One place for hosting & domains

      How to Deploy the Elastic Stack on Kubernetes


      Updated by Linode Written by Tyler Langlois

      What is the Elastic Stack?

      The Elastic Stack is a collection of open source projects from Elastic that help collect and visualize a wide variety of data sources. Elasticsearch can store and aggregate data such as log files, container metrics, and more. The products in the stack include: Elasticsearch, Logstash, Kibana, and now Beats.

      In this guide:

      At the end of this guide, you will have a deployment installed and configured that you can further use for application logs or monitoring Kubernetes itself.

      Caution

      This guide’s example instructions will create the following billable resources on your Linode account: four (4) Linodes and three (3) Block Storage volumes. If you do not want to keep using the example cluster that you create, be sure to delete the cluster Linodes and volumes when you have finished the guide.

      If you remove the resources afterward, you will only be billed for the hour(s) that the resources were present on your account. Consult the Billing and Payments guide for detailed information about how hourly billing works and for a table of plan pricing.

      Before You Begin

      Note

      This guide uses Kubernetes services which are private by default. Local listeners are opened which allow you to access the services on your local browser, however, web servers and NodeBalancers are out scope for this guide. Due to this, you should complete the steps of this guide from your local computer or from a computer that you will give you access the web browser. If you wish to be able to access these services from a public domain, please see our guide on Getting Started with NodeBalancers.
      1. Install the Kubernetes CLI (kubectl) on your computer, if it is not already.

      2. Follow the How to Deploy Kubernetes on Linode with the k8s-alpha CLI guide to set up a Kubernetes cluster. This guide will use a three node + master node cluster. You can use the following Linode k8s-alpha CLI command to create your cluster:

        linode-cli k8s-alpha create example-cluster --node-type g6-standard-2 --nodes 3 --master-type g6-standard-2 --region us-east --ssh-public-key ~/.ssh/id_rsa.pub
        
        • You should use this guide instead of manual installation via a method such as kubeadmin, as the k8s-alpha tool will setup support for persistent volume claims.

        • Node sizes are important when configuring Elasticsearch, and this guide assumes 4GB Linode instances.

        • This guide also assumes that your cluster has role-based access control (RBAC) enabled. This feature became available in Kubernetes 1.6. It is enabled on clusters created via the k8s-alpha Linode CLI.

      3. You should also make sure that your Kubernetes CLI is using the right cluster context. Run the get-contexts subcommand to check:

        kubectl config get-contexts
        
      4. Set up Helm in your Kubernetes cluster by following the How to Install Apps on Kubernetes with Helm guide and stop following the steps in this guide upon reaching the Use Helm Charts to Install Apps section.

      Configure Helm

      After following the prerequisites for this guide, you should have a Kubernetes cluster with Helm installed and configured.

      1. Add the elastic chart repository to your local installation of Helm:

        helm repo add elastic https://helm.elastic.co
        
      2. Fetch the updated list of charts from all configured chart repositories:

        helm repo update
        
      3. Search for the official elasticsearch chart to confirm Helm has been configured correctly. Note that this chart released by Elastic differs from the chart bundled with the default installation of Helm.

        helm search elasticsearch --version 7
        

        This command should return results similar to the following. Note that your exact version numbers may be different.

        NAME                    CHART VERSION   APP VERSION     DESCRIPTION
        elastic/elasticsearch   7.3.2           7.3.2           Official Elastic helm chart for Elasticsearch
        

      Your Helm environment is now prepared to install official Elasticsearch charts into your kubernetes cluster.

      Install Charts

      Install Elasticsearch

      Before installing the chart, ensure that resources are set appropriately. By default, the elasticsearch chart allocates 1G of memory to the JVM heap and sets Kubernetes resource requests and limits to 2G. Using a Linode 4GB instance is compatible with these defaults, but if you are using a different instance type, you will need to provide different values to the chart at install time in order to ensure that running pods are within the resource constraints of the node sizes you have chosen.

      1. Install the elasticsearch chart. This command will wait to complete until all pods are started and ready:

        helm install --name elasticsearch --wait --timeout=600 elastic/elasticsearch
        
      2. A three-node Elasticsearch cluster is now configured and available locally to the Kubernetes cluster. To confirm this, first port-forward a local port to the Elasticsearch service. You should leave this command running in a terminal window or tab in in the background for the remainder of this tutorial.

        kubectl port-forward svc/elasticsearch-master 9200:9200
        
      3. In another terminal window, send a request to this port:

        curl http://localhost:9200/
        
      4. You should see a response similar to the following:

        {
          "name" : "elasticsearch-master-0",
          "cluster_name" : "elasticsearch",
          "cluster_uuid" : "o66WYOm5To2znbZ0kOkDUw",
          "version" : {
            "number" : "7.3.2",
            "build_flavor" : "default",
            "build_type" : "docker",
            "build_hash" : "1c1faf1",
            "build_date" : "2019-09-06T14:40:30.409026Z",
            "build_snapshot" : false,
            "lucene_version" : "8.1.0",
            "minimum_wire_compatibility_version" : "6.8.0",
            "minimum_index_compatibility_version" : "6.0.0-beta1"
          },
          "tagline" : "You Know, for Search"
        }
        

      Note that your specific version numbers and dates may be different in this json response. Elasticsearch is operational, but not receiving or serving any data.

      Install Filebeat

      In order to start processing data, deploy the filebeat chart to your Kubernetes cluster. This will collect all pod logs and store them in Elasticsearch, after which they can be searched and used in visualizations within Kibana.

      1. Deploy the filebeat chart. No custom values.yaml file should be necessary:

        helm install --name filebeat --wait --timeout=600 elastic/filebeat
        
      2. Confirm that Filebeat has started to index documents into Elasticsearch by sending a request to the locally-forwarded Elasticsearch service port:

        curl http://localhost:9200/_cat/indices
        

        At least one filebeat index should be present, and output should be similar to the following:

          
                green open filebeat-7.3.12-2019.09.30-000001 peGIaeQRQq-bfeSG3s0RWA 1 1 9886 0 5.7mb 2.8mb
            
        

      Install Kibana

      Kibana will provide a frontend to Elasticsearch and the data collected by Filebeat.

