Detailed explanation of Netstat command

Its main usage and detailed explanation!
(netstat -na command), this article mainly talks about the netstat tool under Linux, and then explains in detail the various network connection statuses.
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -nr
1. Detailed explanation of netstat command
In fact, what I commonly use is netstat -tnl | grep 443 (check whether port 443 is occupied), if If I am currently a root user, I like to use netstat -pnl | grep 443 (it can also display the PID of the process occupying port 443 of the local machine).
netstat
Function description: Display network status.
Syntax: netstat [-acCeFghilMnNoprstuvVwx] [-A][--ip]
Supplementary Note: Using the netstat command can let you know the network status of the entire Linux system.
Parameters:
-a or –all Display all connected Sockets. A & lt; network type & gt; or-& lt; network type & gt; list the related address in the network type connection.
-c or –continuous Continuously list network status.
-C or –cache Display the cache information of the router configuration.
-e or –extend Display other related information about the network.
-F or –fib displays FIB.
-g or –groups Display the list of group members with multicast function.
-h or –help online help.
-i or –interfaces Display the network interface information form.
-l or –listening Display the Socket of the monitored server.
-M or –masquerade Display masqueraded network connections.
-n or –numeric Use the IP address directly without going through the domain name server.
-N or –netlink or –symbolic Display the symbolic link name of the network hardware peripheral.
-o or –timers Display timers.
-p or –programs Display the program identification code and program name that is using Socket.
-r or –route Display Routing Table.
-s or –statistice displays network work information statistics table.
-t or –tcp displays the connection status of the TCP transmission protocol.
-u or –udp displays the connection status of UDP transmission protocol.
-v or –verbose displays the instruction execution process.
-V or –version displays version information.
-w or –raw displays the connection status of RAW transfer protocol.
-x or –unix The effect of this parameter is the same as specifying the "-A unix" parameter.
–ip or –inet The effect of this parameter is the same as specifying the “-A inet” parameter.

2. Detailed explanation of network connection status
There are 12 possible states. The first 11 are described according to the three-way handshake of TCP connection establishment and the four-way wave process of TCP connection disconnection.
1), LISTEN: First, the server needs to open a socket for listening, and the status is LISTEN./* The socket is listening for incoming connections. Listen for connection requests from remote TCP ports*/

2), SYN_SENT: Client Active open is performed by calling connect through the application. Then the client tcp sends a SYN to request to establish a connection. The status is then set to SYN_SENT./*The socket is actively attempting to establish a connection. After sending the connection request, it waits for a matching connection request. */

3), SYN_RECV: The server should send an ACK to confirm the client's SYN, and at the same time send a SYN to the client. After that, the status is set to SYN_RECV/* A connection request has been received from the network. After receiving and sending Waiting for confirmation of the connection request after a connection request*/

4), ESTABLISHED: Represents an open connection, and both parties can or are already interacting with data. /* The socket has an established connection. Represents an open connection and data can be transmitted to the user */

5), FIN_WAIT1: The active close application calls close, so its TCP issues a FIN request to actively close the connection, and then enters the FIN_WAIT1 state./* The socket is closed, and the connection is shutting down. Waiting for the remote TCP Connection interruption request, or confirmation of previous connection interruption request*/

6), CLOSE_WAIT: After passive close (passive close) TCP receives FIN, it sends ACK in response to FIN request (its reception is also used as the end of file) Passed to the upper application), and enter CLOSE_WAIT./* The remote end has shut down, waiting for the socket to close. Waiting for the connection interruption request from the local user */

7), FIN_WAIT2: Actively close the terminal After receiving ACK, it enters FIN-WAIT-2./* Connection is closed, and the socket is waiting for a shutdown from the remote end. Waiting for connection interruption request from remote TCP*/

8), LAST_ACK: Passive shutdown After a period of time, the application that receives the end-of-file character will call CLOSE to close the connection. This causes its TCP to also send a FIN, waiting for the other party's ACK. It enters LAST-ACK./* The remote end has shut down, and the socket is closed. Waiting for acknowledgment. Waiting for the connection originally sent to the remote TCP to be interrupted. Confirmation of request */

9), TIME_WAIT: After the active closing end receives FIN, TCP sends an ACK packet and enters the TIME-WAIT state. /* The socket is waiting after close to handle packets still in the network. Wait enough time to ensure that the remote TCP receives confirmation of the connection interruption request*/

10), CLOSING: relatively rare./* Both sockets are shut down but we still don't have all our data sent. Waiting for the remote TCP to confirm the connection interruption*/

11), CLOSED: The passive closed end enters the closed state after receiving the ACK packet. The connection ends./* The socket is not being used. There is no connection status */

12), UNKNOWN: Unknown Socket status. /* The state of the socket is unknown. */

SYN: (Synchronize Sequence Numbers) This flag is only valid when the three-way handshake establishes a TCP connection. Represents a new TCP connection request.
ACK: (Acknowledgement Number) is a confirmation mark for the TCP request, and also prompts that the peer system has successfully received all data.
FIN: (Finish flag, FINish) is used to end a TCP conversation. But the corresponding port is still open and ready to receive subsequent data.

