
How to use netstat on Linux




The Linux netstat command gives you a wealth of information about your network connections, the ports that are in use, and the processes using them. Learn how to use it.

Ports, processes, and protocols

Network sockets can be connected or waiting for a connection. The connections use network protocols such as Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). They use Internet Protocol addresses and network ports to establish connections.

The word sockets may conjure up images of a physical connection point for a lead or cable, but in this context, a socket is a software construct used to handle one end of a network data connection.

Sockets have two main states: they are either connected and enabling ongoing network communication, or they are waiting for an incoming connection to connect to them. There are other states, such as the state when a socket is halfway through establishing a connection on a remote device, but setting transient states aside, you can regard a socket as either connected or waiting (which is often called listening).

The listening socket is called the server, and the socket requesting a connection to the listening socket is called a client. These names have nothing to do with hardware or computer roles. They simply define the role of each socket at each end of the connection.

The netstat command lets you discover which sockets are connected and which sockets are listening. That is, it tells you which ports are in use and which processes are using them. It can also show you routing tables and statistics about your network interfaces and multicast connections.

The functionality of netstat has been replicated over time in various Linux utilities, such as ip and ss. It is still worth knowing this grandfather of all network analysis commands, as it is available on all Linux and Unix-like operating systems, and even on Windows and macOS.

Here's how to use it, complete with sample commands.

List of all sockets

With the -a (all) option, netstat shows all connected and waiting sockets. This command can produce a long list, so we pipe it into less.

  netstat -a | less

The list contains TCP (IPv4), TCP6 (IPv6) and UDP sockets.

The wrapping in the terminal window makes it a bit difficult to see what is going on. Here are a few sections from that list:

  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN
  tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
  tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
  tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN
  tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
  tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
  .
  .
  .
  Active UNIX domain sockets (servers and established)
  Proto RefCnt Flags       Type       State         I-Node   Path
  unix  24     [ ]         DGRAM                    12831    /run/systemd/journal/dev-log
  unix  2      [ ACC ]     STREAM     LISTENING     24747    @/tmp/dbus-zH6clYmvw8
  unix  2      [ ]         DGRAM                    26372    /run/user/1000/systemd/notify
  unix  2      [ ]         DGRAM                    23382    /run/user/121/systemd/notify
  unix  2      [ ACC ]     SEQPACKET  LISTENING     12839    /run/udev/control

The "Active Internet" section lists the connected external connections and the local sockets that are listening for remote connection requests. That is, it lists the network connections that are (or will be) established with external devices.

The "UNIX Domain" section lists the connected and listening internal connections. In other words, it lists the connections that have been established within your computer between different applications, processes, and elements of the operating system.

The "Active Internet" columns are:

  • Proto: The protocol used by this socket (for example, TCP or UDP).
  • Recv-Q: The receive queue. These are incoming bytes that have been received and buffered, waiting for the local process that is using this connection to read and consume them.
  • Send-Q: The send queue. This shows the bytes that are ready to be sent from the send queue.
  • Local Address: The address details of the local end of the connection. By default, netstat displays the local host name for the address and the service name for the port.
  • Foreign Address: The address and port number of the remote end of the connection.
  • State: The state of the local socket. This is usually empty for UDP sockets. See the state table below.

For TCP connections, the State value can be one of the following:

  • LISTEN: Server only. The socket is waiting for a connection request.
  • SYN-SENT: Client only. This socket has made a connection request and is waiting to see whether it is accepted.
  • SYN-RECEIVED: Server only. This socket is waiting for a connection acknowledgment after accepting a connection request.
  • ESTABLISHED: Server and client. A working connection has been established between the server and the client, allowing data to be transferred between the two.
  • FIN-WAIT-1: Server and client. This socket is waiting for a connection termination request from the remote socket, or for an acknowledgment of a connection termination request that was previously sent from this socket.
  • FIN-WAIT-2: Server and client. This socket is waiting for a connection termination request from the remote socket.
  • CLOSE-WAIT: Server and client. This socket is waiting for a connection termination request from the local user.
  • CLOSING: Server and client. This socket is waiting for an acknowledgment of the connection termination request it sent to the remote socket.
  • LAST-ACK: Server and client. This socket is waiting for an acknowledgment of the connection termination request it sent to the remote socket, after which it closes.
  • TIME-WAIT: Server and client. This socket has sent an acknowledgment to the remote socket to let it know that it received the remote socket's termination request. It is now waiting to make sure that acknowledgment was received.
  • CLOSED: There is no connection, so the socket has been terminated.

The "Unix Domain" columns are:

  • Proto: The protocol used by this socket. It will be 'unix'.
  • RefCnt: Reference count. The number of attached processes connected to this socket.
  • Flags: This is usually set to ACC, which represents SO_ACCEPTCON, meaning the socket is waiting for a connection request. SO_WAITDATA, represented as W, means there is data waiting to be read. SO_NOSPACE, represented as N, means there is no space to write data to the socket (that is, the send buffer is full).
  • Type: The socket type. See the type table below.
  • State: The state of the socket. See the state table below.
  • I-Node: The file system inode associated with this socket.
  • Path: The file system path to the socket.

The Unix domain socket Type can be one of the following:

  • DGRAM: The socket is being used in datagram mode, using messages of fixed length. Datagrams are neither guaranteed to be reliable, sequenced, nor unduplicated.
  • STREAM: This socket is a stream socket. This is the common "normal" type of socket connection. These sockets are designed to provide reliable, sequenced (in-order) delivery of packets.
  • RAW: This socket is being used as a raw socket. Raw sockets operate at the network layer of the OSI model and do not reference the transport-layer TCP and UDP headers.
  • RDM: This socket is at one end of a reliably delivered messages connection.
  • SEQPACKET: This socket is operating as a sequential packet socket, which is another means of providing reliable, sequenced, and unduplicated delivery of packets.
  • PACKET: Raw interface access socket. Packet sockets are used to receive or send raw packets at the device driver (i.e., data link layer) level of the OSI model.

The Unix domain socket State can be one of the following:

  • FREE: This socket is not allocated.
  • LISTENING: This socket is listening for incoming connection requests.
  • CONNECTING: This socket is in the process of connecting.
  • CONNECTED: A connection has been established, and the socket can receive and send data.
  • DISCONNECTING: The connection is in the process of being torn down.

Wow, that's a lot of information! Many of the options for netstat refine the results in one way or another, but they do not change the content too much. Let's take a look.

Listing sockets by type

The netstat -a command can give you more information than you need to see. If you want or need to see only the TCP sockets, you can use the -t (TCP) option to limit the display to TCP sockets only.

  netstat -at | less

The display is considerably reduced. The few sockets listed are all TCP sockets.

The -u (UDP) and -x (UNIX) options behave in the same way, limiting the results to the socket type given on the command line. Here is the -u (UDP) option in use:

  netstat -au | less

Only UDP sockets are listed.

Listing sockets by state

To view the sockets that are in the listening or waiting state, use the -l (listening) option.

  netstat -l | less

The sockets listed are those in the listening state.

This can be combined with the -t (TCP), -u (UDP) and -x (UNIX) options to home in on the sockets of interest. Let's look at listening TCP sockets:

  netstat -lt | less

Now we see only TCP listening sockets.

Network statistics by protocol

Use the -s (statistics) option to view statistics for a protocol, and add the -t (TCP), -u (UDP) or -x (UNIX) option to select which one. If you use only the -s (statistics) option, you see the statistics for all protocols. Let's look at the statistics for the TCP protocol.

  netstat -st | less

A collection of statistics for the TCP connections is displayed in less.

Show process names and PIDs

It can be useful to see the process ID (PID) of the process using a socket, along with the name of that process. The -p (program) option does just that. Let's see what the PIDs and process names are for the processes using a TCP socket in the listening state. We use sudo to make sure we receive all of the information available, including any information that would normally require root permissions.

  sudo netstat -p -at

Here is the output in a formatted table:

  Active Internet connections (servers and established)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
  tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN      6927/systemd-resolv
  tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      751/sshd
  tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN      7687/cupsd
  tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN      1176/master
  tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      751/sshd
  tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      7687/cupsd
  tcp6       0      0 ip6-localhost:smtp      [::]:*                  LISTEN      1176/master

We have an extra column called 'PID/Program name'. This column lists the PID and the name of the process using each of the sockets.

Listing numerical addresses

Another step we can take to remove any ambiguity is to display the local and remote addresses as IP addresses instead of their resolved domain and host names. If we use the -n (numeric) option, the IPv4 addresses are displayed in dotted-decimal notation:

  sudo netstat -an | less

The IP addresses are displayed as numeric values. The port numbers are also displayed, separated from the IP address by a colon ":".

An IP address of 127.0.0.1 shows that the socket is bound to the loopback address of the local computer. You can think of an IP address of 0.0.0.0 as meaning the "default route" for local addresses, and "any IP address" for foreign addresses. IPv6 addresses shown as "::" are also all-zero addresses.

The ports listed can easily be checked to see what their usual purpose is.
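The script below is an added example, written for this edit rather than taken from the original article or from the net-tools project. It applies two things explained above, the TCP state table and the difference between a 127.0.0.1 and a 0.0.0.0 local address, to netstat -ant output: the first function tallies sockets per state, the second lists the LISTEN sockets bound to a wildcard address (0.0.0.0 or ::), which are the ones reachable from other hosts, and the third flags a build-up of CLOSE_WAIT sockets, which points at a local program that never closes connections the remote side has already finished with. The sample output, its hosts, ports and states are constructed for the example; the functions read standard input, so real netstat -ant output can be piped into them in the same way.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (invented hosts, ports and
# states; not captured from a real machine). Real output can be piped into
# the functions below in exactly the same way.
SAMPLE_NETSTAT_ANT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0     52 192.168.4.10:22         192.168.4.20:51234      ESTABLISHED
tcp        0      0 192.168.4.10:22         192.168.4.21:51300      ESTABLISHED
tcp        0      0 192.168.4.10:43012      203.0.113.5:443         TIME_WAIT
tcp        0      0 192.168.4.10:43013      203.0.113.5:443         CLOSE_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# Read netstat -ant output on stdin and print one "STATE count" line per TCP
# state, sorted. Header lines are skipped because their first field does not
# start with "tcp"; the State column is field 6.
count_by_state() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Read netstat -ant output on stdin and print "proto local_address" for every
# LISTEN socket bound to a wildcard address (0.0.0.0 or ::). Those are the
# listeners reachable from other hosts; loopback-bound ones are left out.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { print $1, $4 }'
}

# Count CLOSE_WAIT sockets on stdin. Each one is a peer that has closed its
# side while the local program never called close(), so a growing pile is a
# common sign of a descriptor leak. Prints the count; returns 1 when it
# exceeds the limit given as the first argument (default 100).
close_wait_check() {
    limit="${1:-100}"
    count=$(awk '$1 ~ /^tcp/ && $6 == "CLOSE_WAIT"' | wc -l | tr -d ' ')
    echo "$count"
    [ "$count" -le "$limit" ]
}

printf '%s\n' "$SAMPLE_NETSTAT_ANT" | count_by_state
printf '%s\n' "$SAMPLE_NETSTAT_ANT" | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT_ANT" | close_wait_check 100
```

The state names in the table above are written with hyphens, as in the TCP specification; netstat itself prints them with underscores (ESTABLISHED, CLOSE_WAIT, TIME_WAIT, and so on), which is what the functions match on. Running the checks with -n, as here, also avoids a stall on reverse DNS lookups when the resolver is slow.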

RELATED: What is the difference between 127.0.0.1 and 0.0.0.0?

View the routing table

The -r (route) option displays the kernel routing table.

  sudo netstat -r

Here is the output in a well-formatted table:

  Kernel IP routing table
  Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
  default         Vigor.router    0.0.0.0         UG        0 0          0 enp0s3
  link-local      0.0.0.0         255.255.0.0     U         0 0          0 enp0s3
  192.168.4.0     0.0.0.0         255.255.255.0   U         0 0          0 enp0s3

And this is what the columns mean:

  • Destination: The destination network or device (if the destination is not a network).
  • Gateway: The gateway address. An asterisk "*" appears here if no gateway address is set.
  • Genmask: The subnet mask for the route.
  • Flags: See the flags table below.
  • MSS: Default Maximum Segment Size for TCP connections over this route; this is the largest amount of data that can be received in one TCP segment.
  • Window: The default window size for TCP connections over this route, indicating the number of packets that can be transferred and received before the receiving buffer is full. In practice, the packets are consumed by the receiving application.
  • irtt: The Initial Round Trip Time. This value is referenced by the kernel to make dynamic adjustments to TCP parameters for remote connections that respond slowly.
  • Iface: The network interface from which packets sent over this route are transmitted.

The Flags value can be one of the following:

  • U: The route is up.
  • H: The destination is a host and the only possible destination on this route.
  • G: Use the gateway.
  • R: Reinstate the route for dynamic routing.
  • D: Dynamically installed by the routing daemon.
  • M: Modified by the routing daemon when it received an Internet Control Message Protocol (ICMP) packet.
  • A: Installed by addrconf, the automated DNS and DHCP configuration file generator.
  • C: Cache entry.
  • !: Reject route.

Finding the port used by a process

If we pipe the output from netstat through grep, we can search for a process by name and identify the port it is using. We use the -a (all), -n (numeric) and -p (program) options used previously, and search for "sshd."

  sudo netstat -anp | grep "sshd"

grep finds the target string, and we see that the sshd daemon is using port 22.

Of course, we can also do this in reverse. If we search for ":22", we can find out which process is using that port, if any.

  sudo netstat -anp | grep ":22"

This time grep finds the ":22" target string, and we see that the process using this port is the sshd daemon, process ID 751.
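As an added example (not from the original article or from net-tools), here are two shell functions that do the same two lookups with awk instead of grep, reading sudo netstat -anp output from standard input: one finds every socket owned by a program name, the other finds the PID/Program name that owns a given local port. The sample output is constructed for the example; the 751/sshd entries reuse the PID from the article's listing, and the 4242/python3 listener on port 2222 is invented to show why the port match is anchored.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -anp` output (invented addresses and
# program names; not captured from a real host). Real output can be piped
# into the functions below instead.
SAMPLE_NETSTAT_ANP='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6927/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      751/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      7687/cupsd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      4242/python3
tcp        0      0 192.168.4.10:22         192.168.4.20:51234      ESTABLISHED 751/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      751/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6927/systemd-resolve'

# Sockets owned by a program name: prints "proto local_address" for each
# TCP/UDP socket whose PID/Program name field carries that name. The field is
# taken as the last one on the line ($NF) because UDP lines have no State
# column, so its position differs between TCP and UDP rows.
sockets_of_program() {
    awk -v name="$1" '$1 ~ /^(tcp|udp)/ { split($NF, p, "/"); if (p[2] == name) print $1, $4 }'
}

# Owner of a local port: prints the unique PID/Program name values whose
# local address ends in ":PORT". Anchoring on ":<port>$" means that port 22
# does not also match 2222, which a plain grep ":22" would.
owner_of_port() {
    awk -v port="$1" '$1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") { print $NF }' | sort -u
}

printf '%s\n' "$SAMPLE_NETSTAT_ANP" | sockets_of_program sshd
printf '%s\n' "$SAMPLE_NETSTAT_ANP" | owner_of_port 22
printf '%s\n' "$SAMPLE_NETSTAT_ANP" | owner_of_port 2222
```

Without sudo, netstat prints "-" in the PID/Program name column for sockets owned by other users, so owner_of_port will return "-" for those rows; run it with the privileges the article uses.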

A list of the network interfaces

The -i (interfaces) option displays a table of the network interfaces that netstat can discover.

  sudo netstat -i

Here is the output in a more readable form:

  Kernel Interface table
  Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
  enp0s3    1500  4520671      0      0 0       4779773      0      0      0 BMRU
  lo       65536    30175      0      0 0         30175      0      0      0 LRU

This is what the columns mean:

  • Iface: The name of the interface. The enp0s3 interface is the network interface to the outside world, and the lo interface is the loopback interface. The loopback interface allows processes on the computer to communicate with one another over network protocols, even if the computer is not connected to a network.
  • MTU: The Maximum Transmission Unit (MTU). This is the largest "packet" that can be sent. It consists of a header containing routing and protocol flags and other metadata, plus the data that is actually being transported.
  • RX-OK: The number of packets received with no errors.
  • RX-ERR: The number of packets received with errors. We want this to be as low as possible.
  • RX-DRP: The number of packets dropped (i.e., lost). We also want this to be as low as possible.
  • RX-OVR: The number of packets lost due to overflow on receive. This usually means the receiving buffer was full and could not accept any more data, but more data was received and had to be discarded. The lower this figure the better, and zero is perfect.
  • TX-OK: The number of packets transmitted with no errors.
  • TX-ERR: The number of packets transmitted with errors. We want this to be zero.
  • TX-DRP: The number of packets dropped when transmitting. Ideally, this should be zero.
  • TX-OVR: The number of packets lost due to overflow when transmitting. This usually means the send buffer was full and could not accept any more data, but more data was ready to be sent and had to be discarded.
  • Flg: Flags. See the flags table below.

The flags represent the following:

  • B: A broadcast address is in use.
  • L: This interface is a loopback device.
  • M: All packets are being received (i.e., in promiscuous mode). Nothing is filtered or discarded.
  • O: Address Resolution Protocol (ARP) is turned off for this interface.
  • P: This is a point-to-point (PPP) connection.
  • R: The interface is running.
  • U: The interface is up.
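As an added example, not part of the original article, the script below reads netstat -i output from standard input and reports the counters the column descriptions above say should be zero, plus the share of received packets that were errors or drops, which is a better signal on a busy interface than the raw count. The enp0s3 and lo rows mirror the article's table; the eth1 row with nonzero error and drop counts is constructed so that the check has something to report.

```shell
#!/bin/sh
# Constructed sample of `netstat -i` output. enp0s3 and lo mirror the
# article's healthy interfaces; eth1 is an invented interface with error and
# drop counters, added so the check has something to flag.
SAMPLE_NETSTAT_I='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp0s3    1500  4520671      0      0 0       4779773      0      0      0 BMRU
lo       65536    30175      0      0 0         30175      0      0      0 LRU
eth1      1500   812344     12    305 0          9981      0      3      0 BMRU'

# Read netstat -i output on stdin and print, for each interface with a nonzero
# error, drop or overrun counter, the interface name followed by the nonzero
# counters as NAME=value. Data rows are recognised by a numeric MTU in field
# 2, which skips the title and header lines. Column order follows the table:
# RX-ERR=$4 RX-DRP=$5 RX-OVR=$6 TX-ERR=$8 TX-DRP=$9 TX-OVR=$10.
interface_problems() {
    LC_ALL=C awk '$2 ~ /^[0-9]+$/ {
        out = ""
        if ($4  > 0) out = out " RX-ERR=" $4
        if ($5  > 0) out = out " RX-DRP=" $5
        if ($6  > 0) out = out " RX-OVR=" $6
        if ($8  > 0) out = out " TX-ERR=" $8
        if ($9  > 0) out = out " TX-DRP=" $9
        if ($10 > 0) out = out " TX-OVR=" $10
        if (out != "") print $1 out
    }'
}

# Share of received packets that were errors or drops, per interface, as a
# percentage to three decimal places. The denominator approximates the total
# received as RX-OK + RX-ERR + RX-DRP; rows with nothing received are skipped.
rx_loss_percent() {
    LC_ALL=C awk '$2 ~ /^[0-9]+$/ && $3 + $4 + $5 > 0 {
        printf "%s %.3f\n", $1, 100 * ($4 + $5) / ($3 + $4 + $5)
    }'
}

printf '%s\n' "$SAMPLE_NETSTAT_I" | interface_problems
printf '%s\n' "$SAMPLE_NETSTAT_I" | rx_loss_percent
```

Because these counters accumulate since boot, what matters operationally is the change between two runs; sampling the table on an interval and diffing the NAME=value output is the simplest way to see whether an interface is dropping packets right now.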

Multicast Group Membership List

Simply put, a multicast transmission allows a packet to be sent only once, regardless of the number of recipients. For services such as video streaming, for example, this increases efficiency from the sender's point of view enormously.

The -g (groups) option makes netstat list the multicast group membership of sockets on each interface.

  sudo netstat -g

The columns are fairly simple:

  • Interface: The name of the interface over which the socket is transmitting.
  • RefCnt: The reference count, which is the number of processes attached to the socket.
  • Group: The name or identifier of the multicast group.

The New Kids on the Block

The route, ip, ifconfig and ss commands can offer you a lot of what netstat can show you. They are all great commands and worth checking out.

We focused on netstat because it is universally available, regardless of which Unix-like operating system you are working on, even the obscure ones.



