Detailed explanation and usage examples of Linux netstat command (display various network-related information)-PHP开发-php.cn

Don’t be surprised if your computer sometimes receives datagrams that cause erroneous data or malfunctions. TCP/IP can tolerate these types of errors and can automatically resend datagrams. But if the cumulative number of error conditions accounts for a large percentage of the IP datagrams received, or if its number is increasing rapidly, then you should use netstat to find out why these conditions occur.

1. Command format:

netstat [-acCeFghilMnNoprstuvVwx][-A][--ip]

2. Command function:

netstat is used to display statistical data related to IP, TCP, UDP and ICMP protocols. It is generally used to check the network connection of each port of the machine.

3. Command parameters:

-a or –all displays all connected Sockets.

-A or – lists the relevant addresses in the connection of this network type.

-c or –continuous lists network status continuously.

-C or –cache displays the cache information of the router configuration.

-e or –extend displays other related information about the network.

-F or –fib displays FIB.

-g or –groups displays the list of group members with multicast function.

-h or –help online help.

-i or –interfaces displays the network interface information form.

-l or –listening displays the Socket of the monitored server.

-M or –masquerade displays masqueraded network connections.

-n or –numeric Use the IP address directly without going through the domain name server.

-N or –netlink or –symbolic displays the symbolic link name of the network hardware peripheral.

-o or –timers displays timers.

-p or –programs displays the program identification code and program name that are using Socket.

-r or –route displays the Routing Table.

-s or –statistice displays network work information statistics table.

-t or –tcp displays the connection status of the TCP transmission protocol.

-u or –udp displays the connection status of UDP transmission protocol.

-v or –verbose displays the command execution process.

-V or –version displays version information.

-w or –raw displays the connection status of RAW transfer protocol.

-x or –unix The effect of this parameter is the same as specifying the "-A unix" parameter.

–ip or –inet This parameter has the same effect as specifying the “-A inet” parameter.

4． Usage example:

Example 1: No parameters to use

Command: netstat

Output:

[root@localhost ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 268 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED 
udp 0 0 192.168.120.204:4371 10.58.119.119:domain ESTABLISHED 
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823 
unix 2 [ ] DGRAM 7539 
unix 3 [ ] STREAM CONNECTED 7287 
unix 3 [ ] STREAM CONNECTED 7286 
[root@localhost ~]#

Copy after login

Explanation:

On the whole, the output result of netstat can be divided into two parts:

One is Active Internet connections , called an active TCP connection, where "Recv-Q" and "Send-Q" refer to the receive queue and send queue. These numbers should generally be 0. If not it means packages are piling up in the queue. This situation can only be seen in very rare cases.

The other is Active UNIX domain sockets, called active Unix domain sockets (the same as network sockets, but can only be used for local communication, and the performance can be doubled).

Proto displays the protocol used for the connection, RefCnt represents the process number connected to this socket, Types displays the type of the socket, State displays the current status of the socket, and Path represents the path name used by other processes connected to the socket.

Socket type:

-t: TCP

-u: UDP

-raw: RAW type

--unix: UNIX domain type

--ax25: AX25 type

--ipx: ipx type

--netrom: netrom type

Status description:

LISTEN: Listen for connection requests from remote TCP ports

SYN-SENT: Wait for matching connection requests after sending the connection request (if there are a large number of such statuses package, check whether it is infected)

SYN-RECEIVED: After receiving and sending a connection request, wait for the other party’s confirmation of the connection request (if there are a large number of this status, it is estimated to be flooded)

ESTABLISHED: Represents an open Connection

FIN-WAIT-1: Waiting for a connection interruption request from the remote TCP, or acknowledgment of a previous connection interruption request

FIN-WAIT-2: Waiting for a connection interruption request from the remote TCP

CLOSE-WAIT: Waiting for a connection interruption request from the local user The connection interruption request sent

CLOSING: Waiting for the remote TCP to confirm the connection interruption

LAST-ACK: Waiting for the original connection interruption request sent to the remote TCP to confirm (not a good thing, this item appears, check whether it is Attack)

TIME-WAIT: Wait enough time to ensure that the remote TCP receives acknowledgment of the connection interruption request

CLOSED: No connection status

Example 2: List all ports

Command: netstat -a

Output:

