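The netstat command displays various kinds of network information, such as network connections, routing tables, interface statistics, masquerade connections, multicast memberships, and so on.
Below is the result of running netstat with no arguments: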
    v-lover@vlover-ThinkPad-SL410:~/Desktop/adsf$ netstat
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 vlover-ThinkPad-S:52949 m53-177.yeah.net:imap2  ESTABLISHED
    tcp        0      0 vlover-ThinkPad-S:52939 m53-177.yeah.net:imap2  ESTABLISHED
    tcp        0      0 localhost:47401         localhost:55172         ESTABLISHED
    ........
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  22     [ ]         DGRAM                    8207     /dev/log
    unix  2      [ ]         DGRAM                    10637    /var/run/wpa_supplicant/wlan0
    unix  3      [ ]         STREAM     CONNECTED     47178
    unix  3      [ ]         STREAM     CONNECTED     25397
    unix  3      [ ]         STREAM     CONNECTED     185364   @/tmp/dbus-sNwQCrdAbC
    unix  3      [ ]         STREAM     CONNECTED     103803   @/tmp/dbus-sNwQCrdAbC
    .........
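As the output above shows, netstat's output is divided into two parts:
One is Active Internet connections, called active TCP connections, where "Recv-Q" and "Send-Q" are the receive queue and the send queue. These numbers should generally be 0. If they are not, packets are piling up in the queue. This is seen only very rarely.
The other is Active UNIX domain sockets, called active Unix domain sockets (the same as network sockets, but usable only for communication on the local machine; performance can be doubled).
Proto shows the protocol used by the connection, RefCnt is the number of processes attached to this socket, Type shows the socket type, State shows the current state of the socket, and Path is the path name used by other processes connected to the socket.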
Options:
--verbose, -v Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.
--wide, -W Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts.
--numeric, -n Show numerical addresses instead of trying to determine symbolic host, port or user names. (-n: do not show aliases; everything that can be shown as a number is converted to a number)
--numeric-hosts shows numerical host addresses but does not affect the resolution of port or user names.
--numeric-ports shows numerical port numbers but does not affect the resolution of host or user names.
--numeric-users shows numerical user IDs but does not affect the resolution of host or port names.
--protocol=family, -A Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (',') separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options. The address family inet includes raw, udp and tcp protocol sockets.
-c, --continuous This will cause netstat to print the selected information every second continuously. (runs the netstat command at a fixed interval)
-e, --extend Display additional information. Use this option twice for maximum detail. (shows extended information, such as the uid)
-o, --timers Include information related to networking timers.
-p, --program Show the PID and name of the program to which each socket belongs. (shows the name of the program that established the connection)
-l, --listening Show only listening sockets. (These are omitted by default.) (lists only services in the LISTEN state)
-a, --all Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not up. (shows everything; LISTEN-related entries are not shown by default)
-F Print routing information from the FIB. (This is the default.)
-C Print routing information from the route cache.
-t Show only TCP-related entries
-u Show only UDP-related entries
-r Show routing information (the routing table)
-s Show statistics for each protocol
(The LISTEN and LISTENING states can only be seen with -a or -l.)
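Examples (the on-screen output is not copied here in full):
1. List all ports: netstat -a
2. List all TCP ports: netstat -at
3. List all UDP ports: netstat -au
4. Show only listening ports: netstat -l
5. List only listening TCP ports: netstat -lt
6. List only listening UDP ports: netstat -lu
7. List only listening UNIX ports: netstat -lx
8. Show statistics for all ports: netstat -s
9. Show statistics for TCP or UDP ports: netstat -st or -su
10. Show the PID and process name in netstat output: netstat -p. netstat -p can be combined with other switches to add "PID/Program name" to the netstat output, which makes it easy when debugging to find the program running on a particular port.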
    v-lover@vlover-ThinkPad-SL410:~/Desktop/adsf$ netstat -pt
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 vlover-ThinkPad-S:52939 m53-177.yeah.net:imap2  ESTABLISHED 4558/thunderbird
    tcp        0   1909 vlover-ThinkPad-S:45789 123.125.115.43:http     ESTABLISHED 4260/chromium-brows
    tcp        0      0 localhost:47401         localhost:55172         ESTABLISHED 3545/wineserver
    tcp        0   1951 vlover-ThinkPad-S:45788 123.125.115.43:http     ESTABLISHED 4260/chromium-brows
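11. Do not show host, port and user names in netstat output. When you do not want host, port and user names to be displayed, use netstat -n. Numbers are used in place of those names. This also speeds up the output, because no lookups are performed.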
    v-lover@vlover-ThinkPad-SL410:~/Desktop/adsf$ netstat -an
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:8307          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.101:52939     123.58.177.53:143       ESTABLISHED
If you want to suppress only one of these three kinds of name, use the following commands:
    # netstat -a --numeric-ports
    # netstat -a --numeric-hosts
    # netstat -a --numeric-users
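12. Print netstat information continuously: netstat -c. netstat prints the network information once every second.
13. Show the address families the system does not support: netstat --verbose. The end of the output shows: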
    netstat: no support for `AF IPX' on this system.
    netstat: no support for `AF AX25' on this system.
    netstat: no support for `AF X25' on this system.
    netstat: no support for `AF NETROM' on this system.
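14. Show kernel routing information: netstat -r. Use netstat -rn to show it in numeric format without looking up host names.
15. Find the port a program is running on: netstat -ap. Not every process can be found; those you do not have permission for are not shown. Use root privileges to see all of the information.
16. Show the list of network interfaces: netstat -i. To show detailed information, similar to ifconfig, use netstat -ie.
17. IP and TCP analysis
Find the IP addresses with the most connections to a given service port: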
    netstat -nat | grep "192.168.1.15:22" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20
List the various TCP states:
    netstat -nat | awk '{print $6}'
First extract all of the states, then count them with uniq -c, and then sort.
    netstat -nat | awk '{print $6}' | sort | uniq -c
Analyze access.log to get the top 10 visiting IP addresses:
    awk '{print $1}' access.log | sort | uniq -c | sort -nr | head -10
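A header-safe and IPv6-safe variant of the netstat pipelines in item 17, as an added example that is not part of the original post. The sample input is constructed netstat -nat output and the function names state_counts, top_talkers and queued are hypothetical; unlike awk '{print $6}' it skips the two header lines, and unlike awk -F: '{print $1}' it does not cut an IPv6 address at its first colon.

```shell
#!/bin/sh
# Added example: SAMPLE is constructed `netstat -nat` output that uses
# documentation address ranges; it is not taken from a real host.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.15:22         203.0.113.7:51512       ESTABLISHED
tcp        0      0 192.168.1.15:22         203.0.113.7:51514       ESTABLISHED
tcp        0     36 192.168.1.15:22         198.51.100.23:40022     ESTABLISHED
tcp        0      0 192.168.1.15:80         198.51.100.23:40100     TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8::15:22         2001:db8::99:60000      ESTABLISHED'

# Count sockets per TCP state. Only rows whose first field starts with
# "tcp" are counted, so the header lines never appear as bogus states.
state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print n[s], s }' |
        sort -k1,1nr -k2,2
}

# Count remote IPs connected to local port $1. The port is whatever
# follows the last colon, so IPv6 addresses keep all of their groups.
top_talkers() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 != "LISTEN" {
            lport = $4; sub(/^.*:/, "", lport)      # local port only
            if (lport != port) next
            raddr = $5; sub(/:[^:]*$/, "", raddr)   # drop the remote port
            n[raddr]++
        }
        END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2 | head -20
}

# Non-listening rows with a non-zero Recv-Q or Send-Q, the queue
# build-up described in the text: local, remote, Recv-Q, Send-Q.
queued() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" && ($2 > 0 || $3 > 0) { print $4, $5, $2, $3 }'
}

# Demo on the constructed sample; on a live host pipe `netstat -nat` in.
printf '%s\n' "$SAMPLE" | state_counts
printf '%s\n' "$SAMPLE" | top_talkers 22
printf '%s\n' "$SAMPLE" | queued
```

On a live system the same functions read from a pipe, for example netstat -nat | top_talkers 22.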
References: http://www.cnblogs.com/ggjucheng/archive/2012/01/08/2316661.html
http://blog.maxiang.net/10-netstat-command-examples/139/
When reposting, please credit: V-Lover » Linux netstat command