Netstat is used to display statistical data related to IP, TCP, UDP and ICMP protocols. It is generally used to check the network connection of each port of the machine.
Don’t be surprised if your computer sometimes receives datagrams that cause erroneous data or malfunctions. TCP/IP can tolerate these types of errors and can automatically resend datagrams. But if the cumulative number of error conditions accounts for a large percentage of received IP datagrams, or if its number is increasing rapidly, then you should use Netstat to find out why these conditions occur.
Netstat detailed parameter list
(winXP)
C:>netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
-a        Displays all connections and listening ports.
-b        Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e        Displays Ethernet statistics. This may be combined with the -s option.
-n        Displays addresses and port numbers in numerical form.
-o        Displays the owning process ID associated with each connection.
-p proto  Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r        Displays the routing table.
-s        Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-v        When used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for all executables.
interval  Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat prints the current configuration information once.
(win2000)
C:>netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
-a        Displays all connections and listening ports.
-e        Displays Ethernet statistics. This may be combined with the -s option.
-n        Displays addresses and port numbers in numerical form.
-p proto  Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for TCP, UDP and IP; the -p option may be used to specify
a subset of the default.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.
(linux)
[john11@john ~]$ netstat /?
usage: netstat [-veenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vnNcaeol] [<Socket> ...]
       netstat { [-veenNac] -i[<Iface>] | [-cnNe] -M | -s } [delay]
-r, --route                display routing table
-i, --interfaces=[<Iface>] display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
<Iface>: Name of interface to monitor/list.
<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)
Some commonly used Netstat options
netstat -s - This option displays the statistics for each protocol separately. If an application (such as a web browser) runs slowly or cannot display data such as web pages, you can use this option to look at the information it shows. You need to go through each line of the statistics carefully, find the keywords that point to errors, and so determine where the problem lies.
netstat -e - This option displays Ethernet statistics. The items it lists include the total number of bytes transferred, the number of errors, the number of discards, the number of datagrams and the number of broadcasts. Each statistic is given both for datagrams sent and for datagrams received. This option can be used to gather some basic network traffic statistics.
netstat -r - This option displays routing table information, similar to what you see with the route print command described later. Besides the valid routes, it also displays the currently valid connections.
netstat -a - This option displays a list of all valid connections, including established connections (ESTABLISHED), connections that are listening for connection requests (LISTENING), and connections that are disconnected (CLOSE_WAIT) or in the waiting state (TIME_WAIT), and so on.
netstat -n - Displays all established valid connections.
netstat supports a set of options for displaying active or passive sockets. The options -t, -u, -w, and -x show TCP, UDP, RAW, and UNIX socket connections respectively. If you also give the -a flag, sockets that are waiting for connections (that is, in listening mode) are displayed as well. This gives you a list of the servers currently running on the system.
When calling netstat -ta, the output result is as follows:
[root@machine1 /]$ netstat -ta
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 210.34.6.89:telnet      210.34.6.96:2873        ESTABLISHED
tcp        0      0 210.34.6.89:1165        210.34.6.84:netbios-ssn ESTABLISHED
tcp        0      0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp        0      0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp        0      0 *:9001                  *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
tcp        0      0 *:socks                 *:*                     LISTEN
tcp        0     80 210.34.6.89:1161        210.34.6.10:netbios-ssn CLOSE
The above output shows that several servers are waiting for incoming connections. With the -a option, netstat also displays all sockets. Note that from the port number you can tell whether a connection is outbound: for the calling host, the port number listed should always be a plain integer, while for the called host, where a well-known service port is in use, netstat shows the symbolic service name taken from the /etc/services file. When called with the -i flag, netstat displays the current configuration of the network interfaces. If the -a option is given as well, it also prints all interfaces present in the kernel, not just the ones currently configured. The output of netstat -i looks like this:
[root@machine1 /]$ netstat -i
Kernel Interface table
Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 787165      0      0      1  51655      0      0      0 BRU
eth1   1500   0 520811      0      0      0   1986      0      0      0 BRU
lo     3924   0   1943      0      0      0     43      0      0      0 LRU
The MTU and Met fields show the MTU and the metric value of the interface. The RX and TX columns show how many packets have been received and sent without error (RX-OK/TX-OK), how many errors occurred (RX-ERR/TX-ERR), how many packets were dropped (RX-DRP/TX-DRP), and how many were lost to overruns (RX-OVR/TX-OVR). The last column shows the flags set on the interface; they are the one-letter versions of the flags that ifconfig prints when displaying the interface configuration. Their meanings are as follows:
■ B A broadcast address has been set.
■ L This interface is a loopback device.
■ M All packets are received (promiscuous mode).
■ N Trailers are avoided.
■ O ARP is disabled on this interface.
■ P This is a point-to-point link.
■ R The interface is running.
■ U The interface is up ("active").
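As an added example (not code from the original page), here is a small Python script that parses a `netstat -i` table like the one above and flags interfaces whose error, drop and overrun counters look unhealthy. The absolute threshold of 100 bad packets is this page's own rule of thumb from its netstat -e discussion; the 1% ratio and the constructed eth2 row are assumptions made for the example.

```python
# Constructed sample: the three rows from the page's `netstat -i` listing plus
# one made-up interface (eth2) with an unhealthy error count.
SAMPLE_NETSTAT_I = """\
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   787165      0      0      1    51655      0      0      0 BRU
eth1   1500   0   520811      0      0      0     1986      0      0      0 BRU
eth2   1500   0    40210    312     57      0     9980    140      0      0 BRU
lo     3924   0     1943      0      0      0       43      0      0      0 LRU
"""

COUNTERS = ("rx_ok", "rx_err", "rx_drp", "rx_ovr",
            "tx_ok", "tx_err", "tx_drp", "tx_ovr")


def parse_interface_table(text):
    """Parse `netstat -i` output into {iface: {counter: int, ..., "flags": str}}."""
    ifaces = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip the title and header rows; data rows have 12 whitespace-separated fields
        # and an integer MTU in the second column.
        if len(fields) != 12 or not fields[1].isdigit():
            continue
        name, mtu, met = fields[0], int(fields[1]), int(fields[2])
        counters = dict(zip(COUNTERS, map(int, fields[3:11])))
        ifaces[name] = {"mtu": mtu, "metric": met, "flags": fields[11], **counters}
    return ifaces


def assess_interfaces(ifaces, max_bad=100, max_bad_ratio=0.01):
    """Return (iface, direction, bad_packets, bad_ratio) for each direction of each
    interface whose ERR+DRP+OVR count exceeds max_bad (the page's threshold of 100)
    or whose share of bad packets exceeds max_bad_ratio (assumed 1%)."""
    findings = []
    for name, c in ifaces.items():
        for d in ("rx", "tx"):
            bad = c[f"{d}_err"] + c[f"{d}_drp"] + c[f"{d}_ovr"]
            total = bad + c[f"{d}_ok"]
            ratio = bad / total if total else 0.0
            if bad > max_bad or ratio > max_bad_ratio:
                findings.append((name, d, bad, round(ratio, 4)))
    return findings


if __name__ == "__main__":
    for finding in assess_interfaces(parse_interface_table(SAMPLE_NETSTAT_I)):
        print("unhealthy: iface=%s dir=%s bad=%d ratio=%.4f" % finding)
```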
◆ Display the routing table
When netstat is called with the -r flag, it displays the kernel routing table, just as the route command does. The output looks like this:
[root@machine1 /]$ netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
210.34.6.0      0.0.0.0         255.255.255.128 U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         210.34.6.2      0.0.0.0         UG        0 0          0 eth0
The -n option makes netstat print IP addresses in dotted-quad form instead of symbolic host and network names. This is especially useful when you want to avoid address lookups over the network (for example, to avoid querying DNS or NIS servers).
In the netstat output, the second column shows the gateway the routing entry points to. If no gateway is used, an asterisk (*) or 0.0.0.0 appears there. The third column shows the generality of the route, that is, its netmask (Genmask). When looking for the most suitable route for an IP address, the kernel walks through every entry in the routing table, performs a bitwise AND of the address and the genmask, and compares the result with the entry's destination. The fourth column shows the various flags, which mean the following:
■ G The route uses a gateway.
■ U The interface to be used is up ("active").
■ H Only a single host can be reached through this route.
■ D This flag is set if the routing entry was created by an ICMP redirect message.
■ M This flag is set if the routing entry was modified by an ICMP redirect message.
The Iface column of the netstat output shows the physical network card used for the route: eth0 means the first card and eth1 the second.
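An added example, not from the original page, of the lookup described above: it parses the `netstat -nr` table shown earlier and selects a route the way the paragraph explains, ANDing the address with each genmask, keeping entries whose result equals the destination, and preferring the most specific mask. It also shows the edge the /25 on eth0 creates: 210.34.6.200 lies outside 255.255.255.128 and therefore goes to the default gateway.

```python
import ipaddress

# Constructed sample reproducing the `netstat -nr` table shown above.
SAMPLE_NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
210.34.6.0      0.0.0.0         255.255.255.128 U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         210.34.6.2      0.0.0.0         UG        0 0          0 eth0
"""


def parse_routing_table(text):
    """Parse `netstat -nr` output into a list of route dicts; addresses and
    masks are stored as integers so they can be ANDed directly."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 fields and start with a digit; title/header rows do not.
        if len(f) != 8 or not f[0][0].isdigit():
            continue
        routes.append({
            "dest": int(ipaddress.IPv4Address(f[0])),
            "gateway": f[1],
            "genmask": int(ipaddress.IPv4Address(f[2])),
            "flags": f[3],
            "iface": f[7],
        })
    return routes


def lookup_route(routes, ip):
    """Return (destination, gateway-or-None, iface) for ip.

    For every entry, (ip AND genmask) is compared with the destination; among
    the matches the longest (numerically largest, since masks are contiguous)
    genmask wins, so a /25 beats a /24 and the 0.0.0.0/0 default loses to all."""
    addr = int(ipaddress.IPv4Address(ip))
    best = None
    for r in routes:
        if addr & r["genmask"] != r["dest"]:
            continue
        if best is None or r["genmask"] > best["genmask"]:
            best = r
    if best is None:
        return None  # no matching entry and no default route
    gw = None if best["gateway"] == "0.0.0.0" else best["gateway"]
    return (str(ipaddress.IPv4Address(best["dest"])), gw, best["iface"])
```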
Let's take a look at what Microsoft says.
Microsoft deliberately hides this powerful command because it is a bit complicated for ordinary users. We already know that Netstat can be used to obtain information about your system's network connections (ports in use, protocols in use, and so on), the data received and sent, and the ports of the remote systems being connected to; Netstat reads all of this network information from memory.
In the Internet RFC standards, Netstat is defined as a program that accesses network and related information in the kernel. It can provide reports on TCP connections, TCP and UDP listeners, and process memory management.
For the extremely curious, the theory above is not enough. Next, let's go through the use of each parameter in detail and see what happens after it is executed and what the displayed information means. OK, enough talk; let's practise together :)
C:>netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP    Eagle:ftp              Eagle:0                LISTENING
TCP    Eagle:telnet           Eagle:0                LISTENING
TCP    Eagle:epmap            Eagle:0                LISTENING
TCP    Eagle:https            Eagle:0                LISTENING
TCP    Eagle:microsoft-ds     Eagle:0                LISTENING
TCP    Eagle:1030             Eagle:0                LISTENING
TCP    Eagle:6059             Eagle:0                LISTENING
TCP    Eagle:8001             Eagle:0                LISTENING
TCP    Eagle:8005             Eagle:0                LISTENING
TCP    Eagle:microsoft-ds     localhost:1031         ESTABLISHED
TCP    Eagle:1031             localhost:microsoft-ds ESTABLISHED
TCP    Eagle:1040             Eagle:0                LISTENING
TCP    Eagle:netbios-ssn      Eagle:0                LISTENING
TCP    Eagle:1213             218.85.139.65:9002     CLOSE_WAIT
TCP    Eagle:2416             219.133.63.142:https   CLOSE_WAIT
TCP    Eagle:2443             219.133.63.142:https   CLOSE_WAIT
TCP    Eagle:2907             192.168.1.101:2774     CLOSE_WAIT
TCP    Eagle:2916             192.168.1.101:telnet   ESTABLISHED
TCP    Eagle:2927             219.137.227.10:4899    TIME_WAIT
TCP    Eagle:2928             219.137.227.10:4899    TIME_WAIT
TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED
TCP    Eagle:3455             218.85.139.65:9002     ESTABLISHED
TCP    Eagle:netbios-ssn      Eagle:0                LISTENING
UDP Eagle:microsoft-ds *:*
UDP Eagle:1046 *:*
UDP Eagle:1050 *:*
UDP Eagle:1073 *:*
UDP Eagle:1938 *:*
UDP Eagle:2314 *:*
UDP Eagle:2399 *:*
UDP Eagle:2413 *:*
UDP Eagle:2904 *:*
UDP Eagle:2908 *:*
UDP Eagle:3456 *:*
UDP Eagle:4000 *:*
UDP Eagle:4001 *:*
UDP Eagle:6000 *:*
UDP Eagle:6001 *:*
UDP Eagle:6002 *:*
UDP Eagle:6003 *:*
UDP Eagle:6004 *:*
UDP Eagle:6005 *:*
UDP Eagle:6006 *:*
UDP Eagle:6007 *:*
UDP Eagle:6008 *:*
UDP Eagle:6009 *:*
UDP Eagle:6010 *:*
UDP Eagle:6011 *:*
UDP Eagle:1045 *:*
UDP Eagle:1051 *:*
UDP Eagle:netbios-ns *:*
UDP Eagle:netbios-dgm *:*
UDP Eagle:netbios-ns *:*
UDP Eagle:netbios-dgm *:*
Let's take one of the lines and explain it:
Proto  Local Address          Foreign Address        State
TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED
Protocol (Proto): TCP, the transport-layer protocol (what? You don't know it? Search Baidu for "TCP"; the seven OSI layers and the four TCP/IP layers are the basics ^_^).
Local machine name (Local Address): Eagle, commonly called the computer name; it is set when the system is installed and can be changed in the properties of "My Computer". The local port opened and used for the connection: 2929.
Remote machine name (Foreign Address): 219.137.227.10
Remote port: 4899
State: ESTABLISHED
State list
LISTEN: in the listening state.
ESTABLISHED: a connection has been established.
TIME_WAIT: the connection is currently in the waiting state.
The -a parameter is often used to find out which ports your local system has open; with it you can check for yourself whether a trojan has been installed on your system (PS: there are many good programs for detecting trojans, but if you want to become a real hacker, checking by hand is better than just pressing a "scan" button; just my personal opinion). If you run Netstat on your own machine and see the following:
Port 12345(TCP) Netbus
Port 31337(UDP) Back Orifice
Congratulations! You have won the most common trojans (^_^; the 4899 above is mine and other people's: that is radmin, a commercial program and currently my favourite remote-control software).
If you need a list of trojans and their ports, look for it on the domestic H sites, or on Baidu or Google.
******************************************************************
# Some background: maybe you have this question: "What does the port number after the machine name mean?"
Example: Eagle:2929
Ports below 1024 usually run network services, and ports above 1024 are used to establish connections to remote machines.
******************************************************************
Let's continue our discussion with the -n parameter (Netstat -n).
Netstat -n is basically the numeric form of the -a parameter:
C:>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:445 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:1031 127.0.0.1:445 ESTABLISHED
TCP 192.168.1.180:1213 218.85.139.65:9002 CLOSE_WAIT
TCP 192.168.1.180:2416 219.133.63.142:443 CLOSE_WAIT
TCP 192.168.1.180:2443 219.133.63.142:443 CLOSE_WAIT
TCP 192.168.1.180:2907 192.168.1.101:2774 CLOSE_WAIT
TCP 192.168.1.180:2916 192.168.1.101:23 ESTABLISHED
TCP 192.168.1.180:2929 219.137.227.10:4899 ESTABLISHED
TCP 192.168.1.180:3048 192.168.1.1:8004 SYN_SENT
TCP 192.168.1.180:3455 218.85.139.65:9002 ESTABLISHED
-a and -n are the two most commonly used options. From my (incomplete) testing I get the following results:
1. -n displays the host name in numeric form, that is, the IP address, instead of the computer name [eagle].
2. -n only displays TCP connections (I haven't seen any relevant documentation from Microsoft anywhere; if any friends have seen it, remember to tell me ^_^).
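As an added example (not part of the original article), here is the check the -a discussion above recommends, done against a constructed `netstat -an`-style listing: every listening TCP/UDP port is compared with an assumed baseline of expected listeners, anything unexpected is reported, and the two trojan ports the article names are looked up by name. The baseline set and the sample lines are assumptions made for the example, not data from the page's host.

```python
import re

# Constructed sample in Windows `netstat -an` layout (not output from the page's host).
SAMPLE_NETSTAT_AN = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.180:2929     219.137.227.10:4899    ESTABLISHED
  TCP    192.168.1.180:2416     219.133.63.142:443     CLOSE_WAIT
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Listeners this host is expected to have (assumed baseline for the example).
BASELINE = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# Port/protocol pairs the article names as trojan defaults.
KNOWN_BAD = {("TCP", 12345): "Netbus", ("UDP", 31337): "Back Orifice"}

# proto, local host, local port, foreign endpoint, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(text):
    """Return the set of (proto, port) the host is listening on.

    TCP sockets count only when their state is LISTENING; UDP sockets carry no
    state in netstat output, so every bound UDP port counts."""
    found = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # title, blank and header lines
        proto, port, state = m.group(1), int(m.group(3)), m.group(5)
        if proto == "UDP" or state == "LISTENING":
            found.add((proto, port))
    return found


def audit_listeners(text, baseline=BASELINE, known_bad=KNOWN_BAD):
    """Compare listeners with the baseline.

    Returns (unexpected, flagged): unexpected is the sorted list of listeners
    not in the baseline, flagged maps those that match a known trojan port
    to its name. Anything unexpected deserves a look, named or not."""
    listeners = listening_sockets(text)
    unexpected = sorted(listeners - baseline)
    flagged = {sock: known_bad[sock] for sock in unexpected if sock in known_bad}
    return unexpected, flagged


if __name__ == "__main__":
    unexpected, flagged = audit_listeners(SAMPLE_NETSTAT_AN)
    for sock in unexpected:
        print("unexpected listener %s/%d %s" % (sock[0], sock[1], flagged.get(sock, "")))
```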
Getting the IP is as good as getting everything: it is what makes a machine most vulnerable, so hiding your own IP and getting other people's IPs are very important to hackers. IP-hiding techniques are very popular now, but do those hiding tools or services really make you invisible? I can't see it, haha. Proxies and springboards are not part of today's discussion. For a simple example of obtaining the other party's IP, see my previous article [
Use DOS commands to check the IP address of QQ friends
]
-a and -n are the most commonly used options; if you want to display more detailed information for a particular protocol, you must use the -p parameter. It is actually a variant of -a and -n. Let's look at an example and you will understand: [netstat -p @@@, where @@@ is TCP or UDP]
C:>netstat -p tcp
Active Connections
Proto Local Address Foreign Address State
TCP    Eagle:microsoft-ds     localhost:1031         ESTABLISHED
TCP    Eagle:1031             localhost:microsoft-ds ESTABLISHED
TCP    Eagle:1213             218.85.139.65:9002     CLOSE_WAIT
TCP    Eagle:2416             219.133.63.142:https   CLOSE_WAIT
TCP    Eagle:2443             219.133.63.142:https   CLOSE_WAIT
TCP    Eagle:2907             192.168.1.101:2774     CLOSE_WAIT
TCP    Eagle:2916             192.168.1.101:telnet   ESTABLISHED
TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED
TCP    Eagle:3455             218.85.139.65:9002     ESTABLISHED
Let's continue our parameter explanation with -e.
Meaning: this option displays Ethernet statistics. The items listed include the total number of bytes transferred, the number of errors, the number of discards, the number of datagrams and the number of broadcasts. Each statistic is given both for datagrams sent and for datagrams received. This option can be used to gather some basic network traffic statistics.
C:>netstat -e
Interface Statistics
                           Received            Sent
Bytes                     143090206        44998789
Unicast packets              691805          363603
Non-unicast packets          886526
Discards                          0               0
Errors                            0               0
Unknown protocols              4449
If the Errors fields are zero (or all of these fields are zero), there is no problem with the network interface. But once the two Errors fields exceed 100 error packets, you can consider it a high error rate. A high number of send errors indicates that the local network is saturated or that there is a poor physical connection between the host and the network; a high number of receive errors indicates that the network as a whole is saturated, that the local host is overloaded, or that there is a problem with the physical connection. You can use the Ping command to measure the error rate and determine the extent of the fault further. The combination of netstat -e and ping can solve most network problems.
Next we come to the two more complex parameters, -r and -s, which is why the author has saved them for last. They may involve knowledge from other areas, which I will explain in my blog later on; I will keep writing it up, haha, I have just been busy recently.
-r displays routing table information; let's look at an example:
C:>netstat -r
Route Table (routing table)
===========================================================================
Interface List (network interface list)
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c f1 02 76 81 ...... Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
0x10004 ...00 02 3f 00 05 cb ...... Realtek RTL8139/810x Family Fast Ethernet NIC
===========================================================================
===========================================================================
Active Routes: (dynamic routes)
Network Destination        Netmask          Gateway       Interface  Metric
                                                          192.168.1.181      30
          0.0.0.0          0.0.0.0    192.168.1.254  192.168.1.180      20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.180  192.168.1.180      20
      192.168.1.0    255.255.255.0    192.168.1.181  192.168.1.181      30
    192.168.1.180  255.255.255.255        127.0.0.1      127.0.0.1      20
    192.168.1.181  255.255.255.255        127.0.0.1      127.0.0.1      30
    192.168.1.255  255.255.255.255    192.168.1.180  192.168.1.180      20
    192.168.1.255  255.255.255.255    192.168.1.181  192.168.1.181      30
        224.0.0.0        240.0.0.0    192.168.1.180  192.168.1.180      20
        224.0.0.0        240.0.0.0    192.168.1.181  192.168.1.181      30
  255.255.255.255  255.255.255.255    192.168.1.180  192.168.1.180       1
  255.255.255.255  255.255.255.255    192.168.1.181  192.168.1.181       1
Default Gateway:     192.168.1.254 (default gateway)
===========================================================================
Persistent Routes: (static routes)
None
C:>
-s: the role of this parameter was explained in detail above; look at the example:
C:>netstat -s
IPv4 Statistics (IP statistics)
  Packets Received                   = 369492  (number of packets received)
  Received Header Errors             = 0       (received header errors)
  Received Address Errors            = 2       (received address errors)
  Datagrams Forwarded                = 0       (datagrams forwarded)
  Unknown Protocols Received         = 0       (unknown protocols received)
  Received Packets Discarded         = 4203    (received packets discarded)
  Received Packets Delivered         = 365287  (packets delivered after reception)
  Output Requests                    =         (value garbled in the source)
  Discarded Output Packets           = 2172    (output packets discarded)
  Output Packet No Route             = 0       (no route)
  Reassembly Required                = 0       (reassemblies required)
  Reassembly Successful              = 0       (successful reassemblies)
  Reassembly Failures                = 0       (failed reassemblies)
  Datagrams Successfully Fragmented  = 0       (datagrams successfully fragmented)
  Datagrams Failing Fragmentation    = 0       (datagrams failing fragmentation)
  Fragments Created                  = 0       (fragments created)
ICMPv4 Statistics (ICMP statistics), with two columns: Received and Sent
                            Received    Sent
  Messages                  285         784     (number of messages)
  Errors                    0
  Parameter Problems        0
  Redirects                 0           0       (number of redirects)
  Echos                     25          2111    (echo requests)
  Echo Replies              207         25      (echo replies)
  Timestamps                0           0       (timestamp requests)
  Timestamp Replies         0           0       (timestamp replies)
  Address Masks             0           0       (address mask requests)
TCP Statistics for IPv4
  Active Opens                       = 5217    (number of active opens)
  Passive Opens                      = 80      (number of passive opens)
  Failed Connection Attempts         = 2944    (number of failed connection attempts)
  Reset Connections                  = 529     (number of reset connections)
  Current Connections                = 9       (number of current connections)
  Segments Received                  = 350143  (number of segments received)
  Segments Sent                      =         (value garbled in the source)
UDP Statistics for IPv4
  Datagrams Received                 =         (value garbled in the source)
  No Ports                           = 1360    (no port)
  Receive Errors                     = 0       (receive errors)
  Datagrams Sent                     = 14524   (datagrams sent)
C:>
There are also a few commonly used parameters that are unique to Windows XP: the two parameters -b and -v, which were explained in detail above. Let me show you two examples below (mainly to display the corresponding application components and other details; if you have a trojan, it gives itself away immediately ^_^).
C:>netstat -b
Active Connections
Proto  Local Address          Foreign Address        State           PID
TCP    Eagle:microsoft-ds     localhost:1031         ESTABLISHED     4
[System]
TCP    Eagle:1031             localhost:microsoft-ds ESTABLISHED     4
[System]
TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED     3224
[radmin.exe]
TCP    Eagle:3455             218.85.139.65:9002     ESTABLISHED     1924
[DCA.exe]
TCP    Eagle:1213             218.85.139.65:9002     CLOSE_WAIT      1924
[DCA.exe]
TCP    Eagle:2416             219.133.63.142:https   CLOSE_WAIT      596
[QQ.exe]
TCP    Eagle:2443             219.133.63.142:https   CLOSE_WAIT      596
[QQ.exe]
TCP    Eagle:2907             192.168.1.101:2774     CLOSE_WAIT      596
[QQ.exe]
C:>netstat -v
Active Conne