- View the number of TCP connections in each state
[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 10.0.29.37:22 172.16.4.40:14005 ESTABLISHED
tcp 0 64 10.0.29.37:22 172.16.4.40:13945 ESTABLISHED
tcp 0 0 10.0.29.37:22 172.16.4.40:13946 ESTABLISHED
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 ::ffff:10.0.29.37:8082 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN
tcp 0 0 ::ffff:10.0.29.37:57229 ::ffff:10.0.101.213:7003 ESTABLISHED
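- Recv-Q: the network receive queue. It shows how much received data is sitting in the local receive buffer but has not yet been read by the process. If it stays backed up, the host may be under a denial-of-service attack.
- Send-Q: the network send queue. It shows data that the remote side has not yet received, or has not yet ACKed, and that is still in the local buffer. If it does not drain to zero quickly, an application may be sending packets too fast, or the remote side may be receiving them too slowly.
- Both values should normally be 0; a non-zero value may indicate a problem. Packets should not pile up in either queue, although a brief non-zero reading is acceptable. When a program is not receiving packets, these two netstat values give a simple way to tell whether the packets never arrived or arrived but were never recv'd by the process.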
- Filter by a specific port number
[root@localhost ~]# netstat -nat|grep -i "8082"
tcp 0 0 ::ffff:10.0.29.37:8082 :::* LISTEN
tcp 0 0 ::ffff:10.0.29.37:8082 ::ffff:10.0.29.3:42348 ESTABLISHED
Note: adding the [-c] option repeats the output once every second.
- Filter on the [ESTABLISHED] state to see the characteristics of the peer IPs
[root@localhost ~]# netstat -na |grep ESTABLISHED|more
tcp 0 0 10.0.29.37:22 172.16.4.40:14005 ESTABLISHED
tcp 0 0 10.0.29.37:22 172.16.4.40:14003 ESTABLISHED
tcp 0 64 10.0.29.37:22 172.16.4.40:13945 ESTABLISHED
tcp 0 0 10.0.29.37:22 172.16.4.40:13946 ESTABLISHED
tcp 0 0 ::ffff:10.0.29.37:49617 ::ffff:10.0.101.215:7002 ESTABLISHED
tcp 0 0 ::ffff:10.0.29.37:33047 ::ffff:10.0.101.5:7000 ESTABLISHED
tcp 0 0 ::ffff:10.0.29.37:56644 ::ffff:10.0.101.213:7003 ESTABLISHED
- Count TCP connections grouped by state
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
TIME_WAIT 42349
CLOSE_WAIT 1
SYN_SENT 4
FIN_WAIT1 298
FIN_WAIT2 33
ESTABLISHED 12775
SYN_RECV 259
CLOSING 6
LAST_ACK 432
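The per-state count above and the Recv-Q/Send-Q rule from earlier can be combined into one triage helper. This is an added example, not part of the original page; the function names, the sample rows and their addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Each function reads
# `netstat -ant` style rows on stdin, so live use is for example:
#   netstat -ant | syn_recv_by_peer

# Constructed sample rows (documentation-range addresses), same columns as netstat -ant.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:8082      0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:8082   198.51.100.7:40112  ESTABLISHED
tcp     4096      0 192.0.2.10:8082   198.51.100.8:40250  ESTABLISHED
tcp        0  18200 192.0.2.10:8082   198.51.100.9:51000  ESTABLISHED
tcp        0      0 192.0.2.10:8082   203.0.113.5:1025    SYN_RECV
tcp        0      0 192.0.2.10:8082   203.0.113.5:1026    SYN_RECV
tcp        0      0 192.0.2.10:8082   203.0.113.5:1027    SYN_RECV
tcp        0      0 192.0.2.10:8082   203.0.113.66:3300   SYN_RECV
tcp        0      0 192.0.2.10:8082   198.51.100.7:40090  TIME_WAIT
EOF
}

# Sockets per TCP state, sorted by state name.
tcp_state_counts() {
    awk '/^tcp/ { s[$NF]++ } END { for (k in s) print k, s[k] }' | sort
}

# Connected sockets whose Recv-Q or Send-Q is above $1 bytes (default 0).
# LISTEN rows are skipped: on Linux their Recv-Q counts pending connections, not bytes.
tcp_queue_backlog() {
    awk -v t="${1:-0}" '/^tcp/ && $NF != "LISTEN" && ($2 > t || $3 > t) {
        print $NF, "recvq=" $2, "sendq=" $3, $4, "<-", $5 }'
}

# Half-open (SYN_RECV) sockets per remote address, busiest first.
# Stripping only the trailing :port also handles ::ffff:a.b.c.d:port rows.
syn_recv_by_peer() {
    awk '/^tcp/ && $NF == "SYN_RECV" {
            ip = $5; sub(/:[0-9]+$/, "", ip); c[ip]++ }
        END { for (k in c) print c[k], k }' | sort -rn
}

# Demo on the constructed sample.
sample_netstat | tcp_state_counts
sample_netstat | tcp_queue_backlog
sample_netstat | syn_recv_by_peer
```

Run the backlog check a few times in a row (or with a threshold) before acting on it, since brief non-zero queues are normal.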
- Count the connections on port 8086
netstat -nat | grep -i "8086" | wc -l
- View the status of open sockets
[root@mmc ~]# lsof -i:8085
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 10068 root 61u IPv6 117807169 0t0 TCP 10.0.101.210:8085->10.0.101.104:21527 (ESTABLISHED)
java 10068 root 62u IPv6 117807197 0t0 TCP 10.0.101.210:8085->10.0.101.102:30499 (ESTABLISHED)
java 10068 root 64u IPv6 117807175 0t0 TCP 10.0.101.210:8085->10.0.101.103:9239 (ESTABLISHED)
java 10068 root 148u IPv6 117807839 0t0 TCP 10.0.101.210:8085->10.0.101.102:30555 (ESTABLISHED)
- View the number of TCP connections created
[root@mmc ~]# sar -n SOCK
Linux 2.6.32-431.el6.x86_64 (mmc) 01/20/2021 _x86_64_ (1 CPU)
12:00:01 AM totsck tcpsck udpsck rawsck ip-frag tcp-tw
12:10:01 AM 631 12 8 0 0 0
12:20:01 AM 630 12 8 0 0 0
12:30:01 AM 630 12 8 0 0 0
12:40:01 AM 628 12 8 0 0 0
12:50:01 AM 625 11 8 0 0 0
01:00:01 AM 627 11 8 0 0 0
01:10:01 AM 623 11 8 0 0 0
01:20:01 AM 623 11 8 0 0 0
01:30:01 AM 622 11 8 0 0 0
01:40:01 AM 622 11 8 0 0 0
- Capture packets on TCP port 8085
[root@mmc ~]# tcpdump -iany tcp port 8085
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:20:13.056978 IP 10.0.101.102.30478 > 10.0.101.210.8085: Flags [P.], seq 2507835916:2507836946, ack 943612003, win 229, options [nop,nop,TS val 2293112433 ecr 3296957473], length 1030
12:20:13.073465 IP 10.0.101.210.8085 > 10.0.101.102.30478: Flags [P.], seq 1:100, ack 1030, win 2989, options [nop,nop,TS val 3296990215 ecr 2293112433], length 99
12:20:13.073662 IP 10.0.101.102.30478 > 10.0.101.210.8085: Flags [.], ack 100, win 229, options [nop,nop,TS val 2293112450 ecr 3296990215], length 0
...............
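- View socket status
For IPv4, see: cat /proc/net/sockstat
For IPv6, see: cat /proc/net/sockstat6
sockets: used 137
TCP: inuse 49 orphan 0 tw 3272 alloc 52 mem 46
UDP: inuse 1 mem 0
RAW: inuse 0
FRAG: inuse 0 memory 0
Explanation:
- sockets: used: total number of sockets in use across all protocols
- TCP: inuse: number of TCP sockets in use (listening). Its value is ≤ netstat -lnt | grep ^tcp | wc -l
- TCP: orphan: number of orphaned TCP connections that belong to no process (unused TCP sockets waiting to be destroyed)
- TCP: tw: number of TCP connections waiting to close. Its value equals netstat -ant | grep TIME_WAIT | wc -l
- TCP: alloc (allocated): number of allocated TCP sockets (established, with an sk_buff obtained). Its value equals netstat -ant | grep ^tcp | wc -l
- TCP: mem: socket buffer usage (unit unknown. Measured with scp at a speed of 4803.9kB/s: the value was 11, and in netstat -ant the corresponding port 22 entry showed Recv-Q=0, Send-Q≈400)
- UDP: inuse: number of UDP sockets in use
- RAW:
- FRAG: number of IP fragments in use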
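- TCP states and their descriptions
State | Description |
---|---|
LISTEN | Waiting for a request from a remote TCP application |
SYN_SENT | Waiting for an acknowledgment from the remote endpoint after sending a connection request. This is the client's state after the first step of the TCP handshake |
SYN-RECEIVED | This endpoint has received a connection request and sent an acknowledgment, and is waiting for the final acknowledgment. This is the server's state after the second step of the TCP handshake |
ESTABLISHED | The connection has been established. This is the normal state during the data-transfer phase of a connection |
FIN_WAIT_1 | Waiting for a connection termination request from the remote TCP, or for an acknowledgment of the termination request |
FIN_WAIT_2 | After this endpoint has sent a connection termination request, waiting for a connection termination request from the remote TCP |
CLOSE_WAIT | This endpoint has received a close request from the remote endpoint, and this TCP is waiting for a connection termination request from the local application |
CLOSING | Waiting for an acknowledgment of the connection termination request from the remote TCP |
LAST_ACK | Waiting for an acknowledgment of the connection termination request previously sent to the remote TCP |
TIME_WAIT | Waiting long enough to be sure that the remote TCP has received the acknowledgment of its connection termination request |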