netstat

View network system status information in Linux

Supplementary instructions

netstat command is used to print the status information of the network system in Linux, allowing you to know the network status of the entire Linux system.

grammar

netstat(options)

Options

-a or --all: Display all connected Sockets;
-A<Network type> or --<Network type>: List the relevant addresses in the connection of this network type;
-c or --continuous: Continuously list network status;
-C or --cache: Display cache information of router configuration;
-e or --extend: Display other network-related information;
-F or --fib: display FIB;
-g or --groups: Display the list of members of the multicast function group;
-h or --help: online help;
-i or --interfaces: Display the network interface information form;
-l or --listening: Display the Socket of the server being monitored;
-M or --masquerade: Display masqueraded network connections;
-n or --numeric: use the IP address directly instead of passing the domain name server;
-N or --netlink or --symbolic: Displays the symbolic link name of network hardware peripherals;
-o or --timers: display timers;
-p or --programs: Display the program identification code and program name that are using Socket;
-r or --route: display Routing Table;
-s or --statistice: Display network work information statistics table;
-t or --tcp: Display the connection status of TCP transmission protocol;
-u or --udp: Display the connection status of UDP transmission protocol;
-v or --verbose: display the instruction execution process;
-V or --version: display version information;
-w or --raw: Display the connection status of RAW transmission protocol;
-x or --unix: The effect of this parameter is the same as specifying the "-A unix" parameter;
--ip or --inet: The effect of this parameter is the same as specifying the "-A inet" parameter.

Example

List all ports (including listening and unlistening ones)

netstat -a #List all ports
netstat -at #List all tcp ports
netstat -au #List all udp ports

List all Sockets in listening state

netstat -l #Only show listening ports
netstat -lt #Only list all listening tcp ports
netstat -lu #Only list all listening udp ports
netstat -lx #Only list all listening UNIX ports

Show statistics for each protocol

netstat -s displays statistics for all ports
netstat -st displays TCP port statistics
netstat -su displays UDP port statistics

​```shell

  **Show PID and process name in netstat output**

​```shell
netstat -pt

netstat -p can be used together with other switches to add "PID/process name" to the netstat output, so that you can easily discover programs running on specific ports during debugging.

Do not display host, port or user in netstat output

When you don't want the host, port and username to be displayed, use netstat -n. Numbers will be used in place of those names. It can also speed up the output because there is no need to perform comparison queries.

netstat -an

If you don't want only one of the three names to be displayed, use the following command:

netsat -a --numeric-ports
netsat -a --numeric-hosts
netsat -a --numeric-users

Continuously output netstat information

netstat -c #Output network information every second

Show address families that are not supported by the system

netstat --verbose

At the end of the output, there will be the following information:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

Show core routing information

netstat -r

Use netstat -rn to display the number format without querying the host name.

Find out the port the program is running on

Not all processes can be found, and those without permission will not be displayed. Use root permissions to view all information.

netstat -ap | grep ssh

Find the processes running on a specified port:

netstat -an | grep ':80'

Find process ID through port

netstat -anp|grep 8081 | grep LISTEN|awk '{printf $7}'|cut -d/ -f1

Show network interface list

netstat -i

Show detailed information, such as ifconfig using netstat -ie.

IP and TCP Analysis

Check the IP address with the most connections to a service port:

netstat -ntu | grep :80 | awk '{print $5}' | cut -d: -f1 | awk '{++ip[$1]} END {for(i in ip) print ip[i],"\t ",i}' | sort -nr

List of various TCP states:

netstat -nt | grep -e 127.0.0.1 -e 0.0.0.0 -e ::: -v | awk '/^tcp/ {++state[$NF]} END {for(i in state) print i," \t",state[i]}'

Check the number of phpcgi processes. If it is close to the default value, it means it is not enough and needs to be increased:

netstat -anpo | grep "php-cgi" | wc -l

Expand knowledge

Detailed explanation of network connection status

There are 12 possible states. The first 11 are described according to the three-way handshake when the TCP connection is established and the four-way wave process when the TCP connection is disconnected:

• LISTEN: First, the server needs to open a socket for listening, the status is LISTEN, and listen for connection requests from the remote TCP port;

• SYN_SENT: The client calls connect through the application program for active open, so the client tcp sends a SYN to request to establish a connection, and then the status is set to SYN_SENT, and after sending the connection request, it waits for a matching connection request;

• SYN_RECV: The server should send an ACK to confirm the client's SYN, and at the same time send a SYN to the client, and then set the status to wait for the confirmation of the connection request after receiving and sending a connection request;

• ESTABLISHED: Represents an open connection, the two parties can or are already interacting with data, represents an open connection, and data can be transmitted to the user;

• FIN_WAIT1: The active close end application calls close, so its TCP issues a FIN request to actively close the connection, and then enters the FIN_WAIT1 state, waiting for the remote TCP's connection interruption request, or the confirmation of the previous connection interruption request;

• CLOSE_WAIT: After receiving the FIN, the passive close TCP sends an ACK in response to the FIN request (its reception is also passed to the upper-layer application as an end-of-file character), and enters CLOSE_WAIT, waiting to be sent from the local user. connection interruption request;

• FIN_WAIT2: After actively closing the terminal and receiving ACK, it enters FIN-WAIT-2 and waits for the connection interruption request from the remote TCP;

• LAST_ACK: After passively closing the end for a period of time, the application that receives the end-of-file character will call CLOSE to close the connection, which causes its TCP to also send a FIN and wait for the other party's ACK. Then it enters LAST-ACK and waits for the original sender. Acknowledgment of connection interruption request to remote TCP;

• TIME_WAIT: After receiving the FIN at the active closing end, TCP sends an ACK packet and enters the TIME-WAIT state, waiting for enough time to ensure that the remote TCP receives acknowledgment of the connection interruption request;

• CLOSING: relatively rare, waiting for the remote TCP to confirm the connection interruption;

• CLOSED: After receiving the ACK packet, the passive closed end enters the closed state, the connection ends, and there is no connection status;

• UNKNOWN: Unknown Socket status;

Common flags

• SYN: (Synchronize Sequence Numbers) This flag is only valid when the three-way handshake establishes a TCP connection. Represents a new TCP connection request.

• ACK: (Acknowledgement Number) is a confirmation mark for the TCP request, and also prompts that the peer system has successfully received all data.

• FIN: (End Flag, FINish) is used to end a TCP reply. But the corresponding port is still open and ready to receive subsequent data.