      1. Deploy the kibana chart:

        helm install --name kibana --wait --timeout=600 elastic/kibana
        
      2. Port-forward the kibana-kibana service in order to access Kibana locally. Leave this command running in the background as well for the remainder of this tutorial.

        kubectl port-forward svc/kibana-kibana 5601:5601
        

      Configure Kibana

      Before visualizing pod logs, Kibana must be configured with an index pattern for Filebeat’s indices.

      1. With the previous port-forward command running in another terminal window, open your browser and navigate to http://localhost:5601

      2. A page similar to the following should render in your browser.

        Initial Kibana Page

      3. To begin configuring index patterns, scroll down until the Index Patterns button appears, and click it.

        Kibana Home Page Index Patterns

      4. The Index Patterns page should be displayed. Click the Create index pattern button to begin.

        Kibana Index Patterns Page

      5. From this page, enter “filebeat-*” into the Index pattern text box, then click the Next step button.

        Kibana Create Index Pattern

      6. In the following page, select @timestamp from the Time Filter field name dropdown menu, then click the Create index pattern button.

        Kibana Create Index Pattern

      7. A page with the index pattern details will then be shown. Click the Discover compass icon from the sidebar to view incoming logs.

        Kibana Select Discover

      8. The Discover page provides a realtime view of logs as they are ingested by Elasticsearch from your Kubernetes cluster. The histogram provides a view of log volume over time, which by default, spans the last 15 minutes. The sidebar on the left side of the user interface displays various fields parsed from json fields sent by Filebeat to Elasticsearch.

      9. Use the Filters box to search only for logs arriving from Kibana pods by filtering for kubernetes.container.name : "kibana". Click the Update button to apply the search filter.

        Note

        When searching in the filters box, field names and values are auto-populated.

        Kibana Filter

      10. In order to expand a log event, click the arrow next to an event in the user interface.

        Kibana Open Log Event

      11. Scroll down to view the entire log document in Kibana. Observe the fields provided by Filebeat, including the message field, which contains standard out and standard error messages from the container, as well as the kubernetes node and pod name in fields prefixed with kubernetes.

        Kibana Log Document

      12. Look closely at the message field in the log representation and note that the text field is formatted as json. While the terms in this field can be searched with free text search terms in Kibana, parsing this field will generally yield better results. The following section explains how to configure Filebeat and Kibana to achieve this.

      Update Stack Configuration

      At this point, the Elastic stack is functional and provides an interface to visualize and create dashboards for your logs from Kubernetes. This section will explain how to further configure the various components of the stack for greater visibility into your Kubernetes environment.

      1. Create a values file for Filebeat. This configuration will add the ability to provide autodiscover hints. Instead of changing the Filebeat configuration each time parsing differences are encountered, autodiscover hints permit fragments of Filebeat configuration to be defined at the pod level dynamically so that applications can instruct Filebeat as to how their logs should be parsed.

        filebeat-values.yml
         1
         2
         3
         4
         5
         6
         7
         8
         9
        10
        
        ---
        
        filebeatConfig:
        filebeat.yml: |
        filebeat.autodiscover:
        providers:
          - type: kubernetes
        hints.enabled: true
        output.elasticsearch:
        hosts: '${ELASTICSEARCH_HOSTS:elasticsearch-master:9200}'
      2. Upgrade the filebeat deployment to use this new configuration file:

        helm upgrade --values filebeat-values.yml --wait --timeout=600 filebeat elastic/filebeat
        
      3. Once this command completes, Filebeat’s DaemonSet will have successfully updated all running pods.

      4. Next, create a Kibana values file to append annotations to the Kibana Deployment that will indicate that Filebeat should parse certain fields as json values. This configuration file will instruct Filebeat to parse the message field as json and store the parsed object underneath the kibana field.

        kibana-values.yml
        1
        2
        3
        4
        5
        
        ---
        
        podAnnotations:
        co.elastic.logs/processors.decode_json_fields.fields: message
        co.elastic.logs/processors.decode_json_fields.target: kibana
      5. Upgrade the Kibana Helm release in your Kubernetes cluster, passing this file as an argument for the Chart values.

        helm upgrade --values kibana-values.yml --wait --timeout=600 kibana elastic/kibana
        
      6. Note, triggering a rolling pod update of Kibana will cause the previous port-forward to lose track of running pods. Terminate the previous Kibana port-forward command in the background terminal with Ctrl-C and start the command again:

        kubectl port-forward svc/kibana-kibana 5601:5601
        
      7. Open a browser window to http://localhost:5601 and navigate to the same Index Patterns page again:

        Kibana Home Page Index Patterns

      8. From the Index Patterns page, select the filebeat-* index pattern.

        Kibana Filebeat Index Pattern

      9. From the index pattern page for filebeat-*, select the Refresh field list button.

        Kibana Refresh Fields

      10. Confirm this action by selecting the Refresh button in the pop-up dialog.

        Kibana Refresh Fields Confirm

      11. Navigate to the “Discover” page.

        Kibana Select Discover

      12. Filter for kibana containers again, scroll down, and expand a log document. Note that various fields have been parsed into the kibana field, such as kibana.req.method, indicating which HTTP verb was issued for a request for Kibana.

        Kibana Parsed Fields

      Metricbeat

      In addition to collecting logs with Filebeat, Metricbeat can collect pod and node metrics in order to visualize information such as resource utilization.

