netstat command of Linux

[quick reference manual of Linux common commands] pay attention to [entry station], and the background replies to "1001" for self access.

The netstat command is used to display statistics related to IP, TCP, UDP and ICMP protocols. It is generally used to check the network connection of each port of the machine. Netstat is a program that accesses the network and related information in the kernel. It can provide reports on TCP connection, TCP and UDP monitoring, and process memory management.

Detailed explanation of TCP connection status

  • LISTEN: LISTEN for connection requests from remote TCP ports
  • SYN-SENT: wait for the matching connection request after sending the connection request again
  • SYN-RECEIVED: wait for the other party's confirmation of the connection request after receiving and sending another connection request
  • ESTABLISHED: represents an open connection
  • FIN-WAIT-1: wait for the remote TCP connection interruption request or the confirmation of the previous connection interruption request
  • FIN-WAIT-2: wait for connection interruption request from remote TCP
  • CLOSE-WAIT: wait for the connection interruption request from the local user
  • CLOSING: wait for the remote TCP to confirm the connection interruption
  • LAST-ACK: wait for the confirmation of the original connection interruption request sent to the remote TCP
  • TIME-WAIT: wait enough time to ensure that the remote TCP receives the confirmation of the connection interruption request
  • CLOSED: no connection status

Command format

Netstat (option)

Command options

  • -a or – all: displays the sockets in all connections;
  • -A < network type > or – < network type >: list the relevant addresses in the connection of the network type;
  • -c or – continuous: continuously list the network status;
  • -C ache or cache configuration information of router;
  • -e or – extend: display other network related information;
  • -F or – FIB: display FIB;
  • -g or – groups: display the list of members of multiple broadcast function groups;
  • -h or – help: online help;
  • -i or – interfaces: displays the network interface information form;
  • -l or – listening: displays the Socket of the server under monitoring;
  • -M or – masquerade: display the camouflaged network connection;
  • -n or – numeric: directly use the ip address instead of the domain name server;
  • -N or – netlink or – symbolic: displays the symbolic connection name of the network hardware peripheral;
  • -o or – timers: display the timer;
  • -p or - programs: displays the program ID and program name of the Socket being used;
  • -r or – route: displays the Routing Table;
  • -s or – statistics: displays the statistical table of network work information;
  • -t or – TCP: displays the connection status of TCP transmission protocol;
  • -u or – UDP: displays the connection status of UDP transmission protocol;
  • -v or – verbose: display the instruction execution process;
  • -V or – version: display version information;
  • -w or – raw: displays the connection status of raw transmission protocol;
  • -x or – unix: the effect of this parameter is the same as that of specifying "- A unix" parameter;
  • – ip or – inet: this parameter has the same effect as specifying "- A inet" parameter.

List all ports (including TCP and UDP)

> netstat -a

List all TCP ports

> netstat -at

List all UDP ports

> netstat -au

List all Sockets in listening status

> netstat -l

Only all listening tcp ports are listed

> netstat -lt

Only all listening udp ports are listed

> netstat -lu

List all listening UNIX ports only

> netstat -lx

Displays statistics for all ports

> netstat -s
Ip:
    1007495197 total packets received
    0 forwarded
    582 with unknown protocol
    0 incoming packets discarded
    1007422115 incoming packets delivered
Icmp:
    66583265 ICMP messages received
    63899 input ICMP message failed.
    InCsumErrors: 384
    ICMP input histogram:
        destination unreachable: 115410
        timeout in transit: 12840
        source quenches: 11
        redirects: 563
        echo requests: 66453453
        echo replies: 152
        timestamp request: 438
        address mask request: 4
    66987000 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 533106
        echo request: 4
        echo replies: 66453453
        timestamp replies: 437
IcmpMsg:
        InType0: 152
        InType3: 115410
        InType4: 11
        InType5: 563

IpExt:
    InNoRoutes: 15
    InMcastPkts: 1291307
    InOctets: 211446050816
    OutOctets: 481070069194

