
Run the netstat command on a Linux ECS instance to view and check system port information

Last Updated: May 20, 2022

Disclaimer: this document may contain information about third-party products that are for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

 

Overview

This article describes how to use the Linux netstat command to view information about system port usage.

 

Detailed information

Alibaba Cloud reminds you that:

  • If you perform risky operations on an instance or its data, pay attention to the disaster tolerance and fault tolerance capabilities of the instance to ensure data security.
  • If you modify the configuration or data of an instance (including but not limited to ECS and RDS), we recommend that you create snapshots or enable RDS log backup.
  • If you have granted permissions on the Alibaba Cloud platform or submitted security information such as the logon account and password, we recommend that you modify the information as soon as possible.

This topic describes the following uses of the Linux netstat command.

 

netstat command

The netstat command is a tool commonly used to monitor TCP/IP networks. It can display the routing table, the actual network connections, and the status information of each network interface device. To find out which ports are open on the current system and which processes and users are associated with these ports, you can use the netstat command. The syntax and parameters of the netstat command are as follows.

 

Syntax

netstat [$Parameter]

Note: [$Parameter] is a parameter of the netstat command.

 

Command parameters

The parameters are described as follows:

  • -a or --all: displays the sockets of all connections.
  • -A: lists the relevant addresses of connections of the specified network type.
  • -c or --continuous: continuously lists the network status.
  • -C or --cache: displays the cache information of the router configuration.
  • -e or --extend: displays additional network-related information.
  • -t: displays only TCP ports.
  • -u: displays only UDP ports.
  • -l: displays only listening sockets.
  • -p: displays the process identifier and the name of the program that each socket or port belongs to.
  • -n: does not perform DNS lookups and displays IP addresses directly, which speeds up the operation.
  • --help: displays command usage help.

 

Common netstat command combinations

The netstat command is usually combined with grep, wc, or sort to analyze the connection status and the number of connections on the system and determine whether the server is under attack. The command combinations are described as follows.

  • Run the following command to display all active network connections:
    netstat -na

  • Run the following command to display and sort all network connections on the specified port. If a web service process is listening on the specified port, you can use this command to monitor the web service. If the same IP address has a large number of connections, a single-point traffic attack is suspected.
    netstat -an | grep :[$Port] | sort
    Note: [$Port] is the specified port number on the Linux instance.

  • Run the following command to count the number of active connections of the specified service on the current server. Normally this value is very small, usually less than 5. During a distributed denial of service attack, this value is very high. However, this value cannot be used to determine whether the server is under a distributed denial of service attack, because it is also very high on high-concurrency servers.
    netstat -n -p | grep [$Server] | wc -l
    Note: [$Server] is the name of the service or process that you want to view.

  • Run the following command to list, without duplicates, all connections related to the service, including the IP addresses of the connection points.
    netstat -n -p | grep [$Server] | sort -u

  • Run the following command to list the IP addresses of all connection points of the service.
    netstat -n -p | grep [$Server] | awk '{print $5}' | awk -F: '{print $1}'
  • Run the following command to count all IP addresses connected to the local machine:
    netstat -ntu | awk '{print $5}' | cut -d: -f1 |
    sort | uniq -c |
    sort -n
  • Run the following command to count the IP addresses and the number of connections for all TCP and UDP connections to the local machine:
    netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 |
    sort | uniq -c |
    sort -n
  • Run the following command to check ESTABLISHED connections and count the number of connections for each IP address:
    netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 |
    sort | uniq -c |
    sort -nr
  • Run the following command to count the number of connections from each IP address to the specified port (port 80 in this example), and list the top 10 IP addresses and the number of corresponding connections. If an IP address has a large number of connections, it indicates a single point of traffic attack.
    netstat -antp | awk '$4 ~ /:80$/ {print $4" "$5}' | awk '{print $2}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n 10
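
The per-IP counting pipelines above split the foreign address with cut -d: -f1, which truncates IPv6 peers (2001:db8::beef:60000 becomes 2001). The following is an added example, not part of the original Alibaba Cloud document: it does the same count but strips the port at the last colon. The function names, the sample addresses (documentation ranges) and the limit are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-source connection counts from `netstat -ntu` style text.
# conn_counts PORT [STATE] reads netstat output on stdin and prints "COUNT IP",
# highest count first. TCP rows only; STATE defaults to ESTABLISHED.
conn_counts() {
    port=$1
    state=${2:-ESTABLISHED}
    awk -v port="$port" -v state="$state" '
        $1 ~ /^tcp/ && $6 == state {
            lport = $4; peer = $5
            sub(/^.*:/, "", lport)       # keep only the text after the last colon
            if (lport != port) next      # exact match, so 8080 is not taken for 80
            sub(/:[^:]*$/, "", peer)     # drop ":port" only, IPv6 address stays whole
            sub(/^::ffff:/, "", peer)    # IPv4-mapped IPv6 peer counts as its IPv4
            count[peer]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# flag_sources PORT LIMIT: print only sources with more than LIMIT connections.
flag_sources() {
    conn_counts "$1" | awk -v limit="$2" '$1 > limit'
}

# Constructed sample in netstat -ntu layout (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51514       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51515       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51516       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:40022     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.99:40100     TIME_WAIT
tcp        0      0 192.0.2.10:8080         198.51.100.23:40023     ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:60000    ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51517 ESTABLISHED
udp        0      0 192.0.2.10:123          198.51.100.5:123        ESTABLISHED
EOF
}

# Try it on the sample:  sample_netstat | conn_counts 80
# On a live instance:    netstat -ntu | flag_sources 80 100
```

As the article notes for connection counts in general, a high count from one address is a signal to investigate, not proof of an attack: proxies, NAT gateways and load balancers legitimately concentrate many clients behind one IP address.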

 

Use the netstat command to handle an occupied port

  1. Run the following command to query the processes that are using the corresponding port numbers:
    netstat -antp | grep [$Port]

  2. Run the following command to terminate the specified process based on the process ID obtained in the preceding step, and resolve the port usage issue.
    kill -9 [$PID]
    Note: [$PID] is the ID of the process that occupies the specified port, obtained in the previous step.

 

Applicable to

  • Elastic Compute Service