Common netstat commands
Find the program occupying port 8080 (this is the most commonly used one)
$ sudo netstat -antp|grep 8080
Count the concurrent connections of java
$ sudo netstat -np|grep java|wc -l
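Show the 20 IPs with the most requests to port 80 (to find the source of an attack). The awk filter matches the local port exactly, so port 8080 or an address that merely contains 80 is not counted.
$ netstat -anlp|awk '$1 ~ /^tcp/ && $4 ~ /:80$/ {print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -n20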
Show the states of TCP ports
$ netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn
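
The two counts above (top source IPs for a port, and connections per TCP state) combined into reusable functions, as an added example that is not from the original page. It matches the local port field exactly and keeps IPv6 addresses intact; the function names and the sample netstat output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): per-IP and per-state counts for one local port.

# Constructed sample of `netstat -ant` output, using documentation address ranges.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.80:50222     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:41000      TIME_WAIT
EOF
}

# top_talkers PORT [N]: read `netstat -ant` on stdin, print "count ip" for the N busiest peers.
top_talkers() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      lp = $4; sub(/.*:/, "", lp)          # local port is the text after the last colon
      if (lp != port) next                 # exact match: 8080 and :22 lines are skipped
      ip = $5; sub(/:[^:]*$/, "", ip)      # drop the remote port, keep IPv4 or IPv6 address
      n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | LC_ALL=C sort -k1,1nr -k2,2 | head -n "${2:-20}"
}

# state_counts PORT: print "count STATE" for sockets on that local port.
state_counts() {
  awk -v port="$1" '
    $1 ~ /^tcp/ {
      lp = $4; sub(/.*:/, "", lp)
      if (lp == port) s[$6]++
    }
    END { for (st in s) print s[st], st }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Run on the constructed sample; on a live host use: netstat -ant | top_talkers 80
sample_netstat | top_talkers 80
sample_netstat | state_counts 80
```

A single peer holding many SYN_RECV entries on the port, as 198.51.100.7 does in the sample, is the pattern worth investigating first.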
Parameter summary
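-a  show both listening and non-listening sockets; by default listening sockets are not shown
-t  show TCP only; by default everything is shown
-u  show UDP only; by default everything is shown
-n  do not show aliases; show numbers instead
-l  list only services that are in the LISTEN state
-p  show the name of the program that owns each connection; sudo is needed to see the PIDs of programs started by other users
-r  show the routing table
-c  run the netstat command again at a fixed interval (in seconds)
-i  show the status of each network interface
-s  show statistics per protocol

You can check the -antp used above against this list.

TCP port states
TCP ports have the following common states:

1. LISTENING
Shown by netstat as LISTEN. When we start a service on port 80, port 80 is put into the LISTEN state, so that a browser can connect to our port 80.

2. ESTABLISHED
The two ports have connected successfully and are communicating.

3. CLOSE_WAIT
The peer closed the connection, or a network error interrupted it. Our side's state then becomes CLOSE_WAIT, and our side must call close() to close the connection.

4. TIME_WAIT
Our side called close() to disconnect, and after receiving the peer's acknowledgement the state becomes TIME_WAIT. The TCP protocol specifies that the TIME_WAIT state lasts for 2MSL (twice the maximum segment lifetime), to ensure that the state of the old connection cannot affect a new connection. A connection in the TIME_WAIT state is not released by the kernel during that time, so a server should, where possible, avoid being the side that closes the connection, in order to reduce the resources wasted on TIME_WAIT.

-a parameter
Show both listening and non-listening sockets. By default listening sockets are not shown.

$ netstat
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 hu_bo1:47054            hu_bo1:8961             TIME_WAIT
tcp        0      0 hu_bo1:6981             192.168.6.80:54645      ESTABLISHED
tcp       41      0 localhost:8092          localhost:25272         CLOSE_WAIT

$ netstat -a
tcp        0      0 *:acnet                 *:*                     LISTEN        # this line is new
tcp        0      0 hu_bo1:47054            hu_bo1:8961             TIME_WAIT
tcp        0      0 hu_bo1:6981             192.168.6.80:54645      ESTABLISHED
tcp       41      0 localhost:8092          localhost:25272         CLOSE_WAIT

Recv-Q is the receive queue and Send-Q is the send queue. These numbers are normally 0; if they are not, network packets are piling up.

-t parameter
Show TCP ports only. By default everything is shown.

$ netstat
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      0 hu_bo1:47054            hu_bo1:8961                 TIME_WAIT
tcp        0      0 hu_bo1:6981             192.168.6.80:54645          ESTABLISHED
tcp       41      0 localhost:8092          localhost:25272             CLOSE_WAIT
tcp        0      0 SHTU-ABC-05.abc:griffin SHTU-REDIS-21-104.abc:6062  ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node     Path
unix  7      [ ]         DGRAM                    74370628   /dev/log
unix  2      [ ]         DGRAM                    834846110

The "Active UNIX domain sockets" part lists Unix domain sockets, which can only be used for communication between processes on the local machine and perform better than TCP.

$ netstat -t
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      0 hu_bo1:47054            hu_bo1:8961                 TIME_WAIT
tcp        0      0 hu_bo1:6981             192.168.6.80:54645          ESTABLISHED
tcp       41      0 localhost:8092          localhost:25272             CLOSE_WAIT
tcp        0      0 SHTU-ABC-05.abc:griffin SHTU-REDIS-91-14.abc:6062   ESTABLISHED
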
-u parameter
Show UDP ports only. By default everything is shown.

-n parameter
Do not show aliases; show numbers instead.

$ netstat
Proto Recv-Q Send-Q Local Address           Foreign Address             State
tcp        0      0 hu_bo1:47054            hu_bo1:8961                 TIME_WAIT
tcp        0      0 hu_bo1:6981             192.168.6.80:54645          ESTABLISHED
tcp       41      0 localhost:8092          localhost:25272             CLOSE_WAIT
tcp        0      0 SHTU-ABC-05.abc:griffin SHTU-REDIS-21-104.abc:6062  ESTABLISHED

As shown below, everything is displayed as an IP address:

$ netstat -n
tcp        0      0 192.168.17.13:47054     192.168.17.13:8961      TIME_WAIT
tcp        0      0 192.168.17.13:6981      192.168.6.80:54645      ESTABLISHED
tcp       41      0 127.0.0.1:8092          127.0.0.1:25272         CLOSE_WAIT

-l parameter
List only services that are in the LISTEN state.

$ netstat -l
tcp        0      0 hu_bo1:6981             *:*                     LISTEN
tcp        0      0 *:2189                  *:*                     LISTEN
tcp        0      0 hu_bo1:11213            *:*                     LISTEN
tcp        0      0 hu_bo1:6586             *:*                     LISTEN

-p parameter
Show the name of the program that owns each connection. sudo is needed to see the PIDs of programs started by other users.

$ sudo netstat -p
tcp        0      0 hu_bo1:6981             192.168.77.80:52256     ESTABLISHED 6458/redis-server 1
tcp        0      0 hu_bo1:6980             hu_bo1:11802            ESTABLISHED 6418/redis-server 1
tcp        0      0 hu_bo1:6980             192.168.77.80:65120     ESTABLISHED 6418/redis-server 1

-r parameter
Show the routing table.

$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.77.0    *               255.255.255.0   U         0 0          0 em2
link-local      *               255.255.0.0     U         0 0          0 em1
link-local      *               255.255.0.0     U         0 0          0 em2
192.168.0.0     192.168.77.1    255.255.0.0     UG        0 0          0 em2

-i parameter
Show the status of each network interface.

$ netstat -i
Kernel Interface table
Iface   MTU Met       RX-OK RX-ERR RX-DRP RX-OVR       TX-OK TX-ERR TX-DRP TX-OVR Flg
em1    1500   0   120567162      0      0      0    90527177      0      0      0 BMRU
em2    1500   0  5357249686      0      0      0  4400173145      0      0      0 BMRU
lo    65536   0 49625810403      0      0      0 49625810403      0      0      0 LRU

Column meanings
RX-OK   packets received correctly
RX-ERR  packets received with errors
RX-DRP  packets dropped on receive
RX-OVR  packets lost on receive because of overrun (data is lost because the receiving device cannot accept data at the rate at which it is sent)
TX-OK   packets sent correctly
TX-ERR  packets that produced errors on send
TX-DRP  packets dropped on send
TX-OVR  packets lost on send because of overrun
Flg     flags:
  B  a broadcast address has been set
  L  the interface is a loopback device
  M  all packets are received (promiscuous mode)
  N  trailers are avoided
  O  ARP is disabled on this interface
  P  this is a point-to-point link
  R  the interface is running
  U  the interface is up

-c parameter
Run the command once every 10 seconds:

$ netstat -p -c 10

-s parameter
Show statistics per protocol. When the machine's network is performing poorly, this parameter can be used for analysis.

$ netstat -s
Ip:
    54102745340 total packets received
    0 forwarded
    0 incoming packets discarded
    54086127151 incoming packets delivered
    54101665338 requests sent out
Icmp:    # Internet Control Message Protocol, used to pass control messages between IP hosts and routers
    1077840 ICMP messages received
    2145 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 2475
        timeout in transit: 248
        wrong parameters: 1
        source quenches: 3
        redirects: 1
        echo requests: 1075034
        echo replies: 69
        timestamp request: 3
    1129878 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 54769
        echo request: 72
        echo replies: 1075034
        timestamp replies: 3
IcmpMsg:
        InType0: 69
        InType3: 2475
        InType4: 3
        InType5: 1
        InType8: 1075034
        InType11: 248
        InType12: 1
        InType13: 3
        OutType0: 1075034
        OutType3: 54769
        OutType8: 72
        OutType14: 3
Tcp:
    4149941351 active connections openings
    1022620333 passive connection openings
    3095563980 failed connection attempts
    100271379 connection resets received
    1084 connections established    # how many connections there are at the moment
    54083689577 segments received
    54084074455 segments send out
    15055961 segments retransmited
    195874 bad segments received.
    3856575743 resets sent
Udp:
    1241256 packets received
    54773 packets to unknown port received.
    0 packet receive errors
    1405039 packets sent
UdpLite:
TcpExt:
    247872 invalid SYN cookies received
    16618 resets received for embryonic SYN_RECV sockets
    1240 packets pruned from receive queue because of socket buffer overrun
    60 packets pruned from receive queue
    1 packets dropped from out-of-order queue because of socket buffer overrun
    29 ICMP packets dropped because they were out-of-window
    78559379 TCP sockets finished time wait in fast timer
    883371423 time wait sockets recycled by time stamp
    1535 packets rejects in established connections because of timestamp
    182605148 delayed acks sent
    32564 delayed acks further delayed because of locked socket
    Quick ack mode was activated 821546 times
    2675061 times the listen queue of a socket overflowed
    2675061 SYNs to LISTEN sockets ignored
    19271359 packets directly queued to recvmsg prequeue.
    7399328202 packets directly received from backlog
    6765697193 packets directly received from prequeue
    35764943050 packets header predicted
    6579353 packets header predicted and directly queued to user
    4032336419 acknowledgments not containing data received
    34697552082 predicted acknowledgments
    2816 times recovered from packet loss due to SACK data
    Detected reordering 15 times using FACK
    Detected reordering 89 times using SACK
    Detected reordering 81 times using time stamp
    194 congestion windows fully recovered
    1916 congestion windows partially recovered using Hoe heuristic
    TCPDSACKUndo: 9657
    4637954 congestion windows recovered after partial ack
    37163 TCP data loss events
    TCPLostRetransmit: 503
    46377 timeouts after SACK recovery
    442 timeouts in loss state
    13532 fast retransmits
    4104 forward retransmits
    10183 retransmits in slow start
    13670540 other TCP timeouts
    192 sack retransmits failed
    1 times receiver scheduled too late for direct processing
    256454 packets collapsed in receive queue due to low socket buffer
    822253 DSACKs sent for old packets
    1212 DSACKs sent for out of order packets
    42832 DSACKs received
    18 DSACKs for out of order packets received
    85408336 connections reset due to unexpected data
    251901 connections reset due to early user close
    8215 connections aborted due to timeout
    TCPDSACKIgnoredOld: 105
    TCPDSACKIgnoredNoUndo: 4023
    TCPSpuriousRTOs: 389
    TCPSackShifted: 38352
    TCPSackMerged: 77354
    TCPSackShiftFallback: 285038
    TCPBacklogDrop: 4806
    TCPChallengeACK: 599326
    TCPSYNChallenge: 503530
    TCPFromZeroWindowAdv: 52647
    TCPToZeroWindowAdv: 52647
    TCPWantZeroWindowAdv: 12002148
IpExt:
    InBcastPkts: 37
    InOctets: 12648107098338
    OutOctets: 10787636949021
    InBcastOctets: 19328