netstat是一个监控TCP/IP网络的非常有用的工具,它可以显示路由表、实际的网络连接以及每一个网络接口设备的状态信息。
netstat用于显示与IP、TCP、UDP和ICMP协议相关的统计数据,一般用于检验本机各端口的网络连接情况。
1 常用参数
-r # 显示路由表(跟route类似) -n # 不解析域名 -a # 显示所有连接的状态 -t # 仅列出TCP数据包的连接 -u # 仅列出UDP数据包的连接 -l # 列出已在监听的服务的网络状态 -p # 列出pid与program的文件名 -c # 设置几秒钟更新一次 #以下不常用 -I # 显示iFace接口表 -i # 显示接口表 -g # 显示多播组成员 -s # 显示网络统计数据(如SNMP) -M # 显示伪装连接 -v # 显示详细verbose -W # 不要截断IP地址 -N # 解析硬件名称 -e # 显示其他/更多信息 -o # 显示计时器
2 常用参数组合
(1) netstat -rn 列出当前路由表状态和route -n一样
[@tc_62_179 ~]# netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 0.0.0.0 10.153.63.250 0.0.0.0 UG 0 0 0 eth1 10.0.0.0 10.143.63.254 255.0.0.0 UG 0 0 0 eth0 10.13.0.0 10.153.63.254 255.255.0.0 UG 0 0 0 eth1 10.14.0.0 10.153.63.254 255.255.0.0 UG 0 0 0 eth1 10.143.56.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0 10.144.0.0 10.153.63.254 255.240.0.0 UG 0 0 0 eth1 10.153.56.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1 192.168.0.0 10.143.63.254 255.255.0.0 UG 0 0 0 eth0 [@tc_62_179 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 10.153.63.250 0.0.0.0 UG 0 0 0 eth1 10.0.0.0 10.143.63.254 255.0.0.0 UG 0 0 0 eth0 10.13.0.0 10.153.63.254 255.255.0.0 UG 0 0 0 eth1 10.14.0.0 10.153.63.254 255.255.0.0 UG 0 0 0 eth1 10.143.56.0 0.0.0.0 255.255.248.0 U 0 0 0 eth0 10.144.0.0 10.153.63.254 255.240.0.0 UG 0 0 0 eth1 10.153.56.0 0.0.0.0 255.255.248.0 U 0 0 0 eth1 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth1 192.168.0.0 10.143.63.254 255.255.0.0 UG 0 0 0 eth0
(2)netstat -an 列出当前所有连接的状态,使用ip和port number
[@tc_62_179 ~]# netstat -an Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 10.143.62.179:873 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 10.153.62.179:60458 10.153.17.83:80 TIME_WAIT tcp 0 0 10.153.62.179:60455 10.153.17.83:80 TIME_WAIT tcp 0 0 10.153.62.179:60454 10.153.17.83:80 TIME_WAIT tcp 0 0 10.153.62.179:38905 10.153.10.111:80 TIME_WAIT tcp 0 0 10.153.62.179:60456 10.153.17.83:80 TIME_WAIT tcp 1 0 10.153.62.179:60633 10.153.51.59:10020 CLOSE_WAIT tcp 0 0 10.153.62.179:60459 10.153.17.83:80 TIME_WAIT tcp 0 0 10.153.62.179:38906 10.153.10.111:80 TIME_WAIT tcp 0 0 10.153.62.179:22 10.149.239.20:58823 ESTABLISHED tcp 0 0 10.153.62.179:38914 10.153.10.111:80 TIME_WAIT tcp 0 0 10.153.62.179:38913 10.153.10.111:80 TIME_WAIT tcp 0 0 10.153.62.179:60457 10.153.17.83:80 TIME_WAIT tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:25 :::* LISTEN udp 0 0 10.153.62.179:55802 193.228.143.22:123 ESTABLISHED udp 0 0 10.153.62.179:53007 5.79.108.34:123 ESTABLISHED udp 0 0 127.0.0.1:323 0.0.0.0:* udp 0 0 10.153.62.179:62644 212.47.249.141:123 ESTABLISHED udp6 0 0 ::1:323 :::* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 334871 /run/systemd/private unix 2 [ ACC ] STREAM LISTENING 10274 /run/lvm/lvmetad.socket unix 2 [ ACC ] SEQPACKET LISTENING 10277 /run/udev/control unix 2 [ ] DGRAM 10279 /run/systemd/shutdownd unix 2 [ ACC ] STREAM LISTENING 10320 /run/lvm/lvmpolld.socket unix 2 [ ] DGRAM 7516 /run/systemd/notify
