
netstat is a very useful utility that some system administrators use every day, while others resort to it only to diagnose faults. Either way, understanding this utility and being able to use it is very useful.

The command has only 10 parameters, of which probably the most frequently used is -a, which displays all connections and ports in use. However, even without any parameters netstat displays quite useful information.

Let us now consider the useful parameters of netstat.

Fully qualified domain name: With the -f parameter, the full domain names of connected remote hosts are displayed. Names are resolved by whatever means are available. In the figure below you can see an example of this action:

Which process is using the open port: Using the combination of parameters -a -n -o, you can track which process is using an open port. The output of the command gives the process identifier (PID), with which you can find the desired process in Task Manager.

You can use another useful option to make the display friendlier. The -b parameter shows the name of each process; however, it requires administrator rights.

Displaying the routing table: With the -r parameter you can view the current routing table.

I most often use these 4 parameters for diagnosing Windows problems. How else do you use netstat and why?


The netstat command displays various network data such as network connections, routing tables, interface statistics, masquerade connections, multicast memberships, etc.

In this article, let's look at 10 practical examples of the netstat command on Unix.

1. List of all ports (both listening and non-listening ports)

List all ports using the netstat -a command

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

List all TCP ports using netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

Listing all UDP ports using netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 andreyex.ru:50053       google-public-dn:domain ESTABLISHED

2. List of sockets that are in listening state

List only listening ports using netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only TCP listening ports using netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only listening UDP ports using netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 site:domain             0.0.0.0:*
udp        0      0 localhost:domain        0.0.0.0:*

List only listening UNIX sockets using netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     19693    tmp/core.adm.internal
unix  2      [ ACC ]     SEQPACKET  LISTENING     8723     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     12566    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     16948    /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     19702    tmp/core.sock

Some use it regularly, some only for diagnostics. I belong to the latter category: I prefer to use this utility to identify the causes of system problems and malfunctions.

The netstat command has ten parameters that provide detailed information for solving a wide variety of tasks. However, no less useful information can be obtained without any parameters.

The most common use of netstat is with the -a option to list all connections and listening ports. Listed below are a few other options that may come in handy when using this utility.

Fully qualified domain name. The -f parameter allows you to find out the FQDN for the external address. When using netstat with this option, names are resolved on both the internal and external networks. Fig. A shows the output of the command.

Figure A

Which process is using which port. The combination of the -a -n -o options allows you to find out which process identifier (PID) a particular port corresponds to. The output of the command is shown in Fig. B.


Figure B

And if you add the -b option to this combination, friendly names will be used for each process, as shown in Fig. C. However, this will require administrator rights.


Figure C

Note: remote addresses pointing to 192.168.1.220:3261 belong to the Windows iSCSI Initiator service and are labeled differently than other service addresses.

Output of the routing table. When you want to figure out why a network connection is working differently on one computer than on others on the same network, you can use the -r option, which prints the routes for that system, as shown in Fig. D. Note the "Persistent routes" section: it lists all static routes configured for Windows Server.


Figure D

These four variations of the netstat command make it much easier

Sometimes, while operating any system, be it a home personal computer or a powerful server handling many connections, it is useful to have a tool on hand that can display network activity data. Why might this be needed? To identify applications, or users, that access the Internet without authorization. This is exactly what the utility we are considering does.

What is Netstat?

This is an application with which you can find out what is happening on the network at this moment. It is started from the command line, and additional switches and parameters can be passed when starting netstat.

It is worth noting that the name of the utility is formed from two words, network and statistics, which is logical. Among the information the program shows are routing and connection statistics.

Commands and Keys

The set of switches and parameters is quite extensive. This allows you to obtain network statistics at a variety of levels. The following is a description of the netstat command, its parameters and switches:

  • -a - displays all active TCP connections, as well as the TCP and UDP ports on which the system is listening;
  • -e - displays extended Ethernet statistics, such as the number of bytes and packets transferred;
  • -n - displays active TCP connections with addresses and port numbers in numeric form;
  • -o - like the previous switch, displays active TCP connections, but adds the process ID (PID) to each one, from which you can determine exactly which application is using the connection;
  • -p - displays information for the specific protocol given as the parameter. Values may include tcp, udp, tcpv6, and udpv6;
  • -s - displays protocol statistics; by default, all known protocols are shown;
  • -r - displays the contents of the IP routing table; equivalent to using the route command;
  • interval - the interval at which the selected statistics are redisplayed; if it is omitted, the information is displayed only once;
  • /? - displays help for the netstat command.

Using Netstat on Windows

To display all connections on the command line one page at a time, use "netstat -a | more". To save all statistics to a specific file, use "netstat -a > C:\filename". All collected information will then be written to the file at that path.

The result of the work can be a small table that contains the following types of data:

  • Name. The name of the active protocol found.
  • Local address. The IP address and port used by the local service to create the connection. The values may include 0.0.0.0, which means any available address, or 127.0.0.1, which indicates the local loopback.
  • External address. IP and port of the external service on the network to which the connection is established.
  • State. Shows the current connection status. It can take different values. For example, Listening indicates that the service is "listening" and waiting for an incoming connection. Established means an active connection.

Netstat, launched with the -a and -b switches, will show all network connections, as well as the programs associated with them. This is very convenient if you need to figure out which program is actively using traffic and where it is sending data.

Additional connection states

In addition to the above connection states, there are additional ones:

  • closed - as the name suggests, the connection is closed;
  • syn_sent - there is an active attempt to establish a connection;
  • syn_received - the initial stage of synchronization;
  • close_wait - disconnected and the connection is closed.

Using Netstat on Linux

Using the utility in a Linux environment is, in fact, not much different from Windows. There are only slight differences in the command parameters. Description of the Netstat command and its parameters with examples:

  • To display all ports, use "netstat -a".
  • The same, but TCP only: "netstat -at".
  • UDP ports only: "netstat -au".
  • Display open ports: "netstat -l". Their state will be shown as LISTEN.
  • Display open TCP ports: "netstat -lt".
  • Display the process ID and its name: "netstat -p".
  • Show statistics per protocol: "netstat -s".

Sometimes, in order to get more complete information about a network connection, you need to combine Netstat with some commands and Linux utilities. For example, like this:

netstat -ap | grep ssh

This line will display a list of ports that are currently used by the SSH utility. If, on the other hand, you want to find out which process is occupying a specific port, you can use the following syntax:

netstat -anp | grep ':80'

On Linux there is also a catch-all set of switches that displays everything you need at once: netstat -lnptux. The output covers all TCP, UDP and UNIX sockets, along with the names of the processes and their identifiers.

Some examples to identify a DoS or DDoS attack

The following command will let you know how many connections are active on each IP address:

netstat -naltp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort -n | uniq -c

Spot a large number of requests from a single IP address:

netstat -na | grep :80 | sort

Determine the exact number of connection requests received (connections in the SYN_RECV state):

netstat -np | grep SYN_RECV | wc -l

During a DoS attack, the number returned by this command should be quite large. What counts as large depends on the specific system: a value that is normal on one server may be abnormal on another.
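The checks above combined into one script, as an added example that is not from the original article: the function names, the threshold and the sample output (documentation address ranges) are constructed for illustration. It strips only the final ":port" from the remote address instead of splitting on the first colon, so IPv6 peers are counted correctly.

```shell
#!/bin/sh
# Constructed sample of `netstat -nat` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51514      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51515      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51516      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.44:40022        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.99:1025         SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.99:1026         SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::beef:44310    ESTABLISHED
EOF
}

# Count connections per remote address for one TCP state ($1 = state).
# Only the trailing ":port" is removed, so IPv6 addresses stay intact.
conns_per_ip() {
    awk -v st="$1" '$1 ~ /^tcp/ && $6 == st { a = $5; sub(/:[^:]*$/, "", a); n[a]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of half-open connections (SYN_RECV); prints 0 when there are none.
syn_recv_count() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" { c++ } END { print c + 0 }'
}

# Remote addresses whose ESTABLISHED count reaches the threshold ($1).
# The threshold is an assumption: pick it from this server's normal baseline.
flag_heavy() {
    conns_per_ip ESTABLISHED | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demo on the constructed sample; on a live host pipe `netstat -nat` instead.
sample_netstat | conns_per_ip ESTABLISHED
echo "half-open: $(sample_netstat | syn_recv_count)"
echo "heavy peers: $(sample_netstat | flag_heavy 3)"
```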

Conclusion

Whatever operating system the command is used on, it is an indispensable tool for scanning, analyzing and debugging a network. It is actively used by system administrators all over the world.

Netstat can be used when the system is infected with some kind of malware. It is able to show all applications with a lot of suspicious network traffic activity. This helps to identify malicious software at an early stage and neutralize it, or to protect the server from unwanted intrusion by attackers.

Conclusions

The article gave a detailed description of the netstat command and its parameters and switches. Making full use of the program becomes possible after some practice on a real device. Combining it with other commands makes it even more effective. A full description of the netstat commands can be found in the manual on the utility's official website. It is also worth noting that on Linux the netstat command is deprecated and ss is strongly recommended instead.
