
Detailed explanation of Netstat command (under windows)

高洛峰
2016-12-15 09:12:46

Netstat is used to display statistical data related to IP, TCP, UDP and ICMP protocols. It is generally used to check the network connection of each port of the machine.

If your computer sometimes receives datagrams that cause erroneous data or malfunctions, don’t be surprised. TCP/IP can tolerate these types of errors and automatically resend datagrams. But if the cumulative number of error conditions accounts for a large percentage of received IP datagrams, or if its number is increasing rapidly, then you should use Netstat to find out why these conditions occur.

Netstat detailed parameter list

(Winxp)

C:>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display the sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

(Win2000)

C:>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP.  If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

Some commonly used Netstat options

netstat -s: this option displays statistics separately for each protocol. If an application (such as a web browser) is running slowly or cannot display data such as web pages, use this option to look at the information it shows. Go through the lines of statistics carefully, find the keywords that indicate errors, and from there pin down where the problem lies.

netstat -e: this option displays statistics about Ethernet. The items listed include the total number of bytes of datagrams transmitted, the number of errors, the number discarded, the number of datagrams and the number of broadcasts. The statistics cover both datagrams sent and datagrams received. This option can be used to gather some basic network traffic figures.

netstat -r: this option displays information about the routing table, similar to what you see with the route print command discussed later. Besides the active routes, it also shows the currently active connections.

netstat -a: this option displays a list of all active connections, including established connections (ESTABLISHED), connections listening for requests (LISTENING), connections that have been closed (CLOSE_WAIT) and connections in a waiting state (TIME_WAIT), and so on.

netstat -n: displays all established active connections.

Microsoft deliberately hides this powerful command because it is somewhat complex for ordinary users. We already know that Netstat can be used to obtain information about your system's network connections (the ports in use, the protocols in use, and so on), the data received and sent, and the ports on the remote systems being connected to; Netstat reads all of this network information from memory.

In the Internet RFC standards, Netstat is defined as a program that accesses the network and related information in the kernel; it can provide reports on TCP connections, TCP and UDP listeners, and process memory management.

For the very curious, the theory above is far from enough, so next we explain the use of each parameter in detail, see what happens when it runs and what the displayed information means. Enough talk, let's try it together :)

C:>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    Eagle:ftp              Eagle:0                LISTENING
  TCP    Eagle:telnet           Eagle:0                LISTENING
  TCP    Eagle:smtp             Eagle:0                LISTENING
  TCP    Eagle:http             Eagle:0                LISTENING
  TCP    Eagle:epmap            Eagle:0                LISTENING
  TCP    Eagle:https            Eagle:0                LISTENING
  TCP    Eagle:microsoft-ds     Eagle:0                LISTENING
  TCP    Eagle:1030             Eagle:0                LISTENING
  TCP    Eagle:6059             Eagle:0                LISTENING
  TCP    Eagle:8001             Eagle:0                LISTENING
  TCP    Eagle:8005             Eagle:0                LISTENING
  TCP    Eagle:8065             Eagle:0                LISTENING
  TCP    Eagle:microsoft-ds     localhost:1031         ESTABLISHED
  TCP    Eagle:1031             localhost:microsoft-ds  ESTABLISHED
  TCP    Eagle:1040             Eagle:0                LISTENING
  TCP    Eagle:netbios-ssn      Eagle:0                LISTENING
  TCP    Eagle:1213             218.85.139.65:9002     CLOSE_WAIT
  TCP    Eagle:2416             219.133.63.142:https   CLOSE_WAIT
  TCP    Eagle:2443             219.133.63.142:https   CLOSE_WAIT
  TCP    Eagle:2907             192.168.1.101:2774     CLOSE_WAIT
  TCP    Eagle:2916             192.168.1.101:telnet   ESTABLISHED
  TCP    Eagle:2927             219.137.227.10:4899    TIME_WAIT
  TCP    Eagle:2928             219.137.227.10:4899    TIME_WAIT
  TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED
  TCP    Eagle:3455             218.85.139.65:9002     ESTABLISHED
  TCP    Eagle:netbios-ssn      Eagle:0                LISTENING
  UDP    Eagle:microsoft-ds     *:*
  UDP    Eagle:1046             *:*
  UDP    Eagle:1050             *:*
  UDP    Eagle:1073             *:*
  UDP    Eagle:1938             *:*
  UDP    Eagle:2314             *:*
  UDP    Eagle:2399             *:*
  UDP    Eagle:2413             *:*
  UDP    Eagle:2904             *:*
  UDP    Eagle:2908             *:*
  UDP    Eagle:3456             *:*
  UDP    Eagle:4000             *:*
  UDP    Eagle:4001             *:*
  UDP    Eagle:6000             *:*
  UDP    Eagle:6001             *:*
  UDP    Eagle:6002             *:*
  UDP    Eagle:6003             *:*
  UDP    Eagle:6004             *:*
  UDP    Eagle:6005             *:*
  UDP    Eagle:6006             *:*
  UDP    Eagle:6007             *:*
  UDP    Eagle:6008             *:*
  UDP    Eagle:6009             *:*
  UDP    Eagle:6010             *:*
  UDP    Eagle:6011             *:*
  UDP    Eagle:1045             *:*
  UDP    Eagle:1051             *:*
  UDP    Eagle:netbios-ns       *:*
  UDP    Eagle:netbios-dgm      *:*
  UDP    Eagle:netbios-ns       *:*
  UDP    Eagle:netbios-dgm      *:*

Let's take one line and explain it:

Proto  Local Address          Foreign Address        State

TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED

Protocol (Proto): TCP, the transport-layer communication protocol (what? don't know it? search Baidu for "TCP"; the seven-layer OSI model and the four-layer TCP/IP model are the basics ^_^)
Local machine name (Local Address): Eagle, commonly called the computer name, set when the system was installed and changeable in the properties of "My Computer"; the local port opened and used for the connection: 2929
Remote machine name (Foreign Address): 219.137.227.10
Remote port: 4899
State: ESTABLISHED

State list

LISTENING: in the listening state.
ESTABLISHED: a connection has been established.
TIME_WAIT: the connection is currently in a waiting state.

 

The -a parameter is often used to obtain the open ports of your local system. You can use it to check whether a Trojan has been installed on your system (ps: there are many good programs for detecting Trojans, but if your goal is to become a real hacker, manual detection is better than just clicking the "scan" button ---- personal opinion only). If you run Netstat on yourself and find the following, congratulations, you have won the most common Trojans: port 12345 (TCP) NetBus; port 31337 (UDP) Back Orifice. (^_^ The 4899 above is my own connection to another machine; radmin is commercial software and currently my favourite remote-control software.)
If you need a list of Trojans and their ports, look on a domestic H site, or Baidu, Google.

******************************************************************

  # A bit of background: maybe you have this question: "What does the port number after the machine name represent?"
  Example: Eagle:2929
  Ports below 1024 usually run network services; ports above 1024 are used to establish connections with remote machines.

******************************************************************



Let's continue with the -n parameter (netstat -n).
netstat -n is basically the numeric form of the -a parameter:

C:>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:445          127.0.0.1:1031         ESTABLISHED
  TCP    127.0.0.1:1031         127.0.0.1:445          ESTABLISHED
  TCP    192.168.1.180:1213     218.85.139.65:9002     CLOSE_WAIT
  TCP    192.168.1.180:2416     219.133.63.142:443     CLOSE_WAIT
  TCP    192.168.1.180:2443     219.133.63.142:443     CLOSE_WAIT
  TCP    192.168.1.180:2907     192.168.1.101:2774     CLOSE_WAIT
  TCP    192.168.1.180:2916     192.168.1.101:23       ESTABLISHED
  TCP    192.168.1.180:2929     219.137.227.10:4899    ESTABLISHED
  TCP    192.168.1.180:3048     192.168.1.1:8004       SYN_SENT
  TCP    192.168.1.180:3455     218.85.139.65:9002     ESTABLISHED



-a and -n are the two most commonly used. According to my incomplete testing, I get the following results:

1. -n displays the host in numeric form, that is, the IP address, rather than the computer name [Eagle]

2. -n only displays TCP connections (I haven't seen Microsoft's documentation on this anywhere; if any friends have seen it, remember to tell me ^_^)
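To make the -a/-n output easier to review in bulk, here is an added Python example (not part of the original article) that parses rows in the Windows netstat -an format shown above, counts TCP states, lists listening ports and remote peers, and flags listeners on the two ports the article associates with NetBus and Back Orifice. The sample text is constructed to match the article's format, not a real capture.

```python
from collections import Counter

# Constructed sample in the format of Windows "netstat -an" (not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.180:2929     219.137.227.10:4899    ESTABLISHED
  TCP    192.168.1.180:2927     219.137.227.10:4899    TIME_WAIT
  TCP    192.168.1.180:1213     218.85.139.65:9002     CLOSE_WAIT
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

# Ports the article associates with well-known Trojans (defender's watchlist).
WATCHLIST = {("TCP", 12345): "NetBus", ("UDP", 31337): "Back Orifice"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); port is an int when numeric, else a service name."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else port)


def parse_netstat(text):
    """Parse the socket rows of netstat -a/-n output into dicts, skipping headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or anything that is not a socket row
        lhost, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        # UDP rows carry no State column; treat every UDP socket as bound.
        state = parts[3] if len(parts) > 3 else "UDP"
        rows.append({"proto": parts[0], "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state})
    return rows


def summarize(rows):
    """Counts by TCP state, listening TCP ports, remote peers and watchlist hits."""
    states = Counter(r["state"] for r in rows if r["proto"] == "TCP")
    # Sort numeric ports before service names so -a (named) output also works.
    listening = sorted((r["lport"] for r in rows
                        if r["proto"] == "TCP" and r["state"] == "LISTENING"),
                       key=lambda p: (isinstance(p, str), p))
    peers = sorted({r["fhost"] for r in rows if r["state"] == "ESTABLISHED"})
    flagged = sorted((r["proto"], r["lport"], WATCHLIST[(r["proto"], r["lport"])])
                     for r in rows if (r["proto"], r["lport"]) in WATCHLIST)
    return {"states": states, "listening": listening,
            "peers": peers, "flagged": flagged}


if __name__ == "__main__":
    for key, value in summarize(parse_netstat(SAMPLE)).items():
        print(f"{key}: {value}")
```

Pipe real output in with `netstat -an | python thisscript.py` after replacing SAMPLE with `sys.stdin.read()`; with -a alone the ports are service names, so the watchlist only matches numeric (-n) output.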

Obtaining the IP is as good as obtaining everything; it is what makes a machine most vulnerable, so hiding one's own IP and obtaining other people's IPs is very important to hackers. IP-hiding techniques are very popular now, but do those hiding tools or services really make it hard for a hacker to get the IP? Are you invisible? I can't see it, haha; proxies and springboards are not part of today's discussion. For a simple example of obtaining the other party's IP, see my earlier article [Use DOS commands to check a QQ friend's IP address].

-a and -n are the most commonly used; if you want more detailed information for a particular protocol, you must use the -p parameter. It is really a variant of -a and -n. Look at an example and you will understand: [netstat -p @@@, where @@@ is TCP or UDP]

C:>netstat -p tcp

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    Eagle:microsoft-ds     localhost:1031         ESTABLISHED
  TCP    Eagle:1031             localhost:microsoft-ds  ESTABLISHED
  TCP    Eagle:1213             218.85.139.65:9002     CLOSE_WAIT
  TCP    Eagle:2416             219.133.63.142:https   CLOSE_WAIT
  TCP    Eagle:2443             219.133.63.142:https   CLOSE_WAIT
  TCP    Eagle:2907             192.168.1.101:2774     CLOSE_WAIT
  TCP    Eagle:2916             192.168.1.101:telnet   ESTABLISHED
  TCP    Eagle:2929             219.137.227.10:4899    ESTABLISHED
  TCP    Eagle:3455             218.85.139.65:9002     ESTABLISHED

Continuing the parameter explanations: -e

Meaning: this option displays statistics about Ethernet. The items listed include the total number of bytes of datagrams transmitted, the number of errors, the number discarded, the number of datagrams and the number of broadcasts. The statistics cover both datagrams sent and datagrams received. This option can be used to gather some basic network traffic figures.

C:>netstat -e

Interface Statistics

                           Received            Sent

Bytes                      44998789
Unicast packets              691805          363603
Non-unicast packets               0
Errors                            0               0
Unknown protocols              4449

If receive errors and send errors are close to zero or all zero, there is no problem with the network interface. But when these two fields show more than 100 errors, that can be considered a high error rate. A high send-error count indicates that the local network is saturated or that there is a poor physical connection between the host and the network; a high receive-error count indicates that the overall network is saturated, the local host is overloaded, or there is a problem with the physical connection. You can use the ping command to measure the error rate and further gauge the extent of the fault. The combination of netstat -e and ping can resolve most network problems.

Next come the two more complex parameters, -r and -s, which is why the author has left them until the end. They may involve other areas of knowledge, which will be covered in my blog later; I will keep writing them up, haha, I have been busy recently.

-r is used to display routing table information; let's look at an example:

C:>netstat -r

Route Table
===========================================================================
Interface List (network interface list)
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c f1 02 76 81 ...... Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
0x10004 ...00 02 3f 00 05 cb ...... Realtek RTL8139/810x Family Fast Ethernet NIC
===========================================================================
===========================================================================
Active Routes: (dynamic routing)
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.181      30
          0.0.0.0          0.0.0.0    192.168.1.254   192.168.1.180      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0    192.168.1.180   192.168.1.180      20
      192.168.1.0    255.255.255.0    192.168.1.181   192.168.1.181      30
    192.168.1.180  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.181  255.255.255.255        127.0.0.1       127.0.0.1      30
    192.168.1.255  255.255.255.255    192.168.1.180   192.168.1.180      20
    192.168.1.255  255.255.255.255    192.168.1.181   192.168.1.181      30
        224.0.0.0        240.0.0.0    192.168.1.180   192.168.1.180      20
        224.0.0.0        240.0.0.0    192.168.1.181   192.168.1.181      30
  255.255.255.255  255.255.255.255    192.168.1.180   192.168.1.180       1
  255.255.255.255  255.255.255.255    192.168.1.181   192.168.1.181       1
Default Gateway:     192.168.1.254 (default gateway)
===========================================================================
Persistent Routes: (static routing)
None

C:>

The function of the -s parameter was explained in detail earlier; here is an example:

C:>netstat -s

IPv4 Statistics (IP statistics)

  Packets Received                   = 369492   (number of packets received)
  Received Header Errors             = 0        (number of received header errors)
  Received Address Errors            = 2        (number of received address errors)
  Datagrams Forwarded                =          (number of datagrams forwarded)
  Unknown Protocols Received         = 0        (number received with unknown protocol)
  Received Packets Discarded         = 4203     (number of packets discarded after receipt)
  Received Packets Delivered         = 365287   (number of packets delivered after receipt)
  Output Requests                    = 369066   (number of output requests)
  Routing Discards                   = 0        (number of routing discards)
  Discarded Output Packets           = 2172     (number of output packets discarded)
  Output Packet No Route             = 0        (output packets with no route)
  Reassembly Required                = 0        (number of reassemblies required)
  Reassembly Successful              = 0        (number of successful reassemblies)
  Reassembly Failures                = 0        (number of reassembly failures)
  Datagrams Successfully Fragmented  = 0        (number of datagrams fragmented successfully)
  Datagrams Failing Fragmentation    = 0        (number of datagrams that failed fragmentation)
  Fragments Created                  = 0        (number of fragments created)

ICMPv4 Statistics (ICMP statistics), with two columns: Received and Sent

                            Received    Sent
  Messages                  285         784
  Errors                    0
  Parameter Problems
  Source Quenches
  Timestamp Replies         0           0
  Address Masks             0

TCP Statistics for IPv4 (TCP statistics)

  Passive Opens                      =
  Current Connections                = 9        (current number of connections)
  Segments Received                  = 350143   (number of segments received)
  Segments Sent                      = 347561   (number of segments sent)
  Segments Retransmitted             = 6108     (number of segments retransmitted)

UDP Statistics for IPv4 (UDP statistics)

  Datagrams Received    = 14309   (datagrams received)
  No Ports              = 1360    (datagrams received for a port with no listener)
  Receive Errors        = 0       (receive errors)
  Datagrams Sent        = 14524   (datagrams sent)

C:>
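As an added example (not from the article), the following Python parses the "Name = value" sections of netstat -s output into a dictionary and turns the raw counters into the ratios the article says to look for: discards against packets handled, retransmissions against segments sent, and UDP datagrams that arrived for ports nobody was listening on. The sample block is constructed from the counters shown above; the 1% warning threshold is an assumption, not a figure from the article.

```python
# Constructed excerpt in the format of Windows "netstat -s"; the counter values are
# the ones shown in the article's sample output, not a fresh capture.
SAMPLE = """\
IPv4 Statistics

  Packets Received                   = 369492
  Received Header Errors             = 0
  Received Address Errors            = 2
  Received Packets Discarded         = 4203
  Received Packets Delivered         = 365287
  Output Requests                    = 369066
  Discarded Output Packets           = 2172

TCP Statistics for IPv4

  Current Connections                = 9
  Segments Received                  = 350143
  Segments Sent                      = 347561
  Segments Retransmitted             = 6108

UDP Statistics for IPv4

  Datagrams Received    = 14309
  No Ports              = 1360
  Receive Errors        = 0
  Datagrams Sent        = 14524
"""


def parse_netstat_s(text):
    """Return {section: {counter: int}}; headers are unindented, counters indented."""
    stats, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip()
            stats[section] = {}
            continue
        name, sep, value = line.partition("=")
        if sep and section is not None:
            stats[section][name.strip()] = int(value)
    return stats


def pct(numerator, denominator):
    """Percentage that tolerates a zero denominator (fresh boot, idle interface)."""
    return 100.0 * numerator / denominator if denominator else 0.0


def health(stats, warn_pct=1.0):
    """Derive error ratios; warn_pct is an assumed threshold, not from the article."""
    ip = stats["IPv4 Statistics"]
    tcp = stats["TCP Statistics for IPv4"]
    udp = stats["UDP Statistics for IPv4"]
    checks = {
        "ip_rx_discard_pct": pct(ip["Received Packets Discarded"], ip["Packets Received"]),
        "ip_tx_discard_pct": pct(ip["Discarded Output Packets"], ip["Output Requests"]),
        "tcp_retransmit_pct": pct(tcp["Segments Retransmitted"], tcp["Segments Sent"]),
        "udp_no_port_pct": pct(udp["No Ports"], udp["Datagrams Received"]),
    }
    warnings = [name for name, value in checks.items() if value > warn_pct]
    return checks, warnings


if __name__ == "__main__":
    checks, warnings = health(parse_netstat_s(SAMPLE))
    for name, value in checks.items():
        print(f"{name:20s} {value:6.2f}%{'  <-- high' if name in warnings else ''}")
```

A high UDP "No Ports" share on an otherwise healthy host is worth a second look, since it means something is sending datagrams to ports this machine is not serving.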
