Using netstat in Linux to get number of connections

Post by Saman » Sun Jan 07, 2018 10:53 pm

Using "netstat -a" will give you something like this:

Code:

tcp        0      0 app.example.com:http    93.184.216.119:16494            SYN_RECV
tcp        0      0 app.example.com:http    93.184.216.119:18733            SYN_RECV
tcp        0      0 app.example.com:http    93.184.216.119.dsl.mwe:64775    SYN_RECV
tcp        0      0 app.example.com:http    93.184.216.119.threembb.:16490  SYN_RECV
tcp        0      0 app.example.com:http    93.184.216.119:video-activmail  SYN_RECV
tcp        0      0 app.example.com:http    93.184.216.119:45025            SYN_RECV
tcp        0      0 app.example.com:http    93.184.216.119:dvl-activemail   SYN_RECV
tcp        0      0 app.example.com:http    41-135-22-100.dsl.mwe:64774     SYN_RECV

To get the current connection count, use the following command:

Code:

netstat -an | wc -l

To filter out unnecessary data, we will use grep as below:

Code:

netstat -an | grep :80 | wc -l

To see what the connections are actually doing, use the following command:

Code:

netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
      1 CLOSING
      1 established
      1 FIN_WAIT2
      1 Foreign
      2 CLOSE_WAIT
      6 FIN_WAIT1
      7 LAST_ACK
      7 SYN_RECV
     37 ESTABLISHED
     44 LISTEN
    297 TIME_WAIT

To get a list of listening services, use the following command:

Code:

[root@server ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 electrolanka.com:rfio   0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:submission      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:pop3            0.0.0.0:*               LISTEN
tcp        0      0 localhost:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:imap            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ndmp            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:urd             0.0.0.0:*               LISTEN

To see network statistics, use the following command:

Code:

[root@server ~]# netstat -s
Ip:
    127126899 total packets received
    0 forwarded
    9 with unknown protocol
    0 incoming packets discarded
    126998074 incoming packets delivered
    105806208 requests sent out
    27 outgoing packets dropped
    48 dropped because of missing route
    6272 fragments dropped after timeout
    6273 reassemblies required
    6272 packet reassembles failed
Icmp:
    342522 ICMP messages received
    35995 input ICMP message failed.
    InCsumErrors: 3
    ICMP input histogram:
        destination unreachable: 56408
        timeout in transit: 855
        redirects: 15
        echo requests: 285138
        echo replies: 96
        timestamp request: 7
    432921 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 141594
        time exceeded: 6182
        echo replies: 285138
        timestamp replies: 7
IcmpMsg:
        InType0: 96
        InType3: 56408
        InType5: 15
        InType8: 285138
        InType11: 855
        InType13: 7
        OutType0: 285138
        OutType3: 141594
        OutType11: 6182
        OutType14: 7
Tcp:
    620992 active connections openings
    3099807 passive connection openings
    87361 failed connection attempts
    332654 connection resets received
    12 connections established
    89909519 segments received
    136159669 segments send out
    1312097 segments retransmited
    977 bad segments received.
    985970 resets sent
    InCsumErrors: 730
Udp:
    39076419 packets received
    42846 packets to unknown port received.
    268 packet receive errors
    39084296 packets sent
    0 receive buffer errors
    0 send buffer errors
    InCsumErrors: 268
UdpLite:
TcpExt:
    53007 invalid SYN cookies received
    19201 resets received for embryonic SYN_RECV sockets
    3 ICMP packets dropped because they were out-of-window
    1903393 TCP sockets finished time wait in fast timer
    4809 packets rejects in established connections because of timestamp
    675451 delayed acks sent
    1278 delayed acks further delayed because of locked socket
    Quick ack mode was activated 79053 times
    980 times the listen queue of a socket overflowed
    1430 SYNs to LISTEN sockets dropped
    2501421 packets directly queued to recvmsg prequeue.
    68476567 bytes directly in process context from backlog
    3269301520 bytes directly received in process context from prequeue
    7547099 packet headers predicted
    1926072 packets header predicted and directly queued to user
    32847883 acknowledgments not containing data payload received
    28768928 predicted acknowledgments
    857 times recovered from packet loss due to fast retransmit
    193137 times recovered from packet loss by selective acknowledgements
    246 bad SACK blocks received
    Detected reordering 1406 times using FACK
    Detected reordering 1949 times using SACK
    Detected reordering 21 times using reno fast retransmit
    Detected reordering 6541 times using time stamp
    3031 congestion windows fully recovered without slow start
    5952 congestion windows partially recovered using Hoe heuristic
    4338 congestion windows recovered without slow start by DSACK
    30785 congestion windows recovered without slow start after partial ack
    TCPLostRetransmit: 24261
    154 timeouts after reno fast retransmit
    21210 timeouts after SACK recovery
    11008 timeouts in loss state
    472830 fast retransmits
    43723 forward retransmits
    87853 retransmits in slow start
    1695353 other TCP timeouts
    TCPLossProbes: 129123
    TCPLossProbeRecovery: 28947
    299 classic Reno fast retransmits failed
    27728 SACK retransmits failed
    20 times receiver scheduled too late for direct processing
    91329 DSACKs sent for old packets
    540 DSACKs sent for out of order packets
    91082 DSACKs received
    1802 DSACKs for out of order packets received
    244676 connections reset due to unexpected data
    18433 connections reset due to early user close
    26405 connections aborted due to timeout
    TCPSACKDiscard: 822
    TCPDSACKIgnoredOld: 822
    TCPDSACKIgnoredNoUndo: 41086
    TCPSpuriousRTOs: 25509
    TCPSackShifted: 436117
    TCPSackMerged: 864297
    TCPSackShiftFallback: 610372
    TCPDeferAcceptDrop: 2821626
    TCPRetransFail: 30
    TCPRcvCoalesce: 1705875
    TCPOFOQueue: 470742
    TCPOFOMerge: 365
    TCPChallengeACK: 10950
    TCPSYNChallenge: 268
    TCPFastOpenCookieReqd: 35
    TCPSpuriousRtxHostQueues: 10
    TCPAutoCorking: 7949083
    TCPFromZeroWindowAdv: 113
    TCPToZeroWindowAdv: 113
    TCPWantZeroWindowAdv: 341
    TCPSynRetrans: 284969
    TCPOrigDataSent: 118567808
    TCPHystartTrainDetect: 5381
    TCPHystartTrainCwnd: 1742831
    TCPHystartDelayDetect: 12737
    TCPHystartDelayCwnd: 744627
    TCPACKSkippedSynRecv: 1559
    TCPACKSkippedPAWS: 2541
    TCPACKSkippedSeq: 2241
    TCPACKSkippedTimeWait: 166
    TCPACKSkippedChallenge: 441
IpExt:
    InNoRoutes: 2
    InMcastPkts: 47
    OutMcastPkts: 49
    InOctets: 29122264496
    OutOctets: 165757922236
    InMcastOctets: 7129
    OutMcastOctets: 7209
    InNoECTPkts: 129867090
    InECT1Pkts: 316
    InECT0Pkts: 455518
    InCEPkts: 3900

Another extremely useful tool for server administrators who are trying to track down processes that have run amok is the netstat -p command. This returns the PID of the process that has the connection. It's also quite useful if you've got someone abusing a PID and you need to find out what IP it is, so that you can get in touch with that individual or block connections from that IP in the future. Here's some sample output from netstat -p:

Code:

[root@server ~]# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 ns3.example.c:http vmi150956.contabo:48464 SYN_RECV    -
tcp        0      0 ns4.example.c:http 45.xx.168.xx:364z2     SYN_RECV    -
tcp        0      0 ns3.example.:imaps xx.165.153.xx:3z496    ESTABLISHED 2xcv8/dovecot/imap-
tcp        0    272 example.com:rfio   123.2xx.10x.xx2:2zz40   ESTABLISHED 2zz7/sshd: root@pts
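
Added example (not part of the original post): the counts above come from `wc -l` and `grep :80`, which also count header lines, LISTEN sockets, port 8080 and remote-side port 80. The sketch below parses `netstat -ant` field by field to count per local port, per state and per remote IP, which is the view needed when SYN_RECV entries pile up from one source. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation addresses only).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:16494      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:18733      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:45025      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:8080         203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:40312        203.0.113.9:80          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::10:80         2001:db8::99:40000      SYN_RECV
EOF
}

# Emit "local_port state remote_ip" per TCP socket; header lines are dropped
# because their first field is not tcp or tcp6.
tcp_rows() {
    awk '$1 ~ /^tcp6?$/ && NF >= 6 {
        lport = $4; sub(/.*:/, "", lport)    # port follows the last colon
        rip = $5;   sub(/:[^:]*$/, "", rip)  # address precedes the last colon
        print lport, $6, rip
    }'
}

# Number of connections to local port $1 (LISTEN sockets are not connections).
count_port_conns() {
    tcp_rows | awk -v p="$1" '$1 == p && $2 != "LISTEN" { n++ } END { print n + 0 }'
}

# "count state" lines for local port $1, smallest count first.
state_histogram() {
    tcp_rows | awk -v p="$1" '$1 == p { print $2 }' |
        sort | uniq -c | sort -n | awk '{ print $1, $2 }'
}

# "count remote_ip" lines for local port $1 in state $2, busiest source first.
top_remotes() {
    tcp_rows | awk -v p="$1" -v s="$2" '$1 == p && $2 == s { print $3 }' |
        sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

sample_netstat | state_histogram 80
sample_netstat | top_remotes 80 SYN_RECV
```

On a live host, feed real output in instead of the sample, for example `netstat -ant | top_remotes 80 SYN_RECV`.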