Certified Linux Administrator Netstat and logging

Netstat and logging
 


Typing netstat should display a long list of information that's usually more than you want to go through at any given time.
The trick to keeping the information useful is knowing what you're looking for and how to tell netstat to only display that information.

For example, if you only want to see TCP connections, use netstat --tcp.
This shows a list of TCP connections to and from your machine. The following example shows connections to our machine on ports 993 (imaps), 143 (imap), 110 (pop3), 25 (smtp), and 22 (ssh). It also shows a connection from our machine to a remote machine on port 389 (ldap). The direction can be read from the port numbers: for the inbound connections the well-known service port is on the local side and the peer uses a high ephemeral port, while for the LDAP connection the local port (45771) is ephemeral and the well-known port is on the foreign side.

Note: To speed things up you can use the --numeric option to avoid having to do name resolution on addresses and display the IP only. Besides being faster, this avoids stalling on reverse DNS lookups when the resolver is slow or unreachable, and it shows the address the socket is actually bound to rather than whatever a PTR record claims.

Code Listing 1: netstat --tcp --numeric

% netstat --tcp --numeric  
Active Internet connections (w/o servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 192.168.128.152:993     192.168.128.120:3853   ESTABLISHED
tcp        0      0 192.168.128.152:143     192.168.128.194:3076   ESTABLISHED
tcp        0      0 192.168.128.152:45771   192.168.128.34:389      TIME_WAIT
tcp        0      0 192.168.128.152:110     192.168.33.123:3521     TIME_WAIT
tcp        0      0 192.168.128.152:25      192.168.231.27:44221    TIME_WAIT
tcp        0    256 192.168.128.152:22      192.168.128.78:47258   ESTABLISHED
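
The inbound/outbound reading described above can be automated. The following script is an added example, not part of the original course material: it classifies the rows of netstat --tcp --numeric with the heuristic that a local port below 1024 (or one you name in LOCAL_SERVICE_PORTS, an assumption of this example) is a service this host offers, counts rows per state, and lists the peers of outbound connections. The sample input is Code Listing 1 embedded as a string so the functions run without netstat.

```sh
#!/bin/sh
# Added example, not from the original course page: classify the rows of
# `netstat --tcp --numeric` as inbound or outbound and count them per state.
# The direction rule is an assumption of this example: a local port below
# 1024, or one listed in LOCAL_SERVICE_PORTS, is a service this host offers,
# so the row is an inbound connection; any other row is one this host opened.

# Constructed sample: the rows of Code Listing 1, embedded so the functions
# can be exercised without running netstat.
SAMPLE_TCP='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.128.152:993     192.168.128.120:3853   ESTABLISHED
tcp        0      0 192.168.128.152:143     192.168.128.194:3076   ESTABLISHED
tcp        0      0 192.168.128.152:45771   192.168.128.34:389      TIME_WAIT
tcp        0      0 192.168.128.152:110     192.168.33.123:3521     TIME_WAIT
tcp        0      0 192.168.128.152:25      192.168.231.27:44221    TIME_WAIT
tcp        0    256 192.168.128.152:22      192.168.128.78:47258   ESTABLISHED'

# High-numbered ports that are nevertheless local services (e.g. "8080 8443").
LOCAL_SERVICE_PORTS="${LOCAL_SERVICE_PORTS:-}"

# classify_tcp: netstat rows on stdin -> "DIRECTION LOCAL FOREIGN STATE" per row
classify_tcp() {
    awk -v svc="$LOCAL_SERVICE_PORTS" '
        BEGIN { n = split(svc, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        $1 !~ /^tcp/ { next }                       # skip the two header lines
        {
            n = split($4, l, ":"); lport = l[n]     # port is the text after the last colon
            dir = (lport + 0 < 1024 || (lport in known)) ? "inbound" : "outbound"
            printf "%s %s %s %s\n", dir, $4, $5, $6
        }'
}

# count_by_state: netstat rows on stdin -> "STATE COUNT" lines, sorted by state
count_by_state() {
    awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) printf "%s %d\n", s, c[s] }' | LC_ALL=C sort
}

# outbound_peers: netstat rows on stdin -> foreign ADDRESS:PORT of each outbound row
outbound_peers() {
    classify_tcp | awk '$1 == "outbound" { print $3 }'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_TCP" | classify_tcp
printf '%s\n' "$SAMPLE_TCP" | count_by_state
printf '%s\n' "$SAMPLE_TCP" | outbound_peers
```

On a live host replace the printf with netstat --tcp --numeric; a sudden growth in the outbound list, or peers on ports you do not recognise, is the kind of change worth investigating.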

If you want to see what (TCP) ports your machine is listening on, use netstat --tcp --listening.
Another useful flag to add to this is --programs, which shows the PID and name of the process that owns each listening socket. netstat can only identify processes whose /proc entries it is allowed to read, so run it as root (with sudo, as below); otherwise the PID/Program name column is left blank or shown as "-" for sockets owned by other users.
The following example shows a machine listening on ports 80 (www), 443 (https), 22 (ssh), and 25 (smtp):

Code Listing 2: netstat --tcp --listening --programs

% sudo netstat --tcp --listening --programs
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State     PID/Program name
tcp        0      0 *:www           *:*               LISTEN    28826/apache2
tcp        0      0 *:ssh           *:*               LISTEN    26604/sshd
tcp        0      0 *:smtp          *:*               LISTEN    6836/
tcp        0      0 *:https         *:*               LISTEN    28826/apache2

Note: Using --all displays both connections and listening ports.
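
A listing of listeners is most useful when compared against what the host is supposed to expose. The script below is an added example, not part of the original course material: it reads netstat --tcp --listening --programs --numeric output, reports listeners that are reachable from the network and not on an expected-port list (EXPECTED_PORTS is an assumption made for the example), and separately reports sockets netstat could not attribute to a process. The sample is Code Listing 2 rendered numerically, plus two rows invented for the example.

```sh
#!/bin/sh
# Added example, not from the original course page: review the output of
# `netstat --tcp --listening --programs --numeric` against a list of ports
# this host is expected to expose. EXPECTED_PORTS is an assumption made for
# the example; adapt it to the host's actual role.

# Constructed sample: the four listeners of Code Listing 2 as --numeric would
# print them, plus two rows invented for the example (a database bound to all
# interfaces and a cache bound to loopback only).
SAMPLE_LISTEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State     PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*         LISTEN    28826/apache2
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN    26604/sshd
tcp        0      0 0.0.0.0:25      0.0.0.0:*         LISTEN    6836/
tcp        0      0 0.0.0.0:443     0.0.0.0:*         LISTEN    28826/apache2
tcp        0      0 0.0.0.0:3306    0.0.0.0:*         LISTEN    1201/mysqld
tcp        0      0 127.0.0.1:6379  0.0.0.0:*         LISTEN    1337/redis-server'

EXPECTED_PORTS="${EXPECTED_PORTS:-22 25 80 443}"

# unexpected_listeners: rows on stdin -> "LOCAL PROGRAM" for each LISTEN socket that is
# reachable from the network (not bound to 127.0.0.1 or ::1) and not in EXPECTED_PORTS
unexpected_listeners() {
    awk -v ok="$EXPECTED_PORTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
        $1 !~ /^tcp/ || $6 != "LISTEN" { next }
        {
            n = split($4, l, ":"); port = l[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback only, not exposed
            if (port in allowed) next
            printf "%s %s\n", $4, ($7 == "" ? "-" : $7)
        }'
}

# unidentified_listeners: rows on stdin -> LISTEN sockets whose PID/Program field is
# blank after the slash ("6836/") or "-": netstat could not attribute the socket to a
# process, which usually means it lacked permission to read the owner's /proc entry.
# Re-run as root before trusting the inventory.
unidentified_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && ($7 == "-" || $7 ~ /\/$/) { print $4, $7 }'
}

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_LISTEN" | unexpected_listeners
printf '%s\n' "$SAMPLE_LISTEN" | unidentified_listeners
```

Run periodically (or from a configuration-management check), the first function turns a one-off "what is listening" question into a standing control: anything it prints is either a newly deployed service that should be added to the list or something that should not be there.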

The next example uses netstat --route to display the routing table. For most people, this will show one IP network and the gateway address, but if you have more than one interface or have multiple IPs assigned to an interface, this command can help troubleshoot network routing problems.

Code Listing 3: netstat --route

% netstat --route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    1      0        0 eth0

The last example of netstat uses the --statistics flag to display networking statistics. Used by itself, it prints the counters for IP, ICMP, TCP, and UDP. Adding a protocol flag restricts the output: --raw (IP and ICMP), --tcp, or --udp. For example purposes, only the output from --raw is shown here.
Combined with the uptime command, this can be used to get an overview of how much traffic your machine is handling on a daily basis. The counters are cumulative since boot, so take two readings some time apart and subtract if you want a rate rather than a total.

Code Listing 4: netstat --statistics --raw

% netstat --statistics --raw
Ip:
    620516640 total packets received
    0 forwarded
    0 incoming packets discarded
    615716262 incoming packets delivered
    699594782 requests sent out
    5 fragments dropped after timeout
    3463529 reassemblies required
    636730 packets reassembled ok
    5 packet reassembles failed
    310797 fragments created
// ICMP statistics truncated

Note: For clarity, the long names for the various flags were given. Most can be abbreviated to avoid excessive typing (e.g. netstat -tn, netstat -tlp, netstat -r, and netstat -sw).

 

Syntax

The synopsis and option list below follow the SunOS/Solaris netstat(1M) manual rather than the Linux net-tools version used in the listings above; the STREAMS, DHCP, and ie0/le0 references come from that system. Note in particular that on Solaris -p prints the ARP table, whereas on Linux -p is --programs.

netstat [-a] [-n] [-v]

netstat [-g | -m | -p | -s | -f address_family ] [-n] [-P protocol]

netstat [ -i ] [ -I interface ] [ interval ]

netstat -r [-a] [-n] [-v ]

netstat -M [-n] [-s ]

netstat -D [ -I interface ]

-a Show the state of all sockets and all routing table entries; normally, sockets used by server processes are not shown and only interface, host, network, and default routes are shown.
-n Show network addresses as numbers. netstat normally displays addresses as symbols. This option may be used with any of the display formats.
-v Verbose. Show additional information for the sockets and the routing table.
-g Show the multicast group memberships for all interfaces.
-m Show the STREAMS statistics.
-p Show the address resolution (ARP) tables.
-s Show per-protocol statistics. When used with the -M option, show multicast routing statistics instead.
-i Show the state of the interfaces that are used for TCP/IP traffic.
-r Show the routing tables.
-M Show the multicast routing tables. When used with the -s option, show multicast routing statistics instead.
-d Show the state of all interfaces that are under Dynamic Host Configuration Protocol (DHCP) control.
-D Show the status of DHCP configured interfaces.
-f address_family Limit statistics or address control block reports to those of the specified address_family, which can be one of:

inet For the AF_INET address family
unix For the AF_UNIX address family

-P protocol Limit display of statistics or state of all sockets to those applicable to protocol.
-I interface Show the state of a particular interface. interface can be any valid interface such as ie0 or le0.

Examples

netstat

Displays the active sockets (TCP, UDP, and Unix domain) on the host you are currently logged in to.

netstat -an

Shows all sockets on the server, listening ones included, with numeric source and destination IPs and ports (no name resolution).

netstat -rn

Displays the routing table, with numeric addresses, for all IPs bound to the server.

 


Logging type

Using netstat you can monitor every connection going in and out of your computer, across all major protocols (TCP and UDP) and every port. netstat is a standard Unix program, so it is likely installed. Note that many current Linux distributions ship it only in the optional net-tools package and install ss (from iproute2) by default; ss -tun gives the equivalent numeric listing of TCP and UDP connections.

netstat also lists Unix domain sockets, which are of little use when watching network traffic. To display only TCP and UDP connections:

  • Execute: netstat -t -u
  • For displaying continuously
    • Execute: netstat -t -u -c
  • Output
tcp        0      0 10.0.0.9:57053          71-95-19-141.stat:16359 ESTABLISHED 
tcp        0  19109 10.0.0.9:49249          5ac33076.bb.sky.c:52782 ESTABLISHED 
tcp        0      0 10.0.0.9:53874          catv54039CF5.pool:16628 ESTABLISHED 
tcp        0      0 10.0.0.9:37182          host86-140-193-28.:6881 ESTABLISHED 
tcp        0      0 10.0.0.9:45563          61-224-49-29.dyna:48227 ESTABLISHED 
tcp        0      0 10.0.0.9:47665          74.213.68.212:43837     ESTABLISHED 
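
A continuously scrolling listing is hard to review and harder to keep. The script below is an added example, not part of the original course material: it turns the netstat -t -u -n -c idea into a change log by comparing successive snapshots and printing only the connections that appeared or disappeared. The two snapshots are constructed for the example, with peer addresses taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24; watch_connections is the live polling loop and is only run by hand.

```sh
#!/bin/sh
# Added example, not from the original course page: turn the continuous
# `netstat -t -u -n -c` idea into a connection log. Two snapshots are compared
# and every connection that appeared or disappeared between them is printed,
# which is easier to review (and to ship to a log server) than a scrolling
# full listing. The snapshots below are constructed for the example; the peer
# addresses come from the documentation ranges 192.0.2.0/24, 198.51.100.0/24
# and 203.0.113.0/24.
SNAP_T0='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.9:57053          192.0.2.10:16359        ESTABLISHED
tcp        0  19109 10.0.0.9:49249          198.51.100.7:52782      ESTABLISHED
udp        0      0 10.0.0.9:68             10.0.0.1:67             ESTABLISHED'

SNAP_T1='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.9:49249          198.51.100.7:52782      ESTABLISHED
tcp        0      0 10.0.0.9:37182          203.0.113.5:6881        ESTABLISHED
udp        0      0 10.0.0.9:68             10.0.0.1:67             ESTABLISHED'

# conn_keys: netstat -tun rows on stdin -> sorted "PROTO LOCAL FOREIGN" keys
# (state and queue counters are dropped so a connection is one key for its lifetime)
conn_keys() {
    awk '$1 ~ /^(tcp|udp)/ { print $1, $4, $5 }' | LC_ALL=C sort
}

# conn_diff PREV CUR: keys only in CUR are NEW, keys only in PREV are CLOSED
conn_diff() {
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/NEW /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/CLOSED /'
}

# watch_connections [INTERVAL]: poll netstat every INTERVAL seconds (default 5)
# and print each change with a UTC timestamp; runs until interrupted.
# Needs net-tools; on hosts that only ship iproute2, use `ss -tun` and adjust
# the column numbers in conn_keys (ss puts the addresses in fields 5 and 6).
watch_connections() {
    prev=$(mktemp); cur=$(mktemp)
    netstat -tun 2>/dev/null | conn_keys > "$prev"
    while sleep "${1:-5}"; do
        netstat -tun 2>/dev/null | conn_keys > "$cur"
        conn_diff "$prev" "$cur" | sed "s/^/$(date -u +%Y-%m-%dT%H:%M:%SZ) /"
        mv "$cur" "$prev"
    done
}

# Demo: diff the two constructed snapshots
t0=$(mktemp); t1=$(mktemp)
printf '%s\n' "$SNAP_T0" | conn_keys > "$t0"
printf '%s\n' "$SNAP_T1" | conn_keys > "$t1"
conn_diff "$t0" "$t1"
rm -f "$t0" "$t1"
```

The polling interval bounds what you can see: a connection that opens and closes between two samples is never logged, so for complete connection records use the kernel's own accounting (conntrack, auditd, or a packet capture) and treat this script as a lightweight first look.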

 
