Detailed netstat command

The Internet RFC documents describe netstat as a program that reads the network connection status and related information from the kernel. It can report on TCP connections, TCP and UDP listening sockets, and process memory management.

netstat is a console command and a very useful tool for monitoring TCP/IP networks. It displays routing tables, active network connections, and status information for each network interface. It also shows statistics for the IP, TCP, UDP and ICMP protocols, and is generally used to check the network connections on each port of the machine.

If your computer occasionally receives packets that cause data errors or failures, there is no need to worry: TCP/IP tolerates these kinds of errors and automatically retransmits the packets. But if the cumulative number of error conditions is a significant percentage of the IP datagrams received, or if it is growing rapidly, you should use netstat to find out why.

netstat -an is generally used to display all connected ports, with addresses shown numerically.

The netstat command displays network connections, routing tables and network interface information, so users can see which network connections are active. Used without parameters, netstat displays the active TCP connections.


Main usage, with a detailed explanation

This article covers the netstat tool under Linux (the netstat -na command) and then details the various network connection states.

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -nr

1. The netstat command in detail

In practice I commonly use netstat -tnl | grep 443 (to check whether port 443 is in use); when I am root I prefer netstat -pnl | grep 443, which also shows the PID of the process occupying local port 443.

netstat

Function Description: Display network status.

Syntax: netstat [-acCeFghilMnNoprstuvVwx] [-A "Network Type"][--ip]

Additional explanation: Using the netstat command allows you to know the network status of the entire Linux system.

Parameters:

-a or --all displays all sockets, in every connection state.

-A <family> or --<family> lists the connections of the given address family (network type).

-c or --continuous continuously lists the network status.

-C or --cache displays the routing cache information.

-e or --extend displays additional network information.

-F or --fib displays the FIB (forwarding information base).

-g or --groups displays multicast group memberships.

-h or --help shows the online help.

-i or --interfaces displays a table of network interfaces.

-l or --listening displays the listening server sockets.

-M or --masquerade displays masqueraded network connections.

-n or --numeric shows IP addresses directly instead of resolving them through the domain name server.

-N or --netlink or --symbolic displays the symbolic names of network hardware peripherals.

-o or --timers displays timers.

-p or --programs displays the process ID and program name of the process using each socket.

-r or --route displays the routing table.

-s or --statistics displays a table of network statistics.

-t or --tcp displays the connection status of the TCP transport protocol.

-u or --udp displays the connection status of the UDP transport protocol.

-v or --verbose displays the command's execution progress.

-V or --version displays version information.

-w or --raw displays the connection status of the RAW transport protocol.

-x or --unix has the same effect as specifying "-A unix".

--ip or --inet has the same effect as specifying "-A inet".

2. Network connection states in detail

There are 12 possible states in total; the first 11 are described in terms of the TCP three-way handshake that establishes a connection and the four-way handshake that tears it down.

1) LISTEN: First, the server opens a socket and listens on it; its state is LISTEN. /* The socket is listening for incoming connections. Waiting for connection requests from remote TCP ports */

2) SYN_SENT: The client application calls connect(), which makes the client TCP send a SYN to request a connection; the state then becomes SYN_SENT. /* The socket is actively attempting to establish a connection. Waiting for a matching connection request after having sent a connection request */

3) SYN_RECV: The server sends an ACK to confirm the client's SYN and at the same time sends its own SYN to the client; the state then becomes SYN_RECV. /* A connection request has been received from the network. Waiting for confirmation of the connection request after both receiving and sending one */

4) ESTABLISHED: Represents an open connection over which both parties can exchange (or have already exchanged) data. /* The socket has an established connection. Represents an open connection; data can be delivered to the user */

5) FIN_WAIT1: The application on the actively closing side calls close(), so its TCP sends a FIN to request closing the connection and enters FIN_WAIT1. /* The socket is closed, and the connection is shutting down. Waiting for a connection termination request from the remote TCP, or for acknowledgement of the termination request previously sent */

6) CLOSE_WAIT: The TCP on the passively closing side receives the FIN, replies with an ACK (and delivers the FIN to the application as an end-of-file), and enters CLOSE_WAIT. /* The remote end has shut down, waiting for the socket to close. Waiting for a connection termination request from the local user */

7) FIN_WAIT2: When the actively closing side receives the ACK, it enters FIN_WAIT2. /* The connection is closed, and the socket is waiting for a shutdown from the remote end. Waiting for a connection termination request from the remote TCP */

8) LAST_ACK: Some time later, the application on the passively closing side, having received the end-of-file, calls close() to close the connection. This causes its TCP to send a FIN as well and wait for the other side's ACK; it enters LAST_ACK. /* The remote end has shut down, and the socket is closed. Waiting for acknowledgement. Waiting for acknowledgement of the connection termination request previously sent to the remote TCP */

9) TIME_WAIT: When the actively closing side receives the FIN, its TCP sends an ACK and enters TIME_WAIT. /* The socket is waiting after close to handle packets still in the network. Waiting long enough to be sure the remote TCP received the acknowledgement of its connection termination request */

10) CLOSING: Rare. /* Both sockets are shut down but we still don't have all our data sent. Waiting for the remote TCP to acknowledge the connection termination */

11) CLOSED: When the passively closing side receives the ACK, it enters the CLOSED state and the connection ends. /* The socket is not being used. No connection state */

12) UNKNOWN: Unknown socket state. /* The state of the socket is unknown. */

SYN (Synchronize Sequence Numbers): This flag is valid only during the three-way handshake that establishes a TCP connection. It represents a new TCP connection request.

ACK (Acknowledgement Number): The acknowledgement flag for a TCP segment; it confirms to the peer system that the data was received successfully.

FIN (FINish, the end flag): Used to end a TCP session. The corresponding port, however, remains open and ready to receive subsequent data.

PS: There is a small tool for Windows: TCPView is a Windows program that shows you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and the state of TCP connections. See http://technet.microsoft.com/en-us/sysinternals/bb897437. Of course, if you want to analyze packets in detail, you can use more powerful tools such as a sniffer or Wireshark.


System connection status:

1. View the state of TCP connections

netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn

netstat -n | awk '/^tcp/ {++S[$NF]};END {for(a in S) print a, S[a]}' or

netstat -n | awk '/^tcp/ {++state[$NF]}; END {for(key in state) print key,"",state[key]}'

netstat -n | awk '/^tcp/ {++arr[$NF]};END {for(k in arr) print k,"",arr[k]}'

netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn

netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

2. Find the 20 IPs with the most requests (commonly used to locate the source of an attack):

netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

netstat -ant | awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' | sort -rn | head -n20

3. Use tcpdump to sniff port 80 traffic and see which source accesses it most

tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -n 20

4. Find the sources with the most TIME_WAIT connections

netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

5. Find the sources with the most SYN connections

netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

6. List the process listening on a port

netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1
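The one-liners above all work on live netstat output. The following script, which is an added example and not part of the original article, wraps the same awk idioms in reusable functions and runs them against a constructed netstat -nat snapshot (documentation IP ranges, no real hosts), so the per-state summary and the per-source SYN_RECV count from sections 1 and 5 can be tried offline and reused as a threshold check.

```shell
#!/bin/sh
# Added example (not from the original article): summarise a `netstat -nat`
# snapshot the way the one-liners above do, using an embedded sample.
# SAMPLE_NETSTAT is constructed; the addresses are documentation ranges.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40003      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:52000       CLOSE_WAIT
tcp        0      0 10.0.0.5:443            192.0.2.10:51300        ESTABLISHED'

# Count connections per state (the awk '{++S[$NF]}' idiom from the article).
# Reads netstat output on stdin; prints "<count> <STATE>", most frequent first.
count_states() {
    awk '/^tcp/ {++s[$NF]} END {for (k in s) print s[k], k}' | sort -rn
}

# Count of a single state, or 0 if absent; convenient for a threshold alert
# (e.g. a growing SYN_RECV count, or CLOSE_WAIT piling up when an
# application never calls close()).
state_count() {
    awk -v st="$1" '/^tcp/ && $NF == st {n++} END {print n+0}'
}

# Top remote IPs in a given state, e.g. SYN_RECV for a half-open check.
# Strips the port from the Foreign Address column before counting.
top_sources_in_state() {
    awk -v st="$1" '/^tcp/ && $NF == st {split($5, a, ":"); print a[1]}' \
        | sort | uniq -c | sort -rn | head -n 20
}

# Stand-alone run on the sample snapshot.
echo "$SAMPLE_NETSTAT" | count_states
echo "$SAMPLE_NETSTAT" | top_sources_in_state SYN_RECV
```

Replace the echo of the sample with a real netstat -nat invocation to use it on a live system.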

Website Log Analysis 1 (Apache):

1. Get the top 10 visiting IP addresses

cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10

cat access.log | awk '{counts[$(11)]+=1}; END {for(url in counts) print counts[url], url}'

2. The most visited files or pages, top 20

cat access.log | awk '{print $11}' | sort | uniq -c | sort -nr | head -20

3. List the exe files with the largest transfers (used when analyzing a download site)

cat access.log | awk '($7~/\.exe/){print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20

4. List exe files with output greater than 200,000 bytes (about 200 KB) and how many times each file occurs

cat access.log | awk '($10 > 200000 && $7~/\.exe/){print $7}' | sort -n | uniq -c | sort -nr | head -100

5. If the last column of the log records the page transfer time, list the pages that take the longest to deliver to the client

cat access.log | awk '($7~/\.php/){print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100

6. List the most time-consuming pages (more than 60 seconds) and how many times each page occurs

cat access.log | awk '($NF > 60 && $7~/\.php/){print $7}' | sort -n | uniq -c | sort -nr | head -100

7. List files with a transfer time of more than 30 seconds

cat access.log | awk '($NF > 30){print $7}' | sort -n | uniq -c | sort -nr | head -20

8. Total website traffic (GB)

cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'

9. Count 404 responses

awk '($9 ~/404/)' access.log | awk '{print $9,$7}' | sort

10. Count HTTP status codes

cat access.log | awk '{counts[$(9)]+=1}; END {for(code in counts) print code, counts[code]}'

cat access.log | awk '{print $9}' | sort | uniq -c | sort -rn
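Items 1, 8, 9 and 10 above each answer one question about the access log. The script below, an added example that is not part of the original article, combines them into a per-client summary over constructed combined-format log lines (documentation IP ranges), so a single client that generates mostly 404s, the pattern behind "find the source of the attack", can be picked out with a threshold instead of read off by eye. Field numbers follow the combined log format assumed by the one-liners ($1 client, $9 status, $10 bytes).

```shell
#!/bin/sh
# Added example (not from the original article): per-client request, 404 and
# byte totals from Apache combined-format lines.
# SAMPLE_LOG is constructed; IPs are documentation addresses, paths are made up.
SAMPLE_LOG='192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:55:40 +0000] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /old/ HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:03 +0000] "GET /test/ HTTP/1.1" 404 512 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:04 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "curl/7.88"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET /setup.exe HTTP/1.1" 200 3145728 "-" "Wget/1.21"'

# Per-client totals on stdin -> "<ip> <requests> <404s> <bytes>", busiest first.
# $1 is the client address, $9 the status code, $10 the response size.
client_summary() {
    awk '{req[$1]++; bytes[$1] += $10; if ($9 == 404) notfound[$1]++}
         END {for (ip in req) print ip, req[ip], notfound[ip]+0, bytes[ip]}' \
        | sort -k2 -rn
}

# Clients whose 404 share is at least PCT percent (default 50) over at least
# MIN requests (default 3): a cheap indicator of a client probing for paths.
suspicious_clients() {
    pct="${1:-50}"; min="${2:-3}"
    client_summary | awk -v p="$pct" -v m="$min" \
        '$2 >= m && $3 * 100 / $2 >= p {print $1}'
}

# Total bytes served, in GB, as in the "total website traffic" one-liner.
total_gb() {
    awk '{sum += $10} END {printf "%.4f\n", sum/1024/1024/1024}'
}

# Stand-alone run on the sample log.
echo "$SAMPLE_LOG" | client_summary
echo "$SAMPLE_LOG" | suspicious_clients
```

On a real server replace the echo with cat access.log; the thresholds are arguments so they can be tuned to the site's normal 404 rate.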

11. Spider analysis

See which spiders are crawling the content.

/usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'

Website Log Analysis 2 (Squid)

1. Traffic statistics by domain

zcat squid_access.log.tar.gz | awk '{print $10,$7}' | awk 'BEGIN{FS="[ /]"}{trfc[$4]+=$1}END{for(domain in trfc){printf "%s\t%d\n", domain, trfc[domain]}}'

A more efficient Perl version can be downloaded here: http://docs.linuxtone.org/soft/tools/tr.pl

Database

1. View the SQL statements the database is executing

/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL'

System Debug Analysis

1. Debug a running process by tracing its system calls

strace -p pid

2. Attach the debugger to the process with the specified PID

gdb -p pid