[root@localhost ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 localhost:smux *:* LISTEN 
tcp 0 0 *:svn *:* LISTEN 
tcp 0 0 *:ssh *:* LISTEN 
tcp 0 284 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED 
udp 0 0 localhost:syslog *:* 
udp 0 0 *:snmp *:* 
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 708833 /tmp/ssh-yKnDB15725/agent.15725
unix 2 [ ACC ] STREAM LISTENING 7296 /var/run/audispd_events
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823 
unix 2 [ ] DGRAM 7539 
unix 3 [ ] STREAM CONNECTED 7287 
unix 3 [ ] STREAM CONNECTED 7286 
[root@localhost ~]#

Copy after login

Description:

Displays a list of all valid connection information, including established connections (ESTABLISHED) and those connections that are listening for connections (LISTENING).

Instance 3: Display the current UDP connection status

Command: netstat -nu

Output:

[root@andy ~]# netstat -nu
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
udp 0 0 ::ffff:192.168.12:53392 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:56723 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:56480 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:58154 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:44227 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:36954 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:53984 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:57703 ::ffff:192.168.9.120:10000 ESTABLISHED 
udp 0 0 ::ffff:192.168.12:53613 ::ffff:192.168.9.120:10000 ESTABLISHED 
[root@andy ~]#

Copy after login

Instance 4: Display the usage of UDP port number

Command: netstat -apu

Output:

[root@andy ~]# netstat -apu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
udp 0 0 *:57604 *:* 28094/java 
udp 0 0 *:40583 *:* 21220/java 
udp 0 0 *:45451 *:* 14583/java 
udp 0 0 ::ffff:192.168.12:53392 ::ffff:192.168.9.120:ndmp ESTABLISHED 19327/java 
udp 0 0 *:52370 *:* 15841/java 
udp 0 0 ::ffff:192.168.12:56723 ::ffff:192.168.9.120:ndmp ESTABLISHED 15841/java 
udp 0 0 *:44182 *:* 31757/java 
udp 0 0 *:48155 *:* 5476/java 
udp 0 0 *:59808 *:* 17333/java 
udp 0 0 ::ffff:192.168.12:56480 ::ffff:192.168.9.120:ndmp ESTABLISHED 28094/java 
udp 0 0 ::ffff:192.168.12:58154 ::ffff:192.168.9.120:ndmp ESTABLISHED 15429/java 
udp 0 0 *:36780 *:* 10091/java 
udp 0 0 *:36795 *:* 24594/java 
udp 0 0 *:41922 *:* 20506/java 
udp 0 0 ::ffff:192.168.12:44227 ::ffff:192.168.9.120:ndmp ESTABLISHED 17333/java 
udp 0 0 *:34258 *:* 8866/java 
udp 0 0 *:55508 *:* 11667/java 
udp 0 0 *:36055 *:* 12425/java 
udp 0 0 ::ffff:192.168.12:36954 ::ffff:192.168.9.120:ndmp ESTABLISHED 16532/java 
udp 0 0 ::ffff:192.168.12:53984 ::ffff:192.168.9.120:ndmp ESTABLISHED 20506/java 
udp 0 0 ::ffff:192.168.12:57703 ::ffff:192.168.9.120:ndmp ESTABLISHED 31757/java 
udp 0 0 ::ffff:192.168.12:53613 ::ffff:192.168.9.120:ndmp ESTABLISHED 3199/java 
udp 0 0 *:56309 *:* 15429/java 
udp 0 0 *:54007 *:* 16532/java 
udp 0 0 *:39544 *:* 3199/java 
udp 0 0 *:43900 *:* 19327/java 
[root@andy ~]#

Copy after login

Instance 5 : Display the network card list

Command: netstat -i

Output:

[root@andy ~]# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 151818887 0 0 0 198928403 0 0 0 BMRU
lo 16436 0 107235 0 0 0 107235 0 0 0 LRU
[root@andy ~]#

Copy after login

Example 6: Display the relationship of multicast groups

命令：netstat -g

输出：

[root@andy ~]# netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
eth0 1 all-systems.mcast.net
lo 1 ff02::1
eth0 1 ff02::1:ffff:9b0c
eth0 1 ff02::1
[root@andy ~]#

