Backend Server Essentials (2): Linux Networking Commands

This article was originally published on my personal site.

1. netstat (show network status)

Usage: netstat [OPTION]

netstat

Without any arguments, the default output looks like this:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 10.135.140.109:http         ec2-52-221-254-177.ap:15672 SYN_RECV
tcp        0     40 10.135.140.109:opsec-uaa    171.212.208.223:51167       ESTABLISHED
tcp        0      0 10.135.140.109:43963        101.226.68.166:nsesrvr      ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  6      [ ]         DGRAM                    60962  /dev/log
unix  2      [ ]         DGRAM                    49689  @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    18148696
unix  2      [ ]         DGRAM                    18143862
unix  3      [ ]         STREAM     CONNECTED     17474862 /usr/local/sa/agent/secubase/secu-tcs-agent-v5.unix

Active Internet connections (w/o servers)

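As the name says, these are the active Internet connections, that is, the state of every connection currently made to this machine. The "(w/o servers)" suffix means listening sockets are left out of this view.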

Proto Recv-Q Send-Q Local Address Foreign Address State
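Protocol, receive queue, send queue, local address, foreign address, state

  • Protocol: UDP, TCP, SCTP, ICMP and IP can appear here; the most common are TCP and UDP.

  • Receive queue: usually 0, meaning no packets are backed up.

  • Send queue: usually 0, meaning no packets are backed up.

  • Local address: usually an address on the internal network; you may also see localhost or 127.0.0.1.

  • Foreign address: the remote IP and port of the connection.

    Here you can see that the user at 171.212.208.223 has connected from port 51167 to the server's http (port 80), opsec-uaa.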

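  • State: one of the following

  • CLOSED -- the initial (no connection) state.

  • LISTEN -- listening, waiting for connection requests from remote machines.

  • SYN_SENT -- during the TCP three-way handshake, after the actively connecting side sends its SYN packet, it enters SYN_SENT and waits for the peer's ACK packet.

  • SYN_RECV -- during the TCP three-way handshake, after the actively connecting side receives a SYN packet, it enters SYN_RECV.

  • ESTABLISHED -- after the TCP three-way handshake completes, the actively connecting side enters the ESTABLISHED state. At this point the TCP connection is established and data can be exchanged.

  • FIN_WAIT_1 -- during the TCP four-way teardown, after the actively closing side sends its FIN packet, it enters FIN_WAIT_1.

  • FIN_WAIT_2 -- during the TCP four-way teardown, after the actively closing side receives the ACK packet, it enters FIN_WAIT_2.

  • TIME_WAIT -- during the TCP four-way teardown, after the actively closing side sends its ACK packet, it enters TIME_WAIT and waits up to the MSL time so that the passively closing side can receive the ACK packet.

  • CLOSING -- during the TCP four-way teardown, the actively closing side has sent its FIN packet and, instead of the matching ACK packet, receives the peer's FIN packet; it then enters CLOSING.

  • CLOSE_WAIT -- during the TCP four-way teardown, after the passively closing side receives the FIN packet, it enters CLOSE_WAIT.

  • LAST_ACK -- during the TCP four-way teardown, after the passively closing side sends its FIN packet, it enters LAST_ACK and waits for the peer's ACK packet.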
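The State column is most useful when aggregated. The following is an added example, not part of the original article: it tallies TCP states from `netstat -ant` output and attributes sockets in one state (by default the half-open SYN_RECV) to their remote addresses, which is the first check when a handshake backlog is suspected. The function names and the sample lines (documentation address ranges) are constructed for illustration.

```bash
#!/bin/sh
# Added example: summarize TCP states from `netstat -ant` output read on stdin.

# Print "<count> <state>" for every TCP state seen, most frequent first.
tcp_state_summary() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' |
        LC_ALL=C sort -t ' ' -k1,1nr -k2,2
}

# Print "<count> <remote-ip>" for TCP sockets in state $1 (default SYN_RECV),
# so a pile of half-open handshakes can be attributed to its source addresses.
peers_in_state() {
    awk -v st="${1:-SYN_RECV}" '$1 ~ /^tcp/ && $6 == st {
        peer = $5
        sub(/:[^:]*$/, "", peer)      # drop the trailing :port (IPv6-safe)
        n[peer]++
    } END { for (p in n) print n[p], p }' |
        LC_ALL=C sort -t ' ' -k1,1nr -k2,2
}

# Constructed sample input (documentation addresses), not captured from a host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:40112      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40113      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40114      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51820       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.20:39184      TIME_WAIT
tcp        0     40 10.0.0.5:22             192.0.2.44:51167        ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

sample_netstat | tcp_state_summary
sample_netstat | peers_in_state SYN_RECV
```

On a live host, replace `sample_netstat` with `netstat -ant`; the `-n` flag matters because name resolution would otherwise truncate or rewrite the peer addresses being counted.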

Active UNIX domain sockets (w/o servers)

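This is an IPC (inter-process communication) mechanism on Unix systems. It can be thought of simply as the data pipe that processes need in order to talk to each other. Because the data never crosses the network, programs interacting over this pipe do not need to pack and unpack packets, compute checksums, or maintain sequence numbers and acknowledgements. For an introduction to IPC mechanisms, see the blog post "IPC 机制简介" (A Brief Introduction to IPC Mechanisms); if you know a little C, also see "Linux下的IPC-UNIX Domain Socket" (IPC on Linux: UNIX Domain Socket).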

| Proto | RefCnt | Flags | Type | State | I-Node | Path |
| --- | --- | --- | --- | --- | --- | --- |
| Protocol | Reference count | TODO | Data transfer type | Connection state | Linux file identifier | Path in use |

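  • Protocol: only unix appears here, meaning this is a unix socket.

  • Reference count: the number of times the socket is referenced by programs; different programs, or the same program, can use the same pipe to exchange data.

  • Flags: not found yet, TODO

  • Data transfer type:

    byte streams
    datagram

  • Connection state: the same as the network socket states above.

  • Linux file identifier: the Linux inode; see the blog post "Linux的inode的理解" (Understanding the Linux inode).

  • Path in use: as the name suggests, the file path this pipe uses.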

netstat -a (all): show the state of all network connections

[root@VM_140_109_centos ~]# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:opsec-uaa                 *:*                         LISTEN
tcp        0      0 localhost:smtp              *:*                         LISTEN
tcp        0      0 *:terabase                  *:*                         LISTEN
tcp        0      0 10.135.140.109:http         li1598-70.members.lin:39184 TIME_WAIT
tcp        0      0 10.135.140.109:43963        101.226.68.166:nsesrvr      ESTABLISHED
tcp        0     40 10.135.140.109:opsec-uaa    251.78.70.125.broad.cd.:bcs ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     60862  public/showq
unix  2      [ ACC ]     STREAM     LISTENING     60866  private/error
unix  2      [ ACC ]     STREAM     LISTENING     60870  private/retry

netstat -n: show addresses in numeric form instead of symbolic form

[root@VM_140_109_centos ~]# netstat -n | more
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 10.135.140.109:43963        101.226.68.166:9988         ESTABLISHED
tcp        0     40 10.135.140.109:19191        125.70.78.251:4677          ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  6      [ ]         DGRAM                    60962  /dev/log
unix  2      [ ]         DGRAM                    49689  @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    18426269

[root@VM_140_109_centos ~]# netstat -na | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:19191               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:4000                0.0.0.0:*                   LISTEN
tcp        0      0 10.135.140.109:43963        101.226.68.166:9988         ESTABLISHED
tcp        0     40 10.135.140.109:19191        125.70.78.251:4677          ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     60862  public/showq
unix  2      [ ACC ]     STREAM     LISTENING     60866  private/error
unix  2      [ ACC ]     STREAM     LISTENING     60870  private/retry
unix  2      [ ACC ]     STREAM     LISTENING     60874  private/discard
unix  2      [ ACC ]     STREAM     LISTENING     60878  private/local
unix  2      [ ACC ]     STREAM     LISTENING     60882  private/virtual

netstat -p: print the name of the program that owns each socket

[root@VM_140_109_centos ~]# netstat -p | more
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 10.135.140.109:41434        10.190.93.159:nsesrvr       ESTABLISHED 4919/secu-tcs-agent
tcp        0     40 10.135.140.109:opsec-uaa    182.148.57.124:27584        ESTABLISHED 10865/sshd
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  6      [ ]         DGRAM                    60962  4674/rsyslogd       /dev/log
unix  2      [ ]         DGRAM                    49689  3680/udevd          @/org/kernel/udev/udevd
unix  2      [ ]         DGRAM                    23386059 10865/sshd
unix  2      [ ]         DGRAM                    23382189 10037/pickup
unix  3      [ ]         STREAM     CONNECTED     20534979 4919/secu-tcs-agent /usr/local/sa/agent/secubase/secu-tcs-agent-v5.unix
unix  3      [ ]         STREAM     CONNECTED     20534978 1930/sap1005
unix  3      [ ]         STREAM     CONNECTED     20534977 4919/secu-tcs-agent /usr/local/sa/agent/secubase/secu-tcs-agent.unix
unix  3      [ ]         STREAM     CONNECTED     20534976 1930/sap1005
unix  3      [ ]         STREAM     CONNECTED     20489154 4919/secu-tcs-agent /usr/local/sa/agent/secubase/secu-tcs-agent.unix
unix  3      [ ]         STREAM     CONNECTED     20489153 24376/sap1004
unix  3      [ ]         STREAM     CONNECTED     17474862 4919/secu-tcs-agent /usr/local/sa/agent/secubase/secu-tcs-agent-v5.unix
unix  3      [ ]         STREAM     CONNECTED     17474861 30420/sap1009

netstat -l: list only network connections in the Listening state

[root@VM_140_109_centos ~]# netstat -l | more
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:opsec-uaa                 *:*                         LISTEN
tcp        0      0 localhost:smtp              *:*                         LISTEN
tcp        0      0 *:terabase                  *:*                         LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     60862  public/showq
unix  2      [ ACC ]     STREAM     LISTENING     60866  private/error
unix  2      [ ACC ]     STREAM     LISTENING     60870  private/retry
unix  2      [ ACC ]     STREAM     LISTENING     60874  private/discard
unix  2      [ ACC ]     STREAM     LISTENING     60878  private/local
unix  2      [ ACC ]     STREAM     LISTENING     60882  private/virtual
unix  2      [ ACC ]     STREAM     LISTENING     60886  private/lmtp
unix  2      [ ACC ]     STREAM     LISTENING     60890  private/anvil
unix  2      [ ACC ]     STREAM     LISTENING     60894  private/scache

netstat [--tcp|-t]: list only TCP ports; [--udp|-u]: list only UDP ports

  • TCP
[root@VM_140_109_centos ~]# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 10.135.140.109:41434        10.190.93.159:nsesrvr       ESTABLISHED
tcp        0     40 10.135.140.109:opsec-uaa    182.148.57.124:27584        ESTABLISHED
  • UDP
[root@VM_140_109_centos ~]# netstat -u
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State

As you can see, there are no UDP connections here.

netstat -s: show statistics for each protocol

[root@VM_140_109_centos ~]# netstat -s
Ip:
    14150245 total packets received
    2 with invalid addresses
    0 forwarded
    8 with unknown protocol
    0 incoming packets discarded
    11105122 incoming packets delivered
    11088052 requests sent out
    12 reassemblies required
    5 packets reassembled ok
Icmp:
    2012695 ICMP messages received
    3621 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 4071
        timeout in transit: 135
        redirects: 6
        echo requests: 2008442
        echo replies: 39
        timestamp request: 2
    2212368 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 203924
        echo replies: 2008442
        timestamp replies: 2
IcmpMsg:
        InType0: 39
        InType3: 4071
        InType5: 6
        InType8: 2008442
        InType11: 135
        InType13: 2
        OutType0: 2008442
        OutType3: 203924
        OutType14: 2
Tcp:
    1852 active connections openings
    20442 passive connection openings
    5494 failed connection attempts
    661 connection resets received
    2 connections established
    8820870 segments received
    8805804 segments send out
    15430 segments retransmited
    63 bad segments received.
    7878728 resets sent
Udp:
    44596 packets received
    226787 packets to unknown port received.
    45 packet receive errors
    54450 packets sent
UdpLite:
TcpExt:
    359 invalid SYN cookies received
    5486 resets received for embryonic SYN_RECV sockets
    89 ICMP packets dropped because they were out-of-window
    6570 TCP sockets finished time wait in fast timer
    12 packets rejects in established connections because of timestamp
    24366 delayed acks sent
    29 delayed acks further delayed because of locked socket
    Quick ack mode was activated 1867 times
    590 packets directly queued to recvmsg prequeue.
    14240 packets directly received from backlog
    372729 packets directly received from prequeue
    521641 packets header predicted
    208 packets header predicted and directly queued to user
    118812 acknowledgments not containing data received
    255005 predicted acknowledgments
    846 times recovered from packet loss due to SACK data
    Detected reordering 2 times using FACK
    Detected reordering 1 times using SACK
    Detected reordering 22 times using time stamp
    28 congestion windows fully recovered
    86 congestion windows partially recovered using Hoe heuristic
    TCPDSACKUndo: 37
    253 congestion windows recovered after partial ack
    2913 TCP data loss events
    TCPLostRetransmit: 685
    2 timeouts after reno fast retransmit
    163 timeouts after SACK recovery
    537 timeouts in loss state
    4780 fast retransmits
    460 forward retransmits
    6083 retransmits in slow start
    1742 other TCP timeouts
    298 sack retransmits failed
    1690 DSACKs sent for old packets
    455 DSACKs received
    2 DSACKs for out of order packets received
    13 connections reset due to unexpected data
    36 connections reset due to early user close
    134 connections aborted due to timeout
    TCPDSACKIgnoredOld: 1
    TCPDSACKIgnoredNoUndo: 152
    TCPSpuriousRTOs: 8
    TCPSackShifted: 450
    TCPSackMerged: 4580
    TCPSackShiftFallback: 3187
    TCPChallengeACK: 62
    TCPSYNChallenge: 10
IpExt:
    InMcastPkts: 3
    InOctets: 1246493421
    OutOctets: 759134784
    InMcastOctets: 108

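2. Common netstat command combinations

2.1 Find the network ports a given program is using

netstat -anp | grep ssh (find the network ports used by ssh)

Under a non-root account the following notice appears; root privileges are required: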

wzy@wzt-dev2-PC:~$ netstat -anp | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

After switching to root:

root@wzt-dev2-PC:/home/wzy# netstat -anp | grep ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      861/sshd
tcp        0  26556 192.168.0.187:22        192.168.0.174:59863     ESTABLISHED 10766/sshd: wzy [pr
tcp        0      0 192.168.0.187:22        192.168.0.115:57336     ESTABLISHED 12838/sshd: wzy [pr
tcp6       0      0 :::22                   :::*                    LISTEN      861/sshd
unix  2      [ ]         DGRAM                    1137722  10766/sshd: wzy [pr
unix  3      [ ]         STREAM     CONNECTED     16016    861/sshd
unix  3      [ ]         STREAM     CONNECTED     1162258  12838/sshd: wzy [pr
unix  2      [ ]         DGRAM                    1162250  12838/sshd: wzy [pr
unix  3      [ ]         STREAM     CONNECTED     1137737  10766/sshd: wzy [pr

netstat -anp | grep mysqld (find the network ports used by mysqld)

root@wzt-dev2-PC:/home/wzy# netstat -anp | grep mysqld
tcp6       0      0 :::3306                 :::*                    LISTEN      2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:25408     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:25406     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:26278     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:25554     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:25832     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:21390     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:26336     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:25864     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:22198     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:26342     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:21350     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:25958     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:26024     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:19907     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.174:59848     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:26280     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:21352     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:20518     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:19904     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.174:59847     ESTABLISHED 2311/mysqld
tcp6       0      0 192.168.0.187:3306      192.168.0.187:19906     ESTABLISHED 2311/mysqld
unix  2      [ ACC ]     STREAM     LISTENING     23752    2311/mysqld         /tmp/mysql.sock

2.2 Find the network state of a given port and print the program using it

netstat -anpl | grep :8088 (find the program using port 8088)

root@wzt-dev2-PC:/home/wzy# netstat -anpl | grep :8088
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      928/nginx.conf

Here you can see that nginx is listening on port 8088.
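The grep recipes in section 2 answer one question at a time. The following added example (not from the original article) generalizes them into a listener audit: it reads `netstat -anp` output and classifies every listening TCP socket by bind scope, so services reachable from other hosts (0.0.0.0, ::, or *) stand apart from loopback-only ones, and it handles the non-root case where the program column is just "-". The function names are hypothetical and the sample lines are constructed, modeled on the output shown above.

```bash
#!/bin/sh
# Added example: classify listening TCP sockets from `netstat -anp` output (stdin).
# Output: "<scope> <proto> <port> <pid/program>"
#   scope = all-interfaces | loopback | specific
audit_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4; sub(/:[^:]*$/, "", addr)    # local address without the port
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        if (addr == "0.0.0.0" || addr == "::" || addr == "*")
            scope = "all-interfaces"
        else if (addr ~ /^127\./ || addr == "::1" || addr == "localhost")
            scope = "loopback"
        else
            scope = "specific"
        prog = $7; for (i = 8; i <= NF; i++) prog = prog " " $i
        # netstat prints "-" when it may not read the owning process (non-root)
        if (prog == "" || prog == "-") prog = "unknown(run-as-root)"
        print scope, $1, port, prog
    }' | LC_ALL=C sort -t ' ' -k1,1 -k3,3n -k2,2
}

# Only the listeners that accept connections on every interface.
exposed_listeners() {
    audit_listeners | awk '$1 == "all-interfaces"'
}

# Constructed sample input modeled on the output above, not captured from a host.
sample_listen() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      861/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1204/master
tcp        0      0 0.0.0.0:8088            0.0.0.0:*               LISTEN      928/nginx.conf
tcp        0      0 192.168.0.187:22        192.168.0.174:59863     ESTABLISHED 10766/sshd: wzy [pr
tcp        0      0 192.168.0.187:9000      0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      861/sshd
tcp6       0      0 :::3306                 :::*                    LISTEN      2311/mysqld
unix  2      [ ACC ]     STREAM     LISTENING     23752    2311/mysqld         /tmp/mysql.sock
EOF
}

sample_listen | audit_listeners
```

In the sample, mysqld on :::3306 lands in the all-interfaces group, the kind of finding that calls for binding the service to a specific address or filtering the port at the firewall.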
