network netstat - ghdrako/doc_snipets GitHub Wiki

Graph the number of connections for each host

netstat -an | awk '/ESTABLISHED/ { split($5,ip,":"); if (ip[1] !~ /^$/) print ip[1] }' | \
sort | uniq -c | awk '{ printf("%s\t%s\t",$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }'

Monitor open connections for a specific port (including listening sockets), counted and sorted per IP

watch "netstat -plan | grep :443 | awk {'print \$5'} | cut -d: -f 1 | sort | uniq -c | sort -nk 1"

Grab banners from local IPv4 listening ports

netstat -nlt | awk '$1 == "tcp" { n = split($4, a, ":"); print a[n] }' | sort -un | xargs -I {} sh -c 'echo "" | nc -v -n -w1 127.0.0.1 {}'  # ports are taken from the Local Address column

The functionality of netstat has been replicated over time in different Linux utilities, such as ip and ss.

Listing All Sockets

netstat -a | less
$ netstat -i # list the network interfaces on your system
$ netstat -r # display the routing table.

An asterisk in the last two lines indicates that no gateway is required to send packets to any host on these networks. This host is directly connected to the networks.

$ netstat # displays a list of open sockets.
$ netstat -l # show only listening sockets, which by default, are not shown
$ netstat -a # show listening and non-listening sockets. 

$ netstat -help

$ netstat -natu | grep 'ESTABLISHED' # display all established connections from the server
$ netstat -natu | grep 'ESTABLISHED' | grep 61.177.142.158

$ netstat -an | grep 'LISTEN'  # show listening sockets and the IP:port each one is bound to

$ netstat -anlp |grep 3937 # show Port Number used by PID

$ netstat -s # overall statistics for all protocols; pay attention to the "packets discarded" messages

$ netstat -anlp | grep ':80 ' | grep LISTEN  # which PID uses/blocks a particular port number

-c shows the output continuously

netstat -anlpc |grep 8080

Result interpretation

Send-Q

$ netstat -ct

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    1756 ubuntu:ircd             10.8.1.7:63602          ESTABLISHED

Data goes in the send queue when the application writes it to its local kernel TCP stack. Data gets removed from the send queue when the other side's TCP stack acknowledges receipt of the data. If they're sitting in the send queue that means that your IRC server code has sent them to your kernel, but the other side of the connection hasn't acknowledged them yet. This may be because they haven't been sent yet. This can be caused by server bandwidth limitations or server performance limitations, but most commonly it's simply because the other side isn't receiving the data as fast as the server is sending it.

Send-Q:

netstat -an

A high Send-Q means the data has been put in the TCP/IP send buffer, but it has not been sent, or it has been sent but not ACKed. So a high value in Send-Q can be related to server network congestion, a server performance issue, data packet flow control, and so on.

Recv-Q:

netstat -an

A high Recv-Q means the data has been put in the TCP/IP receive buffer, but the application has not called recv() to copy it from the TCP/IP buffer to the application buffer. The customer can check the application listening on the port and see if it is working as expected. For example, if you saw Recv-Q in the following connection:

Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4    3223      0  11.10.32.24.8002       11.10.32.12.64672      ESTABLISHED

The customer should check the application listening on port 8002.

Please note: The send and receive queue sizes are shown in bytes.
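
The Send-Q / Recv-Q reading described above can be automated. The script below is an added example, not part of the original wiki page: the function names, the byte threshold and the last two sample rows are assumptions made for illustration (the first two rows are the ones shown above). It accepts both the Linux `ip:port` and the BSD-style `ip.port` address forms.

```shell
#!/bin/sh
# Added example: flag ESTABLISHED TCP sockets with a large Recv-Q or Send-Q.
# flag_queues LIMIT reads `netstat -an` / `netstat -ct` style rows on stdin
# and prints one line per queue that holds more than LIMIT bytes.
flag_queues() {
    awk -v limit="${1:-0}" '
        # Skip headers, non-TCP rows and rows without numeric queue columns.
        $1 !~ /^tcp/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
        # LISTEN rows are skipped: the page only interprets queues on connections.
        $6 != "ESTABLISHED" { next }
        {
            recvq = $2 + 0; sendq = $3 + 0
            # The port is the last piece of the local address; the separator is ":"
            # on Linux (ubuntu:ircd) and "." in BSD-style output (11.10.32.24.8002).
            n = split($4, part, "[:.]"); port = part[n]
            if (recvq > limit + 0)
                printf "RECV-Q %d port=%s peer=%s cause=local application is not reading\n", recvq, port, $5
            if (sendq > limit + 0)
                printf "SEND-Q %d port=%s peer=%s cause=data unsent or not yet ACKed by peer\n", sendq, port, $5
        }'
}

# Sample input: rows 2 and 3 are from the page, rows 4 and 5 are constructed.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0   1756 ubuntu:ircd             10.8.1.7:63602          ESTABLISHED
tcp4    3223      0 11.10.32.24.8002        11.10.32.12.64672       ESTABLISHED
tcp        0      0 192.0.2.10:22           192.0.2.50:51514        ESTABLISHED
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
EOF
}

# Report queues holding more than 1000 bytes (threshold chosen for the demo).
sample_netstat | flag_queues 1000
```

On a live host, replace `sample_netstat` with `netstat -ant` and run it repeatedly: a queue that stays high across samples matters more than a single spike.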