Displays TCP Port Statistics

> netstat -st
IcmpMsg:
    InType0: 152
    InType3: 115410
    InType4: 11
    InType5: 563
    InType8: 66453492
Tcp:
    55437641 active connections openings
    35899081 passive connection openings
    552243 failed connection attempts
    753118 connection resets received
    7 connections established
UdpLite:
TcpExt:
    162052 SYN cookies sent
    621 SYN cookies received
    4998179 invalid SYN cookies received
    551915 resets received for embryonic SYN_RECV sockets
IpExt:
    InNoRoutes: 15
    InMcastPkts: 1291308
    InOctets: 211446303015
    OutOctets: 481070459735
    InMcastOctets: 46487088

Displays statistics for UDP ports

> netstat -su
IcmpMsg:
    InType0: 152
    InType3: 115410
    InType4: 11
    InType5: 563
    InType8: 66453594
    InType11: 12840
    InType13: 438
    InType17: 4
    InType37: 3
    InType165: 7
    OutType0: 66453594
    OutType3: 533106
    OutType8: 4
    OutType14: 437
Udp:
    17941589 packets received
    637146 packets to unknown port received.
    1649 packet receive errors
    17977050 packets sent
    0 receive buffer errors
    0 send buffer errors
    InCsumErrors: 1640
UdpLite:
IpExt:
    InNoRoutes: 15
    InMcastPkts: 1291310
    InOctets: 211446802283
    OutOctets: 481071405083
    InMcastOctets: 46487160
    InNoECTPkts: 1009629627
    InECT1Pkts: 9955
    InECT0Pkts: 1987096
    InCEPkts: 94039

Display PID and process name in netstat output

> netstat -pt

Host, port or user are not displayed in netstat output

> netstat -an

Continuously output netstat information

Output network information every second

> netstat -c

Display core routing information

> netstat -r

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         gateway         0.0.0.0         UG        0 0          0 eth0
link-local      0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0

Use netstat -rn to display the number format without querying the host name.

> netstat -rn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.16.0.1      0.0.0.0         UG        0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
172.16.0.0      0.0.0.0         255.255.240.0   U         0 0          0 eth0

Find the port where the program runs

> netstat -tunlp | grep ssh

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4400/sshd

Find the process running on the specified port

> netstat -an | grep ":80"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.16.0.9:80           185.191.171.12:9380     TIME_WAIT
tcp        0      0 172.16.0.9:80           185.191.171.26:52418    TIME_WAIT
tcp        0   3450 172.16.0.9:80           185.191.171.37:25108    FIN_WAIT1
tcp        0      0 172.16.0.9:80           185.191.171.37:55096    TIME_WAIT
tcp        0      0 172.16.0.9:80           144.76.176.171:27832    TIME_WAIT
tcp        0      0 172.16.0.9:80           118.126.124.7:11127     TIME_WAIT
tcp        0      0 172.16.0.9:46628        169.254.0.55:8080       TIME_WAIT
tcp        0      0 172.16.0.9:80           144.76.176.171:23812    ESTABLISHED

Find process ID through port

> netstat -tunlp | grep 80 | awk '{print $7}' | cut -d/ -f1
21323

Displays a list of network interfaces

> netstat -i
Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0          1500        0      0      0 0             0      0      0      0 BMU
eth0             1450 462305568      0      0 0      276046945      0      0      0 BMRU
lo              65536  7204971      0      0 0       7204971      0      0      0 LRU
vpn_abi          1500 229612389      0 1023383 0      146640133      0    956      0 BMRU

Statistics of TCP status list

> netstat -n | awk '/^tcp/{++S[$NF]}END{for(i in S) print i,S[i]}'
ESTABLISHED 7
FIN_WAIT2 13
TIME_WAIT 18

Original link: https://rumenz.com/rumenbiji/linux-netstat.html
WeChat official account: entry station

[quick reference manual of Linux common commands] pay attention to [entry station], and the background replies to "1001" for self access.

Keywords: Linux

Added by shadiadiph on Wed, 09 Mar 2022 11:01:51 +0200