netstat
netstat常用說明:用來顯示網路系統的資訊(連線、路由表、網路卡等等)
使用概念
- 第一個參數,決定資訊類型選擇
- 輸出格式控制(format)
Type of information
(none) By default, netstat displays a list of open sockets.
If you don't specify any address families,
then the active sockets of all configured address families will be printed.
--route , -r
Display the kernel routing tables. See the description in route(8) for details.
netstat -r and route -e produce the same output.
--groups , -g
Display multicast group membership information for IPv4 and IPv6.
--interfaces=iface , -I=iface , -i
Display a table of all network interfaces, or the specified iface.
--masquerade , -M
Display a list of masqueraded connections.
--statistics , -s(統計)
Display summary statistics for each protocol.
None Options(none時候的參數)
netstat [address_family_options]
[--tcp|-t] [--udp|-u] [--udplite|-U] [--sctp|-S] [--raw|-w]
[--listening|-l]
[--all|-a]
[--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users]
[--symbolic|-N]
[--extend|-e[--extend|-e]]
[--timers|-o] [--program|-p]
[--verbose|-v]
[--continuous|-c]
[--wide|-W]
[delay]
Common Options
--verbose , -v
Tell the user what is going on by being verbose.
Especially print some useful information about unconfigured address families.
--wide , -W
Do not truncate IP addresses by using output as wide as needed.
This is optional for now to not break existing scripts.
--numeric , -n
Show numerical addresses instead of trying to determine symbolic host,
port or user names.
--numeric-hosts
shows numerical host addresses but does not affect the resolution
of port or user names.
--numeric-ports
shows numerical port numbers but does not affect the resolution
of host or user names.
--numeric-users
shows numerical user IDs but does not affect the resolution of host or port names.
--protocol=family , -A
Specifies the address families (perhaps better described as low level protocols)
for which connections are to be shown. family is a comma (',') separated list of
address family keywords like inet, inet6, unix, ipx, ax25, netrom, econet, and ddp.
This has the same effect as using the --inet|-4, --inet6|-6, --unix|-x, --ipx,
--ax25, --netrom, and --ddp options.
The address family inet (Iv4) includes raw, udp, udplite and tcp protocol sockets.
-c, --continuous
This will cause netstat to print the selected information every second continuously.
-e, --extend
Display additional information. Use this option twice for maximum detail.
-o, --timers
Include information related to networking timers.
-p, --program
Show the PID and name of the program to which each socket belongs.
-l, --listening
Show only listening sockets. (These are omitted by default.)
-a, --all
Show both listening and non-listening
(for TCP this means established connections) sockets.
With the --interfaces option, show interfaces that are not up
-F
Print routing information from the FIB. (This is the default.)
-C
Print routing information from the route cache.
delay
Netstat will cycle printing through statistics every delay seconds.
Output(重要的輸出項目)
Proto
The protocol (tcp, udp, udpl, raw) used by the socket.
Recv-Q
Established: The count of bytes not copied by the user program connected to this socket.
Listening: Since Kernel 2.6.18 this column contains the current syn back‐log.
Send-Q
Established: The count of bytes not acknowledged by the remote host.
Listening: Since Kernel 2.6.18 this column contains the maximum size of the syn backlog.
Local Address
Address and port number of the local end of the socket.
Unless the --numeric (-n) option is specified,
the socket address is resolved to its canonical host name
(FQDN), and the port number is translated into the corresponding service name.
Foreign Address
Address and port number of the remote end of the socket. Analogous to "Local Address."
State
The state of the socket. Since there are no states in raw mode
and usually no states used in UDP and UDPLite, this column may be left blank.
Normally this can be one of several values:
ESTABLISHED
The socket has an established connection.
SYN_SENT
The socket is actively attempting to establish a connection.
SYN_RECV
A connection request has been received from the network.
FIN_WAIT1
The socket is closed, and the connection is shutting down.
FIN_WAIT2
Connection is closed, and the socket is waiting for a shutdown from the remote end.
TIME_WAIT
The socket is waiting after close to handle packets still in the network.
CLOSE The socket is not being used.
CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.
LAST_ACK
The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
LISTEN The socket is listening for incoming connections.
Such sockets are not included in the output
unless you specify the --listening (-l) or --all (-a) option.
CLOSING
Both sockets are shut down but we still don't have all our data sent.
UNKNOWN
The state of the socket is unknown.
User
The username or the user id (UID) of the owner of the socket.
PID/Program name
Slash-separated pair of the process id (PID) and process name of the process that owns the socket.
--program causes this column to be included. You will also
need superuser privileges to see this information on sockets you don't own.
This identification information is not yet available for IPX sockets.
Example
顯示所有listening or established的tcpnetstat -at
顯示所有listening的tcp
netstat -lt
顯示tcp的統計
netstat -st
顯示每個tcp socket所屬的程式PID跟名稱
netstat -apt //listening and established netstat -pt //established only netstat -ap | grep ssh //使用grep篩選
