What are the netstat commands under the Linux system

2025-04-11 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

This article covers the netstat command on Linux: what its output means, its common options, the TCP connection states it reports, and the invocations used most often in practice.

I. Introduction

Netstat is a console command and a very useful tool for monitoring TCP/IP networks. It can display the routing table, the actual network connections, and the status information of each network interface device.

Netstat is used to display statistics related to IP, TCP, UDP and ICMP protocols, and is generally used to verify the network connectivity of each port of the machine.

II. Description of output information

The output after executing netstat is as follows:

[root@sy-suz-srv51 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address          State
tcp        0      0 k8sdev.sui:sun-sr-https  k8sdev.suiyi.com.:34880  SYN_RECV
tcp        0      0 k8sdev.suiyi.com.c:2379  10.1.62.21:47910         ESTABLISHED
tcp        0      0 k8sdev.suiyi.com.c:2379  k8sdev.suiyi.com:37790   ESTABLISHED
tcp        0      0 sy-suz-srv:pcsync-https  10.1.62.162:49200        ESTABLISHED
tcp        0      0 k8sdev.suiyi.com.:52866  k8sdev.sui:sun-sr-https  ESTABLISHED
tcp        0      0 k8sdev.suiyi.com.:37728  k8sdev.suiyi.com.c:2379  ESTABLISHED
tcp        0      0 k8sdev.sui:sun-sr-https  k8sdev.suiyi.com.:52852  ESTABLISHED
tcp        0      0 k8sdev.sui:sun-sr-https  10.1.62.162:32841        ESTABLISHED
tcp        0      0 sy-suz-srv:pcsync-https  sy-suz-srv51:60094       ESTABLISHED
tcp        0      0 localhost:webcache       localhost:40136          ESTABLISHED
tcp        0      0 k8sdev.suiyi.com.:35466  10.1.62.21:sun-sr-https  ESTABLISHED
tcp        0      0 k8sdev.suiyi.com.:34358  10.1.62.21:sun-sr-https  ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags  Type    State      I-Node     Path
unix  3      [ ]    DGRAM              18442      /run/systemd/notify
unix  2      [ ]    DGRAM              18444      /run/systemd/cgroups-agent
unix  2      [ ]    DGRAM              23822      /var/run/chrony/chronyd.sock
unix  8      [ ]    DGRAM              18455      /run/systemd/journal/socket
unix  18     [ ]    DGRAM              18457      /dev/log
unix  2      [ ]    DGRAM              14151      /var/run/nscd/socket
unix  2      [ ]    DGRAM              584        /run/systemd/shutdownd
unix  3      [ ]    STREAM  CONNECTED  124439388  /run/dbus/system_bus_socket
unix  3      [ ]    STREAM  CONNECTED  42312      /run/systemd/journal/stdout
unix  3      [ ]    STREAM  CONNECTED  39909
unix  3      [ ]    STREAM  CONNECTED  21675
unix  3      [ ]    STREAM  CONNECTED  47538
unix  3      [ ]    STREAM  CONNECTED  124585242  /var/run/docker/containerd/docker-containerd.sock
unix  3      [ ]    STREAM  CONNECTED  21658
unix  2      [ ]    STREAM  CONNECTED  30160
unix  3      [ ]    STREAM  CONNECTED  33750      /run/systemd/journal/stdout
unix  3      [ ]    STREAM  CONNECTED  124614293  @/containerd-shim/moby/c44e49ee0f86d8a4109afb176701795c64f44655abb1861275bbd3b2a9f76394/shim.sock
unix  3      [ ]    STREAM  CONNECTED  124609611  @/containerd-shim/moby/a736ba153c07f0bbf099ae1a1069530e35bfa28ae93f8f235d6c35a6c5ed9ce7/shim.sock
unix  3      [ ]    STREAM  CONNECTED  124601653  @/containerd-shim/moby/20d3fd59d03455d45b1da2636fca25d0edd79dac1947c17045a797eb8506157c/shim.sock

The output of netstat can be divided into two parts.

1. Active Internet connections: the active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers should generally be zero; if they are not, packets are piling up in the queue. This is seen only in very rare cases.

2. Active UNIX domain sockets: the active Unix domain sockets (the same as network sockets, but usable only for local communication; performance can be doubled).

Column name explanation:

Proto: displays the protocol used by the connection.

RefCnt: the number of processes connected to this socket.

Type: displays the type of socket.

State: displays the current state of the socket.

Path: represents the pathname used by other processes connected to the socket.

III. Common parameters of netstat

-a (all) shows all sockets; LISTEN-related entries are not displayed by default.

-t (tcp) displays only tcp-related entries.

-u (udp) displays only udp-related entries.

-n does not resolve aliases; everything that can be shown as a number is shown as a number.

-l lists only the services in the LISTEN (listening) state.

-p displays the name of the program that established the connection.

-r displays routing information (the routing table).

-e displays extended information, such as the uid.

-s displays statistics for each protocol.

-c runs the netstat command repeatedly at a fixed interval.

The LISTEN and LISTENING states can only be seen with -an or -l.

IV. Detailed explanation of netstat network status

A normal TCP connection has three stages: 1. the TCP three-way handshake; 2. data transfer; 3. the TCP four-way close (four "waves").

As shown in the figure:

SYN: (Synchronize Sequence Numbers) this flag is valid only while the three-way handshake is establishing a TCP connection. It represents a new TCP connection request.

ACK: (Acknowledgement Number) the acknowledgement flag for a TCP request; it indicates that the peer system has successfully received all the data.

FIN: (FINish) the end flag, used to end a TCP session. The corresponding port is still open, however, and ready to receive subsequent data.

LISTEN: the server first opens a socket and listens on it; the state is LISTEN. The socket is listening for incoming connections, that is, for connection requests from remote TCP ports.

SYN_SENT: the client application calls connect to perform an active open. The client TCP sends a SYN to request a connection and sets the state to SYN_SENT. The socket is actively attempting to establish a connection: having sent a connection request, it waits for the matching connection request.

SYN_RECV: the server sends an ACK to acknowledge the client's SYN, sends its own SYN to the client, and sets the state to SYN_RECV. A connection request has been received from the network: having received and sent a connection request, the socket waits for the confirmation of that request.

ESTABLISHED: an open connection on which both sides can exchange, or are already exchanging, data. The socket has an established connection, and data can be delivered to the user.

FIN_WAIT1: the application on the active-close side calls close, so its TCP sends a FIN to actively close the connection and enters the FIN_WAIT1 state. The socket is closed, and the connection is shutting down. It waits for a connection termination request from the remote TCP, or for the acknowledgement of the termination request it sent earlier.

CLOSE_WAIT: after the passive-close TCP receives the FIN, it sends an ACK in response (the receipt of the FIN is also passed to the application as an end-of-file) and enters CLOSE_WAIT. The remote end has shut down, and the socket is waiting to be closed, that is, waiting for a connection termination request from the local user.

FIN_WAIT2: after the active-close side receives the ACK, it enters FIN_WAIT2. The connection is closed, and the socket is waiting for a shutdown from the remote end, that is, for a connection termination request from the remote TCP.

LAST_ACK: some time later, the application on the passive-close side that received the end-of-file calls close to close the connection. This causes its TCP to send a FIN as well and wait for the other side's ACK, entering LAST_ACK. The remote end has shut down, and the socket is closed and waiting for acknowledgement of the connection termination request it sent to the remote TCP.

TIME_WAIT: after the active-close side receives the FIN, its TCP sends the ACK and enters the TIME_WAIT state. The socket is waiting after close to handle packets still in the network. It waits long enough to be sure the remote TCP has received the acknowledgement of its connection termination request.

CLOSING: relatively rare. Both sockets are shut down, but not all of our data has been sent yet. The socket waits for the remote TCP to acknowledge the connection termination.

CLOSED: after receiving the ACK, the passive-close side enters the CLOSED state and the connection ends. The socket is not being used; there is no connection state.

The TIME_WAIT state occurs only on the side that actively closes the connection.

After receiving the FIN from the passive-close side, the active-close side sends an ACK to the peer, changes its state from FIN_WAIT2 to TIME_WAIT, and must then wait for twice the MSL (Maximum Segment Lifetime, the time a datagram can exist in the internetwork) before it changes the state to CLOSED and closes the connection. Currently, RHEL keeps a socket in the TIME_WAIT state for 60 seconds.

Linux keepalive parameters

1. tcp_keepalive_time - INTEGER

How often TCP sends out keepalive messages when keepalive is enabled. (Default: 2 hours)

The time, in seconds, that a connection must be idle before TCP starts sending keepalive probe packets.

2. tcp_keepalive_probes - INTEGER

How many keepalive probes TCP sends out, until it decides that the connection is broken. (Default value: 9)

The maximum number of TCP keepalive probe packets to send, 9 by default. If the peer still does not respond after 9 keepalive probe packets have been sent, the connection is closed.

3. tcp_keepalive_intvl - INTEGER

How frequently the probes are sent out. Multiplied by tcp_keepalive_probes, it is the time to kill a non-responding connection after probes have started. Default value: 75 sec, i.e. the connection will be aborted after ~11 minutes of retries.

The interval between two TCP keepalive probe packets is 75 seconds by default.

V. Commonly used netstat commands

1. List all ports

# netstat -a

2. List all tcp ports

# netstat -at

3. List all udp ports

# netstat -au

4. Display only listening ports

# netstat -l

5. List only the listening tcp ports

# netstat -lt

6. List only the listening udp ports

# netstat -lu

7. List only the listening UNIX ports

# netstat -lx

8. Display statistics for all ports

# netstat -s

9. Display statistics for TCP or UDP ports

# netstat -st

# netstat -su

10. Display the PID and process name in the output

# netstat -p

11. Do not display host, port and user names in the netstat output

When you don't want the host, port and user names to be displayed, use netstat -n. Numbers are shown in place of those names.

The output is also produced faster, because no name lookups are needed.

# netstat -an

If you want to suppress only one of the three kinds of name, use one of the following commands:

# netstat -a --numeric-ports

# netstat -a --numeric-hosts

# netstat -a --numeric-users

12. Output netstat information continuously

# netstat -c

13. Find the program running on a given port

# netstat -ap | grep ':80'

14. Find the IP addresses with the most connections to a service port (top 20)

# netstat -nat | grep "10.1.62.23:443" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20

15. List the TCP states

# netstat -nat | awk '{print $6}'

Count the connections in each state:

# netstat -nat | awk '{print $6}' | sort | uniq -c

Sort by count:

# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

The same count done entirely in awk:

# netstat -n | awk '/^tcp/ {++S[$NF]} END {for (a in S) print a, S[a]}'

16. Directly count the number of TCP entries (connections and listeners; the figure also includes netstat's two header lines)

# netstat -ant | wc -l
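
The one-liners in items 14 and 15, and the Recv-Q/Send-Q check from section II, as an added example that is not part of the original article. It goes slightly further than the one-liners: the port is taken as the text after the last colon, so tcp6 lines are not split apart, and only the Local Address column is matched, so outbound connections to a remote port 443 are not counted. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `netstat -nat` format (addresses are made up).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.1.62.23:443          10.1.62.162:49200       ESTABLISHED
tcp        0      0 10.1.62.23:443          10.1.62.162:49201       ESTABLISHED
tcp        0      0 10.1.62.23:443          10.1.62.21:47910        TIME_WAIT
tcp        0    512 10.1.62.23:443          10.1.62.162:47911       ESTABLISHED
tcp        0      0 10.1.62.23:52866        10.1.62.21:443          ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 ::ffff:10.1.62.23:443   ::ffff:10.1.62.162:32841 ESTABLISHED
EOF
}

# Count sockets per TCP state (column 6), most frequent first.
state_counts() {
  awk '/^tcp/ { s[$6]++ } END { for (k in s) print s[k], k }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Top 20 remote IPs connected to local port $1.
# host()/port() split on the LAST colon, so IPv6 addresses stay intact.
top_peers() {
  awk -v want="$1" '
    function host(a) { sub(/:[^:]*$/, "", a); return a }
    function port(a) { sub(/^.*:/, "", a); return a }
    /^tcp/ && $6 != "LISTEN" && port($4) == want { n[host($5)]++ }
    END { for (h in n) print n[h], h }' |
    LC_ALL=C sort -k1,1nr -k2,2 | head -20
}

# Sockets whose Recv-Q or Send-Q is non-zero (data piling up in a queue).
queued() {
  awk '/^tcp/ && ($2 > 0 || $3 > 0) { print $4, $5, "recvq=" $2, "sendq=" $3 }'
}

# Usage on a live host:  netstat -nat | top_peers 443
```

On a live system, pipe the output of netstat -nat into any of the three functions in place of sample_netstat.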
