On Linux, netstat shows the current state of network connections.
netstat
Test environment: Ubuntu
Running netstat with no options lists all connections; netstat -a shows both listening and non-listening sockets (for TCP, that means every port).
root@ubuntu:~# netstat -a
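That output is too long to search comfortably, so the following options help narrow it down.
- -t: show TCP only.
- -u: show UDP only.
- -n: show numbers instead of names (hostname -> IP, daemon name -> port number).
- -l: show only listening sockets.
- -p: show the PID (process ID) of the owning program.
- -s: list statistics per protocol (tcp, udp, icmp, etc.).
- -c #: repeat every # seconds.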
-t , -at
Shows TCP ports. Add -a to see everything TCP-related; to see only established (ESTABLISHED) connections, -t alone is enough.
root@ubuntu:~# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ubuntu:ssh              192.168.95.1:49592      ESTABLISHED
root@ubuntu:~# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp        0      0 ubuntu:ssh              192.168.95.1:49592      ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
-u , -au
Shows UDP ports. Add -a to see everything UDP-related; to see only established (ESTABLISHED) connections, -u alone is enough.
root@ubuntu:~# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:mdns            0.0.0.0:*
udp        0      0 0.0.0.0:48687           0.0.0.0:*
udp        0      0 localhost:domain        0.0.0.0:*
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
udp        0      0 0.0.0.0:ipp             0.0.0.0:*
udp6       0      0 [::]:mdns               [::]:*
udp6       0      0 [::]:51277              [::]:*
root@ubuntu:~# netstat -u
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
-tun , -tunp
By default netstat resolves names and prints hostname:port name (port names are presumably resolved through the /etc/services file); with -n it skips resolution and prints IP:port number.
root@ubuntu:~# netstat -tun
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.95.210:22       192.168.95.1:49592      ESTABLISHED
To see which service is behind each connection, add the -p option.
root@ubuntu:~# netstat -tunp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.95.210:22       192.168.95.1:49592      ESTABLISHED 2365/sshd: ben [pri
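The output is the current state of the network connections. The columns mean:
- Proto: the protocol, TCP or UDP.
- Recv-Q:???
- Send-Q:???
- Local Address: local address + port.
- Foreign Address: remote address + port.
  TCP defines ports 49152 to 65535 as the dynamic range, which is not assigned to any service; clients use these dynamic ports to connect to a site. Here the SSH client connects from port 49503 to port 22 on the SSH server.
- State: the state of the service; LISTEN means the service is listening on that port.
- PID/Program name: the service name and its process ID.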
-tulnp
To find out which services this system currently offers, use the -l option.
root@ubuntu:~# netstat -tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      38413/systemd-resol
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      696/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2258/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      696/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      2258/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           591/avahi-daemon: r
udp        0      0 0.0.0.0:48687           0.0.0.0:*                           591/avahi-daemon: r
udp        0      0 127.0.0.53:53           0.0.0.0:*                           38413/systemd-resol
udp        0      0 0.0.0.0:68              0.0.0.0:*                           717/dhclient
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2259/cups-browsed
udp6       0      0 :::5353                 :::*                                591/avahi-daemon: r
udp6       0      0 :::51277                :::*                                591/avahi-daemon: r
A service above that is bound to 127.0.0.1 accepts only local connections, not remote ones.
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      38413/systemd-resol
The sshd service above accepts remote connections on port 22, with no restriction on the remote IP or port.
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      696/sshd
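The bind-address reading described above, as an added shell example (not part of the original post): it labels each netstat -tulnp row as loopback-only, listening on all interfaces, or bound to one specific IP. The function names are hypothetical, and the sample rows are copied from the output shown above.

```shell
#!/bin/sh
# Added example: classify `netstat -tulnp` rows by bind address.
# classify_listeners is a hypothetical helper name, not a netstat feature.

classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # Local Address is field 4; the port follows the LAST colon,
        # which also handles IPv6 forms such as ":::22" and "::1:631".
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)

        # UDP rows have an empty State column, so PID/Program name
        # is field 6 there and field 7 on TCP rows ("-" if not root).
        prog = ($6 ~ "^([0-9]+/|-$)") ? $6 : $7

        if (addr ~ /^127\./ || addr == "::1")       scope = "LOCAL-ONLY"
        else if (addr == "0.0.0.0" || addr == "::") scope = "ALL-INTERFACES"
        else                                        scope = "SPECIFIC-IP"

        print scope, $1, addr, port, prog
    }'
}

# Sample rows taken from the netstat -tulnp output shown above.
sample_listeners() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 38413/systemd-resol
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 696/sshd
tcp6 0 0 :::22 :::* LISTEN 696/sshd
tcp6 0 0 ::1:631 :::* LISTEN 2258/cupsd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 591/avahi-daemon: r
udp 0 0 127.0.0.53:53 0.0.0.0:* 38413/systemd-resol
udp 0 0 0.0.0.0:68 0.0.0.0:* 717/dhclient
EOF
}

# Listeners on every interface are the ones to review first.
exposed_listeners() {
    classify_listeners | awk '$1 == "ALL-INTERFACES"'
}

sample_listeners | classify_listeners
```

On a live host, pipe real output in: netstat -tulnp | classify_listeners. A listener on all interfaces is reachable remotely only if the host firewall also allows it.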
When there is a lot of data, grep and awk can be used to produce some statistics.
root@ubuntu:~# netstat -antp | awk '{print $6}' | grep -E '(ESTABLISHED|LISTEN)' | sort | uniq -c | sort -n
      2 ESTABLISHED
     11 LISTEN
- grep: searches a body of text for the lines that contain a keyword (BLOCK).
- awk: processes each line as a set of fields. print writes to standard output (the terminal by default); $11 refers to field 11.
- sort: sorts lines (as text by default); -n sorts numerically.
- uniq: removes duplicate lines; -c also counts them.
-c
For long-running monitoring, use the -c option or watch to refresh the network state every # seconds.
root@ubuntu:~# netstat -tunp -c 1
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.95.230:22       192.168.95.1:53274      ESTABLISHED 3046/sshd
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.95.230:22       192.168.95.1:53274      ESTABLISHED 3046/sshd
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.95.230:22       192.168.95.1:53274      ESTABLISHED 3046/sshd
^C
For watch usage, see https://benjr.tw/23577
root@ubuntu:~# watch -n 2 netstat -tulnp
Press Ctrl + C to stop.
-st , -su
-s lists statistics per protocol (t: tcp, u: udp).
root@ubuntu:~# netstat -st
IcmpMsg:
    InType3: 61
    InType8: 1
    OutType0: 1
    OutType3: 62
Tcp:
    2 active connections openings
    1 passive connection openings
    2 failed connection attempts
    0 connection resets received
    1 connections established
    2865 segments received
    1622 segments send out
    0 segments retransmited
    0 bad segments received.
    2 resets sent
UdpLite:
TcpExt:
    7 delayed acks sent
    251 packets header predicted
    1383 acknowledgments not containing data received
    33 predicted acknowledgments
    0 TCP data loss events
IpExt:
    InBcastPkts: 9
    InOctets: 220928
    OutOctets: 465541
    InBcastOctets: 792
root@ubuntu:~# netstat -su
IcmpMsg:
    InType3: 62
    InType8: 1
    OutType0: 1
    OutType3: 63
Udp:
    30 packets received
    63 packets to unknown port received.
    0 packet receive errors
    93 packets sent
UdpLite:
IpExt:
    InBcastPkts: 9
    InOctets: 221714
    OutOctets: 466903
    InBcastOctets: 792
-r
The -r option works like the route command.
root@ubuntu:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 ens33
link-local      0.0.0.0         255.255.0.0     U         0 0          0 ens33
192.168.95.0    0.0.0.0         255.255.255.0   U         0 0          0 ens33
root@ubuntu:~# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 ens33
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 ens33
192.168.95.0    0.0.0.0         255.255.255.0   U     100    0        0 ens33
-i , -ie
-i shows network interface information (including errors; for more on network errors see https://benjr.tw/94371); -ie is similar to the ifconfig command.
root@ubuntu:~# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
ens33     1500   386315      0      0 0         98053      0      0      0 BMRU
lo       65536      464      0      0 0           464      0      0      0 LRU
root@ubuntu:~# netstat -ie
Kernel Interface table
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.95.210  netmask 255.255.255.0  broadcast 192.168.95.255
        inet6 fe80::f1e3:59d2:2700:4068  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f4:25:06  txqueuelen 1000  (Ethernet)
        RX packets 388987  bytes 530434215 (530.4 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 99424  bytes 7066480 (7.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 468  bytes 40738 (40.7 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 468  bytes 40738 (40.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
lsof
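Test environment: CentOS
lsof (list open files) is mainly used to see which files are opened by whom. With the -i option it lists the network-related files that are open (that is, the services that are running). For more on lsof, see https://benjr.tw/101619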
tcp
Lists TCP-related entries.
[root@localhost ~]# lsof -i tcp
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
systemd    1   root  43u  IPv4  35967      0t0  TCP *:sunrpc (LISTEN)
systemd    1   root  45u  IPv6  35969      0t0  TCP *:sunrpc (LISTEN)
rpcbind 6590    rpc   4u  IPv4  35967      0t0  TCP *:sunrpc (LISTEN)
rpcbind 6590    rpc   6u  IPv6  35969      0t0  TCP *:sunrpc (LISTEN)
sshd    6982   root   3u  IPv4  43646      0t0  TCP *:ssh (LISTEN)
sshd    6982   root   4u  IPv6  43655      0t0  TCP *:ssh (LISTEN)
cupsd   6983   root  11u  IPv6  43812      0t0  TCP localhost:ipp (LISTEN)
cupsd   6983   root  12u  IPv4  43813      0t0  TCP localhost:ipp (LISTEN)
httpd   6997   root   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
mysqld  7313  mysql  13u  IPv4  47680      0t0  TCP *:mysql (LISTEN)
master  7553   root  13u  IPv4  46598      0t0  TCP localhost:smtp (LISTEN)
master  7553   root  14u  IPv6  46599      0t0  TCP localhost:smtp (LISTEN)
dnsmasq 7574 nobody   6u  IPv4  46571      0t0  TCP localhost.localdomain:domain (LISTEN)
sshd    8316   root   3u  IPv4  54679      0t0  TCP localhost.localdomain:ssh->192.168.95.1:49890 (ESTABLISHED)
httpd   8706 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8707 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8708 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8709 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8711 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
udp
Lists UDP-related entries.
[root@localhost ~]# lsof -i udp
COMMAND    PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
systemd      1   root  44u  IPv4  35968      0t0  UDP *:sunrpc
systemd      1   root  46u  IPv6  35970      0t0  UDP *:sunrpc
rpcbind   6590    rpc   5u  IPv4  35968      0t0  UDP *:sunrpc
rpcbind   6590    rpc   7u  IPv6  35970      0t0  UDP *:sunrpc
rpcbind   6590    rpc  10u  IPv4  36481      0t0  UDP *:823
rpcbind   6590    rpc  11u  IPv6  36482      0t0  UDP *:823
avahi-dae 6629  avahi  12u  IPv4  39542      0t0  UDP *:mdns
avahi-dae 6629  avahi  13u  IPv4  39552      0t0  UDP *:52667
dhclient  6762   root   6u  IPv4  41391      0t0  UDP *:bootpc
dnsmasq   7574 nobody   3u  IPv4  46567      0t0  UDP *:bootps
dnsmasq   7574 nobody   5u  IPv4  46570      0t0  UDP localhost.localdomain:domain
:port_Number , :port_Name
Shows entries related to port_Number.
[root@localhost ~]# lsof -i :80
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   6997   root   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8706 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8707 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8708 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8709 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8711 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
[root@localhost ~]# lsof -i tcp:80
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   6997   root   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8706 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8707 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8708 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8709 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8711 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
[root@localhost ~]# lsof -i :http
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
httpd   6997   root   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8706 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8707 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8708 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8709 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8711 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
[root@localhost ~]# lsof -i tcp:1-80
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd    6982   root   3u  IPv4  43646      0t0  TCP *:ssh (LISTEN)
sshd    6982   root   4u  IPv6  43655      0t0  TCP *:ssh (LISTEN)
httpd   6997   root   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
master  7553   root  13u  IPv4  46598      0t0  TCP localhost:smtp (LISTEN)
master  7553   root  14u  IPv6  46599      0t0  TCP localhost:smtp (LISTEN)
dnsmasq 7574 nobody   6u  IPv4  46571      0t0  TCP localhost.localdomain:domain (LISTEN)
sshd    8316   root   3u  IPv4  54679      0t0  TCP localhost.localdomain:ssh->192.168.95.1:49890 (ESTABLISHED)
httpd   8706 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8707 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8708 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8709 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8711 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
-s
Lists only entries in the given state.
[root@localhost ~]# lsof -i TCP -s TCP:LISTEN
COMMAND  PID   USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
systemd    1   root  43u  IPv4  35967      0t0  TCP *:sunrpc (LISTEN)
systemd    1   root  45u  IPv6  35969      0t0  TCP *:sunrpc (LISTEN)
rpcbind 6590    rpc   4u  IPv4  35967      0t0  TCP *:sunrpc (LISTEN)
rpcbind 6590    rpc   6u  IPv6  35969      0t0  TCP *:sunrpc (LISTEN)
sshd    6982   root   3u  IPv4  43646      0t0  TCP *:ssh (LISTEN)
sshd    6982   root   4u  IPv6  43655      0t0  TCP *:ssh (LISTEN)
cupsd   6983   root  11u  IPv6  43812      0t0  TCP localhost:ipp (LISTEN)
cupsd   6983   root  12u  IPv4  43813      0t0  TCP localhost:ipp (LISTEN)
httpd   6997   root   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
mysqld  7313  mysql  13u  IPv4  47680      0t0  TCP *:mysql (LISTEN)
master  7553   root  13u  IPv4  46598      0t0  TCP localhost:smtp (LISTEN)
master  7553   root  14u  IPv6  46599      0t0  TCP localhost:smtp (LISTEN)
dnsmasq 7574 nobody   6u  IPv4  46571      0t0  TCP localhost.localdomain:domain (LISTEN)
httpd   8706 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8707 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8708 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8709 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
httpd   8711 apache   4u  IPv6  45451      0t0  TCP *:http (LISTEN)
[root@localhost ~]# lsof -i TCP -s TCP:ESTABLISHED
COMMAND  PID USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd    8316 root   3u  IPv4  54679      0t0  TCP localhost.localdomain:ssh->192.168.95.1:49890 (ESTABLISHED)