netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.
This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:
1 CLOSE_WAIT 1 established) 1 Foreign 3 FIN_WAIT1 3 LAST_ACK 13 ESTABLISHED 17 LISTEN 154 FIN_WAIT2 327 TIME_WAIT
Dig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n
2 LAST_ACK 2 LISTEN 4 FIN_WAIT1 14 ESTABLISHED 91 TIME_WAIT 130 FIN_WAIT2
Busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:
15 CLOSE_WAIT 37 LAST_ACK 64 FIN_WAIT_1 65 FIN_WAIT_2 1251 TIME_WAIT 3597 SYN_SENT 5124 ESTABLISHED
Get List Of All Unique IP Address
To print list of all unique IP address connected to server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
To print total of all unique IP address, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l
Output:
449
Find Out If Box is Under DoS Attack or Not
If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:
1 10.0.77.52 2 10.1.11.3 4 12.109.42.21 6 12.191.136.3 ..... ... .... 13 202.155.209.202 18 208.67.222.222 28 0.0.0.0 233 127.0.0.1
You can simply block all abusive IPs using iptables or just null route them.
Get Live View of TCP Connections
You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.
Display Summary Statistics for Each Protocol
Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s
Output:
Ip: 88354557 total packets received 0 forwarded 0 incoming packets discarded 88104061 incoming packets delivered 96037391 requests sent out 13 outgoing packets dropped 66 fragments dropped after timeout 295 reassemblies required 106 packets reassembled ok 66 packet reassembles failed 34 fragments failed Icmp: 18108 ICMP messages received 58 input ICMP message failed. ICMP input histogram: destination unreachable: 7173 timeout in transit: 472 redirects: 353 echo requests: 10096 28977 ICMP messages sent 0 ICMP messages failed ICMP output histogram: destination unreachable: 18881 echo replies: 10096 Tcp: 1202226 active connections openings 2706802 passive connection openings 7394 failed connection attempts 47018 connection resets received 23 connections established 87975383 segments received 95235730 segments send out 681174 segments retransmited 2044 bad segments received. 80805 resets sent Udp: 92689 packets received 14611 packets to unknown port received. 0 packet receive errors 96755 packets sent TcpExt: 48452 invalid SYN cookies received 7357 resets received for embryonic SYN_RECV sockets 43 ICMP packets dropped because they were out-of-window 5 ICMP packets dropped because socket was locked 2672073 TCP sockets finished time wait in fast timer 441 time wait sockets recycled by time stamp 368562 delayed acks sent 430 delayed acks further delayed because of locked socket Quick ack mode was activated 36127 times 32318597 packets directly queued to recvmsg prequeue. 741479256 packets directly received from backlog 1502338990 packets directly received from prequeue 18343750 packets header predicted 10220683 packets header predicted and directly queued to user 17516622 acknowledgments not containing data received 36549771 predicted acknowledgments 102672 times recovered from packet loss due to fast retransmit Detected reordering 1596 times using reno fast retransmit Detected reordering 1 times using time stamp 8 congestion windows fully recovered 32 congestion windows partially recovered using Hoe heuristic 19 congestion windows recovered after partial ack 0 TCP data loss events 39951 timeouts after reno fast retransmit 29653 timeouts in loss state 197005 fast retransmits 186937 retransmits in slow start 131433 other TCP timeouts TCPRenoRecoveryFail: 20217 147 times receiver scheduled too late for direct processing 29010 connections reset due to unexpected data 365 connections reset due to early user close 6979 connections aborted due to timeout
Display Interface Table
You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0
Output:
Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1500 0 2040929 0 0 0 3850539 0 0 0 BMRU
Other netstat related articles / tips:
- Get Information about All Running Services Remotely
- Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port
Read following man pages for the details:
$ man netstat
$ man cut
$ man awk
$ man sed
$ man grep
Updated for accuracy.
