First, to use the netstat command you need to install the net-tools package:
yum -y install net-tools
That gives you two commonly used Linux commands, netstat and ifconfig.
Part 1: Usage
1. Viewing all Linux sockets
[root@production-001 ~]# netstat -a
The output (I pasted only part of it) has two sections, Active Internet connections (servers and established) and Active UNIX domain sockets (servers and established): the active network connections and the active UNIX domain socket connections, respectively.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 VM_0_7_cento:cslistener 0.0.0.0:* LISTEN
tcp 0 0 VM_0_7_centos:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 syt-production-00:48873 19.54.0.5:lsi-bobcat ESTABLISHED
tcp 0 36 syt-production-001:ssh 12.12.11.19:51590 ESTABLISHED
tcp6 0 0 [::]:mysql [::]:* LISTEN
udp 0 0 0.0.0.0:bootpc 0.0.0.0:*
udp 0 0 syt-production-001:ntp 0.0.0.0:*
udp 0 0 VM_0_7_centos:ntp 0.0.0.0:*
udp6 0 0 syt-production-001:ntp [::]:*
udp6 0 0 VM_0_7_centos:ntp [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12048 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 899033 /usr/local/yd.socket.client
unix 2 [ ACC ] STREAM LISTENING 14887 /var/run/lsm/ipc/sim
unix 2 [ ACC ] STREAM LISTENING 1267868 /opt/mysql/mysql/data/mysql.sock
unix 3 [ ] DGRAM 8032 /run/systemd/notify
unix 2 [ ] DGRAM 8034 /run/systemd/cgroups-agent
unix 2 [ ACC ] STREAM LISTENING 8042 /run/systemd/journal/stdout
unix 5 [ ] DGRAM 8045 /run/systemd/journal/socket
unix 11 [ ] DGRAM 8047 /dev/log
unix 2 [ ACC ] STREAM LISTENING 14471 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 13980 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 899772 /usr/local/yd.socket.server
unix 2 [ ACC ] SEQPACKET LISTENING 14506 /run/udev/control
2. Listing all TCP or UDP connections
-t selects TCP connections, -u selects UDP connections.
[root@production-001 ~]# netstat -at
Below, the Local Address column shows host names instead of addresses; the name resolution this requires slows netstat down.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 VM_0_7_cento:cslistener 0.0.0.0:* LISTEN
tcp 0 0 VM_0_7_centos:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 production-00:48873 19.54.0.5:lsi-bobcat ESTABLISHED
tcp 0 36 production-001:ssh 12.12.11.19:51590 ESTABLISHED
tcp 0 0 production-001:http dynamicip-176-215:53436 TIME_WAIT
tcp6 0 0 [::]:mysql [::]:* LISTEN
3. Disabling name resolution
[root@production-001 ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 172.17.0.7:48873 169.254.0.55:5574 ESTABLISHED
tcp 0 36 172.17.0.7:22 12.12.11.19:51590 ESTABLISHED
tcp6 0 0 :::3306 :::* LISTEN
4. Showing the sockets the server is listening on (LISTEN state; useful for checking whether a service is up)
[root@production-001 ~]# netstat -lnt
You can see that my server is running PHP, a web server, a database and so on.
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
5. Showing the process, user and so on behind each socket; these are the two invocations we use most often
Query the server's TCP sockets in LISTEN state:
[root@production-001 ~]# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 11821/php-fpm: mast
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 2058/redis-server 1
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 344/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3301/sshd
tcp6 0 0 :::3306 :::* LISTEN 10668/mysqld
Query all of the server's existing TCP sockets:
[root@production-001 ~]# netstat -anpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 11821/php-fpm: mast
tcp 0 0 127.0.0.1:6379 0.0.0.0:* LISTEN 2058/redis-server 1
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 344/nginx: master p
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3301/sshd
tcp 0 0 172.17.0.7:48873 169.254.0.55:5574 ESTABLISHED 24217/YDService
tcp 0 36 172.17.0.7:22 12.12.11.19:51590 ESTABLISHED 19772/sshd: root@pt
tcp6 0 0 :::3306 :::* LISTEN 10668/mysqld
6. Printing statistics
[root@syt-production-001 ~]# netstat -s
Ip:
4938968 total packets received
0 forwarded
0 incoming packets discarded
4938957 incoming packets delivered
4805326 requests sent out
16 dropped because of missing route
Icmp:
769554 ICMP messages received
16 input ICMP message failed.
ICMP input histogram:
destination unreachable: 28
timeout in transit: 1
echo requests: 769523
echo replies: 2
769525 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 2
echo replies: 769523
IcmpMsg:
InType0: 2
InType3: 28
InType8: 769523
InType11: 1
OutType0: 769523
OutType3: 2
Tcp:
535366 active connections openings
6904 passive connection openings
828 failed connection attempts
634 connection resets received
2 connections established
4094321 segments received
3971608 segments send out
4377 segments retransmited
8 bad segments received.
5335 resets sent
Udp:
142930 packets received
2 packets to unknown port received.
0 packet receive errors
143872 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
TcpExt:
201 invalid SYN cookies received
637 resets received for embryonic SYN_RECV sockets
6606 TCP sockets finished time wait in fast timer
900 TCP sockets finished time wait in slow timer
888 delayed acks sent
5 delayed acks further delayed because of locked socket
Quick ack mode was activated 438 times
8 SYNs to LISTEN sockets dropped
38 packets directly queued to recvmsg prequeue.
34 bytes directly in process context from backlog
124 bytes directly received in process context from prequeue
1145495 packet headers predicted
2 packets header predicted and directly queued to user
1666927 acknowledgments not containing data payload received
87604 predicted acknowledgments
2 times recovered from packet loss due to fast retransmit
2 congestion windows fully recovered without slow start
2172 congestion windows recovered without slow start after partial ack
2 timeouts after reno fast retransmit
191 timeouts in loss state
12 fast retransmits
42 retransmits in slow start
4019 other TCP timeouts
245 connections reset due to unexpected data
60 connections reset due to early user close
198 connections aborted due to timeout
TCPSpuriousRTOs: 147
TCPRcvCoalesce: 529861
TCPOFOQueue: 348
TCPOFOMerge: 2
TCPChallengeACK: 14
TCPSYNChallenge: 13
TCPFastOpenCookieReqd: 1
TCPSpuriousRtxHostQueues: 3
TCPWantZeroWindowAdv: 16373
TCPSynRetrans: 550
TCPOrigDataSent: 1907609
TCPHystartTrainDetect: 6
TCPHystartTrainCwnd: 281
TCPHystartDelayDetect: 3
TCPHystartDelayCwnd: 288
TCPACKSkippedSynRecv: 4
TCPACKSkippedSeq: 1
IpExt:
InNoRoutes: 4
InMcastPkts: 15886
OutMcastPkts: 14
InOctets: 1169867332
OutOctets: 581042663
InMcastOctets: 572027
OutMcastOctets: 669
InNoECTPkts: 4969489
InECT1Pkts: 10
InECT0Pkts: 32
Part 2: Option reference (for details see netstat --help; the help text is reproduced below with a translation of each line)
-r, --route display routing table / show routing information
-I, --interfaces=<Iface> display interface table for <Iface> / show information for one interface
-i, --interfaces display interface table / show interface information
-g, --groups display multicast group memberships / show multicast group memberships: per interface, loopback, IPv4, IPv6, wlan and so on
-s, --statistics display networking statistics (like SNMP) / print netstat's per-protocol connection statistics
-M, --masquerade display masqueraded connections / show ip_masquerade connections. A note on IP masquerading: it is a form of NAT in which packets from several source IPs are rewritten to a single source IP before being sent, hiding the IP of the device that originally sent the data
-v, --verbose be verbose / print verbose information
-W, --wide don't truncate IP addresses / do not truncate IP addresses, so the command does not cut off long addresses
-n, --numeric don't resolve names / do not resolve names
--numeric-hosts don't resolve host names / do not resolve host names
--numeric-ports don't resolve port names / do not resolve port names
--numeric-users don't resolve user names / do not resolve user names
-N, --symbolic resolve hardware names / resolve hardware names
-e, --extend display other/more information / show other or additional information
-p, --programs display PID/Program name for sockets / print the PID and program name for each socket
-o, --timers display timers / show timers
-c, --continuous continuous listing / continuous listing, keeps printing until interrupted
-l, --listening display listening server sockets / print sockets in LISTEN state
-a, --all display all sockets (default: connected) / print all sockets
-F, --fib display Forwarding Information Base (default) / show the Forwarding Information Base, i.e. the routing table (default)
-C, --cache display routing cache instead of FIB / show the routing cache
-Z, --context display SELinux security context for sockets / show the SELinux security context of sockets
Part 3: Connection states explained
Normally a TCP connection goes through three phases: 1. the TCP three-way handshake, 2. data transfer, 3. the TCP four-way close.
SYN (Synchronize Sequence Numbers): this flag is only meaningful during the three-way handshake that establishes a TCP connection. It indicates a new connection request.
ACK (Acknowledgement Number): the acknowledgement flag for a TCP request; it also tells the peer that all data so far has been received successfully.
FIN (finish): used to end a TCP session, but the corresponding port stays open, ready to receive subsequent data.
1) LISTEN: first the server opens a socket and listens on it; its state is LISTEN. /* The socket is listening for incoming connections. */ Waiting for a connection request from a remote TCP port.
2) SYN_SENT: the client application calls connect to perform an active open; the client's TCP sends a SYN to request a connection and the state becomes SYN_SENT. /* The socket is actively attempting to establish a connection. */ Waiting for a matching connection request after having sent one.
3) SYN_RECV: the server acknowledges the client's SYN with an ACK and sends its own SYN to the client; the state becomes SYN_RECV. /* A connection request has been received from the network. */ Waiting for confirmation of the connection request after having both received and sent one.
4) ESTABLISHED: an open connection; both sides can exchange data, or already are. /* The socket has an established connection. */ An open connection; data can be delivered to the user.
5) FIN_WAIT1: the application on the actively closing side calls close, its TCP sends a FIN to close the connection, and it enters FIN_WAIT1. /* The socket is closed, and the connection is shutting down. */ Waiting for a connection termination request from the remote TCP, or for an acknowledgement of the termination request previously sent.
6) CLOSE_WAIT: when the passively closing side's TCP receives the FIN, it answers with an ACK (the FIN is also passed up to the application as an end-of-file) and enters CLOSE_WAIT. /* The remote end has shut down, waiting for the socket to close. */ Waiting for a connection termination request from the local user.
7) FIN_WAIT2: once the active closer receives that ACK, it enters FIN_WAIT2. /* Connection is closed, and the socket is waiting for a shutdown from the remote end. */ Waiting for a connection termination request from the remote TCP.
8) LAST_ACK: some time later the application on the passive side, having read the end-of-file, calls close; its TCP sends its own FIN and waits for the peer's ACK, entering LAST_ACK. /* The remote end has shut down, and the socket is closed. Waiting for acknowledgement. */ Waiting for an acknowledgement of the termination request previously sent to the remote TCP.
9) TIME_WAIT: when the active closer receives the FIN, its TCP sends an ACK and enters TIME_WAIT. /* The socket is waiting after close to handle packets still in the network. */ Waiting long enough to be sure the remote TCP received the acknowledgement of its termination request.
10) CLOSING: rarely seen. /* Both sockets are shut down but we still don't have all our data sent. */ Waiting for the remote TCP to acknowledge the connection termination.
11) CLOSED: the passive closer enters CLOSED after receiving the ACK; the connection is over. /* The socket is not being used. */ No connection state at all.
The TIME_WAIT state only arises on the side that actively closes the connection.
After receiving the passive closer's FIN and successfully sending it an ACK, the active closer changes its state from FIN_WAIT2 to TIME_WAIT, and must then wait a further 2 * MSL (Maximum Segment Lifetime, the time a segment can survive in the internetwork) before both sides can change their state to CLOSED and finish the connection. On current RHEL the TIME_WAIT duration is 60 seconds.
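As an added example (not part of the original post), the following POSIX shell functions take netstat -anpt output on stdin and extract the two things sections 5 and 3 look for by eye: the listeners bound to every interface (0.0.0.0 or ::) together with their PID/program, which is the set of services reachable from outside the host, and a count of sockets per state, the usual first check when TIME_WAIT or CLOSE_WAIT piles up. The sample output embedded in the script is constructed for the demonstration; its PIDs, ports and addresses are not from a real host.

```shell
#!/bin/sh
# Constructed sample of `netstat -anpt` output for the demonstration;
# the PIDs, ports and addresses are made up, not captured from a real host.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      11821/php-fpm: mast
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      2058/redis-server 1
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      344/nginx: master p
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3301/sshd
tcp        0      0 172.17.0.7:22           12.12.11.19:51590       ESTABLISHED 19772/sshd: root@pt
tcp        0      0 172.17.0.7:80           10.0.0.9:41022          TIME_WAIT   -
tcp6       0      0 :::3306                 :::*                    LISTEN      10668/mysqld'

# exposed_listeners: from netstat -anpt (or -lnpt) output on stdin, print the
# TCP listeners bound to every interface (0.0.0.0 or ::), i.e. the services
# reachable from outside the host, as "<port> <PID/program>", lowest port first.
# Loopback-only listeners such as 127.0.0.1:9000 are deliberately left out.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = $4; sub(/:[^:]*$/, "", host)    # everything before it
        if (host == "0.0.0.0" || host == "::") {
            prog = $7                          # program names may contain spaces
            for (i = 8; i <= NF; i++) prog = prog " " $i
            print port, prog
        }
    }' | sort -n
}

# state_counts: tally TCP sockets by state (column 6), the usual first look
# when a host runs out of sockets or a service piles up TIME_WAIT/CLOSE_WAIT.
# Output: "<STATE> <count>" per line, sorted by state name.
state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Run against the constructed sample; on a live host pipe netstat -anpt instead.
printf '%s\n' "$SAMPLE" | exposed_listeners
printf '%s\n' "$SAMPLE" | state_counts
```

Because the script only reads stdin, the same functions work on saved netstat output from another machine, which is handy when comparing a host against its expected service inventory.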