Introduction to netstat, a tool for monitoring TCP/IP networks

Description

The netstat command is a very useful tool for monitoring a TCP/IP network. It can display the routing table, the active network connections, status information for each network interface, and statistics for the IP, TCP, UDP and ICMP protocols. It is generally used to check which ports on the local machine have connections and to analyze network problems, and it is very convenient.

Usage

#netstat -h
usage: netstat [-vWeenNcCF] [<Af>] -r
       netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
        -Z, --context            display SELinux security context for sockets

  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)

Usage example

netstat -anpt
-a shows all sockets, listening as well as connected
-n shows numeric IP addresses and ports instead of resolving them through the domain name server
-p shows the PID and name of the program that owns each socket
-t shows only TCP connections

#netstat -anpt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10050           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6012          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -

Interpreting the output
Proto: protocol name (tcp or udp)
Recv-Q: receive queue
Send-Q: send queue
Local Address: local IP address and port
Foreign Address: peer IP address and port
State: connection state
PID/Program name: PID and name of the owning process

Recv-Q and Send-Q can be used to analyze how packets are being received and sent; under normal conditions both should be zero.
Combined with grep, you can view the network status of a particular process, for example netstat -anpt | grep test.
The TCP states and their meanings are listed below; the text in /* ... */ is quoted from the netstat manual page and the TCP specification (RFC 793).

LISTEN: first, the server must open a socket and call listen on it; the socket is then in the LISTEN state. /* The socket is listening for incoming connections. Waiting for a connection request from any remote TCP and port. */

SYN_SENT: the client application calls connect to perform an active open; the client's TCP sends a SYN to request a connection and then enters SYN_SENT. /* The socket is actively attempting to establish a connection. Waiting for a matching connection request after having sent a connection request. */

SYN_RECV: the server sends an ACK to acknowledge the client's SYN together with its own SYN, and then enters SYN_RECV. /* A connection request has been received from the network. Waiting for a confirming connection request acknowledgment after having both received and sent a connection request. */

ESTABLISHED: an open connection; both parties can exchange data, or are already doing so. /* The socket has an established connection. An open connection; data received can be delivered to the user. */

FIN_WAIT1: the application on the actively closing end calls close, so its TCP sends a FIN to close the connection and enters FIN_WAIT1. /* The socket is closed, and the connection is shutting down. Waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent. */

FIN_WAIT2: once the actively closing end receives the ACK for its FIN, it enters FIN_WAIT2. /* Connection is closed, and the socket is waiting for a shutdown from the remote end. Waiting for a connection termination request from the remote TCP. */

CLOSE_WAIT: when the passively closing end receives the FIN, its TCP sends an ACK in response (the FIN is also passed up to the application as an end-of-file indication) and enters CLOSE_WAIT. /* The remote end has shut down, waiting for the socket to close. Waiting for a connection termination request from the local user. */

LAST_ACK: some time later, the application on the passively closing end, having received the end-of-file indication, calls close to close the connection. Its TCP then also sends a FIN, waits for the other side's ACK, and enters LAST_ACK. /* The remote end has shut down, and the socket is closed. Waiting for acknowledgement. Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP. */

TIME_WAIT: when the actively closing end receives the FIN, its TCP sends an ACK and enters TIME_WAIT. /* The socket is waiting after close to handle packets still in the network. Waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. */

CLOSING: relatively rare. /* Both sockets are shut down but we still don't have all our data sent. Waiting for a connection termination request acknowledgment from the remote TCP. */

CLOSED: the passively closing end enters CLOSED after receiving the ACK; the connection is finished. /* The socket is not being used. No connection state at all. */

UNKNOWN: unknown socket state. /* The state of the socket is unknown. */
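To put the netstat -anpt usage and the state list above into practice, here is an added example (not part of the original article) that runs a few defender-side checks over a netstat -anpt listing: it counts sockets per state, lists listening sockets bound to all interfaces (the services reachable from the network), flags non-listening sockets whose Recv-Q or Send-Q is not zero, and groups CLOSE_WAIT sockets by owning program, since a growing CLOSE_WAIT count usually means an application is not closing sockets whose peer has already finished. The SAMPLE listing, its addresses and its PID/program names are constructed for the example; on a real host replace SAMPLE with the output of netstat -anpt run as root so that every PID/Program name is filled in.

```shell
#!/bin/sh
# Added example: defender-side checks over netstat -anpt output (not from the article).
# SAMPLE is a constructed listing in the format shown above; on a real host use
#   SAMPLE=$(netstat -anpt 2>/dev/null)
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:8080           10.0.0.7:40001          CLOSE_WAIT  2201/java
tcp        0      0 10.0.0.5:8080           10.0.0.7:40002          CLOSE_WAIT  2201/java
tcp        0      0 10.0.0.5:8080           10.0.0.7:40003          CLOSE_WAIT  2201/java
tcp      164      0 10.0.0.5:8080           10.0.0.8:40010          ESTABLISHED 2201/java
tcp        0      0 10.0.0.5:33456          198.51.100.20:443       TIME_WAIT   -
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd'

# Rows that describe a TCP socket: the Proto column is "tcp" or "tcp6".
# The two header lines ("Active ...", "Proto ...") fail the same test and are dropped.
tcp_rows() {
    printf '%s\n' "$1" | awk '$1 == "tcp" || $1 == "tcp6"'
}

# Number of sockets in each TCP state, one "STATE count" line per state.
state_summary() {
    tcp_rows "$1" | awk '{ n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Listening sockets bound to every interface (0.0.0.0, :: or *), i.e. the
# services reachable from the network, with the owning program when known.
exposed_listeners() {
    tcp_rows "$1" | awk '$6 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") print $4, $7
    }'
}

# Connected sockets with data sitting in the kernel queues. LISTEN rows are
# excluded because for them Recv-Q shows the pending-connection backlog, not data.
queued_sockets() {
    tcp_rows "$1" | awk '$6 != "LISTEN" && ($2 > 0 || $3 > 0) {
        print $4, $5, $6, "recv=" $2, "send=" $3
    }'
}

# CLOSE_WAIT sockets per program, largest count first: the peer has sent FIN
# and the local application has not yet called close(), so a growing count
# points at a socket leak in that program.
close_wait_by_program() {
    tcp_rows "$1" | awk '$6 == "CLOSE_WAIT" { n[$7]++ } END { for (p in n) print p, n[p] }' \
        | sort -k2,2nr
}

echo '== sockets per state =='; state_summary "$SAMPLE"
echo '== listening on all interfaces =='; exposed_listeners "$SAMPLE"
echo '== non-empty queues =='; queued_sockets "$SAMPLE"
echo '== CLOSE_WAIT per program =='; close_wait_by_program "$SAMPLE"
```

The checks rely only on awk and sort, so the script works on a minimal system; the column positions assume the -anpt layout shown in the article, which is why UDP rows (which have no State column) are not considered.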

Keywords: Linux network Ubuntu IoT TCP/IP

Added by bluemonster on Tue, 04 Jan 2022 07:26:32 +0200