netstat Command Explained

Introduction

The netstat command displays various kinds of network information: network connections, routing tables, interface statistics, masquerade (NAT) connections, multicast memberships and so on.

What the output means

Running netstat with no arguments produces output like this:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 2 210.34.6.89:telnet 210.34.6.96:2873 ESTABLISHED
tcp 296 0 210.34.6.89:1165 210.34.6.84:netbios-ssn ESTABLISHED
tcp 0 0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp 0 0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp 0 80 210.34.6.89:1161 210.34.6.10:netbios-ssn CLOSE

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 1 [ ] STREAM CONNECTED 16178 @000000dd
unix 1 [ ] STREAM CONNECTED 16176 @000000dc
unix 9 [ ] DGRAM 5292 /dev/log
unix 1 [ ] STREAM CONNECTED 16182 @000000df


At a glance, netstat's output has two parts:

The first, Active Internet connections, lists TCP, UDP and raw sockets. Recv-Q is the number of bytes received but not yet read by the application; Send-Q is the number of bytes sent but not yet acknowledged by the remote host. Both are normally 0. A persistently non-zero Recv-Q means the local program is not draining its socket (stalled or overloaded); a persistently non-zero Send-Q means the peer is not acknowledging, which points at the network or at an unresponsive peer. Either situation is uncommon.

The second, Active UNIX domain sockets, lists Unix domain sockets: like network sockets, but usable only for communication within the same host, and cheaper because the network stack is bypassed.
Proto is the protocol (usually unix); RefCnt is the reference count, i.e. how many processes are attached to the socket; Type is the socket type (STREAM, DGRAM, ...); State is the socket's current state; Path is the filesystem path the socket is bound to (names beginning with @ are abstract-namespace sockets that have no file on disk).

Common options

-a (all)  show all sockets; listening sockets are omitted by default
-t (tcp)  show only TCP sockets
-u (udp)  show only UDP sockets
-n        do not resolve names; print hosts, ports and users as numbers
-l        list only sockets in the LISTEN (listening) state

-p        show the PID and name of the program owning each socket
-r        show the routing table
-e        show extended information, for example the owning user (uid)
-s        show statistics per protocol
-c        run continuously, reprinting the information every second

Tip: sockets in the LISTEN (TCP) or LISTENING (UNIX domain) state are shown only with -a or -l.

 

Practical examples

 

1. List all ports (listening and non-listening)

  List all ports: netstat -a

# netstat -a | more
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 tcp        0      0 localhost:30037         *:*                     LISTEN
 udp        0      0 *:bootpc                *:*
 
Active UNIX domain sockets (servers and established)
 Proto RefCnt Flags       Type       State         I-Node   Path
 unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
 unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

  List all TCP ports: netstat -at

# netstat -at
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 tcp        0      0 localhost:30037         *:*                     LISTEN
 tcp        0      0 localhost:ipp           *:*                     LISTEN
 tcp        0      0 *:smtp                  *:*                     LISTEN
 tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

  List all UDP ports: netstat -au

# netstat -au
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 udp        0      0 *:bootpc                *:*
 udp        0      0 *:49119                 *:*
 udp        0      0 *:mdns                  *:*

 

2. List all listening sockets

  Show only listening sockets: netstat -l

# netstat -l
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 tcp        0      0 localhost:ipp           *:*                     LISTEN
 tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
 udp        0      0 *:49119                 *:*

  List only listening TCP ports: netstat -lt

# netstat -lt
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 tcp        0      0 localhost:30037         *:*                     LISTEN
 tcp        0      0 *:smtp                  *:*                     LISTEN
 tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

  List only listening UDP ports: netstat -lu

# netstat -lu
 Active Internet connections (only servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 udp        0      0 *:49119                 *:*
 udp        0      0 *:mdns                  *:*

  List only listening UNIX domain sockets: netstat -lx

# netstat -lx
 Active UNIX domain sockets (only servers)
 Proto RefCnt Flags       Type       State         I-Node   Path
 unix  2      [ ACC ]     STREAM     LISTENING     6294     private/maildrop
 unix  2      [ ACC ]     STREAM     LISTENING     6203     public/cleanup
 unix  2      [ ACC ]     STREAM     LISTENING     6302     private/ifmail
 unix  2      [ ACC ]     STREAM     LISTENING     6306     private/bsmtp
 
  

3. Show per-protocol statistics

  Show statistics for all protocols: netstat -s

# netstat -s
 Ip:
 11150 total packets received
 1 with invalid addresses
 0 forwarded
 0 incoming packets discarded
 11149 incoming packets delivered
 11635 requests sent out
 Icmp:
 0 ICMP messages received
 0 input ICMP message failed.
 Tcp:
 582 active connections openings
 2 failed connection attempts
 25 connection resets received
 Udp:
 1183 packets received
 4 packets to unknown port received.
 .....

  Show TCP or UDP statistics only: netstat -st or netstat -su

# netstat -st 
# netstat -su

 

4. Show the PID and program name in netstat output: netstat -p

netstat -p can be combined with the other switches to add a PID/Program name column to the output, which makes it easy during debugging to see which program is behind a particular port.

# netstat -pt
 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
 tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www        CLOSE_WAIT  2109/firefox
 tcp        0      0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox
 
  

5. Do not show host, port and user names in netstat output

When you do not want host names, port names or user names resolved, use netstat -n: numbers are printed instead.

This also speeds up the output, because no DNS or /etc/services lookups are made; during incident response it has the further benefit of not sending a reverse-DNS query for every peer address you inspect.

# netstat -an

To suppress only one of the three, use one of:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

 

6. Continuous netstat output

With -c, netstat reprints the selected information every second until interrupted with Ctrl-C.

# netstat -c
 Active Internet connections (w/o servers)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 tcp        0      0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
 tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www      CLOSING
 tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
 tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www      CLOSING
 ^C

 

7. Show address families not supported on this system

netstat --verbose

At the end of the output, messages like the following appear:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

 

8. Show the kernel routing table: netstat -r

# netstat -r
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
 link-local      *               255.255.0.0     U         0 0          0 eth2
 default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: use netstat -rn for numeric output without host-name lookups.

 

9. Find the port a program is using

Not every socket can be attributed: the PID/Program name column shows "-" for sockets owned by other users, so run as root to see everything.

# netstat -ap | grep ssh
 tcp        1      0 dev-db:ssh           101.174.100.22:39213        CLOSE_WAIT  -
 tcp        1      0 dev-db:ssh           101.174.100.22:57643        CLOSE_WAIT  -

  Find the process using a given port

# netstat -anp | grep ':80 '

Keep -p, otherwise no process is shown, and anchor the pattern: a bare ':80' also matches :800, :8080 and any foreign address that ends in 80. The trailing space works because netstat pads the address columns.

 

10. List network interfaces

# netstat -i
 Kernel Interface table
 Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
 eth0       1500 0         0      0      0 0             0      0      0      0 BMU
 eth2       1500 0     26196      0      0 0         26883      6      0      0 BMRU
 lo        16436 0         4      0      0 0             4      0      0      0 LRU

To show detailed, ifconfig-style information use netstat -ie:

# netstat -ie
 Kernel Interface table
 eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
 UP BROADCAST MULTICAST  MTU:1500  Metric:1
 RX packets:0 errors:0 dropped:0 overruns:0 frame:0
 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
 collisions:0 txqueuelen:1000
 RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
 Memory:f6ae0000-f6b00000
 
   

 

11. IP and TCP analysis

  Find the IP addresses with the most connections to a given service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22 " |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

  TCP state list

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT
  First extract the state column, then count with uniq -c, then sort. The "Foreign" and "established)" entries are not states: they are the sixth field of the two header lines, which awk prints as well.
wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)
  The final command, with NR>2 to skip the two header lines so they are not counted as the bogus states "Foreign" and "established)":
netstat -nat |awk 'NR>2 {print $6}'|sort|uniq -c|sort -rn

  Top 10 client IPs from access.log:
awk '{print $1}' access.log |sort|uniq -c|sort -nr|head -10
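The awk pipelines in sections 9 and 11 share three pitfalls: an unanchored port pattern, header lines counted as data, and splitting on ':' which breaks IPv6 addresses. The helpers below are an added example, not code from the original post or from net-tools: they post-process netstat output read from stdin (so they run offline against the constructed sample embedded in the block), match the local port exactly, skip the two header lines, and strip the port from a foreign address with a regex so IPv6 peers survive. A fourth helper answers the question behind section 2, which listeners are exposed on all interfaces rather than bound to loopback. The function names, the 192.168.1.15 host and the sample connection table are this example's own assumptions.

```shell
# Added example, not part of the original post: awk helpers that post-process
# net-tools `netstat -natp` output read from stdin. Reading stdin keeps them
# testable offline; on a live host pipe the real command in, e.g.
#   sudo netstat -natp | nstat_top_clients 22
# Assumed layout (as in the captures on this page): two header lines, then
# Proto Recv-Q Send-Q Local($4) Foreign($5) State($6) PID/Program($7).
# Function names and the sample data below are this example's own inventions.

# Sockets whose LOCAL port is exactly PORT. Anchoring ":PORT$" on column 4
# avoids the `grep ':80'` pitfall, which also matches :800, :8080 and any
# foreign address that happens to end in 80.
nstat_port_owner() {
    awk -v port="$1" 'NR > 2 && $4 ~ (":" port "$")'
}

# Listening sockets bound to every interface (0.0.0.0, :: or "*"), i.e. the
# services reachable from the network; loopback-only listeners are left out.
nstat_exposed_listeners() {
    awk 'NR > 2 && $6 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|::|\*):[^:]+$/'
}

# Connections per remote host to a given LOCAL port, busiest first. The port
# is stripped from the foreign address with a trailing ":digits" regex rather
# than split on ":", so IPv6 peers such as ::ffff:198.51.100.9 stay intact.
nstat_top_clients() {
    awk -v port="$1" '
        NR > 2 && $6 != "LISTEN" && $4 ~ (":" port "$") {
            host = $5
            sub(/:[0-9]+$/, "", host)
            count[host]++
        }
        END { for (h in count) print count[h], h }
    ' | sort -rn
}

# Number of sockets per TCP state. NR > 2 skips the two header lines, which
# the naive awk '{print $6}' otherwise reports as the states "Foreign" and
# "established)".
nstat_state_summary() {
    awk 'NR > 2 && $6 != "" { count[$6]++ } END { for (s in count) print count[s], s }' \
        | sort -rn
}

# Constructed sample of `netstat -natp` output (not captured from a real host).
NSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1203/nginx
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1450/java
tcp6       0      0 :::443                  :::*                    LISTEN      1203/nginx
tcp        0      0 192.168.1.15:22         203.0.113.7:51234       ESTABLISHED 2001/sshd
tcp        0      0 192.168.1.15:22         203.0.113.7:51240       ESTABLISHED 2002/sshd
tcp        0      0 192.168.1.15:22         198.51.100.9:40001      ESTABLISHED 2003/sshd
tcp6       0      0 ::ffff:192.168.1.15:22  ::ffff:198.51.100.9:40002 ESTABLISHED 2004/sshd
tcp        0      0 192.168.1.15:80         203.0.113.44:3390       ESTABLISHED 1203/nginx
tcp        0      0 192.168.1.15:80         203.0.113.7:51300       TIME_WAIT   -
tcp        0    216 192.168.1.15:80         203.0.113.44:3391       FIN_WAIT1   -'

# Stand-alone demo over the sample: exposed listeners, busiest ssh clients,
# and the state breakdown.
printf '%s\n' "$NSTAT_SAMPLE" | nstat_exposed_listeners
printf '%s\n' "$NSTAT_SAMPLE" | nstat_top_clients 22
printf '%s\n' "$NSTAT_SAMPLE" | nstat_state_summary
```

On a live host replace the printf with the real command, e.g. sudo netstat -natp | nstat_exposed_listeners (root is needed for the PID/Program column of other users' sockets). The layout assumed is that of net-tools netstat as captured on this page; ss, which the man page names as the replacement, prints State as its first column, so the field numbers would need adjusting there.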
 
   

References: http://blog.maxiang.net/10-netstat-command-examples/139/

            http://www.ipcpu.com/2011/07/netstat-linux/



[root@jiratest ~]# man netstat
NETSTAT(8)                 Linux Programmer's Manual                NETSTAT(8)


NAME
       netstat  - Print network connections, routing tables, interface statis-
       tics, masquerade connections, and multicast memberships


SYNOPSIS
       netstat  [address_family_options]  [--tcp|-t]   [--udp|-u]   [--raw|-w]
       [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts]
       [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]]
       [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [delay]


       netstat              {--route|-r}              [address_family_options]
       [--extend|-e[--extend|-e]]  [--verbose|-v]  [--numeric|-n]  [--numeric-hosts]
       [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]


       netstat  {--interfaces|-I|-i}  [iface] [--all|-a] [--extend|-e] [--verbose|-v]
       [--program|-p]  [--numeric|-n]  [--numeric-hosts] [--numeric-ports]
       [--numeric-users] [--continuous|-c] [delay]


       netstat   {--groups|-g}   [--numeric|-n]   [--numeric-hosts] [--numeric-ports]
       [--numeric-users] [--continuous|-c] [delay]


       netstat  {--masquerade|-M}  [--extend|-e]  [--numeric|-n]   [--numeric-hosts]
       [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]


       netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] [delay]


       netstat {--version|-V}


       netstat {--help|-h}


       address_family_options:


       [--protocol={inet,inet6,unix,ipx,ax25,netrom,ddp,  ...  } ] [--unix|-x]
       [--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]


NOTE
       This program is obsolete.  Replacement for netstat is ss.   Replacement
       for  netstat -r is ip route.  Replacement for netstat -i is ip -s link.
       Replacement for netstat -g is ip maddr.


DESCRIPTION
       Netstat prints information about the Linux networking  subsystem.   The
       type  of  information  printed  is controlled by the first argument, as
       follows:


   (none)
       By default, netstat displays a list of  open  sockets.   If  you  don't
       specify any address families, then the active sockets of all configured
       address families will be printed.


   --route , -r
       Display the kernel routing tables.


   --groups , -g
       Display multicast group membership information for IPv4 and IPv6.


   --interfaces=iface , -I=iface , -i
       Display a table of all network interfaces, or the specified iface.


   --masquerade , -M
       Display a list of masqueraded connections.


   --statistics , -s
       Display summary statistics for each protocol.


OPTIONS
   --verbose , -v
       Tell the user what is going on by being verbose. Especially print  some
       useful information about unconfigured address families.


   --numeric , -n
       Show  numerical addresses instead of trying to determine symbolic host,
       port or user names.


   --numeric-hosts
       shows numerical host addresses but does not affect  the  resolution  of
       port or user names.


   --numeric-ports
       shows numerical port numbers but does not affect the resolution of host
       or user names.


   --numeric-users
       shows numerical user IDs but does not affect the resolution of host  or
       port names.


   --protocol=family , -A
       Specifies  the  address families (perhaps better described as low level
       protocols) for which connections are to be shown.  family  is  a  comma
       (',') separated list of address family keywords like inet, inet6, unix,
       ipx, ax25, netrom, and ddp.  This has the  same  effect  as  using  the
       --inet,  --inet6,  --unix  (-x),  --ipx,  --ax25,  --netrom,  and --ddp
       options.


       The address family inet includes raw, udp and tcp protocol sockets.


   -c, --continuous
       This will cause netstat to print the selected information every  second
       continuously.


   -e, --extend
       Display  additional  information.   Use  this  option twice for maximum
       detail.


   -o, --timers
       Include information related to networking timers.


   -p, --program
       Show the PID and name of the program to which each socket belongs.


   -l, --listening
       Show only listening sockets.  (These are omitted by default.)


   -a, --all
       Show both listening and non-listening (for TCP this  means  established
       connections)  sockets.   With  the --interfaces option, show interfaces
       that are not marked UP.


   -F
       Print routing information from the FIB.  (This is the default.)


   -C
       Print routing information from the route cache.


   -Z --context
       If SELinux enabled print SELinux context.


   -T --notrim
       Stop trimming long addresses.


   delay
       Netstat will cycle printing through  statistics  every  delay  seconds.


OUTPUT
   Active Internet connections (TCP, UDP, raw)
   Proto
       The protocol (tcp, udp, raw) used by the socket.


   Recv-Q
       The  count  of  bytes  not copied by the user program connected to this
       socket.


   Send-Q
       The count of bytes not acknowledged by the remote host.


   Local Address
       Address and port number of the local end of  the  socket.   Unless  the
       --numeric  (-n)  option is specified, the socket address is resolved to
       its canonical host name (FQDN), and the port number is translated  into
       the corresponding service name.


   Foreign Address
       Address  and port number of the remote end of the socket.  Analogous to
       "Local Address."


   State
       The state of the socket. Since there are no states in raw mode and usu-
       ally  no  states  used  in UDP, this column may be left blank. Normally
       this can be one of several values:


       ESTABLISHED
              The socket has an established connection.


       SYN_SENT
              The socket is actively attempting to establish a connection.


       SYN_RECV
              A connection request has been received from the network.


       FIN_WAIT1
              The socket is closed, and the connection is shutting down.


       FIN_WAIT2
              Connection is closed, and the socket is waiting for  a  shutdown
              from the remote end.


       TIME_WAIT
              The socket is waiting after close to handle packets still in the
              network.


       CLOSED The socket is not being used.


       CLOSE_WAIT
              The remote end has shut down, waiting for the socket to close.


       LAST_ACK
              The remote end has shut down, and the socket is closed.  Waiting
              for acknowledgement.


       LISTEN The  socket is listening for incoming connections.  Such sockets
              are not included in the output unless you specify the  --listen-
              ing (-l) or --all (-a) option.


       CLOSING
               Both  sockets are shut down but we still don't have all our data
              sent.


       UNKNOWN
              The state of the socket is unknown.


   User
       The username or the user id (UID) of the owner of the socket.


   PID/Program name
       Slash-separated pair of the process id (PID) and process  name  of  the
       process  that  owns  the  socket.   --program  causes this column to be
       included.  You will also need superuser privileges to see this informa-
               tion  on sockets you don't own.  This identification information is not
       yet available for IPX sockets.


   Timer
       (this needs to be written)


   Active UNIX domain Sockets
   Proto
       The protocol (usually unix) used by the socket.


   RefCnt
       The reference count (i.e. attached processes via this socket).


   Flags
       The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA  (W)
       or  SO_NOSPACE  (N).   SO_ACCECPTON  is  used on unconnected sockets if
       their corresponding processes are waiting for a  connect  request.  The
       other flags are not of normal interest.


   Type
       There are several types of socket access:


       SOCK_DGRAM
              The socket is used in Datagram (connectionless) mode.


       SOCK_STREAM
              This is a stream (connection) socket.


       SOCK_RAW
              The socket is used as a raw socket.


       SOCK_RDM
              This one serves reliably-delivered messages.


       SOCK_SEQPACKET
              This is a sequential packet socket.


       SOCK_PACKET
              Raw interface access socket.


       UNKNOWN
              Who ever knows what the future will bring us - just fill in here
              :-)


   State
       This field will contain one of the following Keywords:


       FREE   The socket is not allocated


       LISTENING
              The socket is listening for a connection request.  Such  sockets
              are  only  included in the output if you specify the --listening
              (-l) or --all (-a) option.


       CONNECTING
              The socket is about to establish a connection.


       CONNECTED
              The socket is connected.


       DISCONNECTING
              The socket is disconnecting.


       (empty)
              The socket is not connected to another one.


       UNKNOWN
              This state should never happen.


   PID/Program name
       Process ID (PID) and process name of the process that  has  the  socket
       open.  More info available in Active Internet connections section writ-
       ten above.


   Path
       This is the path name as which the corresponding processes attached  to
       the socket.


   Active IPX sockets
       (this needs to be done by somebody who knows it)


   Active NET/ROM sockets
       (this needs to be done by somebody who knows it)


   Active AX.25 sockets
       (this needs to be done by somebody who knows it)


NOTES
       Starting  with  Linux  release  2.2  netstat -i does not show interface
       statistics for alias interfaces. To get per  alias  interface  counters
       you need to setup explicit rules using the ipchains(8) command.


FILES
       /etc/services -- The services translation file


       /proc  --  Mount  point  for the proc filesystem, which gives access to
       kernel status information via the following files.


       /proc/net/dev -- device information


       /proc/net/raw -- raw socket information


       /proc/net/tcp -- TCP socket information


       /proc/net/udp -- UDP socket information


       /proc/net/igmp -- IGMP multicast information


       /proc/net/unix -- Unix domain socket information


       /proc/net/ipx -- IPX socket information


       /proc/net/ax25 -- AX25 socket information


       /proc/net/appletalk -- DDP (appletalk) socket information


       /proc/net/nr -- NET/ROM socket information


       /proc/net/route -- IP routing information


       /proc/net/ax25_route -- AX25 routing information


       /proc/net/ipx_route -- IPX routing information


       /proc/net/nr_nodes -- NET/ROM nodelist




       /proc/net/nr_neigh -- NET/ROM neighbours


       /proc/net/ip_masquerade -- masqueraded connections


       /proc/net/snmp -- statistics


SEE ALSO
       ss(8),ip(8)


BUGS
       Occasionally strange information may appear if a socket changes  as  it
       is viewed. This is unlikely to occur.


AUTHORS
       The   netstat   user   interface   was   written   by  Fred  Baumgarten
       <[email protected]> the  man  page  basically  by  Matt
       Welsh    <[email protected]>.    It    was   updated   by   Alan   Cox
       <[email protected]> but could do with a bit more work.  It was updated
       again by Tuan Hoang <[email protected]>.
       The  man  page  and  the  command  included in the net-tools package is
       totally rewritten by Bernd Eckenfels <[email protected]>.
