netstat Command Explained

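Introduction

The netstat command displays a range of network-related information, such as network connections, routing tables, interface statistics, masquerade connections and multicast memberships.

Meaning of the output

Running netstat produces output like the following: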

[root@netstat ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0     52 ssh01:ssh               192.168.200.1:58307     ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  5      [ ]         DGRAM                    8960     /run/systemd/journal/socket
unix  11     [ ]         DGRAM                    8962     /dev/log
unix  2      [ ]         DGRAM                    13609    /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    17004    /var/run/chrony/chronyd.sock
unix  3      [ ]         DGRAM                    8937     /run/systemd/notify
unix  2      [ ]         DGRAM                    8939     /run/systemd/cgroups-agent
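# (remaining output omitted)

Overall, the netstat output falls into two parts:

The first is Active Internet connections, referred to as active TCP connections. "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers should normally be 0; if they are not, packets are piling up in the queue, which should only be seen very rarely.

The second is Active UNIX domain sockets (these work like network sockets but can only be used for communication on the local machine, where performance can be doubled).
Proto shows the protocol used by the connection, RefCnt is the reference count of processes attached to this socket, Type shows the socket type, State shows the current state of the socket, and Path is the path name that other processes use to connect to the socket.

Common options

  • -a (all): show everything; LISTEN sockets are not shown by default
  • -t (tcp): show only TCP-related entries
  • -u (udp): show only UDP-related entries
  • -n: do not show aliases; anything that can be shown as a number is shown as a number
  • -l: list only services in the Listen state
  • -p: show the name of the program that owns each connection
  • -r: show routing information (the routing table)
  • -e: show extended information, such as the uid
  • -s: show statistics per protocol
  • -c: re-run the netstat command at a fixed interval

Tip: the LISTEN and LISTENING states are only visible with -a or -l.

Practical command examples

1. List all ports (listening and non-listening)

1.1 List all ports: netstat -a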

[root@netstat ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0     52 netstat:ssh             192.168.200.1:58307     ESTABLISHED
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
udp        0      0 localhost:323           0.0.0.0:*                          
udp6       0      0 localhost:323           [::]:*                             
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  5      [ ]         DGRAM                    8960     /run/systemd/journal/socket
unix  11     [ ]         DGRAM                    8962     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     13588    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     18959    private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     18962    private/rewrite
unix  2      [ ACC ]     SEQPACKET  LISTENING     13605    /run/udev/control
# (remaining output omitted)

1.2 List all TCP ports: netstat -at

[root@netstat ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0     52 netstat:ssh             192.168.200.1:58307     ESTABLISHED
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN  

1.3 List all UDP ports: netstat -au

[root@netstat ~]# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 localhost:323           0.0.0.0:*                          
udp6       0      0 localhost:323           [::]:*     

2. List all sockets in the listening state

2.1 Show only listening ports: netstat -l

[root@netstat ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
udp        0      0 localhost:323           0.0.0.0:*                          
udp6       0      0 localhost:323           [::]:*                             
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     13588    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     18959    private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     18962    private/rewrite
unix  2      [ ACC ]     SEQPACKET  LISTENING     13605    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     18965    private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     18968    private/defer
unix  2      [ ACC ]     STREAM     LISTENING     13607    /run/lvm/lvmpolld.socket
# (remaining output omitted)

2.2 List only listening TCP ports: netstat -lt

[root@netstat ~]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN 

2.3 List only listening UDP ports: netstat -lu

[root@netstat ~]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 localhost:323           0.0.0.0:*                          
udp6       0      0 localhost:323           [::]:*  

2.4 List only listening UNIX ports: netstat -lx

[root@netstat ~]# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     13588    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     18959    private/tlsmgr
unix  2      [ ACC ]     STREAM     LISTENING     18962    private/rewrite
unix  2      [ ACC ]     SEQPACKET  LISTENING     13605    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     18965    private/bounce
unix  2      [ ACC ]     STREAM     LISTENING     18968    private/defer
unix  2      [ ACC ]     STREAM     LISTENING     13607    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     18971    private/trace
unix  2      [ ACC ]     STREAM     LISTENING     18974    private/verify
# (remaining output omitted)

3. Show statistics for each protocol

3.1 Show statistics for all ports: netstat -s

[root@netstat ~]# netstat -s
Ip:
    363 total packets received
    0 forwarded
    0 incoming packets discarded
    363 incoming packets delivered
    309 requests sent out
    16 dropped because of missing route
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    0 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
Tcp:
    0 active connections openings
    1 passive connection openings
    0 failed connection attempts
    0 connection resets received
    1 connections established
    263 segments received
    195 segments send out
    0 segments retransmited
    0 bad segments received.
    0 resets sent
Udp:
    99 packets received
    0 packets to unknown port received.
    0 packet receive errors
    121 packets sent
    0 receive buffer errors
    0 send buffer erros
UdpLite:
TcpExt:
    11 delayed acks sent
    1 packets directly queued to recvmsg prequeue.
    64 packet headers predicted
    48 acknowledgments not containing data payload received
    77 predicted acknowledgments
    TCPRcvCoalesce: 2
    TCPOrigDataSent: 151
IpExt:
    InOctets: 28156
    OutOctets: 51542
    InNoECTPkts: 363

3.2 Show statistics for TCP ports: netstat -st

[root@netstat ~]# netstat -st
Tcp:
    0 active connections openings
    1 passive connection openings
    0 failed connection attempts
    0 connection resets received
    1 connections established
    338 segments received
    262 segments send out
    0 segments retransmited
    0 bad segments received.
    0 resets sent
UdpLite:
TcpExt:
    14 delayed acks sent
    1 packets directly queued to recvmsg prequeue.
    92 packet headers predicted
    55 acknowledgments not containing data payload received
    107 predicted acknowledgments
    TCPRcvCoalesce: 2
    TCPOrigDataSent: 211
IpExt:
    InOctets: 34932
    OutOctets: 62342
    InNoECTPkts: 444

3.3 Show statistics for UDP ports: netstat -su

[root@netstat ~]# netstat -su
Udp:
    105 packets received
    0 packets to unknown port received.
    0 packet receive errors
    127 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
IpExt:
    InOctets: 35516
    OutOctets: 63554
    InNoECTPkts: 452

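4. Show the PID and program name in netstat output: netstat -p

netstat -p can be combined with other switches to add "PID/Program name" to the netstat output, which makes it easy to find the program behind a particular port when debugging.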

[root@netstat ~]# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0     52 netstat:ssh             192.168.200.1:58307     ESTABLISHED 1185/sshd: root@pts 
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  5      [ ]         DGRAM                    8960     1/systemd            /run/systemd/journal/socket
unix  11     [ ]         DGRAM                    8962     1/systemd            /dev/log
unix  2      [ ]         DGRAM                    13609    1/systemd            /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    17004    663/chronyd          /var/run/chrony/chronyd.sock
# (remaining output omitted)
[root@netstat ~]# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0     52 netstat:ssh             192.168.200.1:58307     ESTABLISHED 1185/sshd: root@pts 

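5. Do not show host, port and user names in netstat output

When you do not want host, port and user names displayed, use netstat -n; numbers are shown in place of those names.
This also speeds up the output, because no lookups have to be performed.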

[root@netstat ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0     52 192.168.200.30:22       192.168.200.1:58307     ESTABLISHED
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
udp        0      0 127.0.0.1:323           0.0.0.0:*                          
udp6       0      0 ::1:323                 :::*                               
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  5      [ ]         DGRAM                    8960     /run/systemd/journal/socket
unix  11     [ ]         DGRAM                    8962     /dev/log
# (remaining output omitted)
# To stop only one of these three kinds of name from being shown, use one of the following commands
netstat -a --numeric-ports
netstat -a --numeric-hosts
netstat -a --numeric-users

6. Print netstat information continuously

netstat -c prints the network information once every second

[root@netstat ~]# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0     52 netstat:ssh             192.168.200.1:58307     ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  5      [ ]         DGRAM                    8960     /run/systemd/journal/socket
unix  11     [ ]         DGRAM                    8962     /dev/log
unix  2      [ ]         DGRAM                    13609    /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    17004    /var/run/chrony/chronyd.sock
unix  3      [ ]         DGRAM                    8937     /run/systemd/notify
unix  2      [ ]         DGRAM                    8939     /run/systemd/cgroups-agent
# (remaining output omitted)

7. Show address families not supported by the system

With netstat --verbose, the end of the output contains messages like the following:

# (preceding output omitted)
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Show kernel routing information: netstat -r

[root@netstat ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         gateway         0.0.0.0         UG        0 0          0 ens32
link-local      0.0.0.0         255.255.0.0     U         0 0          0 ens32
192.168.200.0   0.0.0.0         255.255.255.0   U         0 0          0 ens32

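Note: use netstat -rn to display numeric addresses without looking up host names.

9. Find the port a program is running on

Not every process can be identified: processes you do not have permission for are not shown. Run as root to see all the information.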

[root@netstat ~]# netstat -ap | grep ssh
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      921/sshd            
tcp        0     52 netstat:ssh             192.168.200.1:58307     ESTABLISHED 1185/sshd: root@pts 
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      921/sshd            
unix  3      [ ]         STREAM     CONNECTED     18279    921/sshd             
unix  2      [ ]         DGRAM                    19409    1185/sshd: root@pts 

Find what is running on a given port (combine with -p, as in section 4, to show the PID/program name)

[root@netstat ~]# netstat -an | grep ':8080'
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN 

10. Show the list of network interfaces

[root@netstat ~]# netstat -i
Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ens32            1500     1753      0      0 0          1603      0      0      0 BMRU
lo              65536        0      0      0 0             0      0      0      0 LRU
# For detailed information, similar to ifconfig, use netstat -ie
[root@netstat ~]# netstat -ie
Kernel Interface table
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.200.30  netmask 255.255.255.0  broadcast 192.168.200.255
        inet6 fe80::20c:29ff:fef9:d01f  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f9:d0:1f  txqueuelen 1000  (Ethernet)
        RX packets 1778  bytes 155872 (152.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1622  bytes 916017 (894.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

11. IP and TCP analysis

# Find the IP addresses with the most connections to a given service port
[root@netstat ~]# netstat -nat | grep "192.168.200.30:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34

# List the TCP state of every connection
[root@netstat ~]# netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
LISTEN
LISTEN
ESTABLISHED
ESTABLISHED
LISTEN
LISTEN

# Extract all the states first, count them with uniq -c, then sort
[root@netstat ~]# netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
      5 LISTEN
      2 ESTABLISHED
      1 Foreign
      1 established)
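
An added example, not part of the original article: the same two analyses written as shell functions that read netstat -nat output on stdin. They count only rows whose protocol starts with tcp, so the header lines no longer show up as "established)" and "Foreign"; they compare the local port exactly, so port 22 does not also match 2222; and they keep IPv6 peer addresses intact. The sample output (documentation address ranges) and the function names are constructed for illustration.

```bash
# Constructed sample of `netstat -nat` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.200.30:22       203.0.113.7:40112       ESTABLISHED
tcp        0      0 192.168.200.30:22       203.0.113.7:40113       ESTABLISHED
tcp        0      0 192.168.200.30:22       203.0.113.7:40120       SYN_RECV
tcp        0     52 192.168.200.30:22       192.168.200.1:58307     ESTABLISHED
tcp        0      0 192.168.200.30:2222     198.51.100.9:51000      TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::30:22         2001:db8::99:50522      ESTABLISHED
EOF
}

# Count connections per TCP state, most frequent first.
# Header lines are skipped because their first field is not tcp/tcp6.
tcp_state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Count remote addresses connected to local port $1, most frequent first.
# Ports are split off at the LAST colon, which works for IPv4 and IPv6 alike.
top_peers_for_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lp = $4;   sub(/.*:/, "", lp)         # local port
            if (lp != port) next
            peer = $5; sub(/:[^:]*$/, "", peer)   # drop the remote port only
            n[peer]++
        }
        END { for (p in n) print n[p], p }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# On a live host:
#   netstat -nat | tcp_state_counts
#   netstat -nat | top_peers_for_port 22 | head -20
```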