      Install Metricbeat

      1. Deploy the metricbeat chart.

        helm install --name metricbeat --wait --timeout=600 elastic/metricbeat
        
      2. Confirm that Metricbeat has started to index documents into Elasticsearch by sending a request to the locally-forwarded Elasticsearch service port:

        curl http://localhost:9200/_cat/indices
        
      3. At least one metricbeat index should be present, similar to the following:

        green open metricbeat-7.3.2-2019.09.30-000001 N75uVk_hTpmVbDKZE0oeIw 1 1   455  0   1.1mb 567.9kb
        

      Load Dashboards

      Metricbeat can install default Dashboards into Kibana to provide out-of-the-box visualizations for data collected by Kubernetes.

      Before following these steps, ensure that the port-forward command to expose Kibana over port 5601 locally is still running.

      Run the following commands on your local machine. This will communicate with Kibana over 127.0.0.1:5601 to import default Dashboards that will be populated by data from Metricbeat.

      Note

      Your commands should use the same version of Metricbeat deployed to your Kubernetes cluster. You can find this version by issuing the following command:

      helm get values --all metricbeat | grep imageTag
      

      For Linux

      1. Get the Metricbeat package.

        wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.3.2-linux-x86_64.tar.gz
        
      2. Unzip the package.

        tar xvzf metricbeat-7.3.2-linux-x86_64.tar.gz
        
      3. Navigate to the directory.

        cd metricbeat-7.3.2-linux-x86_64
        
      4. Setup the dashboards.

        ./metricbeat setup --dashboards
        

      For MacOS

      1. Get the Metricbeat package.

        wget https://artifacts.elastic.co/downloads/beats/metricbeat/metricbeat-7.3.2-darwin-x86_64.tar.gz
        
      2. Unzip the package.

        tar xvzf metricbeat-7.3.2-darwin-x86_64.tar.gz
        
      3. Navigate to the directory.

        cd metricbeat-7.3.2-darwin-x86_64
        
      4. Setup the dashboards.

        ./metricbeat setup --dashboards
        

      Explore Dashboards

      1. Open a browser window to http://localhost:5601 and click the Dashboards icon on the left sidebar.

        Kibana Dashboards Link

      2. In the search box, enter “kubernetes” and press Enter. Select the [Metricbeat Kubernetes] Overview ECS dashboard.

        Kibana Dashboards

      3. The following dashboard displays several types of metrics about your Kubernetes cluster.

        Kibana Kubernetes Dashboards

      4. You can explore the various visualizations on this page in order to view metrics about pods, nodes, and the overall health of the Kubernetes cluster.

      Next Steps

      From this point onward, any additional workloads started in Kubernetes will be processed by Filebeat and Metricbeat in order to collect logs and metrics for later introspection within Kibana. As Kubernetes nodes are added or removed, the Filebeat and Metricbeat DaemonSets will automatically scale out pods to monitor nodes as they join the Kubernetes cluster.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      Find answers, ask questions, and help others.

      This guide is published under a CC BY-ND 4.0 license.



      Source link

      How To Manage Replicas and Clients in Redis


      Introduction

      Redis is an open-source, in-memory key-value data store. One of its most sought-after features is its support for replication: any Redis server can replicate its data to any number of replicas, allowing for high read scalability and strong data redundancy. Additionally, Redis was designed to allow many clients (up to 10000, by default) to connect and interact with data, making it a good choice for cases where many users need access to the same dataset.

      This tutorial goes over the commands used to manage Redis clients and replicas.

      How To Use This Guide
      This guide is written as a cheat sheet with self-contained examples. We encourage you to jump to any section that is relevant to the task you’re trying to complete.

      The commands shown in this guide were tested on an Ubuntu 18.04 server running Redis version 4.0.9. To set up a similar environment, you can follow Step 1 of our guide on How To Install and Secure Redis on Ubuntu 18.04. We will demonstrate how these commands behave by running them with redis-cli, the Redis command line interface. Note that if you’re using a different Redis interface — Redli, for example — the exact output of certain commands may differ.

      Alternatively, you could provision a managed Redis database instance to test these commands, but note that depending on the level of control allowed by your database provider, some commands in this guide may not work as described. To provision a DigitalOcean Managed Database, follow our Managed Databases product documentation. Then, you must either install Redli or set up a TLS tunnel in order to connect to the Managed Database over TLS.

      Note: The Redis project uses the terms “master” and “slave” in its documentation and in various commands to identify different roles in replication, though the project’s contributors are taking steps to change this language in cases where it doesn’t cause compatibility issues. DigitalOcean generally prefers to use the alternative terms “primary” and “replica”.

      This guide will default to “primary” and “replica” whenever possible, but note that there are a few instances where the terms “master” and “slave” unavoidably come up.

      Managing Replicas

      One of Redis’s most distinguishing features is its built-in replication. When using replication, Redis creates exact copies of the primary instance. These secondary instances reconnect to the primary any time their connections break and will always aim to remain an exact copy of the primary.

      If you’re not sure whether the Redis instance you’re currently connected to is a primary instance or a replica, you can check by running the role command:

      This command will return either master or slave, or potentially sentinel if you’re using Redis Sentinel.

      To designate a Redis instance as a replica of another instance on the fly, run the replicaof command. This command takes the intended primary server’s hostname or IP address and port as arguments:

      • replicaof hostname_or_IP port

      If the server was already a replica of another primary, it will stop replicating the old server and immediately start synchronizing with the new one. It will also discard the old dataset.

      To promote a replica back to being a primary, run the following replicaof command:

      This will stop the instance from replicating the primary server, but will not discard the dataset it has already replicated. This syntax is useful in cases where the original primary fails. After running replicaof no one on a replica of the failed primary, the former replica can be used as the new primary and have its own replicas as a failsafe.

      Note: Prior to version 5.0.0, Redis instead included a version of this command named slaveof.

      Managing Clients

      A client is any machine or software that connects to a server in order to access a service. Redis comes with several commands that help with tracking and managing client connections.

