netstat命令使用方法以及详解

首先,使用netstat命令需要安装net-tools工具包

yum -y install net-tools

这样你就有了两个linux的常用命令,netstat以及ifconfig

 

第一部分:用法

 

1、如果查看所有的linux的socker(套接字)

[root@production-001 ~]# netstat -a
 

显示如下(我粘出了一部分),会打印出Active Internet connections (servers and established和Active UNIX domain sockets (servers and established)两段;分别是活跃的网络连接和活跃的unix套接字连接

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 VM_0_7_cento:cslistener 0.0.0.0:*               LISTEN     
tcp        0      0 VM_0_7_centos:6379      0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 syt-production-00:48873 19.54.0.5:lsi-bobcat ESTABLISHED
tcp        0     36 syt-production-001:ssh  12.12.11.19:51590    ESTABLISHED
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN     
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                          
udp        0      0 syt-production-001:ntp  0.0.0.0:*                          
udp        0      0 VM_0_7_centos:ntp       0.0.0.0:*                          
udp6       0      0 syt-production-001:ntp  [::]:*                             
udp6       0      0 VM_0_7_centos:ntp       [::]:*                             
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12048    /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     899033   /usr/local/yd.socket.client
unix  2      [ ACC ]     STREAM     LISTENING     14887    /var/run/lsm/ipc/sim
unix  2      [ ACC ]     STREAM     LISTENING     1267868  /opt/mysql/mysql/data/mysql.sock
unix  3      [ ]         DGRAM                    8032     /run/systemd/notify
unix  2      [ ]         DGRAM                    8034     /run/systemd/cgroups-agent
unix  2      [ ACC ]     STREAM     LISTENING     8042     /run/systemd/journal/stdout
unix  5      [ ]         DGRAM                    8045     /run/systemd/journal/socket
unix  11     [ ]         DGRAM                    8047     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     14471    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     13980    /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     899772   /usr/local/yd.socket.server
unix  2      [ ACC ]     SEQPACKET  LISTENING     14506    /run/udev/control
 

 

2、查询所有的TCP或者UDP连接

TCP连接是-t,UDP连接是-u

[root@production-001 ~]# netstat -at
 

以下可以看到Local Address段显示了主机的域名,这种情况会拖慢netstat命令的执行速度

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 VM_0_7_cento:cslistener 0.0.0.0:*               LISTEN     
tcp        0      0 VM_0_7_centos:6379      0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 production-00:48873 19.54.0.5:lsi-bobcat ESTABLISHED
tcp        0     36 production-001:ssh  12.12.11.19:51590    ESTABLISHED
tcp        0      0 production-001:http dynamicip-176-215:53436 TIME_WAIT  
tcp6       0      0 [::]:mysql              [::]:*                  LISTEN
 

 

3、拒绝名称解析

[root@production-001 ~]# netstat -ant
 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 172.17.0.7:48873        169.254.0.55:5574       ESTABLISHED
tcp        0     36 172.17.0.7:22           12.12.11.19:51590    ESTABLISHED
tcp6       0      0 :::3306                 :::*                    LISTEN
 

 

4、显示服务器监听的连接(LISTEN状态的连接,可用于查询服务状态)

[root@production-001 ~]# netstat -lnt
 

可以看出我的服务器跑了php、web、数据库之类的服务

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::3306                 :::*                    LISTEN
 

 

5、显示socket对应的进程、用户等,这也是我们最常用的两种方法

如下查询server的LISTEN状态的TCP socket

[root@production-001 ~]# netstat -lnpt
 
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      11821/php-fpm: mast 
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      2058/redis-server 1 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      344/nginx: master p 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3301/sshd           
tcp6       0      0 :::3306                 :::*                    LISTEN      10668/mysqld
 

 

如下查询server的所有存在的TCP socket

[root@production-001 ~]# netstat -anpt
 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      11821/php-fpm: mast 
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      2058/redis-server 1 
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      344/nginx: master p 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3301/sshd           
tcp        0      0 172.17.0.7:48873        169.254.0.55:5574       ESTABLISHED 24217/YDService     
tcp        0     36 172.17.0.7:22           12.12.11.19:51590    ESTABLISHED 19772/sshd: root@pt 
tcp6       0      0 :::3306                 :::*                    LISTEN      10668/mysqld
 

 