🐧 Get the latest tutorials on Linux, Open Source & DevOps via:
- RSS feed or Weekly email newsletter
- Share on Twitter • Facebook • 22 comments... add one ↓
Category | List of Unix and Linux commands |
---|---|
File Management | cat |
Firewall | Alpine Awall • CentOS 8 • OpenSUSE • RHEL 8 • Ubuntu 16.04 • Ubuntu 18.04 • Ubuntu 20.04 |
Network Utilities | dig • host • ip • nmap |
OpenVPN | CentOS 7 • CentOS 8 • Debian 10 • Debian 8/9 • Ubuntu 18.04 • Ubuntu 20.04 |
Package Manager | apk • apt |
Processes Management | bg • chroot • cron • disown • fg • jobs • killall • kill • pidof • pstree • pwdx • time |
Searching | grep • whereis • which |
User Information | groups • id • lastcomm • last • lid/libuser-lid • logname • members • users • whoami • who • w |
WireGuard VPN | Alpine • CentOS 8 • Debian 10 • Firewall • Ubuntu 20.04 |
i got windows xp.. i have tried some of these and nothing happens.. i have learned about using the command prompt thing last yr for the netstat but i never knew of any of these commands.. but what i need is some thing to givea read out of the ip.s when i am connected to certain people and i can use them to tell me where they are at actaully and other things.. the way it is now nowmally it does not show or explain which numbers are or are not
That explains it. These commands are for operating systems based on Linux, not for Windows. Actually this whole website is for Linux, so you’re in the wrong place. 😉
non of these commands work for anything.. ove tried them in even trhee diffrent combinations
There’s nothing wrong with the commands. What operating system are you on?
Thank you for post!
Hi Vivek,
This article is very good. Can you please suggest similar utilities for SCTP protocol as these doesn’t work for sctp.
watch -n 1 -d ‘netstat -atulpn -o 2 | egrep “LISTEN|ESTABLISHED”‘
netstat -atulpn -o 2
DO u think that will help
HI
how can I get the netstat to run like top command which give the live connections statistics.
Do we have any script which makes this working or any inbuild switch in netstat can do it?
any idea?
/kiran
netstat –interfaces eth0 -> netstat –interfaces=eth0
This is very good article , i reallay like to read it,
please note that you can reduce the timeout of TCP_WAIT2 it will reduce the amont of open conneciton on the server significaly
can we block packets in c++???
if yes,then how???
Great job! I just have one small question. Is there a certian netstat command that I can use for to find an IP address?
nice article
Get list of unique IP address. Add NR > 2 to awk and that’ll eliminate the netstat titles.
Like: netstat -nat | awk ‘NR>2 { print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ | uniq
One note about “grep {IP-address}”: The dot (.) is a wildcard to grep, so “grep 1.2.1.5” would also match 132.135.x.x.
I generally use fgrep when I don’t want any regex matching. You could also escape the dots with a backslash, or use grep -F.
One small correction for the command
netstat –interfaces=eth0 ( original )
netstat –interfaces eth0 ( suggested )
For the copy paste user only .. others can read syntax.
My netstat box will only open for 5 seconds and will not accept anytype of command ?.
What I’ve forgot to mention in my previous post is the following, this command is useful if you are running a Linux box at home or at the office, but has some problems when run on a server, especially if it’s a web server, Apache or other, and if on it there are websites that have dynamically generated content via PHP, MySQL, PostgreSQL, etc. That’s because when having such a website there are multiple connections initiated by the “website” (via the web server software) to the database (whatever it might be) and to the PHP processor, all of this from a simple page being viewed by someone. This means that a web page might generate ~20-80 connections from one IP to the server.
Hope I don’t get too cryptic in this but there’s some explaining to do. These multiple connections generated by the access to one web page remain in a TIME_WAIT state usually for 60 seconds, value established on most Linux distros by the /proc/sys/net/ipv4/tcp_fin_timeout entry. This means that one page generates 20-80 connections, which remain active (by netstat they are shown in a TIME_WAIT state) for 60 seconds. Now picture accessing 5-6 pages in such a website (say it’s a shopping website and your searching through categories of products), this would generate well in excess of 120-480 connections from the same IP address, thus appearing that you are being attacked, flooded, etc. If you have a software running on the server to prevent flooding, it might be “smart” enough to figure it out on it’s own that it isn’t attacked. But if you as an individual are running the command, then you should take notice of the things said here, for it might fool you into thinking something else than what’s actually taking place.
One solution would be to add to the command the option for:
sed -n -e '/ESTABLISHED/p'
Which would scan only for connections that are in an ESTABLISHED state. A high count here would probably mean you should start taking action.
And the entire command which scans for established connections:
netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/p’ | sed -n -e '/ESTABLISHED/p' | sed ’s/::ffff://’ | cut -d: -f1 | sort | uniq -c | sort -n
we can use below also:
netstat -atun | grep ESTABLISHED | awk ‘{print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ |sort | uniq -c | sort -n
To add to what you’ve mentioned above, in order to check for DoS attacks, there may be addresses in the output of netstat that might look something like:
:::*
So even if what I’m suggesting means writing some more code, it does the trick a little better if you ask me. So here it goes, the command for finding if you are under DoS attacks:
netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n
There’s some mean stuff here.
Thanks for gathering it 😉