Introduction
The netstat command displays a variety of network-related information: network connections, routing tables, interface statistics, masquerade connections, multicast memberships, and so on.
Meaning of the output
Running netstat with no options produces output like the following:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 210.34.6.89:telnet      210.34.6.96:2873        ESTABLISHED
tcp      296      0 210.34.6.89:1165        210.34.6.84:netbios-ssn ESTABLISHED
tcp        0      0 localhost.localdom:9001 localhost.localdom:1162 ESTABLISHED
tcp        0      0 localhost.localdom:1162 localhost.localdom:9001 ESTABLISHED
tcp        0     80 210.34.6.89:1161        210.34.6.10:netbios-ssn CLOSE
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  1      [ ]         STREAM     CONNECTED     16178  @000000dd
unix  1      [ ]         STREAM     CONNECTED     16176  @000000dc
unix  9      [ ]         DGRAM                    5292   /dev/log
unix  1      [ ]         STREAM     CONNECTED     16182  @000000df

Broadly, netstat's output has two parts:
The first is Active Internet connections, the active TCP connections. Here Recv-Q and Send-Q are the receive queue and the send queue. These numbers should normally be 0; a non-zero value means packets are accumulating in that queue, which is something you will rarely see.
The second is Active UNIX domain sockets, the active Unix-domain sockets (they work like network sockets but can only be used for communication within the local host, which makes them about twice as fast). Proto shows the protocol the socket uses, RefCnt the number of processes attached to it, Type the socket type, State its current state, and Path the pathname other processes use to connect to it.
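As an added example (not part of the original article), the following shell snippet checks the condition described above: it reads netstat's Active Internet connections section and reports every socket whose Recv-Q or Send-Q is non-zero. The listing it parses is constructed sample data modelled on the output shown; on a real host, run `netstat -nat | nonzero_queues` instead of the sample function.

```sh
#!/bin/sh
# Added example: flag sockets with data sitting in the receive or send queue.
# Input is netstat's "Active Internet connections" section on stdin.

# Constructed sample, modelled on the listing above (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      2 210.34.6.89:23          210.34.6.96:2873        ESTABLISHED
tcp      296      0 210.34.6.89:1165        210.34.6.84:139         ESTABLISHED
tcp        0      0 127.0.0.1:9001          127.0.0.1:1162          ESTABLISHED
tcp        0      0 127.0.0.1:1162          127.0.0.1:9001          ESTABLISHED
tcp        0     80 210.34.6.89:1161        210.34.6.10:139         CLOSE
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Print one line per socket whose Recv-Q ($2) or Send-Q ($3) is non-zero.
# Only rows whose first field is tcp/tcp6/udp/udp6 are examined, so the two
# header lines (and any "unix" rows that follow) are skipped automatically.
nonzero_queues() {
    awk '$1 ~ /^(tcp|udp)6?$/ && ($2 > 0 || $3 > 0) {
        printf "%s recvq=%s sendq=%s %s -> %s %s\n", $1, $2, $3, $4, $5, $6
    }'
}

# Number of such sockets; a non-zero result is what the text says should be rare.
count_nonzero_queues() {
    nonzero_queues | awk 'END { print NR }'
}

sample_netstat | nonzero_queues
```

The awk filter keys on the Proto column rather than skipping a fixed number of header lines, so the same function works whether or not the UNIX domain sockets section follows the Internet connections.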
Common options
-a (all)  show all sockets; by default sockets in the LISTEN state are not shown
-t (tcp)  show only TCP sockets
-u (udp)  show only UDP sockets
-n        do not resolve names; everything that can be shown numerically is shown as a number
-l        list only sockets that are listening
-p        show the program that owns each socket
-r        show routing information (the routing table)
-e        show extended information, such as the uid
-s        show statistics per protocol
-c        re-run netstat at a fixed interval
Note: the LISTEN and LISTENING states are only visible with -a or -l.
Practical examples
1. List all ports (listening and non-listening)
List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

List all TCP ports: netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all UDP ports: netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

2. 列出所有處于監(jiān)聽狀態(tài)的 Sockets
只顯示監(jiān)聽端口 netstat -l
?
#?netstat?-l ?Active?Internet?connections?(only?servers) ?Proto?Recv-Q?Send-Q?Local?Address???????????Foreign?Address?????????State ?tcp????????0??????0?localhost:ipp???????????*:*?????????????????????LISTEN ?tcp6???????0??????0?localhost:ipp???????????[::]:*??????????????????LISTEN ?udp????????0??????0?*:49119?????????????????*:*
?
只列出所有監(jiān)聽 tcp 端口 netstat -lt
?
#?netstat?-lt ?Active?Internet?connections?(only?servers) ?Proto?Recv-Q?Send-Q?Local?Address???????????Foreign?Address?????????State ?tcp????????0??????0?localhost:30037?????????*:*?????????????????????LISTEN ?tcp????????0??????0?*:smtp??????????????????*:*?????????????????????LISTEN ?tcp6???????0??????0?localhost:ipp???????????[::]:*??????????????????LISTEN
?
只列出所有監(jiān)聽 udp 端口 netstat -lu
?
#?netstat?-lu ?Active?Internet?connections?(only?servers) ?Proto?Recv-Q?Send-Q?Local?Address???????????Foreign?Address?????????State ?udp????????0??????0?*:49119?????????????????*:* ?udp????????0??????0?*:mdns??????????????????*:*
?
只列出所有監(jiān)聽 UNIX 端口 netstat -lx
?
#?netstat?-lx ?Active?UNIX?domain?sockets?(only?servers) ?Proto?RefCnt?Flags???????Type???????State?????????I-Node???Path ?unix??2??????[?ACC?]?????STREAM?????LISTENING?????6294?????private/maildrop ?unix??2??????[?ACC?]?????STREAM?????LISTENING?????6203?????public/cleanup ?unix??2??????[?ACC?]?????STREAM?????LISTENING?????6302?????private/ifmail ?unix??2??????[?ACC?]?????STREAM?????LISTENING?????6306?????private/bsmtp
?
3. Show statistics for each protocol
Show statistics for all ports: netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
Tcp:
    582 active connections openings
    2 failed connection attempts
    25 connection resets received
Udp:
    1183 packets received
    4 packets to unknown port received.
.....

Show TCP or UDP statistics only: netstat -st or netstat -su

# netstat -st
# netstat -su

4. Show the PID and process name in netstat output: netstat -p
netstat -p can be combined with the other options to add a PID/Program name column to the output, which makes it easy to see which program is behind a given port when debugging.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www      CLOSE_WAIT  2109/firefox
tcp        0      0 ramesh-laptop.loc:52750 lax:www                 ESTABLISHED 2109/firefox

5. Omit host, port and user names from the output
When you do not want host names, port names and user names displayed, use netstat -n; numbers are printed in their place.
This also speeds up the output, since no lookups have to be performed.

# netstat -an

To suppress only one of the three, use one of the following:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Continuous netstat output
With -c, netstat re-prints the network information every second.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www      CLOSING
tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www      CLOSING
^C

7. Show address families the system does not support

netstat --verbose

At the end of the output there are lines like these:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Show the kernel routing table: netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
link-local      *               255.255.0.0     U         0 0          0 eth2
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: use netstat -rn to print the table numerically, without host-name lookups.
9. Find the port a program is using
Not every process can be found this way: for sockets belonging to processes you lack permission for, the PID/program column is not filled in (it appears as -); run as root to see all of them.

# netstat -ap | grep ssh
tcp        1      0 dev-db:ssh           101.174.100.22:39213        CLOSE_WAIT  -
tcp        1      0 dev-db:ssh           101.174.100.22:57643        CLOSE_WAIT  -

Find the process using a given port (the command below lists the sockets on that port; add -p to also see the owning process)

# netstat -an | grep ':80'

10. Show the list of network interfaces

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
eth2       1500 0     26196      0      0 0         26883      6      0      0 BMRU
lo        16436 0         4      0      0 0             4      0      0      0 LRU

Show detailed information, similar to ifconfig, with netstat -ie:

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 004011:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000

11. IP and TCP analysis
Find the IP addresses with the most connections to a given service port

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215
2 124.193.219.34
2 119.145.41.2
2 114.255.41.30
1 75.102.11.99

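An added example, not from the original article, that does the same ranking as the pipeline above but handles IPv6 peers correctly: splitting on ":" and keeping the first field turns an address such as 2001:db8::1:40000 into "2001", so the function below strips only the trailing ":port". The netstat listing is constructed sample data (the 2001:db8:: addresses are documentation-range placeholders); on a real host use `netstat -nat | top_clients 22`.

```sh
#!/bin/sh
# Added example: rank remote addresses by number of connections to one local port.
# Input is `netstat -nat` output on stdin; every value below is constructed.

sample_nat_ssh() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.15:22         221.136.168.36:50122    ESTABLISHED
tcp        0      0 192.168.1.15:22         221.136.168.36:50130    ESTABLISHED
tcp        0      0 192.168.1.15:22         221.136.168.36:50141    TIME_WAIT
tcp        0      0 192.168.1.15:22         154.74.45.242:41002     ESTABLISHED
tcp        0      0 192.168.1.15:80         10.0.0.7:33001          ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::15:22         2001:db8::1:40000       ESTABLISHED
tcp6       0      0 2001:db8::15:22         2001:db8::1:40001       ESTABLISHED
EOF
}

# top_clients PORT [N]: count connections per remote address on local PORT
# (default N = 10 rows). Only tcp/tcp6 rows whose local address ends in
# ":PORT" are used; LISTEN rows are skipped because their foreign address is
# "*" rather than a peer. The peer's port is removed by stripping the trailing
# ":digits", which leaves IPv6 addresses intact.
top_clients() {
    port=$1
    limit=${2:-10}
    awk -v port="$port" '
        $1 ~ /^tcp6?$/ && $6 != "LISTEN" && $4 ~ (":" port "$") {
            addr = $5
            sub(/:[0-9]+$/, "", addr)
            count[addr]++
        }
        END { for (a in count) print count[a], a }' | sort -rn | head -n "$limit"
}

sample_nat_ssh | top_clients 22
```

Because the match is anchored on ":PORT" at the end of the local address, port 22 does not also pick up port 2222, and the same function works for the page's access-log style of question (who is hitting port 80) with `top_clients 80`.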
List of TCP states

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'
established)
Foreign
LISTEN
TIME_WAIT
ESTABLISHED
TIME_WAIT
SYN_SENT

First extract all the states, then count them with uniq -c, then sort. (The entries Foreign and established) are not states: they come from the two header lines, which this pipeline does not skip.)

wss8848@ubuntu:~$ netstat -nat |awk '{print $6}'|sort|uniq -c
143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established)

The final command is:

netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

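As an added example (not part of the original article), here is a version of this count that skips the header lines by keying on the Proto column, so Foreign and established) never appear, plus a helper that returns the count for a single state so a monitoring script can compare it against a threshold. The input is constructed sample data; on a real host pipe `netstat -nat` into the functions instead.

```sh
#!/bin/sh
# Added example: per-state TCP socket counts from `netstat -nat` output.
# The sample data below is constructed, not captured from a real host.

sample_nat_states() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.15:22         221.136.168.36:50122    ESTABLISHED
tcp        0      0 192.168.1.15:80         10.0.0.7:33001          ESTABLISHED
tcp        0      0 192.168.1.15:80         10.0.0.8:33002          ESTABLISHED
tcp        0      0 192.168.1.15:80         10.0.0.9:33003          TIME_WAIT
tcp        0      0 192.168.1.15:80         10.0.0.10:33004         TIME_WAIT
tcp        0      0 192.168.1.15:80         10.0.0.11:33005         TIME_WAIT
tcp        0      1 192.168.1.15:49152      203.0.113.9:443         SYN_SENT
tcp6       0      0 2001:db8::15:22         2001:db8::1:40000       ESTABLISHED
EOF
}

# Count sockets per TCP state, most frequent first. Only rows whose first
# field is tcp/tcp6 are counted, so the header lines never turn into the
# bogus states "Foreign" and "established)" that `awk '{print $6}'` alone yields.
tcp_state_counts() {
    awk '$1 ~ /^tcp6?$/ { count[$6]++ }
         END { for (s in count) print count[s], s }' | sort -rn
}

# state_count STATE: number of sockets in one state (0 when there are none),
# e.g. `[ "$(netstat -nat | state_count SYN_SENT)" -gt 100 ]` as an alert
# condition in a cron job (the 100 is an illustrative threshold, not a standard).
state_count() {
    awk -v want="$1" '$1 ~ /^tcp6?$/ && $6 == want { n++ } END { print n + 0 }'
}

sample_nat_states | tcp_state_counts
```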
Get the top 10 client IP addresses from access.log

awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -10

Reviewing editor: 湯梓紅