netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.
This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:
1 CLOSE_WAIT
1 established)
1 Foreign
3 FIN_WAIT1
3 LAST_ACK
13 ESTABLISHED
17 LISTEN
154 FIN_WAIT2
327 TIME_WAITDig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n
2 LAST_ACK
2 LISTEN
4 FIN_WAIT1
14 ESTABLISHED
91 TIME_WAIT
130 FIN_WAIT2Busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:
15 CLOSE_WAIT 37 LAST_ACK 64 FIN_WAIT_1 65 FIN_WAIT_2 1251 TIME_WAIT 3597 SYN_SENT 5124 ESTABLISHED
Get List Of All Unique IP Address
To print list of all unique IP address connected to server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
To print total of all unique IP address, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l
Output:
449
Find Out If Box is Under DoS Attack or Not
If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:
1 10.0.77.52
2 10.1.11.3
4 12.109.42.21
6 12.191.136.3
.....
...
....
13 202.155.209.202
18 208.67.222.222
28 0.0.0.0
233 127.0.0.1
You can simply block all abusive IPs using iptables or just null route them.
Get Live View of TCP Connections
You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.
Display Summary Statistics for Each Protocol
Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s
Output:
Ip:
88354557 total packets received
0 forwarded
0 incoming packets discarded
88104061 incoming packets delivered
96037391 requests sent out
13 outgoing packets dropped
66 fragments dropped after timeout
295 reassemblies required
106 packets reassembled ok
66 packet reassembles failed
34 fragments failed
Icmp:
18108 ICMP messages received
58 input ICMP message failed.
ICMP input histogram:
destination unreachable: 7173
timeout in transit: 472
redirects: 353
echo requests: 10096
28977 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 18881
echo replies: 10096
Tcp:
1202226 active connections openings
2706802 passive connection openings
7394 failed connection attempts
47018 connection resets received
23 connections established
87975383 segments received
95235730 segments send out
681174 segments retransmited
2044 bad segments received.
80805 resets sent
Udp:
92689 packets received
14611 packets to unknown port received.
0 packet receive errors
96755 packets sent
TcpExt:
48452 invalid SYN cookies received
7357 resets received for embryonic SYN_RECV sockets
43 ICMP packets dropped because they were out-of-window
5 ICMP packets dropped because socket was locked
2672073 TCP sockets finished time wait in fast timer
441 time wait sockets recycled by time stamp
368562 delayed acks sent
430 delayed acks further delayed because of locked socket
Quick ack mode was activated 36127 times
32318597 packets directly queued to recvmsg prequeue.
741479256 packets directly received from backlog
1502338990 packets directly received from prequeue
18343750 packets header predicted
10220683 packets header predicted and directly queued to user
17516622 acknowledgments not containing data received
36549771 predicted acknowledgments
102672 times recovered from packet loss due to fast retransmit
Detected reordering 1596 times using reno fast retransmit
Detected reordering 1 times using time stamp
8 congestion windows fully recovered
32 congestion windows partially recovered using Hoe heuristic
19 congestion windows recovered after partial ack
0 TCP data loss events
39951 timeouts after reno fast retransmit
29653 timeouts in loss state
197005 fast retransmits
186937 retransmits in slow start
131433 other TCP timeouts
TCPRenoRecoveryFail: 20217
147 times receiver scheduled too late for direct processing
29010 connections reset due to unexpected data
365 connections reset due to early user close
6979 connections aborted due to timeoutDisplay Interface Table
You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0
Output:
Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1500 0 2040929 0 0 0 3850539 0 0 0 BMRU
Other netstat related articles / tips:
- Get Information about All Running Services Remotely
- Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port
Read following man pages for the details:
$ man netstat
$ man cut
$ man awk
$ man sed
$ man grep
Updated for accuracy.
There’s some mean stuff here.
