netstat (network command)
2024. 6. 4. 20:25
00 Overview
- A very commonly used command. It is used to check whether daemons are running and for many other purposes, so I could not leave it undocumented.
01 What the netstat command is
1. Definition of netstat
- Short for 'network statistics'
2. What the netstat command does
- Prints network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
- Prints information about the Linux networking subsystem
- The argument that follows netstat determines which information is printed
- Note: This program is obsolete
- Replacement: netstat → ss, netstat -r → ip route, netstat -i → ip -s link, netstat -g → ip maddr.
3. netstat command syntax
- Values that can be used for [address_family_options] below:
[-4|--inet] [-6|--inet6] [--protocol={inet,inet6,unix,ipx,ax25,netrom,ddp, ... } ]
[--unix|-x] [--inet|--ip|--tcpip] [--ax25] [--x25] [--rose] [--ash] [--ipx] [--netrom]
[--ddp|--appletalk] [--econet|--ec]
# netstat [address_family_options] [--tcp|-t] [--udp|-u] [--udplite|-U] [--sctp|-S]
[--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts]
[--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]]
[--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [--wide|-W] [delay]
# netstat -nap is used often
# netstat --route|-r [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v]
[--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
# netstat --interfaces|-I|-i [--all|-a] [--extend|-e] [--verbose|-v] [--program|-p]
[--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
# netstat --groups|-g [--numeric|-n] [--numeric-hosts] [--numeric-ports]
[--numeric-users] [--continuous|-c] [delay]
# netstat --masquerade|-M [--extend|-e] [--numeric|-n] [--numeric-hosts]
[--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
# netstat --statistics|-s [--tcp|-t] [--udp|-u] [--udplite|-U] [--sctp|-S] [--raw|-w]
# netstat --version|-V
# netstat --help|-h
02 First argument
- The type of network information printed is determined by the first argument
First argument | Description |
(none) | By default, netstat prints a list of open sockets. If no address family is specified, the active sockets of all configured address families are printed. |
--route, -r | Prints the kernel routing tables. Same output as netstat -e (extend - detailed information) |
--groups, -g | Prints multicast group membership information for IPv4 and IPv6. |
--interfaces=iface, -I=iface, -i | Prints a table of all interfaces, or of the specified interface |
--masquerade, -M | Prints a list of masqueraded connections |
--statistics, -s | Prints summary statistics for each protocol |
03 netstat command options
1. Types of options
- When several options are used together, the - sign only needs to be written once
Option | Description |
--verbose, -v | Verbose output. In particular, prints useful information about unconfigured address families. |
--wide, -W | Prints IP addresses in full instead of truncating them. |
--numeric, -n | Prints numeric addresses (instead of symbolic host, port or user names) |
--numeric-hosts | Prints numeric host addresses but does not affect the resolution of port or user names? |
--numeric-ports | Prints numeric port numbers but does not affect the resolution of host or user names |
--numeric-users | Prints numeric user IDs but does not affect the resolution of host or port names |
--protocol=family, -A | Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (',') separated list of address family keywords like inet, inet6, unix, ipx, ax25, netrom, econet, and ddp. This is the same as using the --inet|-4, --inet6|-6, --unix|-x, --ipx, --ax25, --netrom, and --ddp options. The address family inet (IPv4) includes raw, udp, udplite and tcp protocol sockets. |
--continuous, -c | Prints the selected information continuously, every second |
--extend, -e | Prints additional information. Use the option twice for maximum detail. |
--timers, -o | Prints information about networking timers |
--program, -p | Prints the PID and name of the program to which each socket belongs |
--listening, -l | Prints only listening sockets (these are omitted by default) |
--all, -a | Prints information on all sockets (listening and non-listening). When used with the --interfaces option, interfaces that are not marked are printed as well |
-F | Prints routing information from the FIB (default) |
-C | Prints routing information from the route cache |
--context, -Z | Prints the SELinux context if SELinux is enabled |
--notrim, -T | Prints long addresses without truncating them |
delay | Netstat will cycle printing through statistics every delay seconds. |
04 netstat output
- Active Internet connections (TCP, UDP, UDPLite, raw)
  - Proto
    - The protocol used by the socket (tcp, udp, udpl, raw)
  - Recv-Q
    - Established: The count of bytes not copied by the user program connected to this socket.
    - Listening: Since Kernel 2.6.18 this column contains the current syn backlog.
  - Send-Q
    - Established: The count of bytes not acknowledged by the remote host.
    - Listening: Since Kernel 2.6.18 this column contains the maximum size of the syn backlog.
  - Local Address
    - Address and port number of the local end of the socket.
    - Unless the --numeric (-n) option is specified, the socket address is resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name.
  - Foreign Address
    - Address and port number of the remote end of the socket.
    - Analogous to "Local Address"
  - State
    - The state of the socket
    - Since there are no states in raw mode and usually no states used in UDP and UDPLite, this column may be left blank.
    - The possible states are:
      - ESTABLISHED - The socket has an established connection.
      - SYN_SENT - The socket is actively attempting to establish a connection.
      - SYN_RECV - A connection request has been received from the network.
      - FIN_WAIT1 - The socket is closed, and the connection is shutting down.
      - FIN_WAIT2 - The connection is closed, and the socket is waiting for a shutdown from the remote end.
      - TIME_WAIT - The socket is waiting after close to handle packets still in the network.
      - CLOSE - The socket is not being used.
      - CLOSE_WAIT - The remote end has shut down, waiting for the socket to close.
      - LAST_ACK - The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
      - LISTEN - The socket is listening for incoming connections. (These sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.)
      - CLOSING - Both sockets are shut down but we still don't have all our data sent.
      - UNKNOWN - The state of the socket is unknown.
  - User
    - The username or the user id (UID) of the owner of the socket.
  - PID/Program name
    - Slash-separated pair of the process id (PID) and process name of the process that owns the socket. --program causes this column to be included.
    - You will also need superuser privileges to see this information on sockets you don't own.
    - This identification information is not yet available for IPX sockets.
  - Timer
    - (this needs to be written)
- Active UNIX domain Sockets
  - Proto
    - The protocol (usually unix) used by the socket.
  - RefCnt
    - The reference count (i.e. attached processes via this socket).
  - Flags
    - The flags displayed are SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCEPTON is used on unconnected sockets if their corresponding processes are waiting for a connect request. The other flags are not of normal interest.
  - Type
    - There are several types of socket access:
      - SOCK_DGRAM - The socket is used in Datagram (connectionless) mode.
      - SOCK_STREAM - This is a stream (connection) socket.
      - SOCK_RAW - The socket is used as a raw socket.
      - SOCK_RDM - This one serves reliably-delivered messages.
      - SOCK_SEQPACKET - This is a sequential packet socket.
      - SOCK_PACKET - Raw interface access socket.
      - UNKNOWN - Who ever knows what the future will bring us - just fill in here :-)
  - State
    - This field will contain one of the following Keywords:
      - FREE - The socket is not allocated
      - LISTENING - The socket is listening for incoming connections. (These sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.)
      - CONNECTING - The socket is about to establish a connection.
      - CONNECTED - The socket is connected.
      - DISCONNECTING - The socket is disconnecting.
      - (empty) - The socket is not connected to another one.
      - UNKNOWN - This state should never happen.
  - PID/Program name
    - Process ID (PID) and process name of the process that has the socket open. More info available in Active Internet connections section written above.
  - Path
    - This is the path name as which the corresponding processes attached to the socket.
- Active IPX sockets
  - (this needs to be done by somebody who knows it)
- Active NET/ROM sockets
  - (this needs to be done by somebody who knows it)
- Active AX.25 sockets
  - (this needs to be done by somebody who knows it)
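The Proto, Local Address, State and PID/Program name columns described above can be checked mechanically. The following is an added example, not part of the original post: a shell function (the name `exposed_listeners` is hypothetical) that reads `netstat -nap` output and reports sockets listening on all interfaces. The sample output is constructed, and treating a UDP socket with a blank State as a listener is an assumption of this example.

```shell
#!/bin/sh
# Constructed sample of `netstat -nap` output (not captured from a real host).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      950/postgres
tcp        0     36 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 2001/sshd: admin
tcp6       0      0 :::8080                 :::*                    LISTEN      1377/java
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  2      [ ACC ]     STREAM     LISTENING     18231    1/systemd            /run/systemd/private'

# Reads netstat output on stdin and prints "proto address port program"
# for every TCP/UDP socket that accepts traffic on all interfaces.
exposed_listeners() {
    awk '
    $1 !~ /^(tcp|udp)6?$/ { next }   # skip headers and the UNIX socket table
    {
        # State is blank for unconnected UDP, so PID/Program shifts left.
        has_state = ($6 ~ /^[A-Z][A-Z_0-9]*$/)
        state = has_state ? $6 : ""
        first = has_state ? 7 : 6

        # The program name may contain spaces; join the remaining fields.
        prog = ""
        for (i = first; i <= NF; i++) prog = prog (prog == "" ? "" : " ") $i
        if (prog == "") prog = "-"   # no -p, or not run as superuser

        # Split on the last colon so IPv6 forms such as :::8080 work.
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)

        # Assumption: UDP has no LISTEN state, so blank state counts.
        listening = ($1 ~ /^tcp/) ? (state == "LISTEN") : (state == "")
        wildcard = (addr == "0.0.0.0" || addr == "::" || addr == "*")
        if (listening && wildcard)
            printf "%s %s %s %s\n", $1, addr, port, prog
    }'
}

printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live host the same function can be fed with `netstat -nap | exposed_listeners`; without superuser privileges the program column shows `-` for sockets owned by other users.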
/etc/services -- The services translation file
/proc -- Mount point for the proc filesystem, which gives access to kernel status
information via the following files.
/proc/net/dev -- device information
/proc/net/raw -- raw socket information
/proc/net/tcp -- TCP socket information
/proc/net/udp -- UDP socket information
/proc/net/udplite -- UDPLite socket information
/proc/net/igmp -- IGMP multicast information
/proc/net/unix -- Unix domain socket information
/proc/net/ipx -- IPX socket information
/proc/net/ax25 -- AX25 socket information
/proc/net/appletalk -- DDP (appletalk) socket information
/proc/net/nr -- NET/ROM socket information
/proc/net/route -- IP routing information
/proc/net/ax25_route -- AX25 routing information
/proc/net/ipx_route -- IPX routing information
/proc/net/nr_nodes -- NET/ROM nodelist
/proc/net/nr_neigh -- NET/ROM neighbours
/proc/net/ip_masquerade -- masqueraded connections
/proc/net/snmp -- statistics
- route(8), ifconfig(8), iptables(8), proc(5), ss(8), ip(8)
- Occasionally strange information may appear if a socket changes as it is viewed.
- This is unlikely to occur.
- man netstat