
Analysis of the use of netstat commands in Linux

2025-01-17 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31

This article introduces the use of the netstat command in Linux through practical cases. Many people run into these situations in real-world work, so the sections below walk through how to handle them.

Brief introduction

The netstat command is used to display a variety of network-related information, such as network connections, routing tables, interface status (interface statistics), masquerade connections, multicast members (multicast memberships), and so on.

Meaning of output information

After executing netstat, the output is:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 210.34.6.89:telnet      210.34.6.96:2873        ESTABLISHED
tcp      296      0 210.34.6.89:1165        210.34.6.84:netbios-ssn ESTABLISHED
tcp        0      0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp        0      0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp        0     80 210.34.6.89:1161        210.34.6.10:netbios-ssn CLOSE
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     16178  @000000dd
unix  1      [ ]         STREAM     CONNECTED     16176  @000000dc
unix  9      [ ]         DGRAM                    5292   /dev/log
unix  1      [ ]         STREAM     CONNECTED     16182  @000000df

Overall, the output of netstat can be divided into two parts:

The first is "Active Internet connections", the active TCP connections, where "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers should generally be 0. If they are not, packets are piling up in the queue. This is seen only in very rare cases.

The second is "Active UNIX domain sockets" (like network sockets, but used only for communication on the local machine, and performance can be doubled).

Proto shows the protocol used for the connection, RefCnt is the reference count (the number of processes attached to this socket), Type shows the type of socket, State shows the current state of the socket, and Path is the path name used by other processes connected to the socket.

Common parameters

-a (all) shows all sockets; listening sockets are not shown by default

-t (tcp) shows only TCP sockets

-u (udp) shows only UDP sockets

-n does not resolve names; everything that can be shown as a number is shown as a number

-l lists only sockets in the LISTEN state

-p shows the PID and name of the program that owns each socket

-r shows routing information (the routing table)

-e shows extended information, such as the uid

-s shows statistics for each protocol

-c runs netstat repeatedly at a fixed interval

Tip: sockets in the LISTEN and LISTENING states are shown only with -a or -l

Practical command example

1. List all ports (both listening and non-listening)

List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6135   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140   /var/run/acpid.socket

List all TCP ports: netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all UDP ports: netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

2. List all sockets that are in the listening state

Show only listening ports: netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
udp        0      0 *:49119                 *:*

List only listening TCP ports: netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List only listening UDP ports: netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

List only listening UNIX sockets: netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6294   private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     6203   public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     6302   private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     6306   private/bsmtp
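A check a defender often wants from the listening-socket listings above: which listeners are bound to every interface rather than to loopback or a single address. This is an added example, not part of the original article; the function names and the sample netstat -lntup output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntup` output (not from the article).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1044/master
tcp        0      0 192.168.1.15:22         0.0.0.0:*               LISTEN      990/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      812/cupsd
tcp6       0      0 :::8080                 :::*                    LISTEN      2210/java
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           701/avahi-daemon: r
EOF
}

# exposed_listeners: read `netstat -lntup` output on stdin and print
# "proto port pid/program" for sockets bound to all interfaces.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)   # keep the address, drop the trailing :port
            sub(/^.*:/, "", port)      # keep only the port
            # Wildcard binds: 0.0.0.0 (IPv4), :: (IPv6), * (non-numeric output)
            if (addr != "0.0.0.0" && addr != "::" && addr != "*") next
            # UDP rows have an empty State column, so the program is field 6.
            prog = ($1 ~ /^tcp/) ? $7 : $6
            print $1, port, prog
        }
    ' | sort -k2,2n
}

# On a live host (root is needed to see every PID): netstat -lntup | exposed_listeners
sample_listeners | exposed_listeners
```

Listeners bound to 127.0.0.1, ::1 or one specific address are skipped, so what remains is the set reachable on every interface of the host.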

3. Display statistics for each protocol

Show statistics for all protocols: netstat -s

# netstat -s

Ip:

Total packets received

With invalid addresses

Forwarded

Incoming packets discarded

Incoming packets delivered

Requests sent out

Icmp:

Icmp messages received

Input icmp message failed.

Tcp:

Active connections openings

Failed connection attempts

Connection resets received

Udp:

Packets received

Packets to unknown port received.

.

Show statistics for TCP or UDP only: netstat -st or netstat -su

# netstat -st
# netstat -su

4. Display the PID and process name in netstat output: netstat -p

netstat -p can be combined with other switches to add a "PID/Program name" column to the netstat output, which makes it easy to find the program running on a specific port when debugging.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www      CLOSE_WAIT  2109/firefox
tcp        0      0 ramesh-laptop.loc:52750 lax:www                 ESTABLISHED 2109/firefox

5. Do not resolve host, port, and user names in the netstat output

When you don't want host, port and user names to be displayed, use netstat -n. Numbers are shown instead of those names.

This also speeds up the output, because no name lookups are needed.

# netstat -an

If you want to suppress only one of the three kinds of names, use one of the following commands:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Continuously output netstat information

netstat -c prints the network information every second.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 ramesh-laptop.loc:36130 101101-181181225.ama:www  ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www        CLOSING
tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www   ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www        CLOSING
^C

7. Display address families that are not supported by the system

# netstat --verbose

At the end of the output, there will be information like the following:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Display kernel routing information: netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
link-local      *               255.255.0.0     U         0 0          0 eth2
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: use netstat -rn to display addresses numerically without looking up host names.

9. Find out the port on which a program runs

Not every process can be found: processes you do not have permission to inspect are not displayed. Use root privileges to see all the information.

# netstat -ap | grep ssh
tcp        1      0 dev-db:ssh              101.174.100.22:39213    CLOSE_WAIT  -
tcp        1      0 dev-db:ssh              101.174.100.22:57643    CLOSE_WAIT  -

Find out which process is running on a specified port (-p adds the PID/Program name column):

# netstat -anp | grep ':80'

10. Display a list of network interfaces

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0       0      0      0      0       0      0      0      0 BMU
eth2   1500   0   26196      0      0      0   26883      6      0      0 BMRU
lo    16436   0       4      0      0      0       4      0      0      0 LRU

Display detailed information, like ifconfig, using netstat -ie:

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000

11. IP and TCP analysis

View the IP addresses with the most connections to a service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20
221.136.168.36
154.74.45.242
78.173.31.236
62.183.207.98
192.168.1.14
182.48.111.215
124.193.219.34
119.145.41.2
114.255.41.30
75.102.11.99

List of TCP connection states

wss8848@ubuntu:~$ netstat -nat | awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT

Extract all the states first, then count them with uniq -c, and finally sort them.

wss8848@ubuntu:~$ netstat -nat | awk '{print $6}' | sort | uniq -c
ESTABLISHED
FIN_WAIT1
Foreign
LAST_ACK
LISTEN
SYN_SENT
TIME_WAIT
established)

The final command is as follows:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

Analyze access.log to get the top 10 IP addresses by number of requests

awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -10
