Saturday, December 19, 2009

Netstat

List The Open Ports And The Process That Owns Them
# netstat -lptu

netstat command to find open ports
# netstat --listen

Display open ports and established TCP connections:
# netstat -vatn

For UDP ports, try the following command:
# netstat -vaun

If you want to see the FQDN, remove the -n flag:
# netstat -vat

Display list of open ports
# lsof -i

To display all open files, use:
# lsof

To display all open IPv4 network files in use by the process whose PID is 111, use:
# lsof -i 4 -a -p 111

Get Detailed Information About Particular IP address using netstat

Counting connections by TCP state is useful for finding out whether your server is under attack. You can also list abusive IP addresses using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT

Dig out more information about a specific IP address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n
      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     14 ESTABLISHED
     91 TIME_WAIT
    130 FIN_WAIT2

A busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
  15 CLOSE_WAIT
  37 LAST_ACK
  64 FIN_WAIT_1
  65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

Get List Of All Unique IP Addresses
To print a list of all unique IP addresses connected to the server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq

To print the total number of unique IP addresses, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
449

Find Out If Box is Under DoS Attack or Not
If you think your Linux box is under attack, print out a list of open connections on your box and sort them by IP address:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n
      1 10.0.77.52
      2 10.1.11.3
      4 12.109.42.21
      6 12.191.136.3

Display Summary Statistics for Each Protocol
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

Display Interface Table
You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0

A command for checking whether you are under a DoS attack, counting only ESTABLISHED connections per remote IPv4 address:
# netstat -atun | sed -n -e '/ESTABLISHED/p' | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n
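
The per-address count above, as an added example (not part of the original post): it skips the netstat header lines that show up as `Foreign` and `established)` in the sample output, strips only the trailing port so IPv6 peers are not cut down to their first group by `cut -d: -f1`, and folds `::ffff:` mapped addresses into their IPv4 form. The function names, the sample input (documentation-range addresses) and the thresholds are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -atun` output (documentation-range addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.23:40112     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:40113     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.23:40114     TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.7:51000       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:51001 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:44321       ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# conn_summary [STATE]
# Reads `netstat -atun` text on stdin, prints "count address" sorted ascending.
# With STATE (e.g. ESTABLISHED) only sockets in that state are counted.
conn_summary() {
    awk -v want="${1:-}" '
        $1 !~ /^(tcp|udp)/ { next }            # drop the two header lines
        {
            state = $6                         # empty for unconnected UDP
            if (want != "" && state != want) next
            addr = $5
            sub(/:[^:]*$/, "", addr)           # strip only the trailing :port
            sub(/^::ffff:/, "", addr)          # IPv4-mapped IPv6 -> IPv4
            if (addr == "0.0.0.0" || addr == "::") next   # listening sockets
            count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -n
}

# flag_heavy LIMIT [STATE]
# Prints the addresses holding at least LIMIT sockets (LIMIT is site-specific).
flag_heavy() {
    limit=$1; shift
    conn_summary "$@" | awk -v limit="$limit" '$1 >= limit { print $2 }'
}

# Demo on the constructed sample. On a live host, for example:
#   netstat -atun | flag_heavy 100 ESTABLISHED
sample_netstat | conn_summary ESTABLISHED
```

A high count from one address is a starting point for investigation, not proof of an attack: NAT gateways and proxies legitimately hold many connections.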