netstat的输出主要有两个部分:
Active Internet connections:称为有源TCP/IP连接,其中"Recv-Q"和"Send-Q"指的是接收队列和发送队列。这些数字一般都应该是0。如果不是则表示软件包正在队列中堆积。这种情况只能在非常少的情况见到。
Active UNIX domain sockets:称为有源Unix域套接口(和网络套接字一样,但是只能用于本机通信,性能可以提高一倍)。
每一列的意思:
Proto :该连接的数据包协议,主要为TCP/UDP数据包
Recv-Q :由非用户程序连接所复制而来的总字节数
Send-Q :由远程主机发送过来,但不具有ACK标志的总字节数,也指主动连接SYN或其他标志的数据包所占的字节数;
Local Address :本地端的地址和端口
Foreign Address :远程主机的地址和端口
State:状态栏。主要有以下状态:
ESTABLISHED 已建立连接的状态 SYN_SENT 发出主动连接(SYN)的数据包 SYN_RECV 接收到一个要求连接的主动连接数据包 FIN_WAIT1 该套接字服务已中断,该连接正在断线中 FIN_WAIT2 该连接已挂断,正在等待对方主机响应断线确认的数据包 TIME_WAIT 连接已挂断,但socket还在网络上等待结束 CLOSE_WAIT 等待从本地用户发来的连接中断请求 LISTEN 侦听来自远方的TCP端口的连接请求
(3)列出目前已经启动的网络服务netstat -tulnp
[@tc_62_179 ~]# netstat -tulnp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 10.143.62.179:873 0.0.0.0:* LISTEN 24245/rsync tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 920/sshd tcp6 0 0 :::22 :::* LISTEN 920/sshd tcp6 0 0 ::1:25 :::* LISTEN 1452/master udp 0 0 127.0.0.1:323 0.0.0.0:* 488/chronyd udp6 0 0 ::1:323 :::* 488/chronyd
最重要的是l参数,可列出仅在监听的port.
(4)查看本机上所有网络连接状态netstat -atunp
[@tc_62_179 ~]# netstat -atunp Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 10.143.62.179:873 0.0.0.0:* LISTEN 24245/rsync tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 920/sshd tcp 0 0 10.153.62.179:39282 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:39287 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:50657 10.149.227.21:80 TIME_WAIT - tcp 0 0 10.153.62.179:60835 10.153.17.83:80 TIME_WAIT - tcp 0 0 10.153.62.179:39289 10.153.10.111:80 TIME_WAIT - tcp 1 0 10.153.62.179:60633 10.153.51.59:10020 CLOSE_WAIT 6747/sshd: root@pts tcp 0 0 10.153.62.179:39284 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:39286 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:39280 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:60838 10.153.17.83:80 TIME_WAIT - tcp 0 0 10.153.62.179:22 10.149.239.20:58823 ESTABLISHED 6747/sshd: root@pts tcp 0 0 10.153.62.179:39283 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:60828 10.153.17.83:80 TIME_WAIT - tcp 0 0 10.153.62.179:39285 10.153.10.111:80 TIME_WAIT - tcp 0 0 10.153.62.179:39290 10.153.10.111:80 TIME_WAIT - tcp6 0 0 :::22 :::* LISTEN 920/sshd tcp6 0 0 ::1:25 :::* LISTEN 1452/master udp 0 0 10.153.62.179:59223 5.79.108.34:123 ESTABLISHED 488/chronyd udp 0 0 10.153.62.179:40293 108.59.2.24:123 ESTABLISHED 488/chronyd udp 0 0 10.153.62.179:44995 193.228.143.22:123 ESTABLISHED 488/chronyd udp 0 0 127.0.0.1:323 0.0.0.0:* 488/chronyd udp6 0 0 ::1:323 :::* 488/chronyd
kill加粗那条连接直接kill -9 6747即可。