      The client list command returns a set of human-readable information about current client connections:

      Output

      "id=18165 addr=[2001:db8:0:0::12]:47460 fd=7 name=jerry age=72756 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=0 obl=0 oll=0 omem=0 events=r cmd=ping id=18166 addr=[2001:db8:0:1::12]:47466 fd=8 name= age=72755 idle=5 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=0 obl=0 oll=0 omem=0 events=r cmd=info id=19381 addr=[2001:db8:0:2::12]:54910 fd=9 name= age=9 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=26 qbuf-free=32742 obl=0 oll=0 omem=0 events=r cmd=client "

      Here is what each of these fields mean:

      • id: a unique 64-bit client ID
      • name: the name of the client connection, as defined by a prior client setname command
      • addr: the address and port from which the client is connecting
      • fd: the file descriptor that corresponds to the socket over which the client is connecting
      • age: the total duration of the client connection, in seconds
      • flags: a set of one or more single-character flags that provide more granular detail about the clients; see the client list command documentation for more details
      • db: the current database ID number that the client is connected to (can be from 0 to 15)
      • sub: the number of channels the client is subscribed to
      • psub: the number of the client’s pattern-matching subscriptions
      • mutli: the number of commands the client has queued in a transaction (will show -1 if the client hasn’t begun a transaction or 0 if it has only started a transaction and not queued any commands)
      • qbuf: the client’s query buffer length, with 0 meaning it has no pending queries
      • qbuf-free: the amount of free space in the client’s query buffer, with 0 meaning that the query buffer is full
      • obl: the client’s output buffer length
      • oll: the length of the client’s output list, where replies are queued when its buffer is full
      • omem: the memory used by the client’s output buffer
      • events: the client’s file descriptor events, these can be r for “readable”, w for “writable,” or both
      • cmd: the last command run by the client

      Setting client names is useful for debugging connection leaks in whatever application is using Redis. Every new connection starts without an assigned name, but client setname can be used to create one for the current client connection. There’s no limit to how long client names can be, although Redis usually limits string lengths to 512 MB. Note, though, that client names cannot include spaces:

      To retrieve the name of a client connection, use the client getname command:

      Output

      "elaine"

      To retrieve a client’s connection ID, use the client id command:

      Output

      (integer) "19492"

      Redis client IDs are never repeated and are monotonically incremental. This means that if one client has an ID greater than another, then it was established at a later time.

      Blocking Clients and Closing Client Connections

      Replication systems are typically described as being either synchronous or asynchronous. In synchronous replication, whenever a client adds or changes data it must receive some kind of acknowledgement from a certain number of replicas for the change to register as having been committed. This helps to prevent nodes from having data conflicts but it comes at a cost of latency, since the client must wait to perform another operation until it has heard back from a certain number of replicas.

      In asynchronous replication, on the other hand, the client sees a confirmation that the operation is finished as soon as the data is written to local storage. There can, however, be a lag between this and when the replicas actually write the data. If one of the replicas fails before it can write the change, that write will be lost forever. So while asynchronous replication allows clients to continue performing operations without the latency caused by waiting for replicas, it can lead to data conflicts between nodes and may require extra work on the part of the database administrator to resolve those conflicts.

      Because of its focus on performance and low latency, Redis implements asynchronous replication by default. However, you can simulate synchronous replication with the wait command. wait blocks the current client connection for a specified amount of time (in milliseconds) until all the previous write commands are successfully transferred and accepted by a specified number of replicas. This command uses the following syntax:

      • wait number_of_replicas number_of_milliseconds

      For example, if you want to block your client connection until all the previous writes are registered by at least 3 replicas within a 30 millisecond timeout, your wait syntax would look like this:

      The wait command returns an integer representing the number of replicas that acknowledged the write commands, even if not every replica does so:

      Output

      2

      To unblock a client connection that has been previously blocked, whether from a wait, brpop, or xread command, you can run a client unblock command with the following syntax:

      To temporarily suspend every client currently connected to the Redis server, you can use the client pause command. This is useful in cases where you need to make changes to your Redis setup in a controlled way. For example, if you’re promoting one of your replicas to be the primary instance, you might pause every client beforehand so you can promote the replica and have the clients connect to it as the new primary without losing any write operations in the process.

      The client pause command requires you to specify the amount of time (in milliseconds) you’d like to suspend the clients. The following example will suspend all clients for one second:

      The client kill syntax allows you to close a single connection or a set of specific connections based on a number of different filters. The syntax looks like this:

      • client kill filter_1 value_1 ... filter_n value_n

      In Redis versions 2.8.12 and later, the following filters are available:

      • addr: allows you to close a client connection from a specified IP address and port
      • client-id: allows you to close a client connection based on its unique ID field
      • type: closes every client of a given type, which can be either normal, master, slave, or pubsub
      • skipme: the value options for this filter are yes and no:
        • if no is specified, the client calling the client kill command will not get skipped, and will be killed if the other filters apply to it
        • if yes is specified, the client running the command will be skipped and the kill command will have no effect on the client. skipme is always yes by default

      Conclusion

      This guide details a number of commands used to manage Redis clients and replicas. If there are other related commands, arguments, or procedures you’d like to see outlined in this guide, please ask or make suggestions in the comments below.

      For more information on Redis commands, see our tutorial series on How to Manage a Redis Database.



      Source link

      Inspecting Network Information with netstat


      Updated by Linode

      Contributed by

      Mihalis Tsoukalos

      The netstat command line utility shows information about the network status of a workstation or server. netstat is available on Unix-like and Windows operating systems, with some differences in its usage between these systems.

      netstat is an older utility, and some components of its functionality have been superseded by newer tools, like the ss command. A primary benefit of using netstat is that it is frequently pre-installed on Linux systems, while other tools might not be. As well, many (but not all) of the command line options for netstat can be run without root privileges, so it can still be useful on a system where you do not have root or sudo privileges.


      Assumptions

      This guide assumes some basic knowledge of networking in Linux, including network interfaces, routing tables, and network connections and sockets.

