Detailed explanation of netstat

高洛峰
2016-12-15 09:43:52

http://www.now163.net/2011/04/460.html Netstat command details how to close the TIME_WAIT connection and how to view nginx access traffic

http://kerry.blog.51cto.com/172631/105233 / Found a large number of TIME_WAIT solutions


================================ Netstat monitoring during stress testing

View concurrency status
# netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}'
This statement returns the following result
LAST_ACK 5
SYN_RECV 30
ESTABLISHED 1597
FIN_WAIT1 51
FIN_WAIT2 504
TIME_WAIT 1057
Here SYN_RECV is the number of requests waiting to be processed, ESTABLISHED is the normal data transfer state, and TIME_WAIT is the number of requests that have been processed and are waiting for the timeout to expire.

View mysql connection

#netstat -anp | grep mysql | wc -l


netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key,"\t",state[key]}'
You will get results similar to the following; the specific numbers will differ:

LAST_ACK 1
SYN_RECV 14
ESTABLISHED 79
FIN_WAIT1 28
FIN_WAIT2 3
CLOSING 5
TIME_WAIT 1669
Status: Description
CLOSED: No connection is active or in progress
LISTEN: The server is waiting for an incoming call
SYN_RECV: A connection request has arrived, waiting for confirmation
SYN_SENT: The application has started to open a connection
ESTABLISHED: Normal data transfer state
FIN_WAIT1: The application says it has finished
FIN_WAIT2: The other side has agreed to release
TIMED_WAIT: Waiting for all packets to die
CLOSING: Both sides are trying to close at the same time
TIME_WAIT: The other side has initiated a release
LAST_ACK: Waiting for all packets to die

In other words, this command classifies and summarizes the network connection states of the current system.

View the number of TIME_WAIT connections

netstat -ae|grep "TIME_WAIT" |wc -l


netstat -n | awk '/^tcp/ {++state[$NF]} END {for(key in state) print key,"\t",state[key]}'

Find the remote addresses with the most TIME_WAIT connections
netstat -n|grep TIME_WAIT|awk '{print $5}'|sort|uniq -c|sort -rn|head -n20


There are two ways to query the number of connections with netstat + awk; both have the same meaning:

1: netstat -pnt | awk '/^tcp/{print $5}' | cut -d: -f 1 | sort -n | uniq -c
2: netstat -pnt | awk '/^tcp/{s=split($5,N,":");A[N[s-1]]++} END{ for (k in A) print k ,A[k]}'
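
Both one-liners above split the foreign address on ":", which loses native IPv6 remote addresses. The following is an added example, not part of the original article: it counts remote addresses for one connection state, strips the port at the last colon, and folds IPv4-mapped IPv6 addresses into their IPv4 form. The sample input, its addresses, and the function names remote_by_state and flag_remotes are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -n` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:80         203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.168.1.10:80         203.0.113.7:51240       TIME_WAIT
tcp        0      0 192.168.1.10:80         203.0.113.7:51241       TIME_WAIT
tcp        0      0 192.168.1.10:80         198.51.100.9:40001      SYN_RECV
tcp        0      0 192.168.1.10:80         198.51.100.9:40002      SYN_RECV
tcp        0      0 192.168.1.10:80         198.51.100.9:40003      SYN_RECV
tcp6       0      0 2001:db8::10:443        2001:db8::99:50000      ESTABLISHED
tcp6       0      0 ::ffff:192.168.1.10:80  ::ffff:203.0.113.7:51300 TIME_WAIT
udp        0      0 192.168.1.10:53         192.0.2.1:5353          ESTABLISHED
EOF
}

# remote_by_state STATE: read netstat -n output on stdin and print
# "count address" for each remote address in STATE, busiest first.
remote_by_state() {
    awk -v want="$1" '
        /^tcp/ && $NF == want {
            addr = $5
            sub(/:[0-9]+$/, "", addr)   # drop the port: text after the LAST colon
            sub(/^::ffff:/, "", addr)   # fold IPv4-mapped IPv6 into plain IPv4
            n[addr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# flag_remotes STATE LIMIT: print only the addresses with LIMIT or more
# connections in STATE (hypothetical threshold, tune per service).
flag_remotes() {
    remote_by_state "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Demo on the constructed sample; on a live host use: netstat -n | remote_by_state TIME_WAIT
sample_netstat | remote_by_state TIME_WAIT
```

A single source holding many SYN_RECV entries is worth a closer look; on a real host, pipe netstat -n into flag_remotes SYN_RECV with a limit that fits the service.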

Netstat is used to display statistical data related to IP, TCP, UDP and ICMP protocols. It is generally used to check the network connection of each port of the machine.


netstat -ntlc Status

netstat -lp Identify the network services that are listening

netstat -rn Check the routing table

netstat -s View statistics on the operation of various network protocols

netstat -tln is used to view the port usage of Linux

netstat --ip -an

Linux view ports and services

  # netstat -tulpn 

 Or

  # netstat -npl

Parameters:

  -a or --all displays all connected sockets.
  -A or -- lists the relevant addresses in connections of this network type.
  -c or --continuous lists network status continuously.
  -C or --cache displays the cache information of the router configuration.
  -e or --extend displays other related information about the network.
  -F or --fib displays the FIB.
  -g or --groups displays the list of members of the multicast function group.
  -h or --help displays online help.
  -i or --interfaces displays the network interface information table.
  -l or --listening displays the sockets of listening servers.
  -M or --masquerade displays masqueraded network connections.
  -n or --numeric uses the IP address directly without going through the domain name server.
  -N or --netlink or --symbolic displays the symbolic link name of the network hardware peripheral device.
  -o or --timers displays timers.
  -p or --programs displays the process ID and program name of the program using each socket.
  -r or --route displays the routing table.
  -s or --statistics displays the network statistics table.
  -t or --tcp displays the connection status of the TCP transmission protocol.
  -u or --udp displays the connection status of the UDP transmission protocol.
  -v or --verbose displays the instruction execution process.
  -V or --version displays version information.
  -w or --raw displays the connection status of the RAW transfer protocol.
  -x or --unix has the same effect as specifying the "-A unix" parameter.
  --ip or --inet has the same effect as specifying the "-A inet" parameter.
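
The netstat -tulpn listing mentioned above is the usual starting point for reviewing which services other hosts can reach. The following is an added example, not part of the original article: it reads that output and prints every listener that is not bound to a loopback address, handling UDP rows (which have no State column) and program names that contain spaces. The sample input, its PIDs and program names, and the function name reachable_listeners are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not captured from a real host).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      1260/vsftpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      845/mysqld
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN      990/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      702/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
EOF
}

# reachable_listeners: read `netstat -tulpn` output on stdin and print
# "proto port owner" for every socket NOT bound to a loopback address.
reachable_listeners() {
    awk '
        /^(tcp|udp)/ {
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            addr = $4; sub(/:[^:]*$/, "", addr)   # address = text before the last colon
            port = $4; sub(/.*:/, "", port)       # port    = text after the last colon
            if (addr ~ /^127\./ || addr == "::1") next
            # UDP rows have an empty State column, so the owner is field 6, not 7.
            i = 6; if ($i !~ /^([0-9]+\/|-$)/) i = 7
            owner = $i
            for (j = i + 1; j <= NF; j++) owner = owner " " $j   # names may contain spaces
            print $1, port, owner
        }
    '
}

# Demo on the constructed sample; on a live host use: netstat -tulpn | reachable_listeners
sample_listeners | reachable_listeners
```

An owner of "-" means netstat was run without the privileges needed to see the owning process; rerun it as root before deciding whether the listener is expected.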

------------------------- ----------

Server side, port status changes

First configure the FTP service on this machine (IP address: 192.168.1.10), then access the FTP service from another computer (IP address: 192.168.1.1), and watch the port status change in TCPView.

The connection lines shown below are the part captured from TCPView.

1. LISTENING state

After the FTP service is started, it is first in the listening (LISTENING) state.

When the State shows LISTENING, it means it is in the listening state, which means that the port is open and waiting for connection, but it has not been connected yet. It's like the door to your house is open, but no one has come in yet.

TCPView shows that the program inetinfo.exe has opened port 21, the default port for FTP, so the FTP service is running on this machine and is currently in the listening state.

inetinfo.exe:1260 TCP 0.0.0.0:21 0.0.0.0:0 LISTENING

2. ESTABLISHED status

Now access the FTP service of 192.168.1.10 from the computer 192.168.1.1. In the TCPView of this machine, you can see that the port status changes to ESTABLISHED.

ESTABLISHED means a connection has been established: the two machines are communicating.

The following shows that the FTP service of this machine is being accessed by the computer 192.168.1.1.

inetinfo.exe:1260 TCP 192.168.1.10:21 192.168.1.1:3009 ESTABLISHED

Note: You must pay special attention to the connection in the ESTABLISHED state, because it may not be a normal connection. We will talk about this issue later.

3. TIME_WAIT state

Now the computer 192.168.1.1 ends accessing the FTP service of 192.168.1.10. In the TCPView of this machine, you can see that the port status changes to TIME_WAIT.

TIME_WAIT means this connection is ending: port 21 was accessed earlier, but the access has ended.

[System Process]:0 TCP 192.168.1.10:21 192.168.1.1:3009 TIME_WAIT

4. Tips

a. You can telnet to an open port to observe changes in the port. For example, if port 1025 is open, run the following at a command prompt (running cmd as shown in Figure 1):

telnet 192.168.1.10 1025

b. You can also test from this machine itself, but the display will then show this machine connected to itself.

c. Double-click a connection in TCPView to see the location of the program. Right-click the connection and select End Process to end the connection.

Client and port status changes

