一:简介
netstat 命令用于显示各种网络相关信息,如网络连接,路由表,接口状态 (Interface Statistics),masquerade 连接,多播成员 (Multicast Memberships) 等等。
二:netstat --help 命令
# netstat --help usage: netstat [-vWeenNcCF] [<Af>] -r netstat {-V|--version|-h|--help} netstat [-vWnNcaeol] [<Socket> ...] netstat { [-vWeenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s [-6tuw] } [delay] -r, --route display routing table # 显示路由 -I, --interfaces=<Iface> display interface table for <Iface> # 显示网络界面信息 -i, --interfaces display interface table # 显示网络界面信息
-g, --groups display multicast group memberships # 显示多重广播功能群组组员名单 -s, --statistics display networking statistics (like SNMP) # 显示网络统计表 -M, --masquerade display masqueraded connections -v, --verbose be verbose # 显示指令执行过程 -W, --wide don't truncate IP addresses # 不能截断IP地址 -n, --numeric don't resolve names # 直接使用ip地址,而不通过域名服务器 --numeric-hosts don't resolve host names --numeric-ports don't resolve port names --numeric-users don't resolve user names -N, --symbolic resolve hardware names # 显示网络硬件外围设备的符号链接名称 -e, --extend display other/more information # 显示网络的其他相关信息 -p, --programs display PID/Program name for sockets # 显示正在使用socket的程序PID和程序名称 -o, --timers display timers # 显示计时器 -c, --continuous continuous listing # 持续显示网络状态 -l, --listening display listening server sockets # 显示监控中的服务器socket -a, --all display all sockets (default: connected) # 显示所有连接中的socket -F, --fib display Forwarding Information Base (default) # 显示FIB信息 -C, --cache display routing cache instead of FIB # 显示路由器的缓存信息来替代FIB信息
-Z, --context display SELinux security context for sockets <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet List of possible address families (which support routing): inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) x25 (CCITT X.25)
三:选项(上面help命令选项)
-a或--all:显示所有连线中的Socket; -A<网络类型>或--<网络类型>:列出该网络类型连线中的相关地址; -c或--continuous:持续列出网络状态; -C或--cache:显示路由器配置的快取信息; -e或--extend:显示网络其他相关信息; -F或--fib:显示FIB; -g或--groups:显示多重广播功能群组组员名单; -h或--help:在线帮助; -i或--interfaces:显示网络界面信息表单; -l或--listening:显示监控中的服务器的Socket; -M或--masquerade:显示伪装的网络连线; -n或--numeric:直接使用ip地址,而不通过域名服务器; -N或--netlink或--symbolic:显示网络硬件外围设备的符号连接名称; -o或--timers:显示计时器; -p或--programs:显示正在使用Socket的程序识别码和程序名称; -r或--route:显示Routing Table; -s或--statistice:显示网络工作信息统计表; -t或--tcp:显示TCP传输协议的连线状况; -u或--udp:显示UDP传输协议的连线状况; -v或--verbose:显示指令执行过程; -V或--version:显示版本信息; -w或--raw:显示RAW传输协议的连线状况; -x或--unix:此参数的效果和指定"-A unix"参数相同; --ip或--inet:此参数的效果和指定"-A inet"参数相同。
提示:LISTEN和LISTENING的状态只有用-a或者-l才能看到
四:输出信息含义
在centos命令行,执行netstat后,其输出结果为
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 2 210.34.6.89:telnet 210.34.6.96:2873 ESTABLISHED
tcp 296 0 210.34.6.89:1165 210.34.6.84:netbios-ssn ESTABLISHED
tcp 0 0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp 0 0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp 0 80 210.34.6.89:1161 210.34.6.10:netbios-ssn CLOSE
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 1 [ ] STREAM CONNECTED 16178 @000000dd
unix 1 [ ] STREAM CONNECTED 16176 @000000dc
unix 9 [ ] DGRAM 5292 /dev/log
unix 1 [ ] STREAM CONNECTED 16182 @000000df
从整体上看,netstat的输出结果可以分为两个部分:
一个是Active Internet connections,称为有源TCP连接,其中"Recv-Q"和"Send-Q"指%0A的是接收队列和发送队列。这些数字一般都应该是0。如果不是则表示软件包正在队列中堆积。这种情况只能在非常少的情况见到。
另一个是Active UNIX domain sockets,称为有源Unix域套接口(和网络套接字一样,但是只能用于本机通信,性能可以提高一倍)。
Proto显示连接使用的协议,RefCnt表示连接到本套接口上的进程号,Types显示套接口的类型,State显示套接口当前的状态,Path表示连接到套接口的其它进程使用的路径名。
五:命令实例
1. 列出所有端口 (包括监听和未监听的)
列出所有端口 netstat -a
# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:30037 *:* LISTEN
udp 0 0 *:bootpc *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6135 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 5140 /var/run/acpid.socket
列出所有 tcp 端口 netstat -at
# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:30037 *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
列出所有 udp 端口 netstat -au
# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:bootpc *:*
udp 0 0 *:49119 *:*
udp 0 0 *:mdns *:*
禁用反向域名解析,加快查询速度
默认情况下 netstat 会通过反向域名解析技术查找每个 IP 地址对应的主机名。这会降低查找速度。如果你觉得 IP 地址已经足够,而没有必要知道主机名,就使用 -n 选项禁用域名解析功能