      In This Guide

      This guide will explore the options available when running netstat on Linux. netstat can be used to inspect:

      A list of the command line options can be found below, and some advanced examples of using netstat with the AWK command will be introduced at the end of the guide.

      Note

      This guide is written for a non-root user. Depending on your configuration, some commands might require the help of sudo in order to properly execute. If you are not familiar with the sudo command, see the Users and Groups guide.

      Basic Usage

      Installing netstat

      If netstat is not present on your Linux server or workstation, it can be added by installing the net-tools package:

      sudo apt install net-tools # Debian-based systems
      sudo yum install net-tools # CentOS and RHEL systems
      

      Running netstat without Any Options

      If you execute netstat without any command line arguments and options, the utility will display all open sockets and network connections, formatted in two tables. This will most likely be a relatively long list:

      netstat
      
        
      Active Internet connections (w/o servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        0      0 li140-253.members.l:ssh 185.232.67.121:43556    TIME_WAIT
      tcp        0      0 li140-253.members.:smtp 37.252.14.141:64553     SYN_RECV
      tcp        0      0 li140-253.members.l:ssh 37.252.14.141:43860     SYN_RECV
      tcp        0      0 li140-253.members.:smtp 37.252.14.141:44909     SYN_RECV
      tcp        0      0 li140-253.members.l:ssh ppp-2-86-7-61.hom:54757 ESTABLISHED
      tcp        0      0 li140-253.members.l:ssh 37.252.14.141:62736     SYN_RECV
      tcp6       0      0 li140-253.members.:http 37.252.14.141:63805     SYN_RECV
      
      Active UNIX domain sockets (w/o servers)
      Proto RefCnt Flags       Type       State         I-Node   Path
      unix  2      [ ]         DGRAM                    20972    /var/spool/postfix/dev/log
      unix  3      [ ]         DGRAM                    18134    /run/systemd/notify
      unix  3      [ ]         STREAM     CONNECTED     24059
      unix  2      [ ]         DGRAM                    22790
      unix  2      [ ACC ]     STREAM     LISTENING     24523    public/showq
      unix  2      [ ACC ]     STREAM     LISTENING     24526    private/error
      
      

      The first table displays network connections, and the columns of this table are interpreted as follows:

      Column Description
      Proto The protocol of the connection: TCP, UDP, or raw.
      Recv-Q When in reference to a TCP connection, this column shows the number of bytes received by the local network interface but not read by the connected process.
      Send-Q When in reference to a TCP connection, this column shows the number of bytes sent to the other side of the connection but not acknowledged by the remote host.
      Local Address The local address and port for the connection. By default, this will display the host name for the address, if it can be resolved. The service name for the port (e.g. SSH for port 22) will also be displayed by default.
      Foreign Address The address and port number for the connected host. The host name and service name will be displayed by default, similar to the behavior for the Local Address column.
      State The state of the connection. Because raw and UDP connections will generally not have state information, this column will usually be blank for those connection types. For TCP connections, the State column will have a value that matches one of the states specified by TCP: SYN_RECV, SYN_SENT, ESTABLISHED, etc. By default, connections in the LISTEN state will not be displayed.

      The second table displays unix sockets, and the columns of this table are interpreted as follows:

      Column Description
      Proto The protocol of the socket (unix).
      RefCnt The reference count, which is the number of attached processes connected via this socket.
      Flags Any flags associated with the socket. This will most often display ACC, short for SO_ACCEPTON, which is shown for unconnected sockets whose processes are waiting for connection requests.
      Type The type of the socket: datagram/connectionless (SOCK_DGRAM), stream/connection (SOCK_STREAM), raw (SOCK_RAW), reliably-delivered messages (SOCK_RDM), sequential packet (SOCK_SEQPACKET), or the obsolete SOCK_PACKET.
      State The state of the socket: FREE for unallocated sockets, LISTENING for sockets listening for connections, CONNECTING for sockets that are about to be connected, CONNECTED for connected sockets, and DISCONNECTING for disconnecting sockets. If the state is empty, the socket is not connected. Sockets in the LISTENING state will not be displayed by default.
      I-Node The filesystem inode of the socket.
      Path The filesystem path of the socket.

      Command Line Options

      Some important and frequently-used command line options of netstat are as follows:

      Option Definition
      -v Shows verbose output.
      -r Displays the kernel routing tables.
      -e Displays extended information for network connections.
      -i Displays a table of all network interfaces. When used with -a, the output also includes interfaces that are not up.
      -s Displays summary statistics for each protocol.
      -W Avoids truncating IP addresses and provides as much screen space as needed to display them.
      -n Displays numerical (IP) addresses, instead of resolving them to hostnames.
      -A Allows you to specify the protocol family. Valid values are inet, inet6, unix, ipx, ax25, netrom, econet, ddp and bluetooth.
      -t Displays TCP data only.
      -u Displays UDP data only.
      -4 Displays IPv4 connections only.
      -6 Displays IPv6 connections only.
      -c Displays information continuously (every second).
      -p Displays the process ID and the name of the program that owns the socket. It requires root privileges for this.
      -o Displays timer information.
      -a Shows both listening and non-listening network connections and unix sockets.
      -l Displays listening network connections and unix sockets, which are not shown by default.
      -C Displays routing information from the route cache.
      -g Displays multicast group membership information for IPv4 and IPv6.

      The rest of this guide will put the most important of these command line options to work in order to help you learn their usage. However, nothing can replace experimenting with netstat on your own.

