Linux netstat command usage

Commonly used network commands on Linux include netstat, nslookup, host, finger and ping. netstat displays network connections, routing tables and network interface information, so you can see which network connections are currently active.

is under attack or not. You can also list abusive IP addresses using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:
      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT
Dig out more information about a specific IP address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n
        2 LAST_ACK
        2 LISTEN
        4 FIN_WAIT1
       14 ESTABLISHED
       91 TIME_WAIT
       130 FIN_WAIT2
A busy server gives more output:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:
15 CLOSE_WAIT
37 LAST_ACK
64 FIN_WAIT_1
65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED
Get a List of All Unique IP Addresses
To print a list of all unique IP addresses connected to the server, enter (the input is sorted first, because uniq only merges adjacent duplicate lines):
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq
To print the total number of unique IP addresses, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
Output:
449
Find Out If the Box Is Under a DoS Attack
If you think your Linux box is under attack, print a list of open connections on the box, grouped and sorted by remote IP address:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:
       1 10.0.77.52
        2 10.1.11.3
       4 12.109.42.21
        6 12.191.136.3
.....
...
....
       13 202.155.209.202
       18 208.67.222.222
       28 0.0.0.0
       233 127.0.0.1
You can simply block all abusive IPs using iptables or just null-route them.
Get Live View of TCP Connections
You can use the tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list, very much like the top command.
Display Summary Statistics for Each Protocol
Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s
Output:
Ip:
       88354557 total packets received
       0 forwarded
       0 incoming packets discarded
       88104061 incoming packets delivered
       96037391 requests sent out
       13 outgoing packets dropped
       66 fragments dropped after timeout
       295 reassemblies required
       106 packets reassembled ok
       66 packet reassembles failed
       34 fragments failed
Icmp:
       18108 ICMP messages received
       58 input ICMP message failed.
       ICMP input histogram:
          destination unreachable: 7173
          timeout in transit: 472
          redirects: 353
          echo requests: 10096
       28977 ICMP messages sent
       0 ICMP messages failed
       ICMP output histogram:
          destination unreachable: 18881
          echo replies: 10096
Tcp:
       1202226 active connections openings
       2706802 passive connection openings
       7394 failed connection attempts
       47018 connection resets received
       23 connections established
       87975383 segments received
       95235730 segments send out
       681174 segments retransmited
       2044 bad segments received.
       80805 resets sent
Udp:
       92689 packets received
       14611 packets to unknown port received.
       0 packet receive errors
       96755 packets sent
TcpExt:
       48452 invalid SYN cookies received
       7357 resets received for embryonic SYN_RECV sockets
       43 ICMP packets dropped because they were out-of-window
       5 ICMP packets dropped because socket was locked
       2672073 TCP sockets finished time wait in fast timer
       441 time wait sockets recycled by time stamp
       368562 delayed acks sent
       430 delayed acks further delayed because of locked socket
       Quick ack mode was activated 36127 times
       32318597 packets directly queued to recvmsg prequeue.
       741479256 packets directly received from backlog
       1502338990 packets directly received from prequeue
       18343750 packets header predicted
       10220683 packets header predicted and directly queued to user
       17516622 acknowledgments not containing data received
       36549771 predicted acknowledgments
       102672 times recovered from packet loss due to fast retransmit
       Detected reordering 1596 times using reno fast retransmit
       Detected reordering 1 times using time stamp
       8 congestion windows fully recovered
       32 congestion windows partially recovered using Hoe heuristic
       19 congestion windows recovered after partial ack
       0 TCP data loss events
       39951 timeouts after reno fast retransmit
       29653 timeouts in loss state
       197005 fast retransmits
       186937 retransmits in slow start
       131433 other TCP timeouts
       TCPRenoRecoveryFail: 20217
       147 times receiver scheduled too late for direct processing
       29010 connections reset due to unexpected data
       365 connections reset due to early user close
       6979 connections aborted due to timeout
Display Interface Table
You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces=eth0
Output:
Kernel Interface table
Iface          MTU Met       RX-OK RX-ERR RX-DRP RX-OVR       TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0          1500      0  2040929         0         0         0  3850539        0

Check the current net.ipv4.tcp_tw values, then change the current value to 1 minute:
[root@aaa1 ~]# sysctl -a|grep net.ipv4.tcp_tw
net.ipv4.tcp_tw_reuse = 0
net.ipv4.tcp_tw_recycle = 0
[root@aaa1 ~]#
vi /etc/sysctl
Add or modify the net.ipv4.tcp_tw values:
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
Make the kernel parameters take effect:
[root@aaa1 ~]# sysctl -p
[root@aaa1 ~]# sysctl -a|grep net.ipv4.tcp_tw
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
Observe again with netstat; the connection states are back to normal.

The key to fixing this problem is being able to reuse sockets in TIME_WAIT; while tuning, also check the time/wait related values:
#sysctl -a | grep time | grep wait
net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
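An added check, not from the original post, for the two tcp_tw lines just set: net.ipv4.tcp_tw_recycle was removed in Linux 4.12 and, on older kernels, drops SYNs from clients that share a NAT address, so this helper prints which of the two lines are safe for a given kernel. The function name and its two arguments (kernel version string, whether clients arrive through NAT) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: decide which TIME_WAIT tunables
# are safe to put in sysctl.conf before copying the two "= 1" lines above.
# Facts relied on: net.ipv4.tcp_tw_reuse only affects new outgoing connections
# and is safe; net.ipv4.tcp_tw_recycle was removed in Linux 4.12, and on older
# kernels it makes the server drop SYNs from clients that share a NAT address
# (their TCP timestamps are not monotonic per source IP).
# The kernel version and the NAT answer are passed in (an assumption) so the
# check runs without root and without touching the live kernel.

# tw_recommend KERNEL_VERSION NAT_CLIENTS(yes|no) -> prints sysctl.conf lines
tw_recommend() {
    kver=$1
    nat=$2
    major=${kver%%.*}          # "4.4.0-xx" -> 4
    rest=${kver#*.}            # -> "4.0-xx"
    minor=${rest%%.*}          # -> 4
    printf 'net.ipv4.tcp_tw_reuse = 1\n'
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 12 ]; }; then
        printf '# net.ipv4.tcp_tw_recycle does not exist on kernel %s; leave it out\n' "$kver"
    elif [ "$nat" = yes ]; then
        printf 'net.ipv4.tcp_tw_recycle = 0\n'
        printf '# recycle left off: clients behind NAT would get their SYNs dropped\n'
    else
        printf 'net.ipv4.tcp_tw_recycle = 1\n'
    fi
}

# Live use (the NAT answer is yours to supply):
#   tw_recommend "$(uname -r)" yes >> /etc/sysctl.conf && sysctl -p
tw_recommend 2.6.32 yes
```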

Setting Apache's maximum thread count
vi /include/httpd.h
Change #define DYNAMIC_MODULE_LIMIT 128
to #define DYNAMIC_MODULE_LIMIT 2560

Over the past two days I set up a group of Apache servers, each with 4 GB of RAM, running in prefork mode. The connection limit was set too low at first and requests took a long time to get a response, so I changed the Apache 2.0.59 configuration file httpd.conf:
Quote:
# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
StartServers         10
MinSpareServers      10
MaxSpareServers      15
ServerLimit          2000
MaxClients           2000
MaxRequestsPerChild 10000
--------------------------------------------------------------------------------
  Check the number of httpd processes (i.e. the number of concurrent requests Apache can handle in prefork mode):
  Linux command:
Quote:
ps -ef | grep httpd | wc -l
  Example result:
  1388
  This means Apache can handle 1388 concurrent requests. Apache adjusts this value automatically according to load; in this group of servers the peak on a single machine once reached 2002.
--------------------------------------------------------------------------------
  Check Apache's concurrent request count and the TCP connection states:
  Linux command:
Quote:
netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
  (This command came from Wang, technical director of Sina's Interactive Community division; it is very good.)
  Example result:
  LAST_ACK 5
  SYN_RECV 30
  ESTABLISHED 1597
  FIN_WAIT1 51
  FIN_WAIT2 504
  TIME_WAIT 1057
  SYN_RECV is the number of requests waiting to be handled; ESTABLISHED is the normal data transfer state; TIME_WAIT is the number of requests that have finished and are waiting for the timeout to expire.
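The two counting pipelines on this page (the per-state and per-IP counts from the section above, and the awk S[$NF] one-liner just shown) as an added shell example that is not part of the original post. It differs from the one-liners in that header lines and listeners are skipped, IPv6 peers (whose addresses contain colons, which breaks cut -d:) are handled, and input is sorted before uniq -c. The sample netstat output is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the state-count and per-IP
# pipelines as functions reading `netstat -nat` output from stdin.
# Compared with the one-liners: header lines are skipped (only rows starting
# with "tcp" count), listeners ("*" port) are dropped, the ":port" suffix is
# stripped with a regex so IPv6 peers survive, and the input is sorted before
# uniq -c (uniq by itself only merges adjacent duplicates).

# Constructed sample of `netstat -nat` output (documentation address ranges).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.2:44001      TIME_WAIT
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:40002     ESTABLISHED
tcp6       0      0 2001:db8::5:443         2001:db8:1::9:40003     TIME_WAIT'

# Connections per TCP state, rarest first (same idea as the awk S[$NF] one-liner).
count_states() {
    awk '/^tcp/ { print $NF }' | sort | uniq -c | sort -n
}

# Connections per remote host, busiest last. Field 5 is "Foreign Address".
count_peers() {
    awk '/^tcp/ {
        if ($5 ~ /:\*$/) next          # listening socket, no peer
        sub(/:[^:]*$/, "", $5)         # drop only the trailing :port
        print $5
    }' | sort | uniq -c | sort -n
}

# Peers holding more than N connections (default 2), printed as "count ip".
# On a real box this is the list to review before blocking or null-routing.
busy_peers() {
    limit=${1:-2}
    count_peers | awk -v lim="$limit" '$1 > lim { print $1, $2 }'
}

# Live use: netstat -nat | count_states ; netstat -nat | busy_peers 50
printf '%s\n' "$SAMPLE" | count_states
printf '%s\n' "$SAMPLE" | busy_peers 2
```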
--------------------------------------------------------------------------------
  The TCP state transitions can be seen in the state diagram below:
  [TCP state transition diagram]
  State: Description
  CLOSED: no connection is active or pending
  LISTEN: the server is waiting for an incoming call
  SYN_RECV: a connection request has arrived; waiting for acknowledgement
  SYN_SENT: the application has started opening a connection
  ESTABLISHED: the normal data transfer state
  FIN_WAIT1: the application says it has finished
  FIN_WAIT2: the other side has agreed to release
  TIME_WAIT: wait for all packets to die off
  CLOSING: both sides tried to close at the same time
  TIME_WAIT: the other side has initiated a release
  LAST_ACK: wait for all packets to die off


Linux / Unix netstat command

About netstat
Shows network status.
Syntax
netstat [-a] [-n] [-v]
netstat [-g | -m | -p | -s | -f address_family ] [-n] [-P protocol]
netstat [ -i ] [ -I interface ] [ interval ]
netstat -r [-a] [-n] [-v ]
netstat -M [-n] [-s ]
netstat -D [ -I interface ]
-a Show the state of all sockets and all routing table entries; normally, sockets used by server processes are not shown and only interface, host, network, and default routes are shown.
-n Show network addresses as numbers. netstat normally displays addresses as symbols. This option may be used with any of the display formats.
-v Verbose. Show additional information for the sockets and the routing table.
-g Show the multicast group memberships for all interfaces.
-m Show the STREAMS statistics.
-p Show the address resolution (ARP) tables.
-s Show per-protocol statistics. When used with the -M option, show multicast routing statistics instead.
-i Show the state of the interfaces that are used for TCP/IP traffic.
-r Show the routing tables.
-M Show the multicast routing tables. When used with the -s option, show multicast routing statistics instead.
-d Show the state of all interfaces that are under Dynamic Host Configuration Protocol (DHCP) control.
-D Show the status of DHCP configured interfaces.
-f address_family Limit statistics or address control block reports to those of the specified address_family, which can be one of:
inet For the AF_INET address family
unix For the AF_UNIX address family
-P protocol Limit display of statistics or state of all sockets to those applicable to protocol.
-I interface Show the state of a particular interface. interface can be any valid interface such as ie0 or le0.


Examples
netstat
Displays generic network statistics of the host you are currently connected to.
netstat -an
Shows all connections to the server, including the source and destination IPs and ports, if you have the proper permissions.
netstat -rn
Displays the routing table for all IPs bound to the server.
netstat -an |grep :80 |wc -l
Displays the number of active connections on port 80. Removing the pipe and the wc command would display each connection.
netstat -natp
Display active Internet connections. See document CH001079 for an example of output.
Related commands
ac
arp
ifconfig
route
rpcinfo
