1. Introduction
Netstat is a console command and a very useful tool for monitoring TCP/IP networks. It can display routing tables, active network connections, and status information for each network interface. Netstat shows statistics for the IP, TCP, UDP and ICMP protocols, and is generally used to check the network connections on each port of the machine.
2. Common parameters of netstat
Explanation of column names:
Proto: The protocol used by the socket.
RefCnt: The reference count, i.e. the number of processes attached to this socket.
Type: The socket type.
State: The current state of the socket.
Path: The path name used by the other processes attached to the socket.
3. Common usage
Find out the port the program is running on
#netstat -ap | grep ':80'
View the IP addresses with the most connections to a service port (top 20)
#netstat -nat | grep "10.1.62.23:443" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
List the state of every TCP connection
#netstat -nat |awk '{print $6}'
Count the number of connections in each state
#netstat -nat |awk '{print $6}'|sort|uniq -c
Sort the states by number of connections (two equivalent forms)
#netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
#netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
Count all TCP sockets directly (the two header lines are included in the total)
#netstat -ant | wc -l
Find out the port the program is running on
netstat -ap | grep 'program name'
Display kernel routing information
Use the -r option to print kernel routing information. The information printed is the same as the information output by the route command. We can also disable domain name resolution with the -n option.
$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
Print network interface information
netstat can also print network interface information; the -i option exists for exactly this purpose.
$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0   31611      0      0      0   27503      0      0      0 BMRU
lo    65536   0    2913      0      0      0    2913      0      0      0 LRU
The output above is fairly terse. Combining the -e option with -i produces more readable, user-friendly output.
$ netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:16:36:f8:b2:64
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:36ff:fef8:b264/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29637117 (29.6 MB)  TX bytes:4590583 (4.5 MB)
          Interrupt:18 Memory:da000000-da020000
Display multicast group information
The option -g outputs multicast group information for IPv4 and IPv6.
$ netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eth0            1      224.0.0.251
eth0            1      all-systems.mcast.net
lo              1      ip6-allnodes
lo              1      ff01::1
eth0            1      ff02::fb
eth0            1      ff02::1:fff8:b264
eth0            1      ip6-allnodes
eth0            1      ff01::1
wlan0           1      ip6-allnodes
wlan0           1      ff01::1
Find a specific connection status
$ netstat -atnp | grep ESTA
Print active connections
Active socket connections are shown with the state "ESTABLISHED", so grep for that field to list only the active connections. To monitor them continuously, wrap the command in watch:
$ watch -d -n0 "netstat -atnp | grep ESTA"
View TCP connection status
netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
netstat -n |awk '/^tcp/ {print $NF}'|sort|uniq -c|sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]};END {for(a in S) print a, S[a]}'
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for(key in state) print key,"\t",state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]};END {for(k in arr) print k,"\t",arr[k]}'
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
Find the IPs with the most TIME_WAIT and SYN connections (the example greps for TIME_WAIT; grep for SYN_RECV to see half-open connections instead)
netstat -n|grep TIME_WAIT|awk '{print $5}'|sort|uniq -c|sort -rn|head -n20
Use tcpdump to sniff port 80 and see which source IPs hit it most frequently
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr |head -n 20
Find the top 10 IPs by number of requests
This combination of commands is often used to find the source IP of attacks on a website. The commands are as follows:
netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n10
netstat -ant |awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' |sort -rn|head -n10
This command is used most often, especially when website traffic rises for no obvious reason, for example:
[root@test ~]# netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n5
    124 27.148.154.216
     85 27.148.154.162
     82 27.148.154.217
     81 27.148.154.159
     78 221.235.244.60
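The per-state counts and the top-talker listings above (from "Count the number of connections in each state" through the top-10 IP listing here) share one parsing step, so the following added example, which is not part of the original post, implements both as shell functions over a constructed netstat -nat sample. The NETSTAT_SAMPLE text and the function names are assumptions made for this example; it also handles IPv6 peers, which the `awk -F:` form above does not.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output; not captured from a real host.
# It includes a listening socket, an IPv6 peer and several states so the
# edge cases the one-liners above can trip over are visible.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.1.62.23:443          203.0.113.10:51234      ESTABLISHED
tcp        0      0 10.1.62.23:443          203.0.113.10:51235      ESTABLISHED
tcp        0      0 10.1.62.23:443          203.0.113.10:51236      TIME_WAIT
tcp        0      0 10.1.62.23:443          198.51.100.7:40000      SYN_RECV
tcp        0      0 10.1.62.23:443          198.51.100.7:40001      ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::dead:beef:4432 ESTABLISHED
tcp        0      0 10.1.62.23:22           192.0.2.5:6000          ESTABLISHED'

# Connections per TCP state, the same idea as
#   netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
# but reading stdin, so a saved capture can be analysed offline.
tcp_state_counts() {
    awk '/^tcp/ {++S[$NF]} END {for (a in S) print S[a], a}' | sort -rn
}

# Top N peer addresses connected to a given local port.
# `awk -F: '{print $1}'` cuts at the first colon, which reduces an IPv6
# peer to an empty string; removing only the trailing ":port" keeps both
# address families intact. Listening sockets are skipped.
top_peers_on_port() {
    port="$1"; n="${2:-20}"
    awk -v p=":$port\$" '/^tcp/ && $4 ~ p && $6 != "LISTEN" {
            peer = $5; sub(/:[0-9]+$/, "", peer); print peer }' \
        | sort | uniq -c | sort -rn | head -n "$n"
}

# Single-value helpers so results can be checked rather than only printed.
count_in_state() {            # usage: count_in_state STATE  < netstat-output
    tcp_state_counts | awk -v s="$1" '$2 == s {print $1}'
}
busiest_peer_on_port() {      # usage: busiest_peer_on_port PORT  < netstat-output
    top_peers_on_port "$1" 1 | awk '{print $2}'
}

printf '%s\n' "$NETSTAT_SAMPLE" | tcp_state_counts
printf '%s\n' "$NETSTAT_SAMPLE" | top_peers_on_port 443 5
```

On a live host replace the printf with `netstat -nat | tcp_state_counts`; the functions read whatever is on stdin.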
See which crawlers are crawling my site
tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'
Get the most visited files or pages (top 10)
[root@test logs]# cat miivey_access.log |awk '{print $11}'|sort|uniq -c|sort -nr|head -n 10
12817067 "http://www.abc.com/"
 1279583 "http://www.abc.com/cn/"
  387843 "http://www.habcd.com/"
HTTP status code statistics
First, count every HTTP status code in the log and how many times each one occurs:
[root@test logs]# cat miivey_access.log |awk '{print $9}'|sort|uniq -c|sort -rn
 457030 200
  17035 404
There are 457030 responses with status 200 and 17035 with status 404, which is also a large number. That many 404s will certainly affect the website, so let's look at which pages return 404:
[root@test logs]# awk '($9 ~/404/)' miivey_access.log | awk '{print $9,$7}' | sort
404 /zzb.php
404 //zzk.aspx
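Added example, not from the original post: the status-code count and the 404 listing above as shell functions over a constructed combined-format log (the ACCESS_LOG text and the function names are assumptions). It goes one step further than the log commands above by also breaking the 404s down per client IP, which is what identifies the source of a scan.

```shell
#!/bin/sh
# Constructed lines in the NCSA combined log format; not from a real site.
# With awk's default whitespace split: $1 client IP, $7 request path,
# $9 status code, $11 referer.
ACCESS_LOG='203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "http://www.abc.com/" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /cn/ HTTP/1.1" 200 1200 "http://www.abc.com/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:38 +0000] "GET /zzb.php HTTP/1.1" 404 169 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET //zzk.aspx HTTP/1.1" 404 169 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /zzb.php HTTP/1.1" 404 169 "-" "curl/8.0"
192.0.2.5 - - [10/Oct/2023:13:55:41 +0000] "GET /cn/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:55:42 +0000] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0"'

# How many times each status code occurs (the `cat file | awk` form above
# becomes `awk ... file`, or stdin as here).
status_code_counts() {
    awk '{print $9}' | sort | uniq -c | sort -rn
}

# Which paths produced 404s and how often. An exact comparison on $9 is used
# instead of the regex match `$9 ~ /404/` so only the status column decides.
not_found_paths() {
    awk '$9 == "404" {print $9, $7}' | sort | uniq -c | sort -rn
}

# Which clients generate the 404s: a single source producing many misses
# for paths that never existed is the usual signature of a scanner.
not_found_by_client() {
    awk '$9 == "404" {print $1}' | sort | uniq -c | sort -rn
}

# Single-value helpers so results can be checked rather than only printed.
count_status() {               # usage: count_status CODE  < access.log
    status_code_counts | awk -v s="$1" '$2 == s {print $1}'
}
top_not_found_path() {         # usage: top_not_found_path  < access.log
    not_found_paths | head -n 1 | awk '{print $3}'
}
top_not_found_client() {       # usage: top_not_found_client  < access.log
    not_found_by_client | head -n 1 | awk '{print $2}'
}

printf '%s\n' "$ACCESS_LOG" | status_code_counts
printf '%s\n' "$ACCESS_LOG" | not_found_paths
printf '%s\n' "$ACCESS_LOG" | not_found_by_client
```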
Reference link:
Detailed explanation of netstat command under Linux https://blog.csdn.net/dongl890426/article/details/86981901