6、打印统计数据

[root@syt-production-001 ~]# netstat -s
 
Ip:
    4938968 total packets received
    0 forwarded
    0 incoming packets discarded
    4938957 incoming packets delivered
    4805326 requests sent out
    16 dropped because of missing route
Icmp:
    769554 ICMP messages received
    16 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 28
        timeout in transit: 1
        echo requests: 769523
        echo replies: 2
    769525 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 2
        echo replies: 769523
IcmpMsg:
        InType0: 2
        InType3: 28
        InType8: 769523
        InType11: 1
        OutType0: 769523
        OutType3: 2
Tcp:
    535366 active connections openings
    6904 passive connection openings
    828 failed connection attempts
    634 connection resets received
    2 connections established
    4094321 segments received
    3971608 segments send out
    4377 segments retransmited
    8 bad segments received.
    5335 resets sent
Udp:
    142930 packets received
    2 packets to unknown port received.
    0 packet receive errors
    143872 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
TcpExt:
    201 invalid SYN cookies received
    637 resets received for embryonic SYN_RECV sockets
    6606 TCP sockets finished time wait in fast timer
    900 TCP sockets finished time wait in slow timer
    888 delayed acks sent
    5 delayed acks further delayed because of locked socket
    Quick ack mode was activated 438 times
    8 SYNs to LISTEN sockets dropped
    38 packets directly queued to recvmsg prequeue.
    34 bytes directly in process context from backlog
    124 bytes directly received in process context from prequeue
    1145495 packet headers predicted
    2 packets header predicted and directly queued to user
    1666927 acknowledgments not containing data payload received
    87604 predicted acknowledgments
    2 times recovered from packet loss due to fast retransmit
    2 congestion windows fully recovered without slow start
    2172 congestion windows recovered without slow start after partial ack
    2 timeouts after reno fast retransmit
    191 timeouts in loss state
    12 fast retransmits
    42 retransmits in slow start
    4019 other TCP timeouts
    245 connections reset due to unexpected data
    60 connections reset due to early user close
    198 connections aborted due to timeout
    TCPSpuriousRTOs: 147
    TCPRcvCoalesce: 529861
    TCPOFOQueue: 348
    TCPOFOMerge: 2
    TCPChallengeACK: 14
    TCPSYNChallenge: 13
    TCPFastOpenCookieReqd: 1
    TCPSpuriousRtxHostQueues: 3
    TCPWantZeroWindowAdv: 16373
    TCPSynRetrans: 550
    TCPOrigDataSent: 1907609
    TCPHystartTrainDetect: 6
    TCPHystartTrainCwnd: 281
    TCPHystartDelayDetect: 3
    TCPHystartDelayCwnd: 288
    TCPACKSkippedSynRecv: 4
    TCPACKSkippedSeq: 1
IpExt:
    InNoRoutes: 4
    InMcastPkts: 15886
    OutMcastPkts: 14
    InOctets: 1169867332
    OutOctets: 581042663
    InMcastOctets: 572027
    OutMcastOctets: 669
    InNoECTPkts: 4969489
    InECT1Pkts: 10
    InECT0Pkts: 32
 

 

第二部分:选项解释(详情可参阅netstat --help,拿过来翻译工具走一波)

        -r, --route              display routing table /显示路由信息
        -I, --interfaces=<Iface> display interface table for <Iface> /显示某个网卡信息
        -i, --interfaces         display interface table /显示网卡信息
        -g, --groups             display multicast group memberships /显示多播组信息;什么网卡、loopback口ipv4、ipv6的,还有wlan的等等信息
        -s, --statistics         display networking statistics (like SNMP) /打印netstat各种协议类型的连接统计信息
        -M, --masquerade         display masqueraded connections /显示ip_masqueraded的连接,这里解释以下ip_masqueraded,实际是NAT实现的一种,可以使多个ip发送数据包的源ip转换为同一个ip去发送,用于伪装原本发送数据的设备的ip
        
        -v, --verbose            be verbose /打印详细信息
        -W, --wide               don't truncate IP addresses /不截断IP地址,避免该命令截断ip连接
        -n, --numeric            don't resolve names /不解析名称
        --numeric-hosts          don't resolve host names /不解析主机名称
        --numeric-ports          don't resolve port names /不解析端口名称
        --numeric-users          don't resolve user names /不解析用户名称
        -N, --symbolic           resolve hardware names /解析硬件名称
        -e, --extend             display other/more information /显示其他或者更多信息
        -p, --programs           display PID/Program name for sockets /打印socket连接的PID、进程名
        -o, --timers             display timers /显示计时器
        -c, --continuous         continuous listing /连续监听,会一直输出

