Terminal command:

netstat -nalp | grep 8011 | wc -l # count the client connections on port 8011

ulimit -n 102400 # change the maximum number of open files for the current process

 

Introduction

The netstat command is used to display various network-related information, such as network connections, routing tables, interface states, masquerade connections, and multicast memberships.

Description of the output

After the netstat command is executed, the output is:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 210.34.6.89:telnet      210.34.6.96:2873        ESTABLISHED
tcp      296      0 210.34.6.89:1165        210.34.6.84:netbios-ssn ESTABLISHED
tcp        0      0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp        0      0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp        0     80 210.34.6.89:1161        210.34.6.10:netbios-ssn CLOSE
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     16178  @000000dd
unix  1      [ ]         STREAM     CONNECTED     16176  @000000dc
unix  9      [ ]         DGRAM                    5292   /dev/log
unix  1      [ ]         STREAM     CONNECTED     16182  @000000df

Taken as a whole, the netstat output can be divided into two parts:

The first part is Active Internet connections, that is, the active TCP connections. "Recv-Q" and "Send-Q" are the receive and send queues. These numbers should always be 0. If they are not, packets are piling up in the queue. This is seen only in very rare cases.

The second part is Active UNIX domain sockets (these work like network sockets, but only for local communication on the same machine, with twice the performance). Type indicates the type of the socket. State indicates the current status of the socket. Path indicates the pathname used by other processes connected to the socket.

Common parameters

-t (tcp)  Displays only TCP-related options.
-u (udp)  Displays only UDP-related options.
-n        Does not resolve aliases; everything that can be shown as a number is shown as a number.
-l        Lists only the services that are listening.
-r        Displays routing information.
-e        Displays extended information, such as uid.
-s        Collects statistics by protocol.

Note: The LISTEN and LISTENING states can only be seen with -a or -l

 

Practical command examples


1. List all ports (listening and non-listening)

List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ACC ]      STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ACC ]      STREAM     LISTENING     5140     /var/run/acpid.socket

List all TCP ports: netstat -at

# netstat -at

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

tcp        0      0 localhost:30037         *:*                     LISTEN

tcp        0      0 localhost:ipp           *:*                     LISTEN

tcp        0      0 *:smtp                  *:*                     LISTEN

tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all UDP ports: netstat -au

# netstat -au

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

udp        0      0 *:bootpc                *:*

udp        0      0 *:49119                *:*

udp        0      0 *:mdns                  *:*


2. List all listening sockets

Show only listening ports: netstat -l

# netstat -l

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

tcp        0      0 localhost:ipp           *:*                     LISTEN

tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

udp        0      0 *:49119                 *:*

List only listening TCP ports: netstat -lt

# netstat -lt

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

tcp        0      0 localhost:30037         *:*                     LISTEN

tcp        0      0 *:smtp                  *:*                     LISTEN

tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List only listening UDP ports: netstat -lu

# netstat -lu

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State

udp        0      0 *:49119                *:*

udp        0      0 *:mdns                  *:*

List only listening UNIX ports: netstat -lx

# netstat -lx

Active UNIX domain sockets (only servers)

Proto RefCnt Flags       Type       State         I-Node   Path

unix 2      [ACC ]     STREAM     LISTENING     6294     private/maildrop

unix 2      [ACC ]     STREAM     LISTENING     6203     public/cleanup

unix 2      [ACC ]     STREAM     LISTENING     6302     private/ifmail

unix 2      [ACC ]     STREAM     LISTENING     6306     private/bsmtp

 

3. Display the statistics of each protocol

Show statistics for all ports: netstat -s

# netstat -s

Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
Tcp:
    582 active connections openings
    2 failed connection attempts
    25 connection resets received
Udp:
    1183 packets received
    4 packets to unknown port received.
…..

Show TCP or UDP port statistics: netstat -st or netstat -su

# netstat -st

# netstat -su


4. Display the PID and process name in netstat output: netstat -p

netstat -p can be combined with other switches to add the PID/process name to the netstat output. This makes it easy to find the program running on a specific port when debugging.

# netstat -pt

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www        CLOSE_WAIT  2109/firefox

tcp        0      0 ramesh-laptop.loc:52750 lax:www                   ESTABLISHED 2109/firefox

5. Do not display the host, port, or user name in netstat output.

Use netstat -n when you do not want the host, port, and username to be displayed. Numbers will be used instead of those names.

This also speeds up the output, because no name lookups are needed.

# netstat -an

If you want only one of these three kinds of names to be shown as numbers, use one of the following commands:

# netstat -a --numeric-ports

# netstat -a --numeric-hosts

# netstat -a --numeric-users
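
A listener audit built from the -l, -n, -t and -p switches covered above, as an added example that is not part of the original page: it classifies each listening TCP socket by bind address so that services reachable from other hosts stand out. The function names and the sample netstat -lntp output are constructed; an owner of "-" is what netstat prints when you lack permission to see the process.

```bash
# Constructed sample of `netstat -lntp` output (not from the original page).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1201/master
tcp        0      0 192.168.1.15:8011       0.0.0.0:*               LISTEN      2314/java
tcp6       0      0 ::1:631                 :::*                    LISTEN      812/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      -
EOF
}

# Print "scope port owner" for every listening TCP socket read from stdin.
# scope: all = wildcard bind (0.0.0.0 or ::), loopback = 127.x or ::1,
#        iface = bound to one specific address.
classify_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)    # drop the port after the LAST colon (IPv6-safe)
        sub(/.*:/, "", port)        # keep only the port
        if (addr == "0.0.0.0" || addr == "::") scope = "all"
        else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
        else scope = "iface"
        owner = ($7 == "-" || $7 == "") ? "unknown" : $7
        print scope, port, owner
    }'
}

# Listeners that other hosts can reach: everything that is not loopback-only.
exposed_listeners() {
    classify_listeners | awk '$1 != "loopback"'
}

# On a live system: netstat -lntp | exposed_listeners
sample_listeners | exposed_listeners
```
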


6. Output netstat information continuously

netstat -c outputs the network information every second.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ama:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www      CLOSING
tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www      CLOSING
^C


7. Display unsupported address families

netstat --verbose

At the end of the output, there is the following information:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.


8. Display kernel routing information: netstat -r

# netstat -r

Kernel IP routing table

Destination     Gateway         Genmask         Flags  MSS Window  irtt Iface

192.168.1.0     *               255.255.255.0   U         0 0          0 eth2

link-local      *               255.255.0.0     U         0 0          0 eth2

default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: Use netstat -rn to display addresses in numeric format without looking up host names.


9. Find the port on which the program is running

Not all processes can be found. Processes you do not have permission to see are not displayed. Use root to view all information.

# netstat -ap | grep ssh
tcp        1      0 dev-db:ssh              101.174.100.22:39213    CLOSE_WAIT  -
tcp        1      0 dev-db:ssh              101.174.100.22:57643    CLOSE_WAIT  -

Find the process running on a specified port:

# netstat -an | grep ':80'


10. Display the network interface list

# netstat -i
Kernel Interface table
Iface   MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0     0      0      0      0     0      0      0      0 BMU
eth2   1500   0 26196      0      0      0 26883      6      0      0 BMRU
lo    16436   0     4      0      0      0     4      0      0      0 LRU

Display detailed information, like ifconfig, using netstat -ie:

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000


11. IP and TCP analysis

View the IP addresses that connect to a service port most frequently:

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

TCP status list

wss8848@ubuntu:~$ netstat -nat | awk '{print $6}'

established)

Foreign

LISTEN

TIME_WAIT

ESTABLISHED

TIME_WAIT

SYN_SENT

First extract all the states, then count them with uniq -c, and then sort.

wss8848@ubuntu:~$ netstat -nat | awk '{print $6}' | sort | uniq -c

143 ESTABLISHED

1 FIN_WAIT1

1 Foreign

1 LAST_ACK

36 LISTEN

6 SYN_SENT

113 TIME_WAIT

1 established)

The final command is as follows:

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

Analyze access.log to obtain the top 10 IP addresses:

awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -10

 

Reference: blog.maxiang.net/10-netstat-…

www.ipcpu.com/2011/07/net…