The “netstat” command is quite useful for checking connections to your machine. If you want to see ALL of the connections (which I really recommend you don’t do unless you’re trying to debug something, and then you should probably pipe it to a file) you can use the “netstat -a” command.
Using “netstat -a” will give you something like this:
tcp        0      0 app.mydomain.com:http   93.184.216.119:16494            SYN_RECV
tcp        0      0 app.mydomain.com:http   93.184.216.119:18733            SYN_RECV
tcp        0      0 app.mydomain.com:http   93.184.216.119.dsl.mwe:64775    SYN_RECV
tcp        0      0 app.mydomain.com:http   93.184.216.119.threembb.:16490  SYN_RECV
tcp        0      0 app.mydomain.com:http   93.184.216.119:video-activmail  SYN_RECV
tcp        0      0 app.mydomain.com:http   93.184.216.119:45025            SYN_RECV
tcp        0      0 app.mydomain.com:http   93.184.216.119:dvl-activemail   SYN_RECV
tcp        0      0 app.mydomain.com:http   41-135-22-100.dsl.mwe:64774     SYN_RECV
As you can see, it resolves host and port names for us and all that good stuff. Sometimes very handy, but that’s not what this is about.
Total Connections Count
We want to get some solid numbers so we can take a broader perspective. To do this we can use the following command:
netstat -an | wc -l
This will show us a count of all connections that we presently have to our machine. Keep in mind that the count includes the two header lines, and that without -t it also includes UDP and Unix domain sockets, so treat it as a rough figure.
Connections on specific port
We can take this one step further. Let’s say you only want to see traffic on port 80 (standard HTTP). We can grep our netstat output and then count it like so:
netstat -an | grep :80 | wc -l
Connections Count based on Connection state
Finally, let’s look at the big picture by category. It is often extremely useful to see what those connections are doing, especially when you suspect you have tons of open but idle connections and are trying to tweak your settings. It’s been known to happen that a really busy web server, for instance, opens a lot of database connections to the same box and then closes them. That often causes states like TIME_WAIT to pile up, and a large number in any of these states may be an indication that you need to adjust your TCP timeout settings.
netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
1 CLOSING
1 established
1 FIN_WAIT2
1 Foreign
2 CLOSE_WAIT
6 FIN_WAIT1
7 LAST_ACK
7 SYN_RECV
37 ESTABLISHED
44 LISTEN
297 TIME_WAIT
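The three counting pipelines above, as an added example that is not part of the original article, run over a constructed netstat -ant snapshot (the NETSTAT_SAMPLE variable and every address in it are made up) so they can be tried offline. It makes two adjustments a practitioner would want: the header lines are skipped, so “established” and “Foreign” no longer appear as states the way they do in the output above, and the port match is anchored to the local-port column, because a bare grep :80 also matches :8080 and remote peers that happen to use port 80.

```shell
#!/bin/sh
# Added example, not from the original article: the article's counting
# pipelines run over a constructed `netstat -ant` snapshot. On a live host
# replace NETSTAT_SAMPLE with "$(netstat -ant)".

# Constructed sample in the layout of `netstat -ant`: two header lines, then one socket per line.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             198.51.100.7:52110      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:52111      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:41002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:41003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:41004       SYN_RECV
tcp        0      0 10.0.0.5:8080           192.0.2.44:60001        ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.44:55555        ESTABLISHED
tcp        0      0 10.0.0.5:443            198.51.100.80:80        TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:52100      TIME_WAIT
tcp        0      0 10.0.0.5:80             198.51.100.7:52101      TIME_WAIT'

# Socket lines only: drop the two header lines that a bare `wc -l` would count.
socket_lines() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk 'NR > 2'
}

# Total sockets: the article's `netstat -an | wc -l` without the headers.
total_connections() {
    socket_lines | awk 'END { print NR }'
}

# Sockets whose LOCAL port is exactly $1. The port is the text after the last
# colon of column 4, so it also works for IPv6 entries such as ":::80".
# A plain `grep :80` would also match :8080 and the remote 198.51.100.80:80.
connections_on_port() {
    socket_lines | awk -v port="$1" '
        { n = split($4, a, ":"); if (a[n] == port) c++ }
        END { print c + 0 }'
}

# The article's state breakdown (column 6) printed as "count state", rarest first.
state_counts() {
    socket_lines | awk '{ print $6 }' | sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# Count for one state, e.g. `state_count SYN_RECV`; a pile of SYN_RECV entries
# is the half-open-connection pattern shown at the top of the article.
state_count() {
    socket_lines | awk -v s="$1" '$6 == s { c++ } END { print c + 0 }'
}

echo "total sockets: $(total_connections)"
echo "local port 80: $(connections_on_port 80)"
echo "by state:"
state_counts
```

On a real box, swap the sample for live output and the functions work unchanged; counting on column 4 rather than grepping the whole line is the part worth keeping.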
So there you have it. A quick way to return counts on your connections in your Linux environment.
Check open ports on server
Occasionally, when using netstat, you may only care about the ports you are listening on. This is especially important if you are running a server that isn’t behind a firewall, because it helps you determine what you may be vulnerable to without being aware of it. Using netstat -l gives us an excellent way to view this information.
root@nox [~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:submission            *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 localhost:783           *:*                     LISTEN
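As an added example (not code from the original article), the listing above can be turned into an audit: separate the sockets bound to a wildcard address, which any host on the network can reach, from those bound only to loopback, and then compare the exposed ports against the list you actually meant to expose. The LISTEN_SAMPLE below is constructed to mirror the listing above in numeric form (mysql, submission and pop3 on all interfaces, port 783 on localhost, plus a made-up IPv6 sshd and a loopback-only 631); on a live host replace it with the output of netstat -lnt.

```shell
#!/bin/sh
# Added example, not from the original article: audit `netstat -lnt` output
# for sockets reachable from other hosts. Replace LISTEN_SAMPLE with
# "$(netstat -lnt)" on a live host.

# Constructed sample in the layout of `netstat -lnt`.
LISTEN_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN'

# One "proto bindaddr port" triple per LISTEN socket. The port is the text after
# the last colon, so ":::22" splits into bind address "::" and port "22".
listeners() {
    printf '%s\n' "$LISTEN_SAMPLE" | awk 'NR > 2 && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        print $1, host, port
    }'
}

# Ports bound to a wildcard address (0.0.0.0, ::, or "*" in name-resolving output):
# reachable from any interface, so this is what an unfirewalled server offers the network.
exposed_ports() {
    listeners | awk '$2 == "0.0.0.0" || $2 == "::" || $2 == "*" { print $3 }' | sort -n -u
}

# Ports bound to loopback only: reachable from local processes, not from the network.
loopback_ports() {
    listeners | awk '$2 ~ /^127\./ || $2 == "::1" { print $3 }' | sort -n -u
}

# Exposed ports missing from the intended list given as arguments, e.g.
# `unexpected_exposed 22 587`. Anything printed deserves a look.
unexpected_exposed() {
    intended=" $* "
    for p in $(exposed_ports); do
        case "$intended" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

echo "exposed:  $(exposed_ports | tr '\n' ' ')"
echo "loopback: $(loopback_ports | tr '\n' ' ')"
echo "exposed but not intended (22 587): $(unexpected_exposed 22 587 | tr '\n' ' ')"
```

The -n flag matters here: with name resolution on, the bind address shows up as "*" and the port as a service name, which is fine for reading but awkward to compare against a list of numbers.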
Statistics by Protocol
Another very common and powerful tool built into netstat is showing network statistics in overview form. If you’re just trying to get a good idea about packet statistics, then the netstat -s command may be what you’re looking for. Here is some sample output. Keep in mind that netstat -s shows statistics broken down by protocol, so the fewer protocol stacks you are running, the more compact this summary will be.
netstat -s
Ip:
    139502653 total packets received
    28 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    133312468 incoming packets delivered
    84570989 requests sent out
    366 outgoing packets dropped
    50 reassemblies required
    25 packets reassembled ok
    110 fragments received ok
    220 fragments created
Icmp:
    180285 ICMP messages received
    1586 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 9516
        timeout in transit: 331
        echo requests: 170151
        echo replies: 284
    172009 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 1818
        echo request: 40
        echo replies: 170151
IcmpMsg:
    InType0: 284
    InType3: 9516
    InType8: 170151
    InType11: 331
    OutType0: 170151
    OutType3: 1818
    OutType8: 40
Tcp:
    1104118 active connections openings
    2918161 passive connection openings
    26607 failed connection attempts
    256788 connection resets received
    10 connections established
    128535136 segments received
    78146054 segments send out
    1645036 segments retransmited
    0 bad segments received.
    185776 resets sent
Udp:
    5125395 packets received
    1867 packets to unknown port received.
    0 packet receive errors
    5158639 packets sent
TcpExt:
    511 SYN cookies sent
    511 SYN cookies received
    12748 invalid SYN cookies received
    14894 resets received for embryonic SYN_RECV sockets
    159972 packets pruned from receive queue because of socket buffer overrun
    2 packets pruned from receive queue
    73 ICMP packets dropped because they were out-of-window
    1965839 TCP sockets finished time wait in fast timer
    78 time wait sockets recycled by time stamp
    36503 packets rejects in established connections because of timestamp
    2487605 delayed acks sent
    33477 delayed acks further delayed because of locked socket
    Quick ack mode was activated 45146 times
    233 times the listen queue of a socket overflowed
    233 SYNs to LISTEN sockets ignored
    9643039 packets directly queued to recvmsg prequeue.
    7969358 packets directly received from backlog
    3291115817 packets directly received from prequeue
    24087199 packets header predicted
    5532135 packets header predicted and directly queued to user
    30481401 acknowledgments not containing data received
    42935286 predicted acknowledgments
    814 times recovered from packet loss due to fast retransmit
    339835 times recovered from packet loss due to SACK data
    336 bad SACKs received
    Detected reordering 2070 times using FACK
    Detected reordering 854 times using SACK
    Detected reordering 10 times using reno fast retransmit
    Detected reordering 1840 times using time stamp
    3234 congestion windows fully recovered
    20175 congestion windows partially recovered using Hoe heuristic
    TCPDSACKUndo: 11509
    14757 congestion windows recovered after partial ack
    1004274 TCP data loss events
    TCPLostRetransmit: 54568
    129 timeouts after reno fast retransmit
    33120 timeouts after SACK recovery
    31346 timeouts in loss state
    885023 fast retransmits
    93299 forward retransmits
    337378 retransmits in slow start
    128472 other TCP timeouts
    TCPRenoRecoveryFail: 356
    35936 sack retransmits failed
    9 times receiver scheduled too late for direct processing
    57242284 packets collapsed in receive queue due to low socket buffer
    49286 DSACKs sent for old packets
    157 DSACKs sent for out of order packets
    95033 DSACKs received
    2091 DSACKs for out of order packets received
    39363 connections reset due to unexpected data
    35517 connections reset due to early user close
    12861 connections aborted due to timeout
    6 times unable to send RST due to no memory
    TCPSACKDiscard: 60
    TCPDSACKIgnoredOld: 2937
    TCPDSACKIgnoredNoUndo: 38596
    TCPSpuriousRTOs: 2925
    TCPSackShifted: 1905464
    TCPSackMerged: 2048679
    TCPSackShiftFallback: 995770
    TCPBacklogDrop: 41842
IpExt:
    InBcastPkts: 20
    InOctets: 60455654365
    OutOctets: 154094094438
    InBcastOctets: 6560
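The netstat -s counters are cumulative since boot, so a single dump like the one above tells you little about what is happening right now; the useful reading is the growth between two snapshots taken a known interval apart. As an added example (not code from the original article), the functions below pull named counters out of two snapshots and report the difference. The two snapshots are constructed excerpts in the netstat -s layout, the first borrowing the SYN cookie and listen-queue figures from the dump above and the second made up to show growth; on a live host capture them with netstat -s into two files and read those instead.

```shell
#!/bin/sh
# Added example, not from the original article: growth of selected
# `netstat -s` counters between two snapshots. Both snapshots here are
# constructed excerpts; on a live host read them from files written by
# `netstat -s` at two points in time.

SNAP_T0='Tcp:
    1104118 active connections openings
    2918161 passive connection openings
    26607 failed connection attempts
TcpExt:
    511 SYN cookies sent
    511 SYN cookies received
    233 times the listen queue of a socket overflowed
    233 SYNs to LISTEN sockets ignored'

SNAP_T1='Tcp:
    1104250 active connections openings
    2921000 passive connection openings
    26650 failed connection attempts
TcpExt:
    900 SYN cookies sent
    899 SYN cookies received
    260 times the listen queue of a socket overflowed
    260 SYNs to LISTEN sockets ignored'

# counter SNAPSHOT "text": the leading number of the first line containing "text".
# Prints 0 when no line matches, which is how an absent counter should read,
# because netstat leaves out many zero-valued extended counters.
counter() {
    printf '%s\n' "$1" | awk -v d="$2" '
        index($0, d) { print $1; found = 1; exit }
        END { if (!found) print 0 }'
}

# delta "text": growth of that counter from SNAP_T0 to SNAP_T1.
delta() {
    before=$(counter "$SNAP_T0" "$1")
    after=$(counter "$SNAP_T1" "$1")
    echo $((after - before))
}

# Growth of the counters worth watching when SYN_RECV piles up or clients
# report connections dropped at accept time: SYN cookies mean the SYN backlog
# filled, listen queue overflows mean the accept queue filled.
report_growth() {
    for name in "SYN cookies sent" "listen queue of a socket overflowed" \
                "passive connection openings" "failed connection attempts"; do
        printf '%-40s +%s\n' "$name" "$(delta "$name")"
    done
}

report_growth
```

Interpreting the rates needs the interval between the snapshots; a few hundred SYN cookies an hour on a busy server is noise, a few hundred a second is a backlog under pressure.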
Process Information
Another extremely useful tool for server administrators trying to track down processes that have run amok is the netstat -p command. This returns the PID of the process that owns each connection. It’s also quite useful if you’ve got someone abusing a process and you need to find out what IP they are coming from, so that you can get in touch with that individual or block connections from that IP in the future. Note that netstat only shows the PID/program name for sockets owned by your own user unless you run it as root; other sockets show “-” in that column. Here’s some sample output from netstat -p.
netstat -p
tcp        0      0 localhost:56423         example.domain.com:https    ESTABLISHED 27911/java
tcp        0     52 localhost:ssh           oh-76-76-76-76.dhcp.e:51653 ESTABLISHED 3344/sshd
tcp        0      0 localhost:imaps         76.sub-76-76-76.myvz:9258   ESTABLISHED 14501/dovecot/imap-

Ref: Exchange Core
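Working the PID/Program column both ways, as an added example that is not part of the original article: from a PID to the peer addresses it is talking to (the “what IP is it” question above), from a peer IP back to the local processes it is connected to, and a count of connections per peer. PROC_SAMPLE is a constructed netstat -tnp listing modelled on the output above (java, sshd and dovecot, with a fourth socket whose owner shows as “-” the way netstat reports sockets it is not allowed to inspect); every PID and address in it is made up.

```shell
#!/bin/sh
# Added example, not from the original article: map between PIDs and peer
# addresses in `netstat -tnp` output. Replace PROC_SAMPLE with
# "$(netstat -tnp)" on a live host, run as root so every socket has an owner.

# Constructed sample in the layout of `netstat -tnp` (numeric, TCP, with PIDs).
PROC_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:56423          198.51.100.20:443       ESTABLISHED 27911/java
tcp        0     52 10.0.0.5:22             198.51.100.7:51653      ESTABLISHED 3344/sshd
tcp        0      0 10.0.0.5:993            203.0.113.9:9258        ESTABLISHED 14501/dovecot/imap-
tcp        0      0 10.0.0.5:993            203.0.113.9:9260        ESTABLISHED 14502/dovecot/imap-
tcp        0      0 10.0.0.5:993            203.0.113.9:9261        ESTABLISHED 14503/dovecot/imap-
tcp        0      0 10.0.0.5:80             192.0.2.44:60001        ESTABLISHED -'

# One "pid program peerip peerport" line per socket. The peer port is the text
# after the last colon of column 5; the PID is the text before the first slash
# of column 7, and the program name may itself contain slashes (dovecot/imap-).
conns() {
    printf '%s\n' "$PROC_SAMPLE" | awk 'NR > 2 {
        n = split($5, a, ":"); port = a[n]
        ip = substr($5, 1, length($5) - length(port) - 1)
        split($7, o, "/"); pid = o[1]; prog = substr($7, length(pid) + 2)
        print pid, (prog == "" ? "?" : prog), ip, port
    }'
}

# Peer IPs a given PID is connected to, e.g. `peers_of_pid 27911`.
peers_of_pid() {
    conns | awk -v pid="$1" '$1 == pid { print $3 }' | sort -u
}

# Local PID/program entries connected to a given peer IP, e.g. `owners_of_peer 203.0.113.9`.
owners_of_peer() {
    conns | awk -v ip="$1" '$3 == ip { print $1 "/" $2 }' | sort -u
}

# Connections per peer IP as "count ip", busiest first.
peer_counts() {
    conns | awk '{ print $3 }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sockets whose owner netstat could not show ("-"); a nonzero count means
# the listing was taken without the privileges to see every process.
unowned_count() {
    conns | awk '$1 == "-" { c++ } END { print c + 0 }'
}

echo "peers of 27911: $(peers_of_pid 27911 | tr '\n' ' ')"
echo "owners talking to 203.0.113.9: $(owners_of_peer 203.0.113.9 | tr '\n' ' ')"
echo "busiest peer: $(peer_counts | head -n 1)"
echo "sockets without a visible owner: $(unowned_count)"
```

The -n flag keeps the addresses numeric, which is what you want when the next step is a firewall rule; the resolved names in the listing above are easier to read but are not what you filter on.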