A detailed introduction to the netstat command in Linux

1. Introduction

Netstat is a console command and a very useful tool for monitoring TCP/IP networks. It can display routing tables, actual network connections, and status information of each network interface device.

Netstat is used to display statistical data related to IP, TCP, UDP and ICMP protocols, and is generally used to check the network connection status of each port on the local machine.

2. Output Information Description

The output after executing netstat is as follows:

[root@sy-suz-srv51 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 k8sdev.sui:sun-sr-https k8sdev.suiyi.com.:34880 SYN_RECV
tcp 0 0 k8sdev.suiyi.com.c:2379 10.1.62.21:47910 ESTABLISHED
tcp 0 0 k8sdev.suiyi.com.c:2379 k8sdev.suiyi.com.:37790 ESTABLISHED
tcp 0 0 sy-suz-srv:pcsync-https 10.1.62.162:49200 ESTABLISHED
tcp 0 0 k8sdev.suiyi.com.:52866 k8sdev.sui:sun-sr-https ESTABLISHED
tcp 0 0 k8sdev.suiyi.com.:37728 k8sdev.suiyi.com.c:2379 ESTABLISHED
tcp 0 0 k8sdev.sui:sun-sr-https k8sdev.suiyi.com.:52852 ESTABLISHED
tcp 0 0 k8sdev.sui:sun-sr-https 10.1.62.162:32841 ESTABLISHED
tcp 0 0 sy-suz-srv:pcsync-https sy-suz-srv51:60094 ESTABLISHED
tcp 0 0 localhost:webcache localhost:40136 ESTABLISHED
tcp 0 0 k8sdev.suiyi.com.:35466 10.1.62.21:sun-sr-https ESTABLISHED
tcp 0 0 k8sdev.suiyi.com.:34358 10.1.62.21:sun-sr-https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] DGRAM 18442 /run/systemd/notify
unix 2 [ ] DGRAM 18444 /run/systemd/cgroups-agent
unix 2 [ ] DGRAM 23822 /var/run/chrony/chronyd.sock
unix 8 [ ] DGRAM 18455 /run/systemd/journal/socket
unix 18 [ ] DGRAM 18457 /dev/log
unix 2 [ ] DGRAM 14151 /var/run/nscd/socket
unix 2 [ ] DGRAM 584 /run/systemd/shutdownd
unix 3 [ ] STREAM CONNECTED 124439388 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 42312 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 39909
unix 3 [ ] STREAM CONNECTED 21675
unix 3 [ ] STREAM CONNECTED 47538
unix 3 [ ] STREAM CONNECTED 124585242 /var/run/docker/containerd/docker-containerd.sock
unix 3 [ ] STREAM CONNECTED 21658
unix 2 [ ] STREAM CONNECTED 30160
unix 3 [ ] STREAM CONNECTED 33750 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 124614293 @/containerd-shim/moby/c44e49ee0f86d8a4109afb176701795c64f44655abb1861275bbd3b2a9f76394/shim.sock
unix 3 [ ] STREAM CONNECTED 124609611 @/containerd-shim/moby/a736ba153c07f0bbf099ae1a1069530e35bfa28ae93f8f235d6c35a6c5ed9ce7/shim.sock
unix 3 [ ] STREAM CONNECTED 124601653 @/containerd-shim/moby/20d3fd59d03455d45b1da2636fca25d0edd79dac1947c17045a797eb8506157c/shim.sock

The output of netstat can be divided into two parts:

1. Active Internet connections are active TCP connections, where "Recv-Q" and "Send-Q" refer to the receive queue and send queue. These numbers should generally be 0. If they are not, packets are piling up in the queue. This situation can only be seen in very rare cases.

2. Active UNIX domain sockets are active Unix domain sockets (same as network sockets, but can only be used for local communication, and the performance can be doubled).

Column name explanation:

Proto: Displays the protocol used by the connection.

RefCnt: Indicates the number of processes connected to this socket.

Type: Displays the type of socket.

State: Displays the current state of the socket.

Path: Indicates the path name used by other processes connected to the socket.

3. Common parameters of netstat

-a (all) Display all sockets. By default, sockets in the LISTEN state are not displayed.

-t (tcp) Display only TCP connections.

-u (udp) Display only UDP connections.

-n Do not resolve names; hosts, ports and users are shown as numbers.

-l List only the services in the LISTEN state.

-p Display the name of the program that created the connection

-r Display routing information, routing table

-e Display extended information, such as uid, etc.

-s Statistics by protocol

-c Execute the netstat command at a fixed time interval.

The LISTEN and LISTENING states can only be seen with -a or -l.
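
The flags above are often combined as netstat -lntp to see what is listening and which program owns each socket. The following shell script is an added example, not part of the original article: it classifies each TCP listener by how widely it is bound. The sample output, program names and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -lntp` output (made-up services).
# Without root, -p prints "-" for sockets owned by other users.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 127.0.0.1:2379          0.0.0.0:*               LISTEN      1500/etcd
tcp        0      0 10.1.62.23:443          0.0.0.0:*               LISTEN      1733/haproxy
tcp6       0      0 :::8080                 :::*                    LISTEN      2210/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      -
EOF
}

# classify_listeners: reads `netstat -lntp` on stdin, prints "scope port owner".
#   ALL   = bound to every interface (0.0.0.0 or ::)
#   LOCAL = loopback only
#   ADDR  = bound to one specific address
classify_listeners() {
    awk '/^tcp/ && $6 == "LISTEN" {
        addr = $4; port = $4
        sub(/:[^:]*$/, "", addr)      # strip the port (text after the last colon)
        sub(/.*:/, "", port)          # keep only the port
        if (addr == "0.0.0.0" || addr == "::")      scope = "ALL"
        else if (addr ~ /^127\./ || addr == "::1")  scope = "LOCAL"
        else                                        scope = "ADDR"
        owner = $7; sub(/^[0-9]+\//, "", owner)     # drop the PID prefix
        if (owner == "-") owner = "unknown"
        print scope, port, owner
    }' | sort -k1,1 -k2,2n
}

# exposed_ports: ports reachable on every interface, one per line
exposed_ports() { classify_listeners | awk '$1 == "ALL" { print $2 }'; }

sample_listeners | classify_listeners
```

On a live host, replace sample_listeners with netstat -lntp run as root so that every owner is named.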

4. Detailed explanation of netstat network status

A normal TCP connection has three stages: 1. the TCP three-way handshake; 2. data transmission; 3. the TCP four-way handshake that closes the connection.

As shown in the figure:

SYN : (Synchronize Sequence Numbers) This flag is only valid when a TCP connection is established through a three-way handshake. Indicates a new TCP connection request.

ACK : (Acknowledgement Number) is a confirmation mark for the TCP request, and it also prompts the peer system that all data has been successfully received.

FIN : (end flag, FINish) is used to end a TCP session. But the corresponding port is still open, ready to receive subsequent data.

LISTEN : First, the server needs to open a socket for listening; its status is LISTEN. The socket is listening for incoming connections, that is, for connection requests from remote TCP ports.

SYN_SENT : The client application calls connect to perform an active open. The client TCP sends a SYN to request a connection and sets the state to SYN_SENT. The socket is actively attempting to establish a connection: after sending the connection request, it waits for a matching connection request.

SYN_RECV : The server sends an ACK to confirm the client's SYN and at the same time sends its own SYN to the client, then sets the state to SYN_RECV. A connection request has been received from the network; after receiving and sending a connection request, the socket waits for confirmation of the connection request.

ESTABLISHED : Represents an open connection; both parties can exchange data or have already done so. The socket has an established connection, and data can be transmitted to the user.

FIN_WAIT1 : The application on the active-close side calls close, so its TCP sends a FIN to actively close the connection and enters the FIN_WAIT1 state. The socket is closed, and the connection is shutting down. It waits for the remote TCP's connection shutdown request, or for confirmation of the connection shutdown request it sent.

CLOSE_WAIT : After receiving the FIN, the TCP on the passive-close side sends an ACK in response (receipt of the FIN is also passed to the upper-layer application as an end-of-file mark) and enters CLOSE_WAIT. The remote end has shut down, and the socket is waiting to be closed, that is, waiting for the connection interruption request from the local user.

FIN_WAIT2 : After the active-close side receives the ACK, it enters FIN_WAIT2. The connection is closed, and the socket is waiting for a shutdown request from the remote end.

LAST_ACK : Some time later, the application on the passive-close side, having received the end-of-file mark, calls close to close the connection. This causes its TCP to send a FIN as well and to enter LAST_ACK while it waits for the other party's ACK. The remote end has shut down, and the socket is closed, waiting for acknowledgment of the connection interruption request it sent to the remote TCP.

TIME_WAIT : After receiving the FIN, the TCP on the active-close side sends an ACK and enters the TIME_WAIT state. The socket is waiting after close to handle packets still in the network, long enough to ensure that the remote TCP receives the acknowledgment of its connection termination request.

CLOSING : Less common. Both sockets are shut down, but we still don't have all our data sent. Waiting for the remote TCP to confirm that the connection is interrupted.

CLOSED : After receiving the ACK packet, the passive-close side enters the CLOSED state. The connection is ended, the socket is not being used, and there is no connection status.

The formation of TIME_WAIT state only occurs on the party that actively closes the connection.

After receiving the FIN request from the passive closing party, the active closing party sends an ACK to the other party and then changes its own state from FIN_WAIT2 to TIME_WAIT. It must wait for 2 times the MSL (Maximum Segment Lifetime, the time a datagram can exist in the internet); only then can both parties change the status to CLOSED and close the connection. Currently, the TIME_WAIT state in RHEL is maintained for 60 seconds.

Related keepalive parameters for Linux

1. tcp_keepalive_time – INTEGER

How often TCP sends out keepalive messages when keepalive is enabled. (Default: 2 hours)

The amount of time, in seconds, that a connection needs to be idle before TCP starts sending keepalive probe packets.

2. tcp_keepalive_probes – INTEGER

How many keepalive probes TCP sends out, until it decides that the connection is broken. (Default value: 9)

The maximum number of TCP keepalive detection packets sent. The default is 9. If the peer still does not respond after sending 9 keepalive detection packets, the connection will be closed.

3. tcp_keepalive_intvl – INTEGER

How frequently the probes are sent out. Multiplied by tcp_keepalive_probes, it is the time to kill a non-responding connection after probes have started. Default value: 75 sec, i.e. the connection will be aborted after ~11 minutes of retries.

The interval between sending two TCP keepalive detection packets is 75 seconds by default.

5. Commonly used netstat related commands

1. List all ports #netstat -a

2. List all TCP ports #netstat -at

3. List all udp ports #netstat -au

4. Only display the listening ports #netstat -l

5. Only list all listening TCP ports #netstat -lt

6. Only list all listening udp ports #netstat -lu

7. List all listening UNIX ports #netstat -lx

8. Display statistics of all ports #netstat -s

9. Display statistics of TCP or UDP ports #netstat -st or -su

10. Display PID and process name in the output #netstat -p

11. Do not resolve host, port and user names in the netstat output

When you do not want the host, port and user names to be displayed, use netstat -n. Numbers will be used in place of those names.

It can also speed up output because no name lookups are required.

#netstat -an

If you just don't want one of the three names to be resolved, use one of the following commands

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

12. Continuously output netstat information #netstat -c

13. Find out which program is using a port #netstat -ap | grep ':80'

14. View the IP addresses with the most connections to a service port (top 20)

#netstat -nat | grep "10.1.62.23:443" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20

15. TCP various status list 

#netstat -nat |awk '{print $6}'

Statistical quantity

#netstat -nat |awk '{print $6}'|sort|uniq -c

Sorting

#netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

#netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
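
Items 14 and 15 can be combined to show which remote addresses hold the most sockets in one particular state on a service port, for example half-open SYN_RECV entries. The script below is an added example, not part of the original article. It also removes only the text after the last colon, so IPv6 peers are not cut short the way awk -F: '{print $1}' would cut them. The sample output and function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output (addresses are made up).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.1.62.23:443          10.1.62.162:49200       ESTABLISHED
tcp        0      0 10.1.62.23:443          10.1.62.162:49201       ESTABLISHED
tcp        0      0 10.1.62.23:443          10.1.62.21:47910        SYN_RECV
tcp        0      0 10.1.62.23:443          10.1.62.21:47911        SYN_RECV
tcp        0      0 10.1.62.23:443          10.1.62.21:47912        SYN_RECV
tcp        0      0 10.1.62.23:22           10.1.62.162:51000       ESTABLISHED
tcp6       0      0 2001:db8::23:443        2001:db8::a1:40000      SYN_RECV
tcp6       0      0 ::ffff:10.1.62.23:443   ::ffff:10.1.62.162:50000 ESTABLISHED
EOF
}

# peers_by_state LOCAL_PORT STATE
# Reads `netstat -nat` output on stdin; prints "count peer", highest count first.
peers_by_state() {
    awk -v port="$1" -v state="$2" '
        /^tcp/ && $6 == state {
            lport = $4; sub(/.*:/, "", lport)     # text after the last colon
            if (lport != port) next
            peer = $5; sub(/:[^:]*$/, "", peer)   # drop only the port
            sub(/^::ffff:/, "", peer)             # IPv4-mapped IPv6 -> IPv4
            n[peer]++
        }
        END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

# half_open_over LOCAL_PORT LIMIT
# Peers holding more than LIMIT sockets in SYN_RECV on that port.
half_open_over() {
    peers_by_state "$1" SYN_RECV | awk -v limit="$2" '$1 > limit { print $2 }'
}

sample_netstat | peers_by_state 443 SYN_RECV
```

On a live host, feed it real data with netstat -nat | peers_by_state 443 SYN_RECV.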

16. Directly count the number of TCP listeners

#netstat -lnt | grep -c '^tcp'