      Sockets/Network Connections

      Include the LISTENING State

      Run netstat with the -a option to show both listening and non-listening network connections and sockets:

      netstat -a
      
        
      Active Internet connections (servers and established)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
      tcp        0    316 li1076-154.members.:ssh 192.0.2.4:51109       ESTABLISHED
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
      Active UNIX domain sockets (servers and established)
      Proto RefCnt Flags       Type       State         I-Node   Path
      unix  2      [ ACC ]     STREAM     LISTENING     15668    /run/systemd/private
      unix  6      [ ]         DGRAM                    9340     /run/systemd/journal/dev-log
      unix  3      [ ]         DGRAM                    9096     /run/systemd/notify
      unix  2      [ ]         DGRAM                    9098     /run/systemd/cgroups-agent
      unix  2      [ ACC ]     STREAM     LISTENING     9107     /run/systemd/fsck.progress
      unix  2      [ ACC ]     SEQPACKET  LISTENING     9117     /run/udev/control
      unix  2      [ ]         DGRAM                    9119     /run/systemd/journal/syslog
      unix  2      [ ]         DGRAM                    50340    /run/user/1000/systemd/notify
      unix  2      [ ACC ]     STREAM     LISTENING     50344    /run/user/1000/systemd/private
      ...
      
      

      Only Show the LISTENING State

      Run netstat with the -l option to only show listening network connections and sockets:

        
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
      Active UNIX domain sockets (only servers)
      Proto RefCnt Flags       Type       State         I-Node   Path
      unix  2      [ ACC ]     STREAM     LISTENING     15668    /run/systemd/private
      unix  2      [ ACC ]     STREAM     LISTENING     9107     /run/systemd/fsck.progress
      unix  2      [ ACC ]     SEQPACKET  LISTENING     9117     /run/udev/control
      unix  2      [ ACC ]     STREAM     LISTENING     50344    /run/user/1000/systemd/private
      unix  2      [ ACC ]     STREAM     LISTENING     50349    /run/user/1000/gnupg/S.gpg-agent.ssh
      unix  2      [ ACC ]     STREAM     LISTENING     50352    /run/user/1000/gnupg/S.gpg-agent.extra
      unix  2      [ ACC ]     STREAM     LISTENING     50354    /run/user/1000/gnupg/S.gpg-agent.browser
      unix  2      [ ACC ]     STREAM     LISTENING     50356    /run/user/1000/gnupg/S.gpg-agent
      unix  2      [ ACC ]     STREAM     LISTENING     9210     /run/systemd/journal/stdout
      unix  2      [ ACC ]     STREAM     LISTENING     11261    /var/run/dbus/system_bus_socket
      
      

      Show IPv4 Connections Only

      The -A inet, --inet and -4 command line options will all tell netstat to show IPv4 connections (both TCP and UDP) only. Because listening connections are not shown by default, this command displays connections that are in a non-listening state:

      netstat -4
      
        
      Active Internet connections (w/o servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        1      0 li140-253.members.:smtp 193.32.160.143:41356    CLOSE_WAIT
      tcp        0    300 li140-253.members.l:ssh athedsl-405473.ho:64917 ESTABLISHED
      tcp        1      0 li140-253.members.:smtp 193.32.160.136:37752    CLOSE_WAIT
      tcp        1      0 li140-253.members.:smtp 193.32.160.136:49900    CLOSE_WAIT
      tcp        1      0 li140-253.members.:smtp 193.32.160.136:49900    CLOSE_WAIT
      
      

      Note

      If you want to display IPv4 connections that are in both listening and non-listening state, add the -a command line option:

      netstat -4a
      

      Show IPv6 Connections Only

      The -A inet6, --inet6 and -6 command line options will all tell netstat to show IPv6 connections (both TCP and UDP) only. Because listening connections are not shown by default, this command displays connections that are in a non-listening state:

      netstat -6
      
        
      Active Internet connections (servers and established)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      udp6       0      0 [::]:mdns               [::]:*
      udp6       0      0 [::]:58949              [::]:*
      udp6       0      0 fe80::f03c:91ff:fe6:ntp [::]:*
      udp6       0      0 2a01:7e00::f03c:91f:ntp [::]:*
      udp6       0      0 localhost:ntp           [::]:*
      udp6       0      0 [::]:ntp                [::]:*
      
      

      Note

      If you want to display IPv4 connections that are in both listening and non-listening state, add the -a command line option:

      netstat -6a
      

      Show Listening UNIX Sockets

      The -x option limits netstat to showing Unix sockets. If you want to only display listening UNIX sockets, use the following command:

      netstat -lx
      
        
      Active UNIX domain sockets (only servers)
      Proto RefCnt Flags       Type       State         I-Node   Path
      unix  2      [ ACC ]     STREAM     LISTENING     21569793 /run/user/1000/gnupg/S.gpg-agent.extra
      unix  2      [ ACC ]     STREAM     LISTENING     21569796 /run/user/1000/gnupg/S.gpg-agent.ssh
      unix  2      [ ACC ]     STREAM     LISTENING     21569798 /run/user/1000/gnupg/S.gpg-agent.browser
      unix  2      [ ACC ]     STREAM     LISTENING     21569800 /run/user/1000/gnupg/S.dirmngr
      unix  2      [ ACC ]     STREAM     LISTENING     21569802 /run/user/1000/gnupg/S.gpg-agent
      unix  2      [ ACC ]     STREAM     LISTENING     24485    public/cleanup
      unix  2      [ ACC ]     STREAM     LISTENING     20306    /var/run/dbus/system_bus_socket
      unix  2      [ ACC ]     STREAM     LISTENING     24490    private/tlsmgr
      unix  2      [ ACC ]     STREAM     LISTENING     24493    private/rewrite
      unix  2      [ ACC ]     STREAM     LISTENING     24496    private/bounce
      unix  2      [ ACC ]     STREAM     LISTENING     24499    private/defer
      unix  2      [ ACC ]     STREAM     LISTENING     24502    private/trace
      unix  2      [ ACC ]     STREAM     LISTENING     24505    private/verify
      unix  2      [ ACC ]     STREAM     LISTENING     20319    /var/run/avahi-daemon/socket
      ...
      