Copy after login

实例7：显示网络统计信息

命令：netstat -s

输出：

[root@localhost ~]# netstat -s
Ip:
530999 total packets received
0 forwarded
0 incoming packets discarded
530999 incoming packets delivered
8258 requests sent out
1 dropped because of missing route
Icmp:
90 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 17
echo requests: 1
echo replies: 72
106 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 8
echo request: 97
echo replies: 1
IcmpMsg:
InType0: 72
InType3: 17
InType8: 1
OutType0: 1
OutType3: 8
OutType8: 97
Tcp:
8 active connections openings
15 passive connection openings
8 failed connection attempts
3 connection resets received
1 connections established
3132 segments received
2617 segments send out
53 segments retransmited
0 bad segments received.
252 resets sent
Udp:
0 packets received
0 packets to unknown port received.
0 packet receive errors
5482 packets sent
TcpExt:
1 invalid SYN cookies received
1 TCP sockets finished time wait in fast timer
57 delayed acks sent
Quick ack mode was activated 50 times
60 packets directly queued to recvmsg prequeue.
68 packets directly received from backlog
4399 packets directly received from prequeue
520 packets header predicted
51 packets header predicted and directly queued to user
1194 acknowledgments not containing data received
21 predicted acknowledgments
0 TCP data loss events
1 timeouts after reno fast retransmit
9 retransmits in slow start
42 other TCP timeouts
3 connections aborted due to timeout
IpExt:
InBcastPkts: 527777

Copy after login

说明：

按照各个协议分别显示其统计数据。如果我们的应用程序（如Web浏览器）运行速度比较慢，或者不能显示Web页之类的数据，那么我们就可以用本选项来查看一下所显示的信息。我们需要仔细查看统计数据的各行，找到出错的关键字，进而确定问题所在。

实例8：显示监听的套接口

命令：netstat -l

输出：

[root@localhost ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 localhost:smux *:* LISTEN 
tcp 0 0 *:svn *:* LISTEN 
tcp 0 0 *:ssh *:* LISTEN 
udp 0 0 localhost:syslog *:* 
udp 0 0 *:snmp *:* 
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 708833 /tmp/ssh-yKnDB15725/agent.15725
unix 2 [ ACC ] STREAM LISTENING 7296 /var/run/audispd_events
[root@localhost ~]#

Copy after login

实例9：显示所有已建立的有效连接

命令：netstat -n

输出：

[root@localhost ~]# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 268 192.168.120.204:22 10.2.0.68:62420 ESTABLISHED 
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823 
unix 2 [ ] DGRAM 7539 
unix 3 [ ] STREAM CONNECTED 7287 
unix 3 [ ] STREAM CONNECTED 7286 
[root@localhost ~]#

Copy after login

实例10：显示关于以太网的统计数据

命令：netstat -e

输出：

[root@localhost ~]# netstat -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode 
tcp 0 248 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED root 708795 
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 1491 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7337 /dev/log
unix 2 [ ] DGRAM 708823 
unix 2 [ ] DGRAM 7539 
unix 3 [ ] STREAM CONNECTED 7287 
unix 3 [ ] STREAM CONNECTED 7286 
[root@localhost ~]#

Copy after login

说明：

用于显示关于以太网的统计数据。它列出的项目包括传送的数据报的总字节数、错误数、删除数、数据报的数量和广播的数量。这些统计数据既有发送的数据报数量，也有接收的数据报数量。这个选项可以用来统计一些基本的网络流量）

实例11：显示关于路由表的信息

命令：netstat -r

输出：

[root@localhost ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.120.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 192.168.120.1 255.255.0.0 UG 0 0 0 eth0
10.0.0.0 192.168.120.1 255.0.0.0 UG 0 0 0 eth0
default 192.168.120.240 0.0.0.0 UG 0 0 0 eth0
[root@localhost ~]#

Copy after login

实例12：列出所有 tcp 端口

命令：netstat -at

输出：

[root@localhost ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State 
tcp 0 0 localhost:smux *:* LISTEN 
tcp 0 0 *:svn *:* LISTEN 
tcp 0 0 *:ssh *:* LISTEN 
tcp 0 284 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED 
[root@localhost ~]#