Thanks for gathering it 😉
To add to what you’ve mentioned above, in order to check for DoS attacks, there may be addresses in the output of netstat that might look something like:
:::*
So even if what I’m suggesting means writing some more code, it does the trick a little better if you ask me. So here it goes, the command for finding if you are under DoS attacks:
netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n
What I’ve forgot to mention in my previous post is the following, this command is useful if you are running a Linux box at home or at the office, but has some problems when run on a server, especially if it’s a web server, Apache or other, and if on it there are websites that have dynamically generated content via PHP, MySQL, PostgreSQL, etc. That’s because when having such a website there are multiple connections initiated by the “website” (via the web server software) to the database (whatever it might be) and to the PHP processor, all of this from a simple page being viewed by someone. This means that a web page might generate ~20-80 connections from one IP to the server.
Hope I don’t get too cryptic in this but there’s some explaining to do. These multiple connections generated by the access to one web page remain in a TIME_WAIT state usually for 60 seconds, value established on most Linux distros by the /proc/sys/net/ipv4/tcp_fin_timeout entry. This means that one page generates 20-80 connections, which remain active (by netstat they are shown in a TIME_WAIT state) for 60 seconds. Now picture accessing 5-6 pages in such a website (say it’s a shopping website and your searching through categories of products), this would generate well in excess of 120-480 connections from the same IP address, thus appearing that you are being attacked, flooded, etc. If you have a software running on the server to prevent flooding, it might be “smart” enough to figure it out on it’s own that it isn’t attacked. But if you as an individual are running the command, then you should take notice of the things said here, for it might fool you into thinking something else than what’s actually taking place.
One solution would be to add to the command the option for:
sed -n -e '/ESTABLISHED/p'
Which would scan only for connections that are in an ESTABLISHED state. A high count here would probably mean you should start taking action.
And the entire command which scans for established connections:
netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/p’ | sed -n -e '/ESTABLISHED/p' | sed ’s/::ffff://’ | cut -d: -f1 | sort | uniq -c | sort -n
we can use below also:
netstat -atun | grep ESTABLISHED | awk ‘{print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ |sort | uniq -c | sort -n
My netstat box will only open for 5 seconds and will not accept anytype of command ?.
One small correction for the command
netstat –interfaces=eth0 ( original )
netstat –interfaces eth0 ( suggested )
For the copy paste user only .. others can read syntax.
One note about “grep {IP-address}”: The dot (.) is a wildcard to grep, so “grep 1.2.1.5” would also match 132.135.x.x.
I generally use fgrep when I don’t want any regex matching. You could also escape the dots with a backslash, or use grep -F.
Get list of unique IP address. Add NR > 2 to awk and that’ll eliminate the netstat titles.
Like: netstat -nat | awk ‘NR>2 { print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ | uniq
nice article
Great job! I just have one small question. Is there a certian netstat command that I can use for to find an IP address?
can we block packets in c++???
if yes,then how???
This is very good article , i reallay like to read it,
please note that you can reduce the timeout of TCP_WAIT2 it will reduce the amont of open conneciton on the server significaly
netstat –interfaces eth0 -> netstat –interfaces=eth0
HI
how can I get the netstat to run like top command which give the live connections statistics.
Do we have any script which makes this working or any inbuild switch in netstat can do it?
any idea?
/kiran
netstat -atulpn -o 2
DO u think that will help
watch -n 1 -d ‘netstat -atulpn -o 2 | egrep “LISTEN|ESTABLISHED”‘
Hi Vivek,
This article is very good. Can you please suggest similar utilities for SCTP protocol as these doesn’t work for sctp.
Thank you for post!
non of these commands work for anything.. ove tried them in even trhee diffrent combinations
There’s nothing wrong with the commands. What operating system are you on?
i got windows xp.. i have tried some of these and nothing happens.. i have learned about using the command prompt thing last yr for the netstat but i never knew of any of these commands.. but what i need is some thing to givea read out of the ip.s when i am connected to certain people and i can use them to tell me where they are at actaully and other things.. the way it is now nowmally it does not show or explain which numbers are or are not
That explains it. These commands are for operating systems based on Linux, not for Windows. Actually this whole website is for Linux, so you’re in the wrong place. 😉