel Interface table
    eth0      Link encap:Ethernet  HWaddr 52:54:00:5D:A4:AF
              inet addr:10.0.2.15  Bcast:10.0.2.255  Mask:255.255.255.0
              inet6 addr: fe80::5054:ff:fe5d:a4af/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:12131 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5477 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:7474852 (7.1 MiB)  TX bytes:580343 (566.7 KiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
11. IP and TCP analysis
View the list of IP addresses / TCP statuses with the most connections to a service port:
http://www.cnblogs.com/echo1937/p/6646208.html
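One way to produce those two lists from `netstat -ant` output, as an added example that is not taken from the original article or the linked page. The function names are hypothetical, and the sample output is constructed using documentation-range addresses.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address       State
tcp        0      0 0.0.0.0:80         0.0.0.0:*             LISTEN
tcp        0      0 10.0.2.15:80       192.0.2.10:40112      ESTABLISHED
tcp        0      0 10.0.2.15:80       192.0.2.10:40113      ESTABLISHED
tcp        0      0 10.0.2.15:80       192.0.2.10:40114      TIME_WAIT
tcp        0      0 10.0.2.15:80       198.51.100.7:51500    SYN_RECV
tcp        0      0 10.0.2.15:80       198.51.100.7:51501    SYN_RECV
tcp        0      0 10.0.2.15:80       203.0.113.5:33000     ESTABLISHED
tcp        0      0 10.0.2.15:22       10.0.2.2:52091        ESTABLISHED
tcp        0      0 10.0.2.15:8080     192.0.2.10:40200      ESTABLISHED
tcp        0      0 :::80              :::*                  LISTEN
EOF
}

# conns_by_ip PORT: connections per remote IP to local PORT, busiest first.
conns_by_ip() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            n = split($4, l, ":")            # last piece is the port, also for IPv6
            if (l[n] != port) next           # exact match: 80 must not match 8080
            ip = $5; sub(/:[^:]*$/, "", ip)  # strip the remote :port
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -k1,1nr -k2,2
}

# conns_by_state PORT: sockets per TCP state on local PORT, most common first.
conns_by_state() {
    awk -v port="$1" '
        $1 ~ /^tcp/ {
            n = split($4, l, ":")
            if (l[n] == port) count[$6]++
        }
        END { for (s in count) print count[s], s }' | sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample.
sample_netstat | conns_by_ip 80
sample_netstat | conns_by_state 80
```

On a live host, pipe `netstat -ant` into either function. A SYN_RECV or TIME_WAIT count far above ESTABLISHED, or one remote address holding most of the connections, is worth a closer look.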
Reproduced from the original text: https://www.cnblogs.com/echo1937/p/6677325.html