netstat命令详解
netstat命令详解
简介
Netstat 命令用于显示各种网络相关信息,如网络连接,路由表,接口状态 (Interface Statistics),masquerade 连接,多播成员 (Multicast Memberships) 等等。
输出信息含义
执行netstat后,其输出结果为
[root@netstat ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 52 ssh01:ssh 192.168.200.1:58307 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 8960 /run/systemd/journal/socket
unix 11 [ ] DGRAM 8962 /dev/log
unix 2 [ ] DGRAM 13609 /run/systemd/shutdownd
unix 2 [ ] DGRAM 17004 /var/run/chrony/chronyd.sock
unix 3 [ ] DGRAM 8937 /run/systemd/notify
unix 2 [ ] DGRAM 8939 /run/systemd/cgroups-agent
#以下省略若干。。。
从整体上看,netstat的输出结果可以分为两个部分:
一个是Active Internet connections,称为有源TCP连接,其中"Recv-Q"和"Send-Q"指%0A的是接收队列和发送队列。这些数字一般都应该是0。如果不是则表示软件包正在队列中堆积。这种情况只能在非常少的情况见到。
另一个是Active UNIX domain sockets,称为有源Unix域套接口(和网络套接字一样,但是只能用于本机通信,性能可以提高一倍)。
Proto显示连接使用的协议,RefCnt表示连接到本套接口上的进程号,Types显示套接口的类型,State显示套接口当前的状态,Path表示连接到套接口的其它进程使用的路径名。
常见参数
- -a (all)显示所有选项,默认不显示LISTEN相关
- -t (tcp)仅显示tcp相关选项
- -u (udp)仅显示udp相关选项
- -n 拒绝显示别名,能显示数字的全部转化成数字。
- -l 仅列出有在 Listen (监听) 的服務状态
- -p 显示建立相关链接的程序名
- -r 显示路由信息,路由表
- -e 显示扩展信息,例如uid等
- -s 按各个协议进行统计
- -c 每隔一个固定时间,执行该netstat命令。
提示:LISTEN和LISTENING的状态只有用-a或者-l才能看到
实用命令实例
1. 列出所有端口 (包括监听和未监听的)
1.1 列出所有端口 netstat -a
[root@netstat ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 52 netstat:ssh 192.168.200.1:58307 ESTABLISHED
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
udp 0 0 localhost:323 0.0.0.0:*
udp6 0 0 localhost:323 [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 8960 /run/systemd/journal/socket
unix 11 [ ] DGRAM 8962 /dev/log
unix 2 [ ACC ] STREAM LISTENING 13588 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 18959 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 18962 private/rewrite
unix 2 [ ACC ] SEQPACKET LISTENING 13605 /run/udev/control
#以下省略若干。。。
1.2 列出所有 tcp 端口 netstat -at
[root@netstat ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 52 netstat:ssh 192.168.200.1:58307 ESTABLISHED
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
1.3 列出所有 udp 端口 netstat -au
[root@netstat ~]# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 localhost:323 0.0.0.0:*
udp6 0 0 localhost:323 [::]:*
2. 列出所有处于监听状态的 Sockets
2.1 只显示监听端口 netstat -l
[root@netstat ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
udp 0 0 localhost:323 0.0.0.0:*
udp6 0 0 localhost:323 [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 13588 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 18959 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 18962 private/rewrite
unix 2 [ ACC ] SEQPACKET LISTENING 13605 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 18965 private/bounce
unix 2 [ ACC ] STREAM LISTENING 18968 private/defer
unix 2 [ ACC ] STREAM LISTENING 13607 /run/lvm/lvmpolld.socket
#以下省略。。。
2.2 只列出所有监听 tcp 端口 netstat -lt
[root@netstat ~]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
2.3 只列出所有监听 udp 端口 netstat -lu
[root@netstat ~]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 localhost:323 0.0.0.0:*
udp6 0 0 localhost:323 [::]:*
2.4 只列出所有监听 UNIX 端口 netstat -lx
[root@netstat ~]# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 13588 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 18959 private/tlsmgr
unix 2 [ ACC ] STREAM LISTENING 18962 private/rewrite
unix 2 [ ACC ] SEQPACKET LISTENING 13605 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 18965 private/bounce
unix 2 [ ACC ] STREAM LISTENING 18968 private/defer
unix 2 [ ACC ] STREAM LISTENING 13607 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 18971 private/trace
unix 2 [ ACC ] STREAM LISTENING 18974 private/verify
#以下省略。。。
3. 显示每个协议的统计信息
3.1 显示所有端口的统计信息 netstat -s
[root@netstat ~]# netstat -s
Ip:
363 total packets received
0 forwarded
0 incoming packets discarded
363 incoming packets delivered
309 requests sent out
16 dropped because of missing route
Icmp:
0 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
Tcp:
0 active connections openings
1 passive connection openings
0 failed connection attempts
0 connection resets received
1 connections established
263 segments received
195 segments send out
0 segments retransmited
0 bad segments received.
0 resets sent
Udp:
99 packets received
0 packets to unknown port received.
0 packet receive errors
121 packets sent
0 receive buffer errors
0 send buffer erros
UdpLite:
TcpExt:
11 delayed acks sent
1 packets directly queued to recvmsg prequeue.
64 packet headers predicted
48 acknowledgments not containing data payload received
77 predicted acknowledgments
TCPRcvCoalesce: 2
TCPOrigDataSent: 151
IpExt:
InOctets: 28156
OutOctets: 51542
InNoECTPkts: 363
3.2 显示 TCP端口的统计信息 netstat -st
[root@netstat ~]# netstat -st
Tcp:
0 active connections openings
1 passive connection openings
0 failed connection attempts
0 connection resets received
1 connections established
338 segments received
262 segments send out
0 segments retransmited
0 bad segments received.