PS: It’s good to have a small tool under windows. TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections. See http ://technet.microsoft.com/en-us/sysinternals/bb897437; Of course, if you want to analyze the data packets in detail, you can use more powerful tools such as sniffer and Wireshark.

References:

http://linux.sheup.com/linux/4/31225.html

http://hi.baidu.com/mqbest_come_on/blog/item/18526dcef73d791a00e928e5.html

http:/ /www.daxigua.com/archives/1355


System connection status article:

1. Check the TCP connection status
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

netstat -n | awk '/^tcp/ {++S[$NF]};END {for(a in S) print a, S[a]}' or
netstat -n | awk '/^tcp/ { ++state[$NF]}; END {for(key in state) print key,"t",state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]} ;END {for(k in arr) print k,"t",arr[k]}'

netstat -n |awk '/^tcp/ {print $NF}'|sort|uniq -c|sort -rn

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

2. Find the number of requests for 20 IPs (commonly used to find the source of attacks):
netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n20

netstat -ant |awk '/ :80/{split($5,ip,”:”);++A[ip[1]]}END{for(i in A) print A[i],i}' |sort -rn|head -n20

3. Use tcpdump to sniff port 80 access to see who has the highest number
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F”.” '{print $1″.”$2″.”$3″. "$4}' | sort | uniq -c | sort -nr |head -20

4. Find more time_wait connections
netstat -n|grep TIME_WAIT|awk '{print $5}'|sort|uniq -c|sort -rn|head -n20

5. Find more SYN connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

6. List processes according to ports
netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1

Website log analysis part 1 (Apache):

1. Get the top 10 accessed IP addresses
cat access.log|awk '{print $1}'|sort|uniq -c|sort -nr|head -10
cat access.log|awk '{counts[$(11) ]+=1}; END {for(url in counts) print counts[url], url}'

2. The most visited files or pages, take the top 20
cat access.log|awk '{print $11} '|sort|uniq -c|sort -nr|head -20

3. List the largest exe files (commonly used when analyzing download sites)
cat access.log |awk '($7~/.exe /){print $10 ” ” $1 ” ” $4 ” ” $7}'|sort -nr|head -20

4. List the exe files whose output is greater than 200000bytes (about 200kb) and the number of occurrences of the corresponding files
cat access.log |awk '($10 > 200000 && $7~/.exe/){print $7}'|sort -n|uniq -c|sort -nr|head -100

5. If the last column of the log is recorded is the page file transfer time, and the most time-consuming pages to the client are listed
cat access.log |awk '($7~/.php/){print $NF ” ” $1 ” ” $4 ” ” $7}' |sort -nr|head -100

6. List the most time-consuming pages (more than 60 seconds) and the number of occurrences of the corresponding pages
cat access.log |awk '($NF > 60 && $7~/ .php/){print $7}'|sort -n|uniq -c|sort -nr|head -100

7. List files that take more than 30 seconds to transfer
cat access.log |awk '($NF > ; 30){print $7}'|sort -n|uniq -c|sort -nr|head -20

8. Statistics of website traffic (G)
cat access.log |awk '{sum+=$10} END {print sum/1024/1024/1024}'

9. Statistics of 404 connections
awk '($9 ~/404/)' access.log | awk '{print $9,$7}' | sort

10. Statistics of http status .
cat access.log |awk '{counts[$(9)]+=1}; END {for(code in counts) print code, counts[code]}'
cat access.log |awk '{print $9 }'|sort|uniq -c|sort -rn

10. Spider analysis
See which spiders are crawling the content.
/usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'

Website daily analysis 2 (Squid)

2. Traffic statistics by domain
zcat squid_access.log.tar.gz| awk '{print $10,$7}' |awk 'BEGIN{FS="[ /]"}{trfc[$4] +=$1}END{for(domain in trfc){printf "%st%dn",domain,trfc[domain]}}'

For a more efficient perl version, please download it here: http://docs.linuxtone .org/soft/tools/tr.pl

Database Chapter
1. View the sql executed by the database
/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i ' SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL'

System Debug Analysis

1. Debugging command
strace -p pid

2. Track the PID of the specified process
gdb -p pid

For more detailed explanations of Netstat commands, please pay attention to the PHP Chinese website for related articles!