Analyse Linux Network with netstat
Under Linux, netstat displays the existing network connections, routing tables, interface statistics, masquerading connections and multicast memberships. This article will show several application examples of netstat. In addition to netstat, iptstate will also show existing network connections (displayed in real time).
Examples
Displaying Network Connections
netstat -tapen
is appropriate for displaying the currently existing network connections. The individual parameters have the following meanings:
- -t (only display TCP connections, -u would show only UDP connections)
- -a (show all connections, both connections that have the status=LISTEN as well as other states)
- -p (show the PIDs and the program names, which belong to those connections)
- -e (extended display showing more details)
- -n (numeric display)
[root@tpw ~]# netstat -tapen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address        Foreign Address      State        User  Inode   PID/Program name
tcp        0      0 0.0.0.0:5060         0.0.0.0:*            LISTEN       500   66008   3260/twinkle
tcp        0      0 0.0.0.0:111          0.0.0.0:*            LISTEN       0     5355    1289/rpcbind
tcp        0      0 0.0.0.0:22           0.0.0.0:*            LISTEN       0     6668    1589/sshd
tcp        0      0 127.0.0.1:631        0.0.0.0:*            LISTEN       0     5505    1322/cupsd
tcp        0      0 127.0.0.1:25         0.0.0.0:*            LISTEN       0     12548   2297/sendmail: acce
tcp        0      0 0.0.0.0:33466        0.0.0.0:*            LISTEN       0     6486    1532/rpc.statd
tcp        0      0 192.168.1.52:59861   192.168.1.254:22     ESTABLISHED  500   100032  3703/ssh
tcp        0      0 192.168.1.52:36330   217.188.215.74:443   ESTABLISHED  500   104396  2608/firefox
tcp        0      0 192.168.1.52:33252   74.125.79.97:443     ESTABLISHED  500   101832  2608/firefox
tcp        0      0 :::111               :::*                 LISTEN       0     5360    1289/rpcbind
tcp        0      0 :::22                :::*                 LISTEN       0     6670    1589/sshd
tcp        0      0 ::1:631              :::*                 LISTEN       0     5504    1322/cupsd
[root@tpw ~]#
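An added example, not part of the original article: a shell function that reduces netstat -tapen output to the TCP listeners bound to non-loopback addresses, a common first check when reviewing which services a host exposes to the network. The function name exposed_listeners and the embedded sample (rows copied from the output above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report TCP listeners reachable from other hosts, based on
# the column layout of `netstat -tapen` shown in this article.

# Constructed sample input: rows taken from the article's example output.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:5060 0.0.0.0:* LISTEN 500 66008 3260/twinkle
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 0 5355 1289/rpcbind
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 6668 1589/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 0 5505 1322/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 0 12548 2297/sendmail: acce
tcp 0 0 0.0.0.0:33466 0.0.0.0:* LISTEN 0 6486 1532/rpc.statd
tcp 0 0 192.168.1.52:59861 192.168.1.254:22 ESTABLISHED 500 100032 3703/ssh
tcp 0 0 :::111 :::* LISTEN 0 5360 1289/rpcbind
tcp 0 0 :::22 :::* LISTEN 0 6670 1589/sshd
tcp 0 0 ::1:631 :::* LISTEN 0 5504 1322/cupsd
EOF
}

# exposed_listeners (hypothetical helper name): reads netstat -tapen output on
# stdin, prints one line per LISTEN socket that is not bound to loopback.
exposed_listeners() {
  awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      port = $4; sub(/.*:/, "", port)                 # text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host ~ /^127\./ || host == "::1") next      # loopback only: skip
      pp = $9                                         # PID/Program may contain spaces
      for (i = 10; i <= NF; i++) pp = pp " " $i
      s = index(pp, "/")                              # "-" when run without root
      pid  = s ? substr(pp, 1, s - 1) : "-"
      prog = s ? substr(pp, s + 1)    : "-"
      printf "%s %s %s uid=%s pid=%s prog=%s\n", $1, host, port, $7, pid, prog
    }'
}

# Demo on the embedded sample; on a live host: netstat -tapen | exposed_listeners
sample_netstat | exposed_listeners
```

Each output line gives the protocol, bind address, port, owning UID, PID and program name, so an unexpected service or a listener running under an unexpected account stands out.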
Displaying Routing Tables
netstat -r
[root@tpw ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
default         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
[root@tpw ~]#
Displaying Interface Statistics
netstat -i
[root@tpw ~]# netstat -i
Kernel Interface table
Iface     MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0     1500   0   26524      0      0      0   22118      0      0      0 BMRU
lo      16436   0      34      0      0      0      34      0      0      0 LRU
[root@tpw ~]#
netstat -s
[root@tpw ~]# netstat -s
Ip:
    28144 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    28069 incoming packets delivered
    23144 requests sent out
    10 dropped because of missing route
Icmp:
    12 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 12
    13 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 13
IcmpMsg:
        InType3: 12
        OutType3: 13
Tcp:
    146 active connections openings
    0 passive connection openings
    4 failed connection attempts
    29 connection resets received
    2 connections established
    16637 segments received
    12078 segments send out
    67 segments retransmitted
    0 bad segments received.
    59 resets sent
Udp:
    11421 packets received
    0 packets to unknown port received.
    0 packet receive errors
    10998 packets sent
UdpLite:
TcpExt:
    7 TCP sockets finished time wait in fast timer
    543 delayed acks sent
    Quick ack mode was activated 12 times
    6 packets directly queued to recvmsg prequeue.
    8 packets directly received from prequeue
    13040 packets header predicted
    799 acknowledgments not containing data received
    1470 predicted acknowledgments
    5 times recovered from packet loss due to SACK data
    4 congestion windows recovered after partial ack
    2 TCP data loss events
    3 timeouts after SACK recovery
    7 fast retransmits
    33 other TCP timeouts
    12 DSACKs sent for old packets
    2 DSACKs received
    10 connections reset due to unexpected data
    23 connections reset due to early user close
    3 connections aborted due to timeout
    TCPDSACKIgnoredNoUndo: 1
    TCPSackShifted: 71
    TCPSackMerged: 35
    TCPSackShiftFallback: 10
IpExt:
    InMcastPkts: 19
    OutMcastPkts: 14
    InBcastPkts: 54
    OutBcastPkts: 51
    InOctets: 20989496
    OutOctets: 5396900
    InMcastOctets: 5540
    OutMcastOctets: 3421
    InBcastOctets: 6629
    OutBcastOctets: 5898
[root@tpw ~]#
Additional Information
- iptstate also presents existing network connections in real time
Author: Werner Fischer
Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.