- View the number of TCP connections in each state
```
[root@localhost ~]# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 10.0.29.37:22 172.16.4.40:14005 ESTABLISHED
tcp 0 64 10.0.29.37:22 172.16.4.40:13945 ESTABLISHED
tcp 0 0 10.0.29.37:22 172.16.4.40:13946 ESTABLISHED
tcp 0 0 :::8080 :::* LISTEN
tcp 0 0 ::ffff:10.0.29.37:8082 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 ::1:25 :::* LISTEN
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN
tcp 0 0 ::ffff:10.0.29.37:57229 ::ffff:10.0.101.213:7003 ESTABLISHED
```
- Filter by a specific port number
```
[root@localhost ~]# netstat -nat|grep -i "8082"
tcp 0 0 ::ffff:10.0.29.37:8082 :::* LISTEN
tcp 0 0 ::ffff:10.0.29.37:8082 ::ffff:10.0.29.3:42348 ESTABLISHED
```
Note: adding the -c option repeats the output every second.
- Filter ESTABLISHED connections to see the pattern of peer IP addresses
```
[root@localhost ~]# netstat -na |grep ESTABLISHED|more
tcp 0 0 10.0.29.37:22 172.16.4.40:14005 ESTABLISHED
tcp 0 0 10.0.29.37:22 172.16.4.40:14003 ESTABLISHED
tcp 0 64 10.0.29.37:22 172.16.4.40:13945 ESTABLISHED
tcp 0 0 10.0.29.37:22 172.16.4.40:13946 ESTABLISHED
tcp 0 0 ::ffff:10.0.29.37:49617 ::ffff:10.0.101.215:7002 ESTABLISHED
tcp 0 0 ::ffff:10.0.29.37:33047 ::ffff:10.0.101.5:7000 ESTABLISHED
tcp 0 0 ::ffff:10.0.29.37:56644 ::ffff:10.0.101.213:7003 ESTABLISHED
```
- Count TCP connections grouped by state
```
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
TIME_WAIT 42349
CLOSE_WAIT 1
SYN_SENT 4
FIN_WAIT1 298
FIN_WAIT2 33
ESTABLISHED 12775
SYN_RECV 259
CLOSING 6
LAST_ACK 432
```
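The two checks above (per-state counts, and the peer pattern behind the ESTABLISHED connections) are usually wanted together, so here is an added shell example that is not part of the original page. It feeds netstat-style lines into three small functions: one counts states like the awk one-liner, one strips ports and the IPv4-mapped `::ffff:` prefix to count peers, and one tests a state against a threshold. NETSTAT_SAMPLE is constructed from the output shown above; on a live host pipe `netstat -ant` into the functions instead.

```shell
# Constructed sample in the layout of "netstat -ant" (not live output).
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.29.37:22           172.16.4.40:14005       ESTABLISHED
tcp        0     64 10.0.29.37:22           172.16.4.40:13945       ESTABLISHED
tcp        0      0 10.0.29.37:22           172.16.4.40:13946       ESTABLISHED
tcp        0      0 ::ffff:10.0.29.37:57229 ::ffff:10.0.101.213:7003 ESTABLISHED
tcp        0      0 10.0.29.37:80           10.0.29.3:42348         CLOSE_WAIT
tcp        0      0 10.0.29.37:80           10.0.29.3:42349         TIME_WAIT'

# Count connections per TCP state (same idea as the awk one-liner above,
# but with the count first so the list can be sorted, busiest state on top).
tcp_state_counts() {
    awk '/^tcp/ {++s[$NF]} END {for (k in s) print s[k], k}' | sort -rn
}

# Count ESTABLISHED connections per peer address, port removed, most first.
# The Foreign Address column is field 5 of a netstat -ant line.
established_peers() {
    awk '/^tcp/ && $NF == "ESTABLISHED" {
            peer = $5
            sub(/^::ffff:/, "", peer)      # IPv4-mapped IPv6 -> plain IPv4
            sub(/:[^:]*$/, "", peer)       # drop the port
            ++p[peer]
        }
        END {for (k in p) print p[k], k}' | sort -rn
}

# Succeed (exit 0) when the number of sockets in state $1 is below $2.
# CLOSE_WAIT piling up usually means the local application never closes
# its sockets; a large TIME_WAIT count is normal on a busy short-lived-
# connection server and is tracked separately by sar's tcp-tw column.
state_below() {   # $1 = state, $2 = threshold, reads netstat output on stdin
    n=$(awk -v st="$1" '/^tcp/ && $NF == st {c++} END {print c+0}')
    [ "$n" -lt "$2" ]
}

printf '%s\n' "$NETSTAT_SAMPLE" | tcp_state_counts
printf '%s\n' "$NETSTAT_SAMPLE" | established_peers
printf '%s\n' "$NETSTAT_SAMPLE" | state_below CLOSE_WAIT 5 && echo "CLOSE_WAIT ok"
```

With the sample input the state list starts with `4 ESTABLISHED` and the peer list with `3 172.16.4.40`, which is the "many sessions from one address" pattern the grep above is used to spot. `state_below` is meant for a cron or monitoring hook: `netstat -ant | state_below CLOSE_WAIT 100 || alert`.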
- View the open sockets on a port
```
[root@mmc ~]# lsof -i:8085
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 10068 root 61u IPv6 117807169 0t0 TCP 10.0.101.210:8085->10.0.101.104:21527 (ESTABLISHED)
java 10068 root 62u IPv6 117807197 0t0 TCP 10.0.101.210:8085->10.0.101.102:30499 (ESTABLISHED)
java 10068 root 64u IPv6 117807175 0t0 TCP 10.0.101.210:8085->10.0.101.103:9239 (ESTABLISHED)
java 10068 root 148u IPv6 117807839 0t0 TCP 10.0.101.210:8085->10.0.101.102:30555 (ESTABLISHED)
```
- View the number of TCP sockets created
```
[root@mmc ~]# sar -n SOCK
Linux 2.6.32-431.el6.x86_64 (mmc) 01/20/2021 _x86_64_ (1 CPU)

12:00:01 AM totsck tcpsck udpsck rawsck ip-frag tcp-tw
12:10:01 AM 631 12 8 0 0 0
12:20:01 AM 630 12 8 0 0 0
12:30:01 AM 630 12 8 0 0 0
12:40:01 AM 628 12 8 0 0 0
12:50:01 AM 625 11 8 0 0 0
01:00:01 AM 627 11 8 0 0 0
01:10:01 AM 623 11 8 0 0 0
01:20:01 AM 623 11 8 0 0 0
01:30:01 AM 622 11 8 0 0 0
01:40:01 AM 622 11 8 0 0 0
```
- Capture packets on TCP port 8085
```
[root@mmc ~]# tcpdump -iany tcp port 8085
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
12:20:13.056978 IP 10.0.101.102.30478 > 10.0.101.210.8085: Flags [P.], seq 2507835916:2507836946, ack 943612003, win 229, options [nop,nop,TS val 2293112433 ecr 3296957473], length 1030
12:20:13.073465 IP 10.0.101.210.8085 > 10.0.101.102.30478: Flags [P.], seq 1:100, ack 1030, win 2989, options [nop,nop,TS val 3296990215 ecr 2293112433], length 99
12:20:13.073662 IP 10.0.101.102.30478 > 10.0.101.210.8085: Flags [.], ack 100, win 229, options [nop,nop,TS val 2293112450 ecr 3296990215], length 0
...............
```
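A raw capture like the one above is hard to read once it runs past a screenful, so here is an added shell example (not from the original page) that parses tcpdump's default one-line format into per-direction byte totals and a count of each TCP flag combination. TCPDUMP_SAMPLE is constructed from the three packets shown above; it assumes numeric addresses as printed by `tcpdump -n`, and the field positions in the comments are those of that default format.

```shell
# Constructed sample in tcpdump's default one-line format (not live output).
TCPDUMP_SAMPLE='12:20:13.056978 IP 10.0.101.102.30478 > 10.0.101.210.8085: Flags [P.], seq 2507835916:2507836946, ack 943612003, win 229, options [nop,nop,TS val 2293112433 ecr 3296957473], length 1030
12:20:13.073465 IP 10.0.101.210.8085 > 10.0.101.102.30478: Flags [P.], seq 1:100, ack 1030, win 2989, options [nop,nop,TS val 3296990215 ecr 2293112433], length 99
12:20:13.073662 IP 10.0.101.102.30478 > 10.0.101.210.8085: Flags [.], ack 100, win 229, options [nop,nop,TS val 2293112450 ecr 3296990215], length 0'

# Sum TCP payload bytes and packets per direction ("src > dst"), largest first.
# Field layout of a tcpdump line: $1 time, $2 "IP", $3 src, $4 ">",
# $5 dst with a trailing colon, ..., $(NF-1) "length", $NF payload bytes.
flow_bytes() {
    awk '$2 == "IP" && $(NF-1) == "length" {
            dst = $5; sub(/:$/, "", dst)
            key = $3 " > " dst
            bytes[key] += $NF
            pkts[key]++
        }
        END {for (f in bytes) print bytes[f], pkts[f], f}' | sort -rn
}

# Count packets per TCP flag combination ("[P.]", "[S]", "[F.]" ...).
# Many bare "[S]" lines with few "[S.]" replies on the wire is the same
# symptom as SYN_RECV growing in the netstat state counts.
flag_counts() {
    awk 'match($0, /Flags \[[^]]*\]/) {
            f = substr($0, RSTART + 6, RLENGTH - 6)   # keep just "[P.]"
            ++c[f]
        }
        END {for (k in c) print c[k], k}' | sort -rn
}

printf '%s\n' "$TCPDUMP_SAMPLE" | flow_bytes
printf '%s\n' "$TCPDUMP_SAMPLE" | flag_counts
```

On the sample, the client-to-server direction (10.0.101.102.30478 > 10.0.101.210.8085) accounts for 1030 bytes in 2 packets and the reply direction for 99 bytes in 1, which matches the `length` fields in the capture. For a live capture use `tcpdump -n -iany tcp port 8085 | flow_bytes`; `-n` keeps the addresses numeric so the field layout stays as parsed here.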
- TCP states and their descriptions
State | Description |
---|---|
LISTEN | Waiting for a connection request from a remote TCP application |
SYN_SENT | Waiting for a matching acknowledgement from the remote endpoint after sending a connection request. The client's state after the first step of the TCP handshake |
SYN-RECEIVED | This endpoint has received a connection request and sent an acknowledgement; it is waiting for the final acknowledgement. The server's state after the second step of the TCP handshake |
ESTABLISHED | The connection is established. This is the normal state for the data-transfer phase of the connection |
FIN_WAIT_1 | Waiting for a connection termination request from the remote TCP, or for an acknowledgement of the termination request this endpoint sent |
FIN_WAIT_2 | Waiting for a connection termination request from the remote TCP after this endpoint has sent its own termination request |
CLOSE_WAIT | This endpoint has received a close request from the remote endpoint; this TCP is waiting for a connection termination request from the local application |
CLOSING | Waiting for an acknowledgement of the connection termination request from the remote TCP |
LAST_ACK | Waiting for an acknowledgement of the connection termination request previously sent to the remote TCP |
TIME_WAIT | Waiting for enough time to pass to be sure the remote TCP received the acknowledgement of its connection termination request |