Common usage of netstat command

1. Introduction

Netstat is a command-line tool for monitoring TCP/IP networking. It can display the routing table, active network connections, and status and statistics for each network interface. Netstat also reports statistics for the IP, TCP, UDP and ICMP protocols, and is most often used to check which ports on a machine are listening or connected and which process owns them.

2. Common parameters of netstat

Options used in this article:

-a: show all sockets, listening and non-listening
-n: print numeric addresses and ports instead of resolving hostnames and service names (without it port 80 is printed as "http")
-t / -u: show only TCP / only UDP sockets
-l: show only listening sockets
-p: show the PID and name of the program that owns each socket (run as root to see other users' processes; otherwise that column shows "-")
-r: print the kernel routing table
-i: print the network interface table (-e adds the extended, ifconfig-style form)
-g: print multicast group memberships

In the "Active Internet connections" table the columns are Proto, Recv-Q, Send-Q, Local Address, Foreign Address and State, plus PID/Program name when -p is given; the awk one-liners below refer to them as $1 to $6 ($7 with -p). The "Active UNIX domain sockets" table printed by netstat -a uses these columns:

Proto: The protocol used by the socket (unix).

RefCnt: The reference count, i.e. the number of processes attached to this socket.

Type: The socket type (STREAM, DGRAM, SEQPACKET).

State: The current state of the socket.

Path: The path name of the socket file, which other processes use to attach to it.

3. Common usage

Find which process is using port 80 (-p adds the owning PID/program; run as root to see all processes). -n keeps the port numeric, since without it netstat prints the service name from /etc/services instead of 80, and the trailing space in the pattern stops :8080 and :8000 from matching as well.

#netstat -anp | grep ':80 '

View the IP addresses with the most connections to a service port (top 20). $5 is the Foreign Address column; awk -F: keeps only the part before the first colon, which works for IPv4 but cuts an IPv6 peer address short. Replace 10.1.62.23:443 with the local address and port of the service you are looking at.

#netstat -nat | grep "10.1.62.23:443" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20

List the TCP state of every socket ($6 is the State column; the two header lines that netstat prints come through as well)

#netstat -nat |awk '{print $6}'


Count the number of sockets in each state

#netstat -nat |awk '{print $6}'|sort|uniq -c


Sort by count. The second form matches only tcp/tcp6 rows, which drops the header lines, and uses $NF (the last field) so it does not depend on the column position.

#netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

#netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'


Count the total number of TCP sockets (the two header lines are included in the total; grep -c '^tcp' counts only the socket rows)

#netstat -ant | wc -l

Find the ports a given program is using (match against the PID/Program name column; run as root to see other users' processes)

netstat -ap | grep 'program name'
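The two lookups above are usually run to answer one question: what is listening on this box, and on which interfaces? The function below, added here as an example and not taken from the original page, parses netstat -antp output and reports every LISTEN socket bound to a wildcard address (0.0.0.0 or ::) with the program that owns it. The sample output is constructed to look like netstat's table; the port is cut after the last colon so the IPv6 wildcard :::443 is handled, which splitting on the first colon would not do.

```sh
#!/bin/sh
# Added example (not from the original page): list listening sockets that are
# reachable on every interface, with the owning program, from `netstat -antp`.
# Run netstat as root, otherwise other users' processes show up as "-".
# SAMPLE_NETSTAT_P is constructed sample output, not a real capture.

SAMPLE_NETSTAT_P='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      -
tcp        0      0 10.1.62.23:443          203.0.113.7:51234       ESTABLISHED 990/nginx
tcp6       0      0 :::443                  :::*                    LISTEN      990/nginx'

# exposed_listeners: reads netstat -antp output on stdin and prints
# "PORT PID/PROGRAM" for each LISTEN socket whose local address is a wildcard.
# With -p the State column is $6 and PID/Program name is $7 on tcp rows.
# The port is the text after the LAST colon, so ":::443" splits correctly.
exposed_listeners() {
    awk '/^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::")
                print port, $7
         }' | sort -n
}

# port_owner PORT: program owning a wildcard listener on PORT; prints
# "unknown" when netstat could not map the socket to a process ("-"),
# and prints nothing when PORT is not exposed on a wildcard address.
port_owner() {
    exposed_listeners | awk -v p="$1" '$1 == p {
            v = ($2 == "-") ? "unknown" : $2
            print v
         }'
}

# Stand-alone run on the constructed sample; on a live host use:
#   netstat -antp | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT_P" | exposed_listeners
```

The loopback-only mysqld row is deliberately left out of the result: the point of the check is external exposure, and a service bound to 127.0.0.1 is not reachable from the network. An "unknown" owner on a wildcard port is exactly the case worth chasing down as root.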


Display kernel routing information
Use the -r option to print the kernel routing table. The output is the same as that of the route command. Adding -n disables name resolution so addresses are printed numerically.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Print network interface statistics
netstat can also print the interface table (packet counts, errors, drops and overruns per interface); the -i option exists for this.

$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0     31611      0      0 0         27503      0      0      0 BMRU
lo        65536 0      2913      0      0 0          2913      0      0      0 LRU

The output above is the raw table. Adding -e to -i prints the extended, ifconfig-style form with addresses, byte counts and hardware details per interface.

$ netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:16:36:f8:b2:64  
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::216:36ff:fef8:b264/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:31682 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27573 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:29637117 (29.6 MB)  TX bytes:4590583 (4.5 MB)
          Interrupt:18 Memory:da000000-da020000 

Display multicast group information
The -g option prints the IPv4 and IPv6 multicast group memberships of each interface.

$ netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eth0            1      224.0.0.251
eth0            1      all-systems.mcast.net
lo              1      ip6-allnodes
lo              1      ff01::1
eth0            1      ff02::fb
eth0            1      ff02::1:fff8:b264
eth0            1      ip6-allnodes
eth0            1      ff01::1
wlan0           1      ip6-allnodes
wlan0           1      ff01::1

Find connections in a specific state / print active connections

Established connections show ESTABLISHED in the State column, so grep for it (with -p the owning process is shown as well):

$ netstat -atnp | grep ESTA

Use the watch command to refresh the list continuously (-d highlights what changed since the last refresh; -n0 refreshes as fast as watch allows, which it clamps to 0.1 seconds):

$ watch -d -n0 "netstat -atnp | grep ESTA"


View TCP connection status

netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
netstat -n |awk '/^tcp/ {print $NF}'|sort|uniq -c|sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]};END {for(a in S) print a, S[a]}'
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for(key in state) print key,"\t",state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]};END {for(k in arr) print k,"\t",arr[k]}'
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c
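The state histograms above (the sort section earlier and the six one-liners just listed) are the same idea written six ways. The following function, added here as an example and not part of the original page, is a reusable version of the /^tcp/ form: it reads netstat -nat output on stdin, skips the header lines because they never start with "tcp", counts tcp and tcp6 rows per state, and can be asked for a single state. The sample input is constructed to look like netstat output.

```sh
#!/bin/sh
# Added example (not from the original page): per-state TCP socket counts from
# `netstat -nat` output. SAMPLE_NETSTAT is constructed sample data.

SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.1.62.23:443          203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.1.62.23:443          203.0.113.7:51240       TIME_WAIT
tcp        0      0 10.1.62.23:443          198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.1.62.23:80           198.51.100.9:40002      SYN_RECV
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::1:443         2001:db8::beef:55000    ESTABLISHED'

# tcp_state_counts: prints "STATE COUNT", most frequent first (ties by name).
# $NF is the State column on tcp/tcp6 rows; the regex drops the header lines,
# which is why this form does not need the grep -v '[a-z]' trick.
tcp_state_counts() {
    awk '/^tcp/ { count[$NF]++ }
         END { for (s in count) print s, count[s] }' | sort -k2,2nr -k1,1
}

# tcp_state_count STATE: count for one state, 0 when that state is absent.
tcp_state_count() {
    tcp_state_counts | awk -v want="$1" '$1 == want { print $2; found = 1 }
                                          END { if (!found) print 0 }'
}

# Stand-alone run on the sample; on a live host: netstat -nat | tcp_state_counts
printf '%s\n' "$SAMPLE_NETSTAT" | tcp_state_counts
```

Feeding a live netstat -nat into tcp_state_count SYN_RECV in a loop is a cheap way to watch half-open connections during a suspected SYN flood, and tcp_state_count CLOSE_WAIT growing without bound usually points at an application that is not closing sockets.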

Find the IPs with the most TIME_WAIT connections (top 20). Replace TIME_WAIT with SYN_RECV to see who has the most half-open connections, which is what you want during a suspected SYN flood. $5 still contains the peer port here, so each peer port is counted separately; add awk -F: '{print $1}' as above to group by address.

netstat -n|grep TIME_WAIT|awk '{print $5}'|sort|uniq -c|sort -rn|head -n20

Use tcpdump to sniff port 80 and see which source IP sends the most packets (first 1000 packets). -t drops the timestamp and -nn keeps addresses and ports numeric, so each line starts with "IP a.b.c.d.port > ..." and the awk on "." recovers the source address; this only works for IPv4.

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr |head -n 20

Find the top 10 IPs by number of connections
This combination of commands is often used to find the source IPs of an attack on a website. Note that grep 80 (and /:80/ in the second form) matches any line containing "80", including port 8080 and addresses that contain 80; grep ':80 ' is stricter. The commands are as follows:

netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n10
netstat -ant |awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' |sort -rn|head -n10

This is most often used when website traffic increases unexpectedly, for example:

[root@test ~]# netstat -anlp|grep 80|grep tcp|awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n5
124 27.148.154.216
85 27.148.154.162
82 27.148.154.217
81 27.148.154.159
78 221.235.244.60
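The per-port peer counts (the top-20 list for 10.1.62.23:443 earlier, the TIME_WAIT list, and the two port-80 one-liners above) all share the same weaknesses: the port match is a loose substring, and awk -F: cuts IPv6 addresses at their first colon. The function below, added as an example and not from the original page, does the same job with an exact port comparison and takes the address before the last colon, and accepts an optional state filter so one function covers both the "all connections" and the "only TIME_WAIT" variants. The sample input is constructed to look like netstat -nat output.

```sh
#!/bin/sh
# Added example (not from the original page): top peer IPs for one local port
# from `netstat -nat` output, IPv6-safe, with an optional state filter.
# SAMPLE_CONNS is constructed sample data.

SAMPLE_CONNS='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.1.62.23:443          203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.1.62.23:443          203.0.113.7:51240       TIME_WAIT
tcp        0      0 10.1.62.23:443          203.0.113.7:51241       TIME_WAIT
tcp        0      0 10.1.62.23:443          198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.1.62.23:80           198.51.100.9:40002      SYN_RECV
tcp        0      0 10.1.62.23:8080         192.0.2.5:6000          ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::beef:55000    ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8::beef:55001    TIME_WAIT'

# top_peers LOCAL_PORT [STATE]: prints "COUNT IP", highest count first.
# The local port is compared against the text after the LAST colon of $4,
# so port 80 does not match :8080, and the peer address is everything in $5
# before its last colon, which keeps IPv6 addresses intact.
top_peers() {
    awk -v port="$1" -v want="${2:-}" '
        /^tcp/ {
            n = split($4, l, ":"); if (l[n] != port) next
            if (want != "" && $NF != want) next
            m = split($5, f, ":")
            ip = substr($5, 1, length($5) - length(f[m]) - 1)
            hits[ip]++
        }
        END { for (ip in hits) print hits[ip], ip }' | sort -k1,1nr
}

# Stand-alone runs on the sample; on a live host:
#   netstat -nat | top_peers 443          (all states)
#   netstat -nat | top_peers 443 TIME_WAIT
printf '%s\n' "$SAMPLE_CONNS" | top_peers 443
printf '%s\n' "$SAMPLE_CONNS" | top_peers 443 TIME_WAIT
```

Pipe the result through head -n 10 for the same top-10 view as the one-liners. Because the port test is exact, the 8080 connection in the sample never shows up when you ask about port 80, which the grep 80 form would have counted.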

See which crawlers are crawling my site (plaintext HTTP only; TLS traffic cannot be inspected this way). -s 0 captures whole packets and -w - writes the raw capture to stdout for strings to scan.

tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'

Get the most common Referer values, top 10. In the combined log format $11 is the Referer field, which is what the output below shows; to count the most requested files or pages use $7, the request path, instead.

[root@test logs]# cat miivey_access.log |awk '{print $11}'|sort|uniq -c|sort -nr|head -n 10
12817067 "http://www.abc.com/"
1279583 "http://www.abc.com/cn/"
387843 "http://www.habcd.com/"

Statistics of HTTP status codes
First, count each HTTP status code ($9) in the log and how many times it occurs:

[root@test logs]# cat miivey_access.log |awk '{print $9}'|sort|uniq -c|sort -rn
457030 200
17035 404

There are 457030 responses with status 200 and 17035 with status 404, which is a lot of 404s. A large number of 404s is worth checking: it often means a scanner is probing for files that do not exist on the site (the paths below are typical of that). List which paths produced them:

[root@test logs]# awk '($9 ~/404/)' miivey_access.log | awk '{print $9,$7}' | sort
404 /zzb.php
404 //zzk.aspx


Tags: CentOS

Posted by katuki on Wed, 18 May 2022 12:49:06 +0300