2025-04-06 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to use the netstat and awk commands to count the number of network connections in each state.
netstat -n | awk '/^tcp/ {++state[$NF]} END {for (key in state) print key, "\t", state[key]}'
You will get results similar to the following, but the specific numbers will be different:
LAST_ACK 1
SYN_RECV 14
ESTABLISHED 79
FIN_WAIT1 28
FIN_WAIT2 3
CLOSING 5
TIME_WAIT 1669
State: description
CLOSED: no connection is active or in progress
LISTEN: the server is waiting for an incoming call
SYN_RECV: a connection request has arrived, waiting for confirmation
SYN_SENT: the application has started to open a connection
ESTABLISHED: the normal data transfer state
FIN_WAIT1: the application has said it is finished
FIN_WAIT2: the other side has agreed to release
TIMED_WAIT: wait for all packets to die off
CLOSING: both sides have tried to close at the same time
TIME_WAIT: the other side has initiated a release
LAST_ACK: wait for all packets to die off
In other words, this command classifies and summarizes the network connection status of the current system.
Let's explain why it is written this way:
A simple pipe character connects the netstat and awk commands.
-
Let's take a look at netstat:
netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 123.123.123.123:80     234.234.234.234:12345  TIME_WAIT
When you actually run this command you may get thousands of similar records, but we will only look at one of them.
-
Let's take a look at awk:
/^tcp/
Selects the records that begin with tcp and excludes udp, socket and other irrelevant records.
state[]
Is equivalent to defining an array called state.
NF
Represents the number of fields in the record. For the record shown above, NF equals 6.
$NF
Represents the value of the last field. In the record shown above, $NF is $6, the value of the sixth field, which is TIME_WAIT.
state[$NF]
Represents the value of an array element; for the record shown above it is state[TIME_WAIT], the number of connections in the TIME_WAIT state.
++state[$NF]
Increments that number by one; for the record shown above, it adds one to the number of connections in state[TIME_WAIT].
END
Marks the commands to be executed in the final stage, after all records have been read.
for (key in state)
Iterates over the array.
print key, "\t", state[key]
Prints the keys and values of the array, separated by a tab (\t) to tidy up the output.
If it is found that there are a large number of connections in TIME_WAIT state in the system, it can be solved by adjusting kernel parameters.
vim /etc/sysctl.conf
Edit the file and add the following:
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_fin_timeout = 30
Then execute /sbin/sysctl -p to make the parameters take effect.
net.ipv4.tcp_syncookies = 1 means that SYN cookies are enabled. When the SYN wait queue overflows, cookies are used to handle it, which protects against a small number of SYN attacks. The default is 0, which means it is turned off.
net.ipv4.tcp_tw_reuse = 1 means reuse is turned on, allowing TIME-WAIT sockets to be reused for new TCP connections. The default is 0, which means off.
net.ipv4.tcp_tw_recycle = 1 means fast recycling of TIME-WAIT sockets in TCP connections is enabled. The default is 0, which means disabled. This parameter was removed in Linux 4.12, and on older kernels it is known to drop connections from clients behind NAT, so check the running kernel before adding it.
net.ipv4.tcp_fin_timeout changes the system's default timeout.
The meaning of the TIME_WAIT status is attached below:
After the client establishes a TCP/IP connection with the server and the socket is closed, the server-side port of the connection is in the TIME_WAIT state.
Will every socket that performs an active close enter the TIME_WAIT state?
Is there any situation in which an actively closed socket enters the CLOSED state directly?
After sending the last ack, the party that closes actively will enter the TIME_WAIT state and stay there for 2MSL (max segment lifetime).
This is indispensable to TCP/IP, that is, it cannot be "solved".
That is how the TCP/IP designers designed it.
There are two main reasons.
1. To prevent packets from the previous connection from reappearing after going astray and affecting a new connection (after 2MSL, all duplicate packets from the previous connection will have disappeared).
2. To close the TCP connection reliably. The last ack (fin) sent by the active closer may be lost, and the passive party will then resend its fin. If the active party is in the CLOSED state at that point, it will respond with rst instead of ack. So the active party should be in the TIME_WAIT state, not CLOSED.
TIME_WAIT does not take up a lot of resources unless it is attacked.
Also, if one party times out with send or recv, it will directly enter the CLOSED state.
-
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
netstat -tna | cut -b 49- | grep TIME_WAIT | sort
The second command lists the remote IPs of all connections currently in TIME_WAIT (sorted).
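The per-source SYN count above splits the foreign address on ":" and keeps the first piece, so every IPv6 peer collapses to its first group (for example "2001"). The following is an added example, not part of the original article, that uses the same awk array counting but strips only the trailing port, so IPv4, IPv6 and IPv4-mapped peers are counted correctly. The function names, the threshold argument and the sample input are assumptions made for illustration.

```shell
# Added example: per-source count of half-open (SYN_RECV) connections.
# Reads `netstat -n` style output on stdin and prints "<count> <ip>",
# highest count first.
syn_recv_by_ip() {
  awk '
    /^tcp/ && $NF == "SYN_RECV" {
      addr = $5                    # Foreign Address column
      sub(/:[0-9]+$/, "", addr)    # drop only the trailing :port
      sub(/^::ffff:/, "", addr)    # fold IPv4-mapped IPv6 into plain IPv4
      ++count[addr]                # same counting idiom as ++state[$NF]
    }
    END { for (ip in count) print count[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# Print only the sources with at least $1 half-open connections.
# The threshold is a hypothetical tuning value, not taken from the article.
syn_recv_suspects() {
  syn_recv_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample input (documentation address ranges only).
sample_netstat() {
  cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address           State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51000         ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:51001         SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40100      SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:40101      SYN_RECV
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:198.51.100.7:40004 SYN_RECV
udp        0      0 192.0.2.10:53           0.0.0.0:*
EOF
}

# Demo run on the constructed sample; on a live host use: netstat -n | syn_recv_by_ip
sample_netstat | syn_recv_by_ip
```

A source that holds many SYN_RECV entries while the ESTABLISHED count stays flat is the pattern to look at when deciding whether the SYN queue settings below need attention.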
net.ipv4.tcp_fin_timeout = 30 means that if the socket is closed at the request of the local end, this parameter determines how long it remains in the FIN-WAIT-2 state.
net.ipv4.tcp_keepalive_time = 1200 indicates how often TCP sends keepalive messages when keepalive is enabled. The default is 2 hours; this changes it to 20 minutes.
net.ipv4.ip_local_port_range = 1024 65000 indicates the range of ports used for outbound connections. The default range is small, 32768 to 61000; this changes it to 1024 to 65000.
net.ipv4.tcp_max_syn_backlog = 8192 indicates the length of the SYN queue. The default is 1024; increasing the queue length to 8192 lets it hold more connections that are waiting to be established.
net.ipv4.tcp_max_tw_buckets = 5000 indicates the maximum number of TIME_WAIT sockets the system keeps at the same time. If this number is exceeded, TIME_WAIT sockets are cleared immediately and a warning message is printed. The default is 180000; this changes it to 5000. For servers such as Apache and Nginx, the parameters in the preceding lines reduce the number of TIME_WAIT sockets well, but they have little effect on Squid. This parameter caps the number of TIME_WAIT sockets to prevent a Squid server from being brought down by a large number of them.