# netstat -ant Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 192.168.1.2:49058 *.*.*.5:80 ESTABLISHED tcp 0 0 192.168.1.2:33324 *.*.*.117:443 ESTABLISHED tcp6 0 0 ::1:631 :::* LISTEN
2. 列出所有处于监听状态的 Sockets
只显示监听端口 netstat -l
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp *:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
udp 0 0 *:49119 *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 9472 /run/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 9524 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 9537 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 9540 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 6807 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 11162 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 11958 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 11467 /var/run/lsm/ipc/sim
unix 2 [ ACC ] STREAM LISTENING 11469 /var/run/lsm/ipc/simc
unix 2 [ ACC ] STREAM LISTENING 31743620 /var/lib/mysql/mysql.sock
任何网络服务的后台进程都会打开一个端口,用于监听接入的请求。这些正在监听的套接字也和连接的套接字一样,也能被 netstat 列出来。使用 -l 选项列出正在监听的套接字
现在我们可以看到处于监听状态的 TCP 端口和连接。如果你查看所有监听端口,去掉 -t 选项。如果你只想查看 UDP 端口,使用 -u 选项,代替 -t 选项。
注意:不要使用 -a 选项,否则 netstat 会列出所有连接,而不仅仅是监听端口
# netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
只列出所有监听 tcp 端口 netstat -lt
# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:30037 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
只列出所有监听 udp 端口 netstat -lu
# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:49119 *:*
udp 0 0 *:mdns *:*
只列出所有监听 UNIX 端口 netstat -lx
# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6294 private/maildrop
unix 2 [ ACC ] STREAM LISTENING 6203 public/cleanup
unix 2 [ ACC ] STREAM LISTENING 6302 private/ifmail
unix 2 [ ACC ] STREAM LISTENING 6306 private/bsmtp
3. 显示每个协议的统计信息
显示所有端口的统计信息 netstat -s
# netstat -s
Ip:
11150 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
11149 incoming packets delivered
11635 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
Tcp:
582 active connections openings
2 failed connection attempts
25 connection resets received
Udp:
1183 packets received
4 packets to unknown port received.
.....
显示 TCP 或 UDP 端口的统计信息 netstat -st 或 -su
# netstat -st
# netstat -su
4. 在 netstat 输出中显示 PID 和进程名称 netstat -p
netstat -p 可以与其它开关一起使用,就可以添加 “PID/进程名称” 到 netstat 输出中,这样 debugging 的时候可以很方便的发现特定端口运行的程序。
使用 -p 选项时,netstat 必须运行在 root 权限之下,不然它就不能得到运行在 root 权限下的进程名,而很多服务包括 http 和 ftp 都运行在 root 权限之下。
# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 1 0 ramesh-laptop.loc:47212 192.168.185.75:www CLOSE_WAIT 2109/firefox
tcp 0 0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox
相比进程名和进程号而言,查看进程的拥有者会更有用。使用 -ep 选项可以同时查看进程名和用户名。
# netstat -ltpe Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name tcp 0 0 localhost:cslistener 0.0.0.0:* LISTEN root 28774494 11886/php-fpm: mast tcp 0 0 localhost:6379 0.0.0.0:* LISTEN root 5368096 31546/redis-s tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN root 28255272 16701/nginx: master tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN root 12459 468/sshd tcp6 0 0 [::]:mysql [::]:* LISTEN mysql 31743619 9672/mysqld tcp6 0 0 [::]:ssh [::]:* LISTEN root 12468 468/sshd
5. 在 netstat 输出中不显示主机,端口和用户名 (host, port or user)
当你不想让主机,端口和用户名显示,使用 netstat -n。将会使用数字代替那些名称。
同样可以加速输出,因为不用进行比对查询。
# netstat -an
如果只是不想让这三个名称中的一个被显示,使用以下命令
# netsat -a --numeric-ports
# netsat -a --numeric-hosts
# netsat -a --numeric-users
6. 持续输出 netstat 信息
netstat 将每隔一秒输出网络信息。
# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ramesh-laptop.loc:36130 aaa.ama:www ESTABLISHED
tcp 1 1 ramesh-laptop.loc:52564 *.*.169.230:www CLOSING
tcp 0 0 ramesh-laptop.loc:43758 server-43-2:www ESTABLISHED
7. 显示系统不支持的地址族 (Address Families)
netstat --verbose
在输出的末尾,会有如下的信息
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
8. 显示核心路由信息 netstat -r
# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth2
link-local * 255.255.0.0 U 0 0 0 eth2
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth2
注意: 使用 netstat -rn 显示数字格式,不查询主机名称。
# netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 172.*.0.1 0.0.0.0 UG 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 172.*.0.0 0.0.0.0 255.255.240.0 U 0 0 0 eth0
9. 找出程序运行的端口