      

      Show TCP Connections Only

      The -t option limits netstat to showing TCP network connections. Because listening connections are not shown by default, the following command displays connections that are in a non-listening state:

      netstat -nt
      
        
      Active Internet connections (w/o servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        1      0 109.74.193.253:25       193.32.160.143:41356    CLOSE_WAIT
      tcp        0      0 109.74.193.253:22       79.131.135.223:64917    ESTABLISHED
      tcp        1      0 109.74.193.253:25       193.32.160.136:37752    CLOSE_WAIT
      tcp        1      0 109.74.193.253:25       193.32.160.136:49900    CLOSE_WAIT
      tcp6       0      0 109.74.193.253:80       104.18.40.175:26111     SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.40.175:47427     SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.41.175:24763     SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.41.175:32295     SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.41.175:53268     SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.40.175:4436      SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.40.175:17099     SYN_RECV
      tcp6       0      0 109.74.193.253:80       104.18.41.175:12892     SYN_RECV
      
      

      Note

      The -n option in the previous command tells netstat to not resolve IP addresses to hostnames.

      Note

      If you want to display both listening and non-listening TCP connections, add the -a command line option:

      netstat -ta
      

      Show IPv4 TCP Connections Only

      If you are only interested in IPv4 TCP connections, use the -t and -4 options together. Because listening connections are not shown by default, the following command displays connections that are in a non-listening state:

      netstat -nt4
      
        
      Active Internet connections (w/o servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        1      0 109.74.193.253:25       193.32.160.143:41356    CLOSE_WAIT
      tcp        0      0 109.74.193.253:22       79.131.135.223:64917    ESTABLISHED
      tcp        1      0 109.74.193.253:25       193.32.160.136:37752    CLOSE_WAIT
      tcp        1      0 109.74.193.253:25       193.32.160.136:49900    CLOSE_WAIT
      
      

      Note

      If you want to display both listening and non-listening IPv4 TCP connections, add the -a command line option:

      netstat -t4a
      

      Show Listening TCP Connections Only

      If you want to display listening TCP connections only, combine -l and -t:

      netstat -lt
      
        
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
      tcp      101      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN
      tcp6       0      0 [::]:http               [::]:*                  LISTEN
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
      tcp6       0      0 [::]:https              [::]:*                  LISTEN
      
      

      Show UDP Connections Only

      If you are only interested in seeing UDP connections, use the -u option:

      netstat  -u
      
        
      Active Internet connections (servers and established)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State
      udp        0      0 0.0.0.0:mdns            0.0.0.0:*
      udp        0      0 li140-253.member:syslog 0.0.0.0:*
      udp        0      0 0.0.0.0:60397           0.0.0.0:*
      udp        0      0 0.0.0.0:bootpc          0.0.0.0:*
      udp        0      0 li140-253.members.l:ntp 0.0.0.0:*
      udp        0      0 localhost:ntp           0.0.0.0:*
      udp        0      0 0.0.0.0:ntp             0.0.0.0:*
      udp6       0      0 [::]:mdns               [::]:*
      udp6       0      0 [::]:58949              [::]:*
      udp6       0      0 fe80::f03c:91ff:fe6:ntp [::]:*
      udp6       0      0 2a01:7e00::f03c:91f:ntp [::]:*
      udp6       0      0 localhost:ntp           [::]:*
      udp6       0      0 [::]:ntp                [::]:*
      
      

      Note

      To show only IPv4 or IPv6 UDP connections, combine -u with -4 or -6:

      netstat -u4
      netstat -u6
      

      Show Extended Output

      The -e command line parameter tells netstat to show extended output, which will add the User and Inode columns to the displayed table (but only for network connections, not unix sockets). For example, this command will show extended output for a system’s listening TCP connections:

      netstat -lte
      
        
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode
      tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN      mysql      35862475
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      root       35572959
      tcp      101      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN      root       35544149
      tcp6       0      0 [::]:http               [::]:*                  LISTEN      root       35577141
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       35572961
      tcp6       0      0 [::]:https              [::]:*                  LISTEN      root       35577145
      
      

      Show the PID and Program Name

      The -p option displays the process ID and program name that corresponds to a network connection or unix socket.

      Note

      netstat requires root privileges to show the PID and program name of processes that are not owned by your user.

      This command will display the PID and program name for a system’s listening TCP connections:

      sudo netstat -ltp
      
        
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
      tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN      24555/mysqld
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      1008/sshd
      tcp      101      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN      8576/master
      tcp6       0      0 [::]:http               [::]:*                  LISTEN      1808/apache2
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1008/sshd
      tcp6       0      0 [::]:https              [::]:*                  LISTEN      1808/apache2
      
      

      Note

      In particular, the previous example’s command is a fast way to learn about which networked services are running on your system.

      Combining -p and -e

      Combining -p with -e while having root privileges will simultaneously reveal the user, inode, and PID/program name of your network connections. The following example command will show all of this information for a system’s listening TCP connections:

      sudo netstat -ltpe
      
        
      Active Internet connections (only servers)
      Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
      tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN      mysql      35862475   24555/mysqld
      tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      root       35572959   1008/sshd
      tcp      101      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN      root       35544149   8576/master
      tcp6       0      0 [::]:http               [::]:*                  LISTEN      root       35577141   1808/apache2
      tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       35572961   1008/sshd
      tcp6       0      0 [::]:https              [::]:*                  LISTEN      root       35577145   1808/apache2
      
      

      Routing Tables

      One of the most frequent uses of netstat is for showing the routing table of a machine:

      netstat -nr
      
        
      Kernel IP routing table
      Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
      0.0.0.0         109.74.193.1    0.0.0.0         UG        0 0          0 eth0
      109.74.193.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
      
      

      In this output, the U flag means that the route is in use and the G flag denotes the default gateway. The H flag, which is not displayed here, would mean that the route is to a host and not to a network.

