Monday , October 22 2018
Home / Trainings / System / Operating Systems / netstat – Find number of active connections in Linux using netstat

netstat – Find number of active connections in Linux using netstat

The “netstat” command is quite useful for checking connections to your machine. If we wanted to see ALL of the connections (which i really recommend you don’t do unless you’re trying to debug something and then you should probably pipe it to a file) we could use the “netstat -a” command.

Using “netstat -a” will give you something like this:

 

tcp	 0	 0 app.mydomain.com:http	 93.184.216.119:16494	 SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 93.184.216.119:18733	 SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 93.184.216.119.dsl.mwe:64775 SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 93.184.216.119.threembb.:16490 SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 93.184.216.119:video-activmail SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 93.184.216.119:45025	 SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 93.184.216.119:dvl-activemail SYN_RECV
tcp	 0	 0 app.mydomain.com:http	 41-135-22-100.dsl.mwe:64774 SYN_RECV

As you can see it does name resolving for us and all that good stuff. Sometimes very hand but that’s not what this is about.

Total connections Count

We want to get some solid numbers so we can take a broader perspective. To do this we can use the following command:

netstat -an | wc -l

This will show us a count of all connections that we presently have to our machine.

Connections on specific port

We can take this one step further even. Lets say you only wanted to see traffic coming across port 80 (standard HTTP). We can grep our netstat then count it like so:

netstat -an | grep :80 | wc -l

Connections Count based on Connection state

Finally, lets take a look at the big picture in a category form. It is often extremely useful to see what those connections are doing, especially when you think you might just have tons of open connections that are idle and are trying to tweak your settings. It’s been known to happen where you have a really busy web server for instance, and maybe it’s running a lot of database connections to the same box, then stopping. That often causes things like the TIME_WAIT to pile up and a large number for any of these may be an indication that you need to adjust your tcp timeout settings.

netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
      1 CLOSING
      1 established
      1 FIN_WAIT2
      1 Foreign
      2 CLOSE_WAIT
      6 FIN_WAIT1
      7 LAST_ACK
      7 SYN_RECV
     37 ESTABLISHED
     44 LISTEN
    297 TIME_WAIT

So there you have it. A quick way to return counts on your connections in your linux environment.

Check opened ports on server

Occasionally, when using netstat you may only care about ports that you are listening on. This is especially important if you are running a server that isn’t behind a firewall because it helps you determine what you may be vulnerable to that you aren’t aware of. using the netstat -l provides us with an excellent way to view this information.

root@nox [~]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:mysql                     *:*                         LISTEN
tcp        0      0 *:submission                *:*                         LISTEN
tcp        0      0 *:pop3                      *:*                         LISTEN
tcp        0      0 localhost:783               *:*                         LISTEN

 

Statistics by Protocol

Another very common thing and powerful tool that netstat has built in is to show you network statistics in an overview fashion. If you’re just trying to get a good idea about packet statistics then the netstat -s command may be what you’re looking for. Here is some sample output. Keep in mind that netstat -s will show statistics broken down by protocol, so the fewer protocol stacks you are running the more compacted this summary will be.

netstat -s
Ip:
    139502653 total packets received
    28 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    133312468 incoming packets delivered
    84570989 requests sent out
    366 outgoing packets dropped
    50 reassemblies required
    25 packets reassembled ok
    110 fragments received ok
    220 fragments created
Icmp:
    180285 ICMP messages received
    1586 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 9516
        timeout in transit: 331
        echo requests: 170151
        echo replies: 284
    172009 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 1818
        echo request: 40
        echo replies: 170151
IcmpMsg:
        InType0: 284
        InType3: 9516
        InType8: 170151
        InType11: 331
        OutType0: 170151
        OutType3: 1818
        OutType8: 40
Tcp:
    1104118 active connections openings
    2918161 passive connection openings
    26607 failed connection attempts
    256788 connection resets received
    10 connections established
    128535136 segments received
    78146054 segments send out
    1645036 segments retransmited
    0 bad segments received.
    185776 resets sent
Udp:
    5125395 packets received
    1867 packets to unknown port received.
    0 packet receive errors
    5158639 packets sent
TcpExt:
    511 SYN cookies sent
    511 SYN cookies received
    12748 invalid SYN cookies received
    14894 resets received for embryonic SYN_RECV sockets
    159972 packets pruned from receive queue because of socket buffer overrun
    2 packets pruned from receive queue
    73 ICMP packets dropped because they were out-of-window
    1965839 TCP sockets finished time wait in fast timer
    78 time wait sockets recycled by time stamp
    36503 packets rejects in established connections because of timestamp
    2487605 delayed acks sent
    33477 delayed acks further delayed because of locked socket
    Quick ack mode was activated 45146 times
    233 times the listen queue of a socket overflowed
    233 SYNs to LISTEN sockets ignored
    9643039 packets directly queued to recvmsg prequeue.
    7969358 packets directly received from backlog
    3291115817 packets directly received from prequeue
    24087199 packets header predicted
    5532135 packets header predicted and directly queued to user
    30481401 acknowledgments not containing data received
    42935286 predicted acknowledgments
    814 times recovered from packet loss due to fast retransmit
    339835 times recovered from packet loss due to SACK data
    336 bad SACKs received
    Detected reordering 2070 times using FACK
    Detected reordering 854 times using SACK
    Detected reordering 10 times using reno fast retransmit
    Detected reordering 1840 times using time stamp
    3234 congestion windows fully recovered
    20175 congestion windows partially recovered using Hoe heuristic
    TCPDSACKUndo: 11509
    14757 congestion windows recovered after partial ack
    1004274 TCP data loss events
    TCPLostRetransmit: 54568
    129 timeouts after reno fast retransmit
    33120 timeouts after SACK recovery
    31346 timeouts in loss state
    885023 fast retransmits
    93299 forward retransmits
    337378 retransmits in slow start
    128472 other TCP timeouts
    TCPRenoRecoveryFail: 356
    35936 sack retransmits failed
    9 times receiver scheduled too late for direct processing
    57242284 packets collapsed in receive queue due to low socket buffer
    49286 DSACKs sent for old packets
    157 DSACKs sent for out of order packets
    95033 DSACKs received
    2091 DSACKs for out of order packets received
    39363 connections reset due to unexpected data
    35517 connections reset due to early user close
    12861 connections aborted due to timeout
    6 times unable to send RST due to no memory
    TCPSACKDiscard: 60
    TCPDSACKIgnoredOld: 2937
    TCPDSACKIgnoredNoUndo: 38596
    TCPSpuriousRTOs: 2925
    TCPSackShifted: 1905464
    TCPSackMerged: 2048679
    TCPSackShiftFallback: 995770
    TCPBacklogDrop: 41842
IpExt:
    InBcastPkts: 20
    InOctets: 60455654365
    OutOctets: 154094094438
    InBcastOctets: 6560

Process Information

Another extremely useful tool for server administrators who are trying to track down processes that have run amuck is the netstat -p command. This returns the PID of the process that has the connection. It’s also quite useful if you’ve got someone abusing a PID and you need to find out what IP it is so that you can get in touch with that individual or to block connections from that IP in the future. Here’s some sample output from netstat -p.

netstat -p
tcp        0      0 localhost:56423  example.domain.com:https ESTABLISHED 27911/java
tcp        0     52 localhost:ssh    oh-76-76-76-76.dhcp.e:51653 ESTABLISHED 3344/sshd
tcp        0      0 localhost:imaps  76.sub-76-76-76.myvz:9258 ESTABLISHED 14501/dovecot/imap-

Ref: Exchange Core

About M H N

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen − eleven =