        -l, --listening          display listening server sockets /打印LISTEN状态的连接
        -a, --all                display all sockets (default: connected) /打印所有
        -F, --fib                display Forwarding Information Base (default) /显示转发信息库,路由表(默认)
        -C, --cache              display routing cache instead of FIB /显示路由缓存
        -Z, --context            display SELinux security context for sockets /显示selinux安全上下文连接
 

 

第三部分:连接状态解析

 

通常情况下:一个正常的TCP连接,都会有三个阶段(1、TCP三次握手 2、数据传送 3、TCP四次挥手)

SYN: (同步序列编号,Synchronize Sequence Numbers)该标志仅在三次握手建立TCP连接时有效。表示一个新的TCP连接请求。

ACK: (确认编号,Acknowledgement Number)是对TCP请求的确认标志,同时提示对端系统已经成功接收所有数据。

FIN:(结束标志,finish)用来结束一个TCP回话.但对应端口仍处于开放状态,准备接收后续数据。

1)、LISTEN:首先服务端需要打开一个socket进行监听,状态为LISTEN. /* The socket is listening for incoming connections. 侦听来自远方TCP端口的连接请求 */

2)、SYN_SENT:客户端通过应用程序调用connect进行active open.于是客户端tcp发送一个SYN以请求建立一个连接.之后状态置为SYN_SENT. /*The socket is actively attempting to establish a connection. 在发送连接请求后等待匹配的连接请求 */

3)、SYN_RECV:服务端应发出ACK确认客户端的SYN,同时自己向客户端发送一个SYN. 之后状态置为SYN_RECV /* A connection request has been received from the network. 在收到和发送一个连接请求后等待对连接请求的确认 */

4)、ESTABLISHED: 代表一个打开的连接,双方可以进行或已经在数据交互了。/* The socket has an established connection. 代表一个打开的连接,数据可以传送给用户 */

5)、FIN_WAIT1:主动关闭(active close)端应用程序调用close,于是其TCP发出FIN请求主动关闭连接,之后进入FIN_WAIT1状态./* The socket is closed, and the connection is shutting down. 等待远程TCP的连接中断请求,或先前的连接中断请求的确认 */

6)、CLOSE_WAIT:被动关闭(passive close)端TCP接到FIN后,就发出ACK以回应FIN请求(它的接收也作为文件结束符传递给上层应用程序),并进入CLOSE_WAIT. /* The remote end has shut down, waiting for the socket to close. 等待从本地用户发来的连接中断请求 */

7)、FIN_WAIT2:主动关闭端接到ACK后,就进入了FIN-WAIT-2 ./* Connection is closed, and the socket is waiting for a shutdown from the remote end. 从远程TCP等待连接中断请求 */

8)、LAST_ACK:被动关闭端一段时间后,接收到文件结束符的应用程序将调用CLOSE关闭连接。这导致它的TCP也发送一个 FIN,等待对方的ACK.就进入了LAST-ACK . /* The remote end has shut down, and the socket is closed. Waiting for acknowledgement. 等待原来发向远程TCP的连接中断请求的确认 */

9)、TIME_WAIT:在主动关闭端接收到FIN后,TCP就发送ACK包,并进入TIME-WAIT状态。/* The socket is waiting after close to handle packets still in the network.等待足够的时间以确保远程TCP接收到连接中断请求的确认 */

10)、CLOSING:比较少见./* Both sockets are shut down but we still don’t have all our data sent. 等待远程TCP对连接中断的确认 */

11)、CLOSED:被动关闭端在接受到ACK包后,就进入了closed的状态。连接结束./* The socket is not being used. 没有任何连接状态 */

TIME_WAIT状态的形成只发生在主动关闭连接的一方。

主动关闭方在接收到被动关闭方的FIN请求后,发送成功给对方一个ACK后,将自己的状态由FIN_WAIT2修改为TIME_WAIT,而必须再等2倍 的MSL(Maximum Segment Lifetime,MSL是一个数据报在internetwork中能存在的时间)时间之后双方才能把状态 都改为CLOSED以关闭连接。目前RHEL里保持TIME_WAIT状态的时间为60秒。

上一篇:Linux 查看端口占用情况


下一篇:第十节 网络通信