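Introduction to netstat
netstat is a command-line tool that lists all network socket connections on a system, including tcp, udp and unix sockets; it can also list sockets in the listening state (that is, waiting for incoming requests). If you want to confirm whether the web service on a system is up, you can check whether port 80 is open. These capabilities make netstat an essential tool for network and system administrators.
Syntax: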
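-a or --all: Show all sockets, listening and non-listening.
-A <family> or --<family>: List the addresses of connections for that address family.
-c or --continuous: List the network status continuously.
-C or --cache: Show the routing cache information.
-e or --extend: Show additional network information.
-F or --fib: Show the FIB.
-g or --groups: Show multicast group membership.
-h or --help: Show help.
-i or --interfaces: Show the network interface table.
-l or --listening: Show listening server sockets.
-M or --masquerade: Show masqueraded connections.
-n or --numeric: Use IP addresses directly, without going through a name server.
-N or --netlink or --symbolic: Show the symbolic names of network hardware devices.
-o or --timers: Show timers.
-p or --programs: Show the PID and name of the program using each socket.
-r or --route: Show the routing table.
-s or --statistics: Show network statistics.
-t or --tcp: Show TCP connections.
-u or --udp: Show UDP connections.
-v or --verbose: Show details of the command's execution.
-V or --version: Show version information.
-w or --raw: Show RAW connections.
-x or --unix: Same effect as specifying "-A unix".
--ip or --inet: Same effect as specifying "-A inet".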
Below are several netstat usages that come up often in day-to-day work.
netstat -a: list all connections for all sockets under tcp, udp and unix
netstat -at: list all tcp ports
netstat -au: list all udp ports
[root@Labhost1 ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 10.0.3.23:ssh 10.0.3.5:55734 ESTABLISHED
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6564 @/com/ubuntu/upstart
unix 2 [ ] DGRAM 6707 @/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 7696 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 7759 /var/run/acpid.socket
unix 4 [ ] DGRAM 7667 /dev/log
unix 2 [ ] DGRAM 115905
unix 2 [ ] DGRAM 7761
unix 3 [ ] STREAM CONNECTED 7708 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7707
unix 3 [ ] STREAM CONNECTED 7701
unix 3 [ ] STREAM CONNECTED 7700
unix 3 [ ] DGRAM 6723
unix 3 [ ] DGRAM 6722
[root@Labhost1 ~]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 48 10.0.3.23:ssh 10.0.3.5:55734 ESTABLISHED
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
[root@Labhost1 ~]# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
[root@Labhost1 ~]#
netstat -l: list all sockets in the listening state
netstat -lt: list all listening tcp ports
netstat -lu: list all listening udp ports
[root@Labhost1 ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 6564 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 7696 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 7759 /var/run/acpid.socket
[root@Labhost1 ~]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:6379 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
[root@Labhost1 ~]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
netstat -s: show statistics for all ports
netstat -st: show statistics for all tcp ports
netstat -su: show statistics for all udp ports
[root@Labhost1 ~]# netstat -s
Ip:
9294103 total packets received
73 with invalid addresses
0 forwarded
0 incoming packets discarded
9061117 incoming packets delivered
7007558 requests sent out
Icmp:
195 ICMP messages received
13 input ICMP message failed.
ICMP input histogram:
destination unreachable: 13
redirects: 164
echo requests: 15
echo replies: 3
43 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 25
echo request: 3
echo replies: 15
IcmpMsg:
InType0: 3
InType3: 13
InType5: 164
InType8: 15
OutType0: 15
OutType3: 25
OutType8: 3
Tcp:
46 active connections openings
29 passive connection openings
1 failed connection attempts
9 connection resets received
1 connections established
8629807 segments received
7007244 segments send out
141 segments retransmited
0 bad segments received.
78023 resets sent
Udp:
79 packets received
12 packets to unknown port received.
0 packet receive errors
130 packets sent
.................
[root@Labhost1 ~]# netstat -st
IcmpMsg:
InType0: 3
InType3: 13
InType5: 164
InType8: 15
OutType0: 15
OutType3: 25
OutType8: 3
Tcp:
46 active connections openings
29 passive connection openings
1 failed connection attempts
9 connection resets received
1 connections established
8629841 segments received
7007264 segments send out
142 segments retransmited
0 bad segments received.
78023 resets sent
UdpLite:
TcpExt:
2 packets pruned from receive queue because of socket buffer overrun
44 TCP sockets finished time wait in fast timer
2367 delayed acks sent
84 delayed acks further delayed because of locked socket
Quick ack mode was activated 77 times
8 packets directly queued to recvmsg prequeue.
4 packets directly received from prequeue
6774297 packets header predicted
29325 acknowledgments not containing data received
1776532 predicted acknowledgments
1 times recovered from packet loss due to SACK data
3 congestion windows recovered after partial ack
0 TCP data loss events
1 fast retransmits
70 other TCP timeouts
1138 packets collapsed in receive queue due to low socket buffer
79 DSACKs sent for old packets
1 DSACKs sent for out of order packets
7 connections aborted due to timeout
TCPSackShiftFallback: 7
IpExt:
InBcastPkts: 431025
InOctets: 10285747947
OutOctets: 5258545401
InBcastOctets: 44528877
[root@Labhost1 ~]# netstat -su
IcmpMsg:
InType0: 3
InType3: 13
InType5: 164
InType8: 15
OutType0: 15
OutType3: 25
OutType8: 3
Udp:
79 packets received
12 packets to unknown port received.
0 packet receive errors
130 packets sent
UdpLite:
IpExt:
InBcastPkts: 431025
InOctets: 10285748575
OutOctets: 5258547489
InBcastOctets: 44528877
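When looking at port and connection information, being able to see the corresponding process name and PID is very helpful to a system administrator. For example, Apache's httpd service opens port 80; if you want to check whether the http service has started, or whether it was started by apache or nginx, you can look at the process name.
netstat -p: show the PID and process name in the output
netstat -p can be combined with other switches to add "PID/Program name" to the netstat output, which makes it easy to find the program running on a particular port when debugging.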
[root@Labhost1 ~]# netstat -pnt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 48 10.0.3.23:22 10.0.3.5:57993 ESTABLISHED 3745/sshd
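When using the -p option, netstat must be run with root privileges; otherwise it cannot obtain the names of processes running with root privileges, and many services, including http and ftp, run with root privileges.
Even more useful than the process name and PID is the owner of the process. Use the -ep options to see the process name and the user name together.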
[root@Labhost1 ~]# netstat -lntpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN 501 7879 1096/redis-server *
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 7814 1066/sshd
tcp 0 0 :::6379 :::* LISTEN 501 7878 1096/redis-server *
tcp 0 0 :::22 :::* LISTEN 0 7816 1066/sshd
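The command above lists the listening sockets under TCP, together with process information and some extra information; the extra information includes the user name and the inode number. This command is very useful for network administrators.
Note: if you use the -n and -e options together, the User column shows the user's ID number rather than the user name.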
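Use the -r option to print the kernel routing information. The output is the same as that of the route command. We can also use the -n option to disable name resolution.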
[root@Labhost1 ~]# netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 10.0.3.1 0.0.0.0 UG 0 0 0 eth0
netstat -c: print netstat information continuously
[root@Labhost1 ~]# netstat -c # netstat prints the network information every second
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 48 10.0.3.23:ssh 10.0.3.5:57993 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 6707 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7667 /dev/log
unix 2 [ ] DGRAM 116410
unix 2 [ ] DGRAM 7761
unix 3 [ ] STREAM CONNECTED 7708 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7707
unix 3 [ ] STREAM CONNECTED 7701
unix 3 [ ] STREAM CONNECTED 7700
unix 3 [ ] DGRAM 6723
unix 3 [ ] DGRAM 6722
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.3.23:ssh 10.0.3.5:57993 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 6707 @/org/kernel/udev/udevd
unix 4 [ ] DGRAM 7667 /dev/log
unix 2 [ ] DGRAM 116410
unix 2 [ ] DGRAM 7761
unix 3 [ ] STREAM CONNECTED 7708 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 7707
unix 3 [ ] STREAM CONNECTED 7701
unix 3 [ ] STREAM CONNECTED 7700
unix 3 [ ] DGRAM 6723
unix 3 [ ] DGRAM 6722
netstat -i: print network interface information
[root@Labhost1 ~]# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 52030085 0 651 0 7034683 0 0 0 BMRU
lo 16436 0 19 0 0 0 19 0 0 0 LRU
The output above is fairly raw. Combining the -e option with the -i option gives more user-friendly output.
[root@Labhost1 ~]# netstat -ie
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 52:54:00:8C:C7:A3
inet addr:10.0.3.23 Bcast:10.0.1.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe8c:c7a3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:52067093 errors:0 dropped:651 overruns:0 frame:0
TX packets:7034772 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:12260773240 (11.4 GiB) TX bytes:5357831569 (4.9 GiB)
Interrupt:11
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:19 errors:0 dropped:0 overruns:0 frame:0
TX packets:19 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1388 (1.3 KiB) TX bytes:1388 (1.3 KiB)
The output above is the same as that of ifconfig.
[root@Labhost1 ~]# netstat --verbose # the following appears at the end of the output
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
Not every process can be found: those you lack permission for are not shown. Use root privileges to see all the information.
[root@Labhost1 ~]# netstat -anp |grep ssh
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1066/sshd
tcp 0 48 10.0.3.23:22 10.0.3.5:57993 ESTABLISHED 3745/sshd
tcp 0 0 :::22 :::* LISTEN 1066/sshd
unix 2 [ ] DGRAM 116410 3745/sshd
[root@Labhost1 ~]# netstat -an |grep ':6379'
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN
tcp 0 0 :::6379 :::* LISTEN
[root@Labhost1 ~]# netstat -nat | grep "10.0.3.23:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20
1 10.0.3.5
[root@Labhost1 ~]# netstat -ant |awk '{print $6}' |sort | uniq -c
1 established)
1 ESTABLISHED
1 Foreign
4 LISTEN
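An added example, not part of the original article: the last pipeline above counts the header words "established)" and "Foreign" as states, and splitting on the first colon loses the address of an IPv6 peer. The two functions below skip the header lines and strip the port at the last colon; the sample input is constructed, and the TIME_WAIT line and the ::ffff: mapped peer are made up for illustration.

```shell
# Constructed sample in the column layout of `netstat -ant`.
sample_conns() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 48 10.0.3.23:22 10.0.3.5:57993 ESTABLISHED
tcp 0 0 10.0.3.23:22 10.0.3.5:58001 TIME_WAIT
tcp 0 0 ::ffff:10.0.3.23:22 ::ffff:10.0.3.9:40112 ESTABLISHED
tcp 0 0 :::22 :::* LISTEN
EOF
}

# Count sockets per TCP state; only lines whose first field starts with
# "tcp" are counted, so the two header lines never show up as states.
state_counts() {
  awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' |
    sort -k1,1nr -k2,2
}

# Count non-listening connections to local port $1, grouped by remote address.
# The remote port is removed at the last colon, so IPv6 peers stay intact.
peers_of_port() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lp = $4
      sub(/.*:/, "", lp)                   # local port
      if (lp != port) next
      peer = $5
      sub(/:[^:]*$/, "", peer)             # drop ":port" from the remote side
      n[peer]++
    }
    END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# Run against the constructed sample.
sample_conns | state_counts
sample_conns | peers_of_port 22
```

On a live host, feed the functions from `netstat -ant`, for example `netstat -ant | peers_of_port 22`.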