Netstat is a command line utility that can be used to list out all the network (socket) connections on a system. It lists out all the tcp, udp socket connections and the unix domain socket connections.
View the connection state of TCP, UDP, UNIX domain sockets, and so on:
guowei@localhost:~$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:8090 *:* LISTEN
tcp 0 0 *:8091 *:* LISTEN
tcp 0 0 192.168.1.133:8091 192.168.1.98:54741 ESTABLISHED
tcp 0 288 192.168.1.133:ssh 192.168.1.188:42910 ESTABLISHED
tcp 0 0 192.168.1.133:ssh 192.168.1.168:20809 ESTABLISHED
tcp6 0 0 [::]:ssh [::]:* LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] SEQPACKET LISTENING 2101 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 1228 @/com/ubuntu/upstart
unix 4 [ ] DGRAM 5192 /dev/log
unix 2 [ ] DGRAM 16302
...
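The output above shows that the locally open TCP ports are 22 (ssh), 8090, and 8091.
ESTABLISHED indicates a normally established connection, for example the connection from the remote 192.168.1.98:54741 to the local 192.168.1.133:8091. (The meaning of the other states is given below.)
There is also connection information for UNIX domain sockets (which can be used for inter-process communication).
About Recv-Q and Send-Q:
Recv-Q and Send-Q are the network receive queue and send queue respectively. Both values should normally be 0; if they are not, some network connection may have a problem. Packets should not pile up in either queue. A brief non-zero value is acceptable; for example, a Send-Q that is briefly non-zero while packets are being sent is normal. The two queues are explained as follows: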
Recv-Q will be that data which has not yet been pulled from the socket
buffer by the application.
Send-Q will be that data which the sending application has given to
the transport, but has yet to be ACKnowledged by the receiving TCP.
If you only want to show tcp (-t) and udp (-u) connection information:
# Show tcp connection information
guowei@localhost:~$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:8090 *:* LISTEN
tcp 0 0 *:8091 *:* LISTEN
tcp 0 300 192.168.1.133:8091 192.168.1.98:54741 ESTABLISHED
tcp 0 36 192.168.1.133:ssh 192.168.1.188:42910 ESTABLISHED
tcp 0 0 192.168.1.133:ssh 192.168.1.168:20809 ESTABLISHED
tcp6 0 0 [::]:ssh [::]:* LISTEN
# Show udp connection information (there are no udp connections):
guowei@localhost:~$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
To see the pid or program name of the application that owns a port, add the -p option:
guowei@localhost:~$ sudo netstat -atp
[sudo] password for guowei:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 583/sshd
tcp 0 0 *:8090 *:* LISTEN 14118/bonefish
tcp 0 0 *:8091 *:* LISTEN 14118/bonefish
tcp 0 0 192.168.1.133:8091 192.168.1.98:54741 ESTABLISHED 14118/bonefish
tcp 0 232 192.168.1.133:ssh 192.168.1.188:42910 ESTABLISHED 17964/sshd: guowei [pri
tcp 0 0 192.168.1.133:ssh 192.168.1.168:20809 ESTABLISHED 17098/sshd: guowei [pri
tcp6 0 0 [::]:ssh [::]:* LISTEN 583/sshd
The meaning of the various TCP connection states:
Most of the 11 TCP states are pretty easy to understand and most programmers know what they mean:
CLOSED: There is no connection.
LISTEN: The local end-point is waiting for a connection request from a remote end-point i.e. a passive open was performed.
SYN-SENT: The first step of the three-way connection handshake was performed. A connection request has been sent to a remote end-point i.e. an active open was performed.
SYN-RECEIVED: The second step of the three-way connection handshake was performed. An acknowledgement for the received connection request as well as a connection request has been sent to the remote end-point.
ESTABLISHED: The third step of the three-way connection handshake was performed. The connection is open.
FIN-WAIT-1: The first step of an active close (four-way handshake) was performed. The local end-point has sent a connection termination request to the remote end-point.
CLOSE-WAIT: The local end-point has received a connection termination request and acknowledged it e.g. a passive close has been performed and the local end-point needs to perform an active close to leave this state.
FIN-WAIT-2: The remote end-point has sent an acknowledgement for the previously sent connection termination request. The local end-point waits for an active connection termination request from the remote end-point.
LAST-ACK: The local end-point has performed a passive close and has initiated an active close by sending a connection termination request to the remote end-point.
CLOSING: The local end-point is waiting for an acknowledgement for a connection termination request before going to the TIME-WAIT state.
TIME-WAIT: The local end-point waits for twice the maximum segment lifetime (MSL) to pass before going to CLOSED to be sure that the remote end-point received the acknowledgement.
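The three things this page reads off netstat by eye (which program owns each listening port, which connections have data sitting in Recv-Q or Send-Q, and how many sockets are in each TCP state) can be pulled out with awk. This is an added example, not part of the original post; the function names are assumptions, and the sample input is the `sudo netstat -atp` output from above embedded as constructed test data.

```shell
#!/usr/bin/env bash
# Constructed sample: the `sudo netstat -atp` output shown above, embedded so
# the script runs offline. On a live host pipe the real command in instead.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 583/sshd
tcp 0 0 *:8090 *:* LISTEN 14118/bonefish
tcp 0 0 *:8091 *:* LISTEN 14118/bonefish
tcp 0 0 192.168.1.133:8091 192.168.1.98:54741 ESTABLISHED 14118/bonefish
tcp 0 232 192.168.1.133:ssh 192.168.1.188:42910 ESTABLISHED 17964/sshd: guowei [pri
tcp 0 0 192.168.1.133:ssh 192.168.1.168:20809 ESTABLISHED 17098/sshd: guowei [pri
tcp6 0 0 [::]:ssh [::]:* LISTEN 583/sshd
EOF
}

# Listening TCP sockets with their owning PID/program, tagged by bind scope.
# A wildcard local address (*, 0.0.0.0, [::]) is reachable on every interface.
listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
    scope = ($4 ~ /^(\*|0\.0\.0\.0|\[::\]):/) ? "all-interfaces" : "specific-address"
    print $1, $4, $7, scope
  }'
}

# Connections with data waiting in Recv-Q ($2) or Send-Q ($3).
queued() {
  awk '$1 ~ /^tcp/ && ($2 + 0 > 0 || $3 + 0 > 0) {
    print $4, $5, "recvq=" $2, "sendq=" $3
  }'
}

# Number of TCP sockets in each state, sorted by state name.
state_counts() {
  awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

echo "== listeners ==";        sample_netstat | listeners
echo "== queued data ==";      sample_netstat | queued
echo "== sockets by state =="; sample_netstat | state_counts
```

On a live system, `sudo netstat -atp | listeners` gives the same report; a listener whose owner is unexpected, or a queue value that stays non-zero across repeated runs, is the thing to follow up.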
ref link:
https://benohead.com/tcp-about-fin_wait_2-time_wait-and-close_wait/
https://linuxacademy.com/blog/linux/netstat-network-analysis-and-troubleshooting-explained/