Linux Commands - netstat

The netstat command displays statistics for the IP, TCP, UDP and ICMP protocols, and is generally used to check the network connection status of each port on the local host. netstat reads network and related information from the kernel and reports on TCP connections, TCP and UDP listeners, and process memory management.

Options

-a,--all Show all sockets, including those in connections.
-A<family> or --<family> List the addresses for connections of the given address family.
-c,--continuous List network status continuously.
-C,--cache Show the routing cache information.
-e,--extend Show additional network information.
-F,--fib Show the FIB (forwarding information base).
-g,--groups Show multicast group membership.
-h,--help Online help.
-i,--interfaces Show the network interface table.
-l,--listening Show listening (server) sockets.
-M,--masquerade Show masqueraded connections.
-n,--numeric Show numeric IP addresses instead of resolving them through DNS.
-N,--netlink or --symbolic Show symbolic link names of network hardware devices.
-o,--timers Show timers.
-p,--programs Show the PID and name of the program using each socket.
-r,--route Show the routing table.
-s,--statistics Show network statistics.
-t,--tcp Show TCP connections.
-u,--udp Show UDP connections.
-v,--verbose Show the command's execution progress verbosely.
-V,--version Show version information.
-w,--raw Show RAW connections.
-x,--unix Same effect as specifying "-A unix".
--ip,--inet Same effect as specifying "-A inet".

Examples

  1. List all ports

    [root@VM_106_118_centos ~]# netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 10.141.106.118:35672 10.53.192.14:nsesrvr ESTABLISHED
    tcp 0 36 10.141.106.118:ssh 43.246.231.98:4236 ESTABLISHED
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ ] DGRAM 9480 /run/systemd/shutdownd
    unix 2 [ ] DGRAM 6637 /run/systemd/notify
    unix 5 [ ] DGRAM 6648 /run/systemd/journal/socket
    unix 7 [ ] DGRAM 6650 /dev/log
    unix 3 [ ] STREAM CONNECTED 11556 /run/systemd/journal/stdout
    unix 3 [ ] STREAM CONNECTED 11433
    unix 3 [ ] STREAM CONNECTED 14970
    unix 3 [ ] STREAM CONNECTED 11434 /var/run/dbus/system_bus_socket
    unix 3 [ ] STREAM CONNECTED 11601
    unix 3 [ ] STREAM CONNECTED 12738
    unix 3 [ ] STREAM CONNECTED 30650062 /usr/local/sa/agent/secubase/secu-tcs-agent.unix
    unix 3 [ ] STREAM CONNECTED 30650049
    unix 3 [ ] STREAM CONNECTED 10414
    unix 3 [ ] STREAM CONNECTED 11599
    unix 2 [ ] DGRAM 46950561

    Notes:

    Overall, netstat's output falls into two parts:

    The first is Active Internet connections, the active TCP connections, where "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers should normally be 0; if they are not, packets are piling up in the queue, which is rarely seen.

    The second is Active UNIX domain sockets, the active Unix domain sockets (like network sockets, but usable only for communication within the host, which can double performance).

    Proto shows the protocol the connection uses, RefCnt is the number of processes attached to this socket, Type shows the socket type, State shows the socket's current state, and Path is the path name other processes use to connect to the socket.

    Socket types:

    -t: TCP

    -u: UDP

    --raw: RAW type

    --unix: UNIX domain type

    --ax25: AX25 type

    --ipx: IPX type

    --netrom: netrom type

    State descriptions:

    LISTEN: listening for connection requests from a remote TCP port

    SYN-SENT: waiting for a matching connection request after having sent one (a large number of sockets in this state warrants checking whether the host has been compromised)

    SYN-RECEIVED: waiting for the peer's acknowledgement of the connection request after having both received and sent one (a large number in this state suggests a flood attack)

    ESTABLISHED: an open connection

    FIN-WAIT-1: waiting for a connection termination request from the remote TCP, or for the acknowledgement of the termination request sent earlier

    FIN-WAIT-2: waiting for a connection termination request from the remote TCP

    CLOSE-WAIT: waiting for a connection termination request from the local user

    CLOSING: waiting for the remote TCP's acknowledgement of connection termination

    LAST-ACK: waiting for the acknowledgement of the termination request sent earlier to the remote TCP (not a good sign; if it shows up, check whether the host is under attack)

    TIME-WAIT: waiting long enough to be sure the remote TCP received the acknowledgement of its termination request

    CLOSED: no connection state at all

  2. List all ports

    Shows a list of all active connections, including established connections (ESTABLISHED) as well as those listening for connection requests (LISTENING).

    netstat -a
  3. Show current UDP connections

    netstat -nu
  4. Show UDP port usage

    netstat -apu
  5. Show the network interface list

    [root@VM_106_118_centos ~]# netstat -i
    Kernel Interface table
    Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0 1500 14278730 0 0 0 15305264 0 0 0 BMRU
    lo 65536 3970328 0 0 0 3970328 0 0 0 LRU
  6. Show multicast group memberships

    [root@VM_106_118_centos ~]# netstat -g
    IPv6/IPv4 Group Memberships
    Interface RefCnt Group
    --------------- ------ ---------------------
    lo 1 all-systems.mcast.net
    eth0 1 all-systems.mcast.net
    lo 1 ff02::1
    lo 1 ff01::1
    eth0 1 ff02::1
    eth0 1 ff01::1
  7. Show network statistics

    [root@VM_106_118_centos ~]# netstat -s
    Ip:
    18230955 total packets received
    0 forwarded
    0 incoming packets discarded
    18230921 incoming packets delivered
    19257576 requests sent out
    32 dropped because of missing route
    Icmp:
    3939074 ICMP messages received
    725 input ICMP message failed.
    ICMP input histogram:
    destination unreachable: 1873
    timeout in transit: 128
    source quenches: 1
    redirects: 7
    echo requests: 3937037
    echo replies: 21
    timestamp request: 7
    3937047 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
    destination unreachable: 3
    echo replies: 3937037
    timestamp replies: 7
    IcmpMsg:
    InType0: 21
    InType3: 1873
    InType4: 1
    InType5: 7
    InType8: 3937037
    InType11: 128
    InType13: 7
    OutType0: 3937037
    OutType3: 3
    OutType14: 7
    Tcp:
    491022 active connections openings
    280992 passive connection openings
    15791 failed connection attempts
    9298 connection resets received
    2 connections established
    14196585 segments received
    14955509 segments send out
    978282 segments retransmited
    8 bad segments received.
    334348 resets sent
    InCsumErrors: 5
    Udp:
    95248 packets received
    3 packets to unknown port received.
    0 packet receive errors
    97603 packets sent
    0 receive buffer errors
    0 send buffer errors
    UdpLite:
    TcpExt:
    28519 SYN cookies sent
    14620 SYN cookies received
    11638 invalid SYN cookies received
    12321 resets received for embryonic SYN_RECV sockets
    33 packets pruned from receive queue because of socket buffer overrun
    129 ICMP packets dropped because they were out-of-window
    373243 TCP sockets finished time wait in fast timer
    330 packets rejects in established connections because of timestamp
    134870 delayed acks sent
    2181 delayed acks further delayed because of locked socket
    Quick ack mode was activated 61222 times
    1381 times the listen queue of a socket overflowed
    30252 SYNs to LISTEN sockets dropped
    15566 packets directly queued to recvmsg prequeue.
    50643 bytes directly received in process context from prequeue
    3129297 packet headers predicted
    56 packets header predicted and directly queued to user
    1931257 acknowledgments not containing data payload received
    3003717 predicted acknowledgments
    21 times recovered from packet loss due to fast retransmit
    4215 times recovered from packet loss by selective acknowledgements
    Detected reordering 8 times using FACK
    Detected reordering 7 times using SACK
    Detected reordering 42 times using time stamp
    30 congestion windows fully recovered without slow start
    39 congestion windows partially recovered using Hoe heuristic
    201 congestion windows recovered without slow start by DSACK
    16653 congestion windows recovered without slow start after partial ack
    TCPLostRetransmit: 6
    9 timeouts after reno fast retransmit
    14486 timeouts after SACK recovery
    840 timeouts in loss state
    6834 fast retransmits
    600 forward retransmits
    5817 retransmits in slow start
    754545 other TCP timeouts
    TCPLossProbes: 186417
    TCPLossProbeRecovery: 34172
    10 classic Reno fast retransmits failed
    1292 SACK retransmits failed
    1118 packets collapsed in receive queue due to low socket buffer
    61428 DSACKs sent for old packets
    5 DSACKs sent for out of order packets
    10428 DSACKs received
    128 DSACKs for out of order packets received
    65 connections reset due to unexpected data
    52 connections reset due to early user close
    1921 connections aborted due to timeout
    TCPDSACKIgnoredOld: 28
    TCPDSACKIgnoredNoUndo: 5661
    TCPSpuriousRTOs: 329
    TCPSackShifted: 395
    TCPSackMerged: 655
    TCPSackShiftFallback: 18400
    TCPTimeWaitOverflow: 7574
    TCPReqQFullDoCookies: 28519
    TCPRcvCoalesce: 410308
    TCPOFOQueue: 30205
    TCPOFOMerge: 7
    TCPChallengeACK: 1414
    TCPSYNChallenge: 4635
    TCPFastOpenCookieReqd: 10
    TCPFromZeroWindowAdv: 1
    TCPToZeroWindowAdv: 1
    TCPWantZeroWindowAdv: 25
    TCPSynRetrans: 516500
    TCPOrigDataSent: 10068841
    TCPHystartTrainDetect: 724
    TCPHystartTrainCwnd: 14858
    TCPHystartDelayDetect: 208
    TCPHystartDelayCwnd: 8528
    TCPACKSkippedSynRecv: 1298
    TCPACKSkippedPAWS: 25
    TCPACKSkippedSeq: 46
    TCPACKSkippedChallenge: 611
    IpExt:
    InNoRoutes: 24
    InMcastPkts: 11
    InOctets: 2578230037
    OutOctets: 2801129266
    InMcastOctets: 396
    InNoECTPkts: 18228913
    InECT1Pkts: 18
    InECT0Pkts: 1956
    InCEPkts: 68
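    The counters above are cumulative since boot and netstat prints them as free-text lines, so a script has to match the description rather than a column. The following is an added example, not code from the original post: it extracts a few TcpExt counters from a constructed excerpt in the same layout as the output above, and reports whether the accept backlog has been exhausted (SYN cookies sent, listen queue overflows, SYNs dropped), which is the kernel-side counterpart of the SYN-RECEIVED pile-up described under the state list. The sample text is constructed for the demo; on a live host feed it `netstat -s` instead.

```shell
#!/bin/sh
# Added example (not from the original post): pull TCP counters out of
# `netstat -s` text. SAMPLE_STATS is a constructed excerpt, not captured
# from a real host.

SAMPLE_STATS='Tcp:
    491022 active connections openings
    280992 passive connection openings
    15791 failed connection attempts
TcpExt:
    28519 SYN cookies sent
    14620 SYN cookies received
    1381 times the listen queue of a socket overflowed
    30252 SYNs to LISTEN sockets dropped'

# Print the number in front of a counter description, or 0 if the line is
# absent. Descriptions are free text, so the exact trailing phrase is
# matched after stripping the leading number.
# Usage: counter "SYN cookies sent" < stats
counter() {
    awk -v want="$1" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, " ")
            if (n > 0 && substr(line, n + 1) == want) { v = substr(line, 1, n - 1) }
        }
        END { print v + 0 }'
}

# Report the backlog-exhaustion counters. They are cumulative, so on a live
# host compare two runs a few seconds apart: a growing value means clients
# are being refused or served from SYN cookies. Prints one line per counter
# and returns 1 if any counter is non-zero.
backlog_report() {
    data=$(cat)
    rc=0
    for name in "SYN cookies sent" \
                "times the listen queue of a socket overflowed" \
                "SYNs to LISTEN sockets dropped"; do
        v=$(printf '%s\n' "$data" | counter "$name")
        echo "$v $name"
        [ "$v" -eq 0 ] || rc=1
    done
    return $rc
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_STATS" | backlog_report || true
```

    Because netstat does not print a counter whose value has never changed on some kernels, `counter` returns 0 for a missing line rather than failing, so the report stays usable across kernel versions.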
  8. Show listening sockets

    [root@VM_106_118_centos ~]# netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 localhost:6379 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
    tcp6 0 0 [::]:ssh [::]:* LISTEN
    udp 0 0 localhost:323 0.0.0.0:*
    udp6 0 0 localhost:323 [::]:*
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ ACC ] STREAM LISTENING 14972 /tmp/php-cgi.sock
    unix 2 [ ACC ] STREAM LISTENING 30640322 /usr/local/sa/agent/secubase/secu-tcs-agent.unix
    unix 2 [ ACC ] STREAM LISTENING 30640323 /usr/local/sa/agent/secubase/secu-tcs-agent-v5.unix
    unix 2 [ ACC ] STREAM LISTENING 30640324 /usr/local/sa/agent/secubase/secu-tcs-agent-v5-notpl.unix
    unix 2 [ ACC ] SEQPACKET LISTENING 9537 /run/udev/control
    unix 2 [ ACC ] STREAM LISTENING 11875 /var/run/acpid.socket
    unix 2 [ ACC ] STREAM LISTENING 11129 /var/run/dbus/system_bus_socket
    unix 2 [ ACC ] STREAM LISTENING 11939 /var/run/lsm/ipc/sim
    unix 2 [ ACC ] STREAM LISTENING 9404 /run/systemd/private
    unix 2 [ ACC ] STREAM LISTENING 9412 /run/lvm/lvmpolld.socket
    unix 2 [ ACC ] STREAM LISTENING 9415 /run/lvm/lvmetad.socket
    unix 2 [ ACC ] STREAM LISTENING 11986 /var/run/lsm/ipc/simc
    unix 2 [ ACC ] STREAM LISTENING 6645 /run/systemd/journal/stdout
  9. Show all established connections

    netstat -n
  10. Show Ethernet statistics

    Shows statistics about the Ethernet interface. The items listed include the total bytes of datagrams transferred, error counts, discard counts, the number of datagrams and the number of broadcasts, covering both sent and received datagrams. This option can be used to gather basic network traffic figures.

    [root@VM_106_118_centos ~]# netstat -e
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
    tcp 0 0 10.141.106.118:35672 10.53.192.14:nsesrvr ESTABLISHED root 45877268
    tcp 0 36 10.141.106.118:ssh 43.246.231.98:4236 ESTABLISHED root 46950480
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ ] DGRAM 9480 /run/systemd/shutdownd
    unix 2 [ ] DGRAM 6637 /run/systemd/notify
    unix 5 [ ] DGRAM 6648 /run/systemd/journal/socket
    unix 7 [ ] DGRAM 6650 /dev/log
    unix 3 [ ] STREAM CONNECTED 11556 /run/systemd/journal/stdout
    unix 3 [ ] STREAM CONNECTED 11433
    unix 3 [ ] STREAM CONNECTED 14970
  11. Show routing table information

    [root@VM_106_118_centos ~]# netstat -r
    Kernel IP routing table
    Destination Gateway Genmask Flags MSS Window irtt Iface
    default 10.141.64.1 0.0.0.0 UG 0 0 0 eth0
    10.141.64.0 0.0.0.0 255.255.192.0 U 0 0 0 eth0
    link-local 0.0.0.0 255.255.0.0 U 0 0 0 eth0
  12. List all TCP ports

    [root@VM_106_118_centos ~]# netstat -at
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0 localhost:6379 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
    tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
    tcp 0 0 10.141.106.118:32833 10.66.145.146:mysql TIME_WAIT
    tcp 0 0 10.141.106.118:35672 10.53.192.14:nsesrvr ESTABLISHED
    tcp 0 0 10.141.106.118:32831 10.66.145.146:mysql TIME_WAIT
    tcp 0 0 10.141.106.118:32828 10.66.145.146:mysql TIME_WAIT
    tcp 0 0 10.141.106.118:32832 10.66.145.146:mysql TIME_WAIT
    tcp 0 36 10.141.106.118:ssh 43.246.231.98:4236 ESTABLISHED
    tcp 0 0 10.141.106.118:32830 10.66.145.146:mysql TIME_WAIT
    tcp 0 0 10.141.106.118:32829 10.66.145.146:mysql TIME_WAIT
    tcp6 0 0 [::]:ssh [::]:* LISTEN
  13. Count the connections in each state on the host

    [root@VM_106_118_centos ~]# netstat -a | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
    LISTEN 4
    ESTABLISHED 2
    TIME_WAIT 6
  14. Extract all states, count them with uniq -c, then sort

    [root@VM_106_118_centos ~]#  netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
    4 TIME_WAIT
    4 LISTEN
    2 ESTABLISHED
    1 established)
    1 Foreign
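    The pipeline in example 14 counts the two header lines too, which is where the stray "established)" and "Foreign" rows come from; example 13 avoids that by matching only rows that start with tcp. The following is an added example, not code from the original post: it combines both ideas into reusable functions, tallies states from a constructed `netstat -nat` sample, and adds the check the state list above motivates, flagging a large SYN_RECV population. The threshold value and the sample output are assumptions for the demo; on a live host pipe `netstat -nat` into the functions and tune the threshold to normal load.

```shell
#!/bin/sh
# Added example (not from the original post): count TCP connection states
# from `netstat -nat` output, skipping the header lines that a plain
# `awk '{print $6}'` pipeline counts as "established)" and "Foreign".
# SAMPLE_NETSTAT is a constructed sample, not captured from a real host.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:40001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:40003       SYN_RECV
tcp        0      0 10.0.0.5:32833          10.0.0.9:3306           TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN'

# Print "STATE count" lines, most frequent first (ties alphabetically).
# Only rows whose first field starts with "tcp" are counted, so headers
# never leak into the tally; the state is the last field ($NF), which
# also works for tcp6 rows.
count_states() {
    awk '/^tcp/ { s[$NF]++ } END { for (k in s) print k, s[k] }' | sort -k2,2nr -k1,1
}

# Print the count for one state (0 if absent). Usage: state_count SYN_RECV
state_count() {
    awk -v want="$1" '/^tcp/ && $NF == want { n++ } END { print n + 0 }'
}

# Defender check: many sockets stuck in SYN_RECV is the pattern the post
# associates with a SYN flood. The default threshold is an assumption for
# the demo. Prints "ok" or "warn" and returns 1 on warn.
syn_recv_check() {
    threshold="${1:-100}"
    n=$(state_count SYN_RECV)
    if [ "$n" -ge "$threshold" ]; then
        echo "warn: $n sockets in SYN_RECV (threshold $threshold)"
        return 1
    fi
    echo "ok: $n sockets in SYN_RECV"
    return 0
}

# Stand-alone run on the constructed sample; on a live host replace the
# printf with `netstat -nat`.
printf '%s\n' "$SAMPLE_NETSTAT" | count_states
printf '%s\n' "$SAMPLE_NETSTAT" | syn_recv_check 3 || true
```

    The non-zero return from `syn_recv_check` makes it usable from cron or a monitoring agent without parsing its text.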
  15. Find the port a program is running on

    [root@VM_106_118_centos ~]# netstat -ap | grep ssh
    tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 713/sshd
    tcp 0 36 10.141.106.118:ssh 43.246.231.98:6918 ESTABLISHED 18793/sshd: root@pt
    tcp 0 80 10.141.106.118:ssh a94-133-111-209.c:45314 ESTABLISHED 19221/sshd: root [p
    tcp6 0 0 [::]:ssh [::]:* LISTEN 713/sshd
    unix 3 [ ] STREAM CONNECTED 12962 713/sshd
    unix 2 [ ] DGRAM 46967966 18793/sshd: root@pt
  16. Show PID and process name in netstat output

    netstat -p can be combined with the other switches to add a "PID/Program name" column to the output, which makes it easy to find which program is running on a particular port when debugging.

    [root@VM_106_118_centos ~]# netstat -pt
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 10.141.106.118:35672 10.53.192.14:nsesrvr ESTABLISHED 16588/secu-tcs-agen
    tcp 0 36 10.141.106.118:ssh 43.246.231.98:6918 ESTABLISHED 18793/sshd: root@pt
    tcp 0 0 10.141.106.118:ssh a94-133-111-209.c:45314 TIME_WAIT -
  17. Find the process running on a given port

    The process running on port 80 has PID 1576; the ps command then identifies the actual application.

    [root@VM_106_118_centos ~]# netstat -anpt | grep ':80'
    tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1576/nginx: master
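    Examples 8 and 15 to 17 show how -l, -n, -p and -t together reveal which program owns each listening socket. The following is an added example, not code from the original post: it audits a constructed `netstat -lntp` sample and lists only the TCP listeners bound to a wildcard address (0.0.0.0 or ::), which are the services reachable from other hosts, as opposed to loopback-only ones such as the Redis and php-cgi sockets seen above. The sample output and process names are constructed for the demo; on a live host replace the sample with `netstat -lntp` run as root so the program column is filled in.

```shell
#!/bin/sh
# Added example (not from the original post): list listening TCP sockets
# bound to every interface, from `netstat -lntp` output.
# SAMPLE_LISTENERS is a constructed sample, not captured from a real host.

SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1201/redis-server
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1576/nginx: master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      713/sshd
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      1402/php-fpm
tcp6       0      0 :::22                   :::*                    LISTEN      713/sshd
tcp6       0      0 :::3306                 :::*                    LISTEN      -'

# Print "port program" for each listener bound to a wildcard address,
# sorted by port, one line per distinct port/program pair (the IPv4 and
# IPv6 sshd rows collapse into one). Local Address is field 4; the port is
# everything after the last colon, which also handles ":::22". The program
# is field 7 onward ("-" means netstat could not see the owner; run as root).
exposed_listeners() {
    awk '
        /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::" || host == "") {
                prog = $7
                for (i = 8; i <= NF; i++) prog = prog " " $i
                if (prog == "") prog = "-"
                key = port " " prog
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }' | sort -n
}

# Number of exposed listeners, as a bare integer for scripting.
exposed_count() {
    exposed_listeners | wc -l | tr -d " "
}

# Stand-alone run on the constructed sample; on a live host replace the
# printf with `netstat -lntp`.
printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners
```

    A listener with "-" in the program column is worth a second look: either netstat was not run with enough privilege to see the owner, or the socket belongs to a kernel-side service.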
