Use the netstat command to view network information in the Linux environment
- parameter options
- Execute without parameters
- Common Command Combinations
I had always thought the `netstat` command was short for "net status". Today I looked for an official statement and did not find one. Then I referred to the man page and found that the name looks more like an abbreviation of "net statistics". The command displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships; the man page describes it as follows:
netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
This command is very powerful, but the parameters I use most are very simple. I usually use it to find out what is occupying a port. The command is `netstat -anp | grep xxxPORT`, because when I test my project there are always some processes that try to occupy the port I use, such as the TIM client, which I have killed n times. With netstat it is easy to find which process occupies your port.
Although I use this command often, the meanings of these parameters were not very clear to me, so I will summarize them along with other common usages and record them for later reference.
- -a : Display all connections, including those in LISTEN state
- -l : Show only connections in LISTEN state
- -t : Show only TCP connections
- -u : Show only UDP connections
- -n : Do not resolve names; show addresses, ports and users as numbers
- -o : Include network timer information in the output
- -e : Display extended information, such as the UID
- -p : Display the PID and name of the program that owns each connection
- -r : Display the routing table
- -s : Display statistics for each protocol
- -c : Repeat the netstat output at a fixed interval
Execute without parameters
When the command is run without parameters, less data is displayed, which makes the result easier to read. The output looks like this:
```
[root@node1 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.201:ssh       184.108.40.206.b:19450  ESTABLISHED
tcp        0     52 192.168.0.201:ssh       220.127.116.11.b:17626  ESTABLISHED
tcp        0      0 192.168.0.201:57784     18.104.22.168:https     TIME_WAIT
tcp        0      0 192.168.0.201:42298     100.125.2.72:https      ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    11550    /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    13355412 /var/run/chrony/chronyd.sock
unix  3      [ ]         DGRAM                    1228     /run/systemd/notify
unix  2      [ ]         DGRAM                    1230     /run/systemd/cgroups-agent
unix  5      [ ]         DGRAM                    1241     /run/systemd/journal/socket
unix  16     [ ]         DGRAM                    1243     /dev/log
unix  3      [ ]         STREAM     CONNECTED     15663
unix  3      [ ]         STREAM     CONNECTED     15662
...
```
The output can be divided into two parts: Active Internet connections and Active UNIX domain sockets.
Active Internet connections are the active network connections; 6 columns are displayed by default:
- Proto: protocol name, including tcp, udp, udpl, raw, etc.
- Recv-Q: The network receive queue: data that has been received and buffered locally but has not yet been read by the application
- Send-Q: The network send queue: data in the local send buffer that the other side has not yet received or has not acknowledged (no ACK)
- Local Address: Local IP address and port
- Foreign Address: External IP address and port
- State: Network connection status, including ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT, CLOSE, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING, UNKNOWN, etc.
Active UNIX domain sockets are local sockets. Network sockets can also be used for inter-process communication (IPC) on the same host, but UNIX domain sockets are more efficient for IPC: there is no need to go through the network protocol stack, to pack and unpack, to calculate checksums, or to maintain sequence numbers and acknowledgements. Application-layer data is simply copied from one process to another. They are also full-duplex and offer an API with rich semantics, which gives them obvious advantages over other inter-process communication mechanisms.
Common Command Combinations
Query port occupancy
```
[root@node1 /]# netstat -anp | grep 8889
tcp        0      0 0.0.0.0:8889            0.0.0.0:*               LISTEN      27584/tinyproxy
```
This is currently the command I use most. On Windows it can be changed to `netstat -ano | findstr 8889`.
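`grep 8889` matches those digits anywhere in a row, so it also returns port 18889, a remote port 8889, or a PID of 8889. The added example below (not from the original post) matches the local port exactly on `netstat -antp` output; the sample rows and the function name `port_listeners` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -antp` output (addresses, PIDs and names are made up).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8889            0.0.0.0:*               LISTEN      27584/tinyproxy
tcp        0      0 0.0.0.0:18889           0.0.0.0:*               LISTEN      3110/python3
tcp        0      0 192.168.0.201:22        198.51.100.7:8889       ESTABLISHED 1201/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      8889/master
tcp6       0      0 :::8889                 :::*                    LISTEN      27584/tinyproxy
EOF
}

# port_listeners PORT: read `netstat -antp` output (without -e) on stdin and
# print "proto local-address pid/program" for TCP sockets listening on exactly PORT.
port_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, part, ":")     # the port is the text after the last ":"
            if (part[n] == port) print $1, $4, $7
        }'
}

sample_netstat | grep -c 8889          # 5: the substring matches every sample row
sample_netstat | port_listeners 8889   # only the two tinyproxy listeners
```

On a live host the same function is fed with `netstat -antp | port_listeners 8889`; run it as root so the PID/Program column is filled in for sockets owned by other users.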
Show TCP connections
```
[root@node1 /]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ddi-tcp-2       0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0     52 192.168.0.201:ssh       22.214.171.124.b:19450  ESTABLISHED
tcp        0      0 192.168.0.201:ssh       126.96.36.199.b:17626   ESTABLISHED
tcp        0      0 192.168.0.201:42298     100.125.2.72:https      ESTABLISHED
tcp6       0      0 [::]:squid              [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
```
Show ports in LISTEN state
```
[root@node1 /]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:ddi-tcp-2       0.0.0.0:*               LISTEN
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp6       0      0 [::]:squid              [::]:*                  LISTEN
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
udp        0      0 0.0.0.0:ntp             0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 0.0.0.0:56034           0.0.0.0:*
udp6       0      0 [::]:42035              [::]:*
udp6       0      0 localhost:323           [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     11533    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     6848304  /var/run/rpcbind.sock
unix  2      [ ACC ]     STREAM     LISTENING     11584    /run/lvm/lvmetad.socket
...
```
Categorized statistics for each protocol
```
[root@node1 /]# netstat -s
Ip:
    7902622 total packets received
    60675 forwarded
    127 with unknown protocol
    0 incoming packets discarded
    7841813 incoming packets delivered
    7270606 requests sent out
    8 dropped because of missing route
Icmp:
    928210 ICMP messages received
    25426 input ICMP message failed.
    InCsumErrors: 8
    ICMP input histogram:
        destination unreachable: 71154
        timeout in transit: 484
        echo requests: 856165
        echo replies: 337
        timestamp request: 54
    896502 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 40039
        echo request: 244
        echo replies: 856165
        timestamp replies: 54
Tcp:
    274517 active connections openings
    66347 passive connection openings
    187800 failed connection attempts
    90950 connection resets received
    3 connections established
    6359177 segments received
    5808198 segments send out
    494062 segments retransmited
    4 bad segments received.
    452720 resets sent
Udp:
    539313 packets received
    14902 packets to unknown port received.
    ...
```
Display information every second
```
[root@node1 /]# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0     52 192.168.0.201:ssh       188.8.131.52.b:19450    ESTABLISHED
tcp        0      0 192.168.0.201:ssh       184.108.40.206.b:17626  ESTABLISHED
tcp        0      0 192.168.0.201:42298     100.125.2.72:https      ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    11550    /run/systemd/shutdownd
...
```
Display kernel routing information
```
[root@node1 /]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
169.254.169.254 192.168.0.254   255.255.255.255 UGH       0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
```
Display a list of network interfaces
```
[root@node1 /]# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0   1500    36248      0      0      0    33647      0      0      0 BMU
eth0      1500  9119246      0      0      0  8277212      0      0      0 BMRU
lo       65536    27700      0      0      0    27700      0      0      0 LRU
```
- The command `netstat -anp | grep 8889` can be used to find which process occupies port 8889; on Windows this translates to `netstat -ano | findstr 8889`.
- In the network connection information reported by netstat, `Send-Q` should usually be 0. If it stays non-zero for a long time, there may be a problem, and it should be checked as soon as possible.
- If the `Recv-Q` value stays non-zero, the host may be under a denial-of-service (DoS) attack, resulting in slow local message processing.
- If the `Send-Q` value stays non-zero, an application may be sending data packets too fast, or the other side may not be receiving and processing them fast enough.
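A single snapshot cannot distinguish a momentary queue from one that stays non-zero. The following added example (not part of the original post) compares two `netstat -antp` snapshots and reports only connections whose Recv-Q or Send-Q is non-zero in both; the snapshot contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# Two constructed `netstat -antp` snapshots of the same host, taken some time
# apart (addresses, PIDs and program names are made up).
snapshot_t0() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8889            0.0.0.0:*               LISTEN      27584/tinyproxy
tcp        0     52 192.168.0.201:22        198.51.100.7:19450      ESTABLISHED 1201/sshd
tcp    40960      0 192.168.0.201:8889      203.0.113.9:51234       ESTABLISHED 27584/tinyproxy
tcp        0  87380 192.168.0.201:8889      203.0.113.10:40022      ESTABLISHED 27584/tinyproxy
EOF
}
snapshot_t1() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8889            0.0.0.0:*               LISTEN      27584/tinyproxy
tcp        0      0 192.168.0.201:22        198.51.100.7:19450      ESTABLISHED 1201/sshd
tcp    65536      0 192.168.0.201:8889      203.0.113.9:51234       ESTABLISHED 27584/tinyproxy
tcp        0  87380 192.168.0.201:8889      203.0.113.10:40022      ESTABLISHED 27584/tinyproxy
tcp        0     36 192.168.0.201:22        198.51.100.8:50000      ESTABLISHED 1302/sshd
EOF
}

# persistent_queues OLD NEW: print connections whose Recv-Q (or Send-Q) is
# non-zero in BOTH snapshot files. LISTEN rows are skipped: for listening
# sockets these two columns report backlog figures, not queued bytes.
persistent_queues() {
    awk '
        $1 !~ /^tcp/ || $6 == "LISTEN" { next }
        { key = $4 " " $5 }                       # local + foreign address
        FNR == NR { if ($2 + 0 > 0) r[key] = 1    # first file: remember which
                    if ($3 + 0 > 0) s[key] = 1    # queues were already busy
                    next }
        (key in r) && $2 + 0 > 0 { print "Recv-Q", $2, key, $7 }
        (key in s) && $3 + 0 > 0 { print "Send-Q", $3, key, $7 }
    ' "$1" "$2"
}

# Write both snapshots to temporary files and compare them.
demo() {
    dir=$(mktemp -d) || return 1
    snapshot_t0 > "$dir/t0"; snapshot_t1 > "$dir/t1"
    persistent_queues "$dir/t0" "$dir/t1"
    rm -rf "$dir"
}
demo
```

On a live host, save `netstat -antp` to a file twice with a pause in between and pass the two files to `persistent_queues`; keep `-n` so both snapshots key on the same numeric addresses.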
By taking history as a mirror, we can know the rise and fall; by taking copper as a mirror, we can correct our clothes; by taking people as a mirror, we can know the pros and cons. Human growth requires comparison, there is always someone better than you~