Use the netstat command to view network information in the Linux environment


Foreword

I had always assumed that the name of the netstat command was short for "net status". Today I looked for an official statement and did not find one. I then consulted the man page and found that the name looks more like an abbreviation of "net statistics". The command displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The man page describes it as follows:

netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

This command is very powerful, but the options I use most often are very simple. I usually use it to find out what is occupying a port, with netstat -anp | grep xxxPORT. When I test my project, there are always some processes trying to occupy the port I use, such as the TIM client, which I have killed n times. With netstat it is easy to find which process is occupying your port.

Although I use this command often, the meanings of its options were not very clear to me, so here I summarize them together with other common usages, for later reference.

Parameter options

  • -a : display all sockets, including those in the LISTEN state
  • -l : show only sockets in the LISTEN state
  • -t : show only TCP sockets
  • -u : show only UDP sockets
  • -n : do not resolve names; show hosts, ports and users as numbers
  • -o : include network timer information in the output
  • -e : display extended information, such as the uid
  • -p : display the PID and name of the program that owns each socket
  • -r : display the routing table
  • -s : display statistics for each protocol
  • -c : repeat the output continuously, once every second

Execute without parameters

When the command is executed without options, less data is displayed, which makes the result easier to read. The output looks like this:

[root@node1 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.201:ssh       178.129.126.124.b:19450 ESTABLISHED
tcp        0     52 192.168.0.201:ssh       178.129.126.124.b:17626 ESTABLISHED
tcp        0      0 192.168.0.201:57784     101.200.35.175:https    TIME_WAIT
tcp        0      0 192.168.0.201:42298     100.125.2.72:https      ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    11550    /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    13355412 /var/run/chrony/chronyd.sock
unix  3      [ ]         DGRAM                    1228     /run/systemd/notify
unix  2      [ ]         DGRAM                    1230     /run/systemd/cgroups-agent
unix  5      [ ]         DGRAM                    1241     /run/systemd/journal/socket
unix  16     [ ]         DGRAM                    1243     /dev/log
unix  3      [ ]         STREAM     CONNECTED     15663
unix  3      [ ]         STREAM     CONNECTED     15662
...

The output is divided into two parts: Active Internet connections and Active UNIX domain sockets.

Active Internet connections lists the active network connections; 6 columns are displayed by default:

  • Proto: protocol name, including tcp, udp, udpl, raw, etc.
  • Recv-Q: the receive queue: data that has been received and buffered locally but not yet read by the application
  • Send-Q: the send queue: data buffered locally that the other party has not yet received or has not acknowledged (no ACK)
  • Local Address: local IP address and port
  • Foreign Address: remote IP address and port
  • State: connection state, including ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT, CLOSE, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING, UNKNOWN, etc.

Active UNIX domain sockets lists local sockets. Sockets can also be used for inter-process communication (IPC) on the same host, and UNIX domain sockets are more efficient for this: there is no need to go through the network protocol stack, to pack and unpack packets, to calculate checksums, or to maintain sequence numbers and acknowledgements; application-layer data is simply copied from one process to another. They are also full-duplex and the API has rich semantics, which gives them clear advantages over other inter-process communication mechanisms.

Common Command Combinations

Query port occupancy

[root@node1 /]# netstat -anp | grep 8889
tcp        0      0 0.0.0.0:8889            0.0.0.0:*               LISTEN      27584/tinyproxy

This is the command I currently use most often. On Windows the equivalent is netstat -ano | findstr 8889

Show TCP connections

[root@node1 /]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ddi-tcp-2       0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0     52 192.168.0.201:ssh       178.129.126.124.b:19450 ESTABLISHED
tcp        0      0 192.168.0.201:ssh       178.129.126.124.b:17626 ESTABLISHED
tcp        0      0 192.168.0.201:42298     100.125.2.72:https      ESTABLISHED
tcp6       0      0 [::]:squid              [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN

Show ports in LISTEN state

[root@node1 /]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ddi-tcp-2       0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp6       0      0 [::]:squid              [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
udp        0      0 0.0.0.0:ntp             0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 0.0.0.0:56034           0.0.0.0:*
udp6       0      0 [::]:42035              [::]:*
udp6       0      0 localhost:323           [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     11533    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     6848304  /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     11584    /run/lvm/lvmetad.socket
...

Categorized statistics for each protocol

[root@node1 /]# netstat -s
Ip:
    7902622 total packets received
    60675 forwarded
    127 with unknown protocol
    0 incoming packets discarded
    7841813 incoming packets delivered
    7270606 requests sent out
    8 dropped because of missing route
Icmp:
    928210 ICMP messages received
    25426 input ICMP message failed.
    InCsumErrors: 8
    ICMP input histogram:
        destination unreachable: 71154
        timeout in transit: 484
        echo requests: 856165
        echo replies: 337
        timestamp request: 54
    896502 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 40039
        echo request: 244
        echo replies: 856165
        timestamp replies: 54
Tcp:
    274517 active connections openings
    66347 passive connection openings
    187800 failed connection attempts
    90950 connection resets received
    3 connections established
    6359177 segments received
    5808198 segments send out
    494062 segments retransmited
    4 bad segments received.
    452720 resets sent
Udp:
    539313 packets received
    14902 packets to unknown port received.
...

Display information every second

[root@node1 /]# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     52 192.168.0.201:ssh       178.129.126.124.b:19450 ESTABLISHED
tcp        0      0 192.168.0.201:ssh       178.129.126.124.b:17626 ESTABLISHED
tcp        0      0 192.168.0.201:42298     100.125.2.72:https      ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    11550    /run/systemd/shutdownd
...

Display kernel routing information

[root@node1 /]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
169.254.169.254 192.168.0.254   255.255.255.255 UGH       0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Display a list of network interfaces

[root@node1 /]# netstat -i
Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0          1500    36248      0      0 0         33647      0      0      0 BMU
eth0             1500  9119246      0      0 0       8277212      0      0      0 BMRU
lo              65536    27700      0      0 0         27700      0      0      0 LRU

Summary

  • The command netstat -anp | grep 8889 can be used to find which process is occupying port 8889; on Windows the equivalent is netstat -ano | findstr 8889
  • In the connection information reported by netstat, Recv-Q and Send-Q should usually be 0. If either stays non-zero for a long time, there may be a problem, and it should be checked as soon as possible.
  • If Recv-Q stays non-zero, the host may be under a denial-of-service (DoS) attack, resulting in slow local message processing
  • If Send-Q stays non-zero, an application may be sending data packets too fast, or the other party may not be receiving and processing them fast enough.
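
A single netstat snapshot cannot show whether a queue stays non-zero "for a long time", so the check described above needs several samples. The following is an added example, not code from the original article: it reads the repeated output of netstat -c and reports only the sockets whose Recv-Q or Send-Q was non-zero in every snapshot. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Reads concatenated netstat snapshots on stdin, for example from
#   timeout 10 netstat -antc | persistent_queues
# and prints sockets whose Recv-Q or Send-Q was non-zero in EVERY snapshot.
persistent_queues() {
    awk '
    /^Active Internet connections/ { snaps++; next }  # one header per snapshot
    $1 ~ /^(tcp|udp)/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
        # For LISTEN sockets these columns describe the backlog, so skip them.
        if ($6 == "LISTEN") next
        key = $1 " " $4 " " $5                         # proto local foreign
        if ($2 + 0 > 0) { r[key]++; if ($2 + 0 > rmax[key]) rmax[key] = $2 + 0 }
        if ($3 + 0 > 0) { s[key]++; if ($3 + 0 > smax[key]) smax[key] = $3 + 0 }
    }
    END {
        if (snaps == 0) snaps = 1                      # one headerless snapshot
        for (k in r) if (r[k] == snaps) printf "Recv-Q %s max=%d\n", k, rmax[k]
        for (k in s) if (s[k] == snaps) printf "Send-Q %s max=%d\n", k, smax[k]
    }' | sort
}

# Constructed sample: three snapshots, documentation address ranges only.
sample_snapshots() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp      129      0 0.0.0.0:8889            0.0.0.0:*               LISTEN
tcp        0     52 192.0.2.10:22           198.51.100.7:19450      ESTABLISHED
tcp     4096      0 192.0.2.10:8889         198.51.100.9:40112      ESTABLISHED
tcp        0   1448 192.0.2.10:8889         198.51.100.20:51000     ESTABLISHED
Active Internet connections (servers and established)
tcp      129      0 0.0.0.0:8889            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:19450      ESTABLISHED
tcp     8192      0 192.0.2.10:8889         198.51.100.9:40112      ESTABLISHED
tcp        0   2896 192.0.2.10:8889         198.51.100.20:51000     ESTABLISHED
Active Internet connections (servers and established)
tcp      129      0 0.0.0.0:8889            0.0.0.0:*               LISTEN
tcp        0     52 192.0.2.10:22           198.51.100.7:19450      ESTABLISHED
tcp     8192      0 192.0.2.10:8889         198.51.100.9:40112      ESTABLISHED
tcp        0   2896 192.0.2.10:8889         198.51.100.20:51000     ESTABLISHED
EOF
}

sample_snapshots | persistent_queues
```

In the sample, the ssh connection is not reported because its Send-Q dropped to 0 in the second snapshot, while the two connections on port 8889 are reported because their queues never drained.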


By taking history as a mirror, we can know the rise and fall; by taking copper as a mirror, we can correct our clothes; by taking people as a mirror, we can know the pros and cons. Human growth requires comparison, there is always someone better than you~