并不是所有的进程都能找到,没有权限的会不显示,使用 root 权限查看所有的信息。
# netstat -ap | grep ssh
tcp 1 0 dev-db:ssh 101.174.100.22:39213 CLOSE_WAIT -
tcp 1 0 dev-db:ssh 101.174.100.22:57643 CLOSE_WAIT -
找出运行在指定端口的进程
# netstat -an | grep ':80'
打印链接状态
active 状态的套接字连接用 "ESTABLISHED" 字段表示,所以我们可以使用 grep 命令获得 active 状态的连接
# netstat -atnp | grep ESTA tcp 0 52 172.*.*.15:22 *.*.105.255:49938 ESTABLISHED 14370/sshd: root@pt tcp 0 0 172.*.*.15:22 *.*.105.255:47108 ESTABLISHED 11384/sshd: centos tcp 0 0 172.*.*.*:22 *.*.*.43:55607 ESTABLISHED 15964/sshd: root [p tcp 0 0 172.*.*.*:39182 *.*.0.55:5574 ESTABLISHED 1851/YDService
10. 显示网络接口列表
# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 0 0 0 0 0 0 0 0 BMU
eth2 1500 0 26196 0 0 0 26883 6 0 0 BMRU
lo 16436 0 4 0 0 0 4 0 0 0 LRU
显示详细信息, 使用 netstat -ie
此命令类似 ifconfig
# netstat -ie
Kernel Interface table
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.*.*.* netmask 255.255.240.0 broadcast *.*.*.*
ether 52:*:*:*:*:* txqueuelen 1000 (Ethernet)
RX packets 33093066 bytes 4113720313 (3.8 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32928019 bytes 4414472855 (4.1 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1 (Local Loopback)
RX packets 4275400 bytes 1148810073 (1.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4275400 bytes 1148810073 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
11. IP和TCP分析
查看连接某服务端口最多的的IP地址
# netstat -nat | grep "192.168.1.101:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99
TCP各种状态列表
# netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT
先把状态全都取出来,然后使用uniq -c统计,之后再进行排序。
# netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)
最后的命令如下:
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
分析access.log获得访问前10位的ip地址
awk '{print $1}' access.log |sort|uniq -c|sort -nr|head -10
12.查看php进程数
netstat -anpo | grep "php-cgi" | wc -l
13. 打印网络包的统计(netstat 可以打印出网络统计数据,包括某个协议下的收发包数量)
# netstat -s Ip: 36811488 total packets received 0 forwarded 158 with unknown protocol 0 incoming packets discarded 36811318 incoming packets delivered 36957933 requests sent out 40 dropped because of missing route Icmp: 4137854 ICMP messages received 15481 input ICMP message failed. ICMP input histogram: destination unreachable: 15848 timeout in transit: 139 source quenches: 1 redirects: 2 echo requests: 4121824 echo replies: 15 timestamp request: 25 4148314 ICMP messages sent 0 ICMP messages failed ICMP output histogram: destination unreachable: 26465 echo replies: 4121824 timestamp replies: 25 IcmpMsg: InType0: 15 InType3: 15848 InType4: 1 InType5: 2 InType8: 4121824 InType11: 139 InType13: 25 OutType0: 4121824 OutType3: 26465 OutType14: 25 Tcp: 2078274 active connections openings 408218 passive connection openings 8831 failed connection attempts 5683 connection resets received 4 connections established 28410463 segments received 28806036 segments send out 112716 segments retransmited 2788 bad segments received. 2882644 resets sent InCsumErrors: 2701 Udp: 4156204 packets received 27872 packets to unknown port received. 61 packet receive errors 4161787 packets sent 0 receive buffer errors 0 send buffer errors InCsumErrors: 61 UdpLite: TcpExt: 227685 invalid SYN cookies received 8396 resets received for embryonic SYN_RECV sockets 67 packets pruned from receive queue because of socket buffer overrun 35788 TCP sockets finished time wait in fast timer 109 packets rejects in established connections because of timestamp 935149 delayed acks sent 25 delayed acks further delayed because of locked socket Quick ack mode was activated 8903 times
... ... ... ... ...
14.配合 watch 命令监控 active 状态链接
watch -d -n0 "netstat -atnp | grep ESTA"
它是一个动态变化的图
15.查看服务是否运行
如果你想看看 http,smtp 或 ntp 服务是否在运行,使用 grep。
查看http是否运行
# netstat -aple | grep http tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN root 28255272 16701/nginx: master
使用 grep 命令你可以查看 http 或 smtp 或其它任何你想查看的服务
http://man.linuxde.net/netstat
https://linux.cn/article-2434-1.html
http://www.cnblogs.com/ggjucheng/archive/2012/01/08/2316661.html