0 resets sent
UdpLite:
TcpExt:
14 delayed acks sent
1 packets directly queued to recvmsg prequeue.
92 packet headers predicted
55 acknowledgments not containing data payload received
107 predicted acknowledgments
TCPRcvCoalesce: 2
TCPOrigDataSent: 211
IpExt:
InOctets: 34932
OutOctets: 62342
InNoECTPkts: 444
3.3 显示 UDP 端口的统计信息 netstat -su
[root@netstat ~]# netstat -su
Udp:
105 packets received
0 packets to unknown port received.
0 packet receive errors
127 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
IpExt:
InOctets: 35516
OutOctets: 63554
InNoECTPkts: 452
4. 在 netstat 输出中显示 PID 和进程名称 netstat -p
netstat -p 可以与其它开关一起使用,就可以添加 “PID/进程名称” 到 netstat 输出中,这样 debugging 的时候可以很方便的发现特定端口运行的程序。
[root@netstat ~]# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 52 netstat:ssh 192.168.200.1:58307 ESTABLISHED 1185/sshd: root@pts
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 5 [ ] DGRAM 8960 1/systemd /run/systemd/journal/socket
unix 11 [ ] DGRAM 8962 1/systemd /dev/log
unix 2 [ ] DGRAM 13609 1/systemd /run/systemd/shutdownd
unix 2 [ ] DGRAM 17004 663/chronyd /var/run/chrony/chronyd.sock
#以下省略若干。。。
[root@netstat ~]# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 52 netstat:ssh 192.168.200.1:58307 ESTABLISHED 1185/sshd: root@pts
5. 在 netstat 输出中不显示主机,端口和用户名 (host, port or user)
当你不想让主机,端口和用户名显示,使用 netstat -n。将会使用数字代替那些名称。
同样可以加速输出,因为不用进行比对查询。
[root@netstat ~]# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 52 192.168.200.30:22 192.168.200.1:58307 ESTABLISHED
tcp6 0 0 ::1:25 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.1:323 0.0.0.0:*
udp6 0 0 ::1:323 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 8960 /run/systemd/journal/socket
unix 11 [ ] DGRAM 8962 /dev/log
#以下省略若干。。。
#如果只是不想让这三个名称中的一个被显示,使用以下命令
netsat -a --numeric-ports
netsat -a --numeric-hosts
netsat -a --numeric-users
6. 持续输出 netstat 信息
netstat -c 将每隔一秒输出网络信息
[root@netstat ~]# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 52 netstat:ssh 192.168.200.1:58307 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 8960 /run/systemd/journal/socket
unix 11 [ ] DGRAM 8962 /dev/log
unix 2 [ ] DGRAM 13609 /run/systemd/shutdownd
unix 2 [ ] DGRAM 17004 /var/run/chrony/chronyd.sock
unix 3 [ ] DGRAM 8937 /run/systemd/notify
unix 2 [ ] DGRAM 8939 /run/systemd/cgroups-agent
#以下省略若干。。。
7. 显示系统不支持的地址族 (Address Families)
netstat --verbose在输出的末尾,会有如下的信息
#以上省略若干。。。
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
8. 显示核心路由信息 netstat -r
[root@netstat ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default gateway 0.0.0.0 UG 0 0 0 ens32
link-local 0.0.0.0 255.255.0.0 U 0 0 0 ens32
192.168.200.0 0.0.0.0 255.255.255.0 U 0 0 0 ens32
注意:使用 netstat -rn 显示数字格式,不查询主机名称。
9. 找出程序运行的端口
并不是所有的进程都能找到,没有权限的会不显示,使用 root 权限查看所有的信息。
[root@netstat ~]# netstat -ap | grep ssh
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 921/sshd
tcp 0 52 netstat:ssh 192.168.200.1:58307 ESTABLISHED 1185/sshd: root@pts
tcp6 0 0 [::]:ssh [::]:* LISTEN 921/sshd
unix 3 [ ] STREAM CONNECTED 18279 921/sshd
unix 2 [ ] DGRAM 19409 1185/sshd: root@pts
找出运行在指定端口的进程
[root@netstat ~]# netstat -an | grep ':8080'
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN
10. 显示网络接口列表
[root@netstat ~]# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
ens32 1500 1753 0 0 0 1603 0 0 0 BMRU
lo 65536 0 0 0 0 0 0 0 0 LRU
#显示详细信息,像是 ifconfig 使用 netstat -ie
[root@netstat ~]# netstat -ie
Kernel Interface table
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.200.30 netmask 255.255.255.0 broadcast 192.168.200.255
inet6 fe80::20c:29ff:fef9:d01f prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:f9:d0:1f txqueuelen 1000 (Ethernet)
RX packets 1778 bytes 155872 (152.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1622 bytes 916017 (894.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
11. IP和TCP分析
#查看连接某服务端口最多的的IP地址
[root@netstat ~]# netstat -nat | grep "192.168.200.30:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
#TCP各种状态列表
[root@netstat ~]# netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
LISTEN
LISTEN
ESTABLISHED
ESTABLISHED
LISTEN
LISTEN
#先把状态全都取出来,然后使用uniq -c统计,之后再进行排序
[root@netstat ~]# netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
5 LISTEN
2 ESTABLISHED
1 Foreign
1 established)