Copy after login

实例13：统计机器中网络连接各个状态个数

命令：netstat -a | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'

输出：

[root@localhost ~]# netstat -a | awk &#39;/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}&#39;
ESTABLISHED 1
LISTEN 3
[root@localhost ~]#

Copy after login

实例14：把状态全都取出来后使用uniq -c统计后再进行排序

命令：netstat -nat |awk '{print $6}'|sort|uniq -c

输出：

[root@andy ~]# netstat -nat |awk &#39;{print $6}&#39;|sort|uniq -c
14 CLOSE_WAIT
1 established)
578 ESTABLISHED
1 Foreign
43 LISTEN
5 TIME_WAIT
[root@andy ~]# netstat -nat |awk &#39;{print $6}&#39;|sort|uniq -c|sort -rn
576 ESTABLISHED
43 LISTEN
14 CLOSE_WAIT
5 TIME_WAIT
1 Foreign
1 established)
[root@andy ~]#

Copy after login

实例15：查看连接某服务端口最多的的IP地址

命令：netstat -nat | grep "192.168.120.20:16067" |awk '{print $5}'|awk -F: '{print $4}'|sort|uniq -c|sort -nr|head -20

输出：

[root@andy ~]# netstat -nat | grep "192.168.120.20:16067" |awk &#39;{print $5}&#39;|awk -F: &#39;{print $4}&#39;|sort|uniq -c|sort -nr|head -20
8 10.2.1.68
7 192.168.119.13
6 192.168.119.201
6 192.168.119.20
6 192.168.119.10
4 10.2.1.199
3 10.2.1.207
2 192.168.120.20
2 192.168.120.15
2 192.168.119.197
2 192.168.119.11
2 10.2.1.206
2 10.2.1.203
2 10.2.1.189
2 10.2.1.173
1 192.168.120.18
1 192.168.119.19
1 10.2.2.227
1 10.2.2.138
1 10.2.1.208
[root@andy ~]#

Copy after login

实例16：找出程序运行的端口

命令：netstat -ap | grep ssh

输出：

[root@andy ~]# netstat -ap | grep ssh
tcp 0 0 *:ssh *:* LISTEN 2570/sshd 
tcp 0 0 ::ffff:192.168.120.206:ssh ::ffff:10.2.1.205:54508 ESTABLISHED 13883/14 
tcp 0 0 ::ffff:192.168.120.206:ssh ::ffff:10.2.0.68:62886 ESTABLISHED 20900/6 
tcp 0 0 ::ffff:192.168.120.206:ssh ::ffff:10.2.2.131:52730 ESTABLISHED 20285/sshd: root@no 
unix 2 [ ACC ] STREAM LISTENING 194494461 20900/6 /tmp/ssh-cXIJj20900/agent.20900
unix 3 [ ] STREAM CONNECTED 194307443 20285/sshd: root@no 
unix 3 [ ] STREAM CONNECTED 194307441 20285/sshd: root@no 
[root@andy ~]#

Copy after login

实例17：在 netstat 输出中显示 PID 和进程名称

命令：netstat -pt

输出：

[root@localhost ~]# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 248 192.168.120.204:ssh 10.2.0.68:62420 ESTABLISHED 15725/0 
[root@localhost ~]#

Copy after login

说明：

netstat -p 可以与其它开关一起使用，就可以添加 “PID/进程名称” 到 netstat 输出中，这样 debugging 的时候可以很方便的发现特定端口运行的程序。

实例18：找出运行在指定端口的进程

命令：netstat -anpt | grep ':16064'

输出：

[root@andy ~]# netstat -anpt | grep &#39;:16064&#39;
tcp 0 0 :::16064 :::* LISTEN 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.201:6462 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.20:26341 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.20:32208 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:192.168.119.20:32207 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:51303 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:51302 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50020 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50019 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:56155 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50681 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:50680 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:52136 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:56989 ESTABLISHED 24594/java 
tcp 0 0 ::ffff:192.168.120.20:16064 ::ffff:10.2.1.68:56988 ESTABLISHED 24594/java 
[root@andy ~]#

Copy after login

说明：

运行在端口16064的进程id为24596，再通过ps命令就可以找到具体的应用程序了。