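Netstat is a console command and a very useful tool for monitoring TCP/IP networks. It can display the routing table, the active network connections, and the status of each network interface. Netstat displays statistics for the IP, TCP, UDP and ICMP protocols, and is generally used to check the network connections on each port of the local host.
The netstat help output is as follows: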
[root@S0 ~]# netstat --help
usage: netstat [-veenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vnNcaeol] [<Socket> ...]
       netstat { [-veenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s } [delay]

        -r, --route                display routing table
        -I, --interfaces=<Iface>   display interface table for <Iface>
        -i, --interfaces           display interface table
        -g, --groups               display multicast group memberships
        -s, --statistics           display networking statistics (like SNMP)
        -M, --masquerade           display masqueraded connections

        -v, --verbose              be verbose
        -n, --numeric              don't resolve names
        --numeric-hosts            don't resolve host names
        --numeric-ports            don't resolve port names
        --numeric-users            don't resolve user names
        -N, --symbolic             resolve hardware names
        -e, --extend               display other/more information
        -p, --programs             display PID/Program name for sockets
        -c, --continuous           continuous listing

        -l, --listening            display listening server sockets
        -a, --all, --listening     display all sockets (default: connected)
        -o, --timers               display timers
        -F, --fib                  display Forwarding Information Base (default)
        -C, --cache                display routing cache instead of FIB
        -T, --notrim               stop trimming long addresses
        -Z, --context              display SELinux security context for sockets

  <Iface>: Name of interface to monitor/list.
  <Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)
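-a: list all connections
-t: list only TCP connections
-u: list only UDP connections
-x: list only UNIX domain sockets
-n: disable name resolution. By default netstat uses reverse DNS lookups to find the host name for each IP address, which slows the listing down. Use this option when the IP address is enough and you do not need the host name.
-l: list listening sockets
-p: show the process name, PID, and user ID
-r: show routing information (the routing table)
-e: show extended information, such as the UID
-s: show statistics per protocol
-c: repeat the netstat listing at a fixed interval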
-a, --all, --listening display all sockets (default: connected)
[root@S0 ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:8009                      *:*                         LISTEN
tcp        0      0 *:webcache                  *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     8544   @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    30891  @/org/kernel/udev/udevd
# List only TCP
[root@S0 ~]# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0    112 192.168.238.200:ssh         192.168.238.1:4534          ESTABLISHED
tcp        0      0 192.168.238.200:ssh         192.168.238.1:ehs           ESTABLISHED
# List only UDP
[root@S0 ~]# netstat -u
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
# List only UNIX sockets
[root@S0 ~]# netstat -x
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    30891  @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    40137  /dev/log
unix  2      [ ]         DGRAM                    76057
unix  3      [ ]         STREAM     CONNECTED     75487
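By default netstat uses reverse DNS lookups to find the host name for each IP address, which slows the listing down. If the IP address is enough and you do not need the host name, use the -n option to disable name resolution.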
[root@S0 ~]# netstat -tn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0     48 192.168.238.200:22          192.168.238.1:4534          ESTABLISHED
tcp        0      0 192.168.238.200:22          192.168.238.1:4535          ESTABLISHED
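Every network service daemon opens a port on which it listens for incoming requests. These listening sockets can be listed by netstat just like connected sockets. Use the -l option to list listening sockets; -t lists TCP connections and -u lists UDP connections.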
[root@S0 ~]# netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::8009                     :::*                        LISTEN
tcp        0      0 :::8080                     :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN
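Note: do not use the -a option here, otherwise netstat lists all connections rather than only the listening ports.
When using the -p option, netstat must run with root privileges; otherwise it cannot obtain the names of processes that run as root, and many services, including http and ftp, run as root.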
[root@S0 ~]# netstat -tnpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      21325/nginx
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      4031/sshd
tcp        0      0 :::8009                     :::*                        LISTEN      23517/java
tcp        0      0 :::8080                     :::*                        LISTEN      23517/java
tcp        0      0 :::22                       :::*                        LISTEN      4031/sshd
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN      23517/java
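An added example, not part of the original page: a small audit of the `netstat -tnpl` listing above that reports listeners bound to a wildcard address (reachable on every interface) whose port is not on an expected-services list. The function name `audit_listeners` and the allowlist "22 80" are assumptions made for this illustration.

```shell
#!/usr/bin/env bash
# Added example: audit TCP listeners parsed from `netstat -tnpl` output.
# audit_listeners and its allowlist argument are names made up for this example.
# Reads netstat output on stdin and prints "port address pid/program" for each
# listener bound to a wildcard address whose port is not in the allowlist.
audit_listeners() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      # Local Address is field 4; the port follows the last colon, so
      # ":::8080" splits into address "::" and port "8080".
      k = split($4, part, ":")
      port = part[k]
      addr = substr($4, 1, length($4) - length(port) - 1)
      # Wildcard binds accept connections on every interface; loopback
      # binds such as ::ffff:127.0.0.1 are not reachable from the network.
      if (addr != "0.0.0.0" && addr != "::" && addr != "*") next
      if (port in ok) next
      # Without root, netstat prints "-" instead of PID/Program name.
      print port, addr, $7
    }' | sort -k1,1n
}

# Sample input: the listener lines from the netstat -tnpl output above.
sample_output() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21325/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4031/sshd
tcp 0 0 :::8009 :::* LISTEN 23517/java
tcp 0 0 :::8080 :::* LISTEN 23517/java
tcp 0 0 :::22 :::* LISTEN 4031/sshd
tcp 0 0 ::ffff:127.0.0.1:8005 :::* LISTEN 23517/java
EOF
}

# Ports 22 and 80 are the expected services here (an assumption for the demo).
# On a live host: netstat -tnpl | audit_listeners "22 80"
sample_output | audit_listeners "22 80"
```

On the sample, the two java listeners on 8009 and 8080 are reported, while the 8005 listener bound to ::ffff:127.0.0.1 is skipped because it is loopback-only.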
The additional information includes the user name and the inode number.
[root@S0 ~]# netstat -ltpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address   State    User   Inode   PID/Program name
tcp        0      0 *:http            *:*               LISTEN   root   62752   21325/nginx
tcp        0      0 *:ssh             *:*               LISTEN   root   39988   4031/sshd
tcp        0      0 *:8009            *:*               LISTEN   root   75031   23517/java
tcp        0      0 *:webcache        *:*               LISTEN   root   75030   23517/java
tcp        0      0 *:ssh             *:*               LISTEN   root   39990   4031/sshd
tcp        0      0 localhost:mxi     *:*               LISTEN   root   75058   23517/java
Print network statistics, including the number of packets sent and received for a given protocol.
[root@S0 ~]# netstat -ts
IcmpMsg:
    InType0: 338
    InType3: 2
    OutType3: 3
    OutType8: 338
Tcp:
    1137 active connections openings
    705 passive connection openings
    450 failed connection attempts
    164 connection resets received
    2 connections established
    3348937 segments received
    3282332 segments send out
    21 segments retransmited
    0 bad segments received.
    797 resets sent
UdpLite:
...
Here, -t limits the statistics to TCP connections and -u limits them to UDP connections.
[root@S0 ~]# netstat -i
Kernel Interface table
Iface   MTU   Met   RX-OK    RX-ERR RX-DRP RX-OVR TX-OK    TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0     219469   0      0      0      145790   0      0      0      BMRU
lo      16436 0     3137282  0      0      0      3137282  0      0      0      LRU
Combining the -e option with the -i option produces more user-friendly output (the same as ip address).
[root@S0 ~]# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:0C:29:44:8C:43
          inet addr:192.168.238.200  Bcast:192.168.238.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe44:8c43/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:219481 errors:0 dropped:0 overruns:0 frame:0
          TX packets:145798 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:257279551 (245.3 MiB)  TX bytes:47793328 (45.5 MiB)
          Interrupt:19 Base address:0x2000
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:3137282 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3137282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:877832726 (837.1 MiB)  TX bytes:877832726 (837.1 MiB)
The output is similar to that of the ifconfig command.
[root@S0 ~]# netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eth0            1      all-systems.mcast.net
lo              1      ff02::1
eth0            1      ff02::1:ff44:8c43
eth0            1      ff02::1