内容大纲
内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
1. netstat命令概述
netstat命令是Linux系统中的网络统计工具,它可以显示网络连接、路由表、接口统计、伪装连接和多播成员。
# 显示网络连接:TCP、UDP连接
# 显示路由表:内核路由表
# 显示接口统计:网络接口统计信息
# 显示伪装连接:NAT连接
# 显示多播成员:多播组成员
# 显示网络协议:网络协议统计
2. netstat命令基本使用
风哥提示:
使用netstat命令查看网络信息。
# 1. 显示所有网络连接
[root@localhost ~]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12345 /var/run/docker.sock
unix 2 [ ACC ] STREAM LISTENING 12346 /var/run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 12347 /var/run/systemd/private
# 2. 显示TCP连接
[root@localhost ~]# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED
tcp 0 0 192.168.1.100:443 192.168.1.1:54322 ESTABLISHED
tcp 0 0 192.168.1.100:80 192.168.1.1:54323 ESTABLISHED
# 3. 显示UDP连接
[root@localhost ~]# netstat -u
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
# 4. 显示监听端口
[root@localhost ~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
# 5. 显示进程信息
[root@localhost ~]# netstat -p
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2345/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2345/nginx
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED 1235/sshd
tcp6 0 0 :::22 :::* LISTEN 1234/sshd
tcp6 0 0 :::80 :::* LISTEN 2345/nginx
tcp6 0 0 :::443 :::* LISTEN 2345/nginx
udp 0 0 0.0.0.0:68 0.0.0.0:* 3456/dhcpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 4567/chronyd
3. netstat命令参数详解
详解netstat命令的各个参数。
# 1. 连接类型参数
# -a:显示所有连接
# -t:显示TCP连接
# -u:显示UDP连接
# -l:显示监听端口
# -n:不解析主机名和端口名
# -p:显示进程信息
# 2. 路由表参数
# -r:显示路由表
# -e:显示扩展信息
# -ee:显示更详细的扩展信息
# 3. 接口统计参数
# -i:显示网络接口统计
# -I:显示指定接口的统计
# 4. 其他参数
# -c:持续显示
# -s:显示网络协议统计
# -M:显示伪装连接
# -g:显示多播组成员
# 查看详细参数说明
[root@localhost ~]# netstat --help
Usage:
netstat [-vWeenNcCF] [<Af>] -r
netstat [-vWnNcaeol] [<Socket> ...]
netstat { [-vWeenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s [-6tuw] } [delay]
-r, --route display routing table
-I, --interfaces=<Iface> display interface table for <Iface>
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-W, --wide don't truncate IP addresses
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --program display PID/Program name for sockets
-o, --timers display timers
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
{-x|--unix} --ax25 --ipx --netlink
4. netstat命令高级功能
使用netstat命令的高级功能。
# 1. 显示路由表
[root@localhost ~]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
# 2. 显示网络接口统计
[root@localhost ~]# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 100000 0 0 0 50000 0 0 0 BMRU
lo 65536 10000 0 0 0 10000 0 0 0 LRU
virbr0 1500 0 0 0 0 0 0 0 0 BMU
# 3. 显示网络协议统计
[root@localhost ~]# netstat -s
Ip:
100000 total packets received
0 forwarded
0 incoming packets discarded
100000 incoming packets delivered
50000 requests sent out
Icmp:
100 ICMP messages received
0 ICMP input messages failed
ICMP input histogram:
echo requests: 50
echo replies: 50
100 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
echo requests: 50
echo replies: 50
Tcp:
1000 active connections openings
500 passive connection openings
1000 failed connection attempts
0 connection resets received
0 connections established
1500 segments received
1000 segments send out
0 segments retransmited
0 bad segments received
0 resets sent
Udp:
500 packets received
0 packets to unknown port received
0 packet receive errors
500 packets sent
0 receive buffer errors
0 send buffer errors
# 4. 持续监控网络连接
[root@localhost ~]# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED
tcp 0 0 192.168.1.100:443 192.168.1.1:54322 ESTABLISHED
tcp 0 0 192.168.1.100:80 192.168.1.1:54323 ESTABLISHED
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED
tcp 0 0 192.168.1.100:443 192.168.1.1:54322 ESTABLISHED
tcp 0 0 192.168.1.100:80 192.168.1.1:54323 ESTABLISHED
# 5. 显示特定端口的连接
[root@localhost ~]# netstat -an | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
# 6. 显示特定状态的连接
[root@localhost ~]# netstat -an | grep ESTABLISHED
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED
tcp 0 0 192.168.1.100:443 192.168.1.1:54322 ESTABLISHED
tcp 0 0 192.168.1.100:80 192.168.1.1:54323 ESTABLISHED
5. 实战案例
使用netstat命令监控网络连接。
# 1. 查看所有网络连接
[root@localhost ~]# netstat -anp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2345/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2345/nginx
tcp 0 0 192.168.1.100:22 192.168.1.1:54321 ESTABLISHED 1235/sshd
tcp6 0 0 :::22 :::* LISTEN 1234/sshd
tcp6 0 0 :::80 :::* LISTEN 2345/nginx
tcp6 0 0 :::443 :::* LISTEN 2345/nginx
udp 0 0 0.0.0.0:68 0.0.0.0:* 3456/dhcpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 4567/chronyd
# 2. 查看监听端口
[root@localhost ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2345/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2345/nginx
tcp6 0 0 :::22 :::* LISTEN 1234/sshd
tcp6 0 0 :::80 :::* LISTEN 2345/nginx
tcp6 0 0 :::443 :::* LISTEN 2345/nginx
# 3. 创建监控脚本
[root@localhost ~]# cat > /usr/local/bin/netstat-monitor.sh << 'EOF'
#!/bin/bash
# script.sh
# Source: www.itpux.com / http://www.fgedu.net.cn
# netstat monitoring script.

# Where the timestamped monitor lines are appended.
# NOTE(review): the log ends up listing every listening port and the tutorial
# creates it with mode 644 (world-readable) - tighten the mode if that
# inventory should not be visible to every local user.
LOG_FILE='/var/log/netstat-monitor.log'

# Recipient of the threshold alert mails.
ALERT_EMAIL='admin@fgedu.net.cn'
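# Append one timestamped line to the monitor log.
# Globals:   LOG_FILE (read) - path of the log file
# Arguments: $1 - message text
# Outputs:   one line "[YYYY-MM-DD HH:MM:SS] message" appended to LOG_FILE
log() {
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  # Fixed printf format: the message is always data, never a format string.
  # LOG_FILE is quoted so a path with spaces is not an "ambiguous redirect".
  printf '[%s] %s\n' "$stamp" "$1" >> "$LOG_FILE"
}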
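# Alert when the number of established TCP connections exceeds a threshold.
# Globals:   ALERT_EMAIL (read) - recipient of the alert mail
# Arguments: $1 - optional threshold (default 1000)
# Outputs:   a WARNING line through log() and a mail to ALERT_EMAIL when the
#            count is above the threshold; nothing otherwise
check_tcp_connections() {
  local limit=${1:-1000}
  local count
  # -t restricts the listing to TCP, and the state column ($6) is compared
  # exactly, so a connected UDP socket or a stray text match is not counted.
  count=$(netstat -ant | awk '$6 == "ESTABLISHED" { n++ } END { print n + 0 }')
  # Plain ASCII quotes are required here: typographic quotes are literal
  # characters to the shell and make the numeric comparison fail.
  if [ "$count" -gt "$limit" ]; then
    log "WARNING: TCP connections count is ${count}"
    # The recipient is passed as one quoted argument; a failed send is logged
    # instead of being lost when the script runs unattended.
    printf '%s\n' "TCP connections count is ${count}" \
      | mail -s "WARNING: TCP connections alert" "$ALERT_EMAIL" \
      || log "ERROR: could not send TCP connections alert mail"
  fi
}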
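# Alert when the number of TCP sockets in TIME_WAIT exceeds a threshold.
# Globals:   ALERT_EMAIL (read) - recipient of the alert mail
# Arguments: $1 - optional threshold (default 500)
# Outputs:   a WARNING line through log() and a mail to ALERT_EMAIL when the
#            count is above the threshold; nothing otherwise
check_time_wait() {
  local limit=${1:-500}
  local count
  # The state column ($6) is compared exactly rather than grepping the line.
  count=$(netstat -ant | awk '$6 == "TIME_WAIT" { n++ } END { print n + 0 }')
  # Plain ASCII quotes are required here: typographic quotes are literal
  # characters to the shell and make the numeric comparison fail.
  if [ "$count" -gt "$limit" ]; then
    log "WARNING: TIME_WAIT connections count is ${count}"
    # The recipient is passed as one quoted argument; a failed send is logged
    # instead of being lost when the script runs unattended.
    printf '%s\n' "TIME_WAIT connections count is ${count}" \
      | mail -s "WARNING: TIME_WAIT alert" "$ALERT_EMAIL" \
      || log "ERROR: could not send TIME_WAIT alert mail"
  fi
}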
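# Log every distinct TCP port that has a listening socket.
# Arguments: none
# Outputs:   one "Listening port: N" line per port through log(), in
#            ascending numeric order
# NOTE(review): only the port is recorded, so a listener bound to loopback
# and one bound to all interfaces look the same in the log.
check_listening_ports() {
  local port
  while IFS= read -r port; do
    [[ -n "$port" ]] || continue
    log "Listening port: ${port}"
  done < <(
    # The port is the text after the LAST colon of the local address, so an
    # IPv6 listener such as ":::22" yields 22 instead of an empty field.
    # sort -n keeps 80 ahead of 443; -u drops the IPv4/IPv6 duplicates.
    netstat -tlnp \
      | awk '$6 == "LISTEN" { n = split($4, part, ":"); print part[n] }' \
      | sort -nu
  )
}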
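# Entry point: run each check once, bracketed by start/end log markers.
# Arguments: none
main() {
  # Each message is one ASCII-quoted word: log() records only its first
  # argument, so an unquoted or typographically quoted message is truncated.
  log "Starting netstat monitoring…"
  check_tcp_connections
  check_time_wait
  check_listening_ports
  log "Netstat monitoring completed."
}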
# Run the entry point.
main
EOF
# 4. 设置脚本执行权限
[root@localhost ~]# chmod +x /usr/local/bin/netstat-monitor.sh
# 5. 创建日志文件
[root@localhost ~]# touch /var/log/netstat-monitor.log
[root@localhost ~]# chmod 644 /var/log/netstat-monitor.log
# 6. 配置定时任务
[root@localhost ~]# echo "*/5 * * * * root /usr/local/bin/netstat-monitor.sh" > /etc/cron.d/netstat-monitor
# 7. 重启cron服务
[root@localhost ~]# systemctl restart crond
# 8. 测试监控脚本
[root@localhost ~]# /usr/local/bin/netstat-monitor.sh
# 9. 查看日志
[root@localhost ~]# tail -f /var/log/netstat-monitor.log
[2026-04-03 10:00:00] Starting netstat monitoring…
[2026-04-03 10:00:01] Listening port: 22
[2026-04-03 10:00:02] Listening port: 80
[2026-04-03 10:00:03] Listening port: 443
[2026-04-03 10:00:04] Netstat monitoring completed.
# 10. 配置日志轮转
[root@localhost ~]# cat > /etc/logrotate.d/netstat-monitor << 'EOF'
/var/log/netstat-monitor.log {
daily
rotate 7
compress
delaycompress
missingok
notifempty
create 0644 root root
}
EOF
# 11. 测试日志轮转
[root@localhost ~]# logrotate -f /etc/logrotate.d/netstat-monitor
提示
netstat是网络监控的重要工具,可以快速发现网络连接问题。建议定期使用netstat命令检查网络状态,及时发现异常。对于长期监控,可以结合脚本和定时任务实现自动化监控。注意netstat已被ss命令替代,建议使用ss命令(例如用 ss -tlnp 代替 netstat -tlnp)。