      Network Interfaces

      The -i option shows network statistics on a per-interface basis:

      netstat -i
      
        
      Kernel Interface table
      Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
      eth0      1500  7075525      0      0 0       6830902      0      0      0 BMRU
      lo       65536   573817      0      0 0        573817      0      0      0 LRU
      
      
      Column Description
      Iface The name of the interface.
      MTU The value of the Maximum Transmission Unit.
      RX-OK The number of error free packets received.
      RX-ERR The number of packets received with errors.
      RX-DRP The number of dropped packets when receiving.
      RX-OVR The number of packets lost due to the overflow when receiving.
      TX-OK The number of error-free packets transmitted.
      RX-ERR The number of transmitted packets with errors.
      TX-DRP The number of dropped packets when transmitting.
      TX-OVR The number of packets lost due to the overflow when transmitting.
      Flag Flag values for the interface.

      If you combine -a with -i, netstat will also display interfaces that are not up:

      netstat -ia
      
        
      Kernel Interface table
      Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
      dummy0    1500        0      0      0 0             0      0      0      0 BO
      erspan0   1450        0      0      0 0             0      0      0      0 BM
      eth0      1500 13128358      0      0 0      15677694      0      0      0 BMRU
      gre0      1476        0      0      0 0             0      0      0      0 O
      gretap0   1462        0      0      0 0             0      0      0      0 BM
      ip6_vti0  1364        0      0      0 0             0      0      0      0 O
      ip6gre0   1448        0      0      0 0             0      0      0      0 O
      ip6tnl0   1452        0      0      0 0             0      0      0      0 O
      ip_vti0   1480        0      0      0 0             0      0      0      0 O
      lo       65536   846097      0      0 0        846097      0      0      0 LRU
      sit0      1480        0      0      0 0             0      0      0      0 O
      teql0     1500        0      0      0 0             0      0      0      0 O
      tunl0     1480        0      0      0 0             0      0      0      0 O
      
      

      Network Protocols

      Use the -s option to see network statistics on a per-protocol basis:

      netstat -s
      
        
      Ip:
          Forwarding: 2
          6775334 total packets received
          11 with invalid addresses
          0 forwarded
          0 incoming packets discarded
          6775323 incoming packets delivered
          7339283 requests sent out
      Icmp:
          10531 ICMP messages received
          4415 input ICMP message failed
          InCsumErrors: 3
          ICMP input histogram:
              destination unreachable: 6035
              timeout in transit: 93
              redirects: 1
              echo requests: 4379
              timestamp request: 20
          16939 ICMP messages sent
          0 ICMP messages failed
          ICMP output histogram:
              destination unreachable: 12540
              echo replies: 4379
              timestamp replies: 20
      IcmpMsg:
              InType3: 6035
              InType5: 1
              InType8: 4379
              InType11: 93
              InType13: 20
              OutType0: 4379
              OutType3: 12540
              OutType14: 20
      Tcp:
          38781 active connection openings
          330301 passive connection openings
          10683 failed connection attempts
          26722 connection resets received
          1 connections established
          6580191 segments received
          10797407 segments sent out
          654603 segments retransmitted
          748 bad segments received
          408640 resets sent
          InCsumErrors: 747
      Udp:
          212303 packets received
          13230 packets to unknown port received
          126 packet receive errors
          213173 packets sent
          0 receive buffer errors
          0 send buffer errors
          InCsumErrors: 126
      UdpLite:
      TcpExt:
          10451 resets received for embryonic SYN_RECV sockets
          9 ICMP packets dropped because they were out-of-window
          41710 TCP sockets finished time wait in fast timer
          294 packetes rejected in established connections because of timestamp
          161285 delayed acks sent
          22 delayed acks further delayed because of locked socket
          Quick ack mode was activated 20984 times
          43 SYNs to LISTEN sockets dropped
          1199311 packet headers predicted
          1851531 acknowledgments not containing data payload received
          919487 predicted acknowledgments
          114 times recovered from packet loss due to fast retransmit
          TCPSackRecovery: 5474
          TCPSACKReneging: 2
          Detected reordering 8235 times using SACK
          Detected reordering 21 times using reno fast retransmit
          Detected reordering 219 times using time stamp
          154 congestion windows fully recovered without slow start
          80 congestion windows partially recovered using Hoe heuristic
          TCPDSACKUndo: 142
          1009 congestion windows recovered without slow start after partial ack
          TCPLostRetransmit: 33008
          68 timeouts after reno fast retransmit
          TCPSackFailures: 302
          599 timeouts in loss state
          57605 fast retransmits
          2647 retransmits in slow start
          TCPTimeouts: 618841
          TCPLossProbes: 35168
          TCPLossProbeRecovery: 12069
          TCPRenoRecoveryFail: 60
          TCPSackRecoveryFail: 668
          TCPBacklogCoalesce: 54624
          TCPDSACKOldSent: 20866
          TCPDSACKOfoSent: 56
          TCPDSACKRecv: 5136
          TCPDSACKOfoRecv: 76
          20881 connections reset due to unexpected data
          1466 connections reset due to early user close
          3960 connections aborted due to timeout
          TCPSACKDiscard: 54
          TCPDSACKIgnoredOld: 28
          TCPDSACKIgnoredNoUndo: 2114
          TCPSpuriousRTOs: 23
          TCPSackShifted: 33515
          TCPSackMerged: 56742
          TCPSackShiftFallback: 24412
          TCPDeferAcceptDrop: 127813
          TCPRcvCoalesce: 258864
          TCPOFOQueue: 24749
          TCPOFOMerge: 56
          TCPChallengeACK: 238
          TCPSYNChallenge: 3
          TCPFastOpenCookieReqd: 6
          TCPFromZeroWindowAdv: 32
          TCPToZeroWindowAdv: 32
          TCPWantZeroWindowAdv: 187
          TCPSynRetrans: 517978
          TCPOrigDataSent: 7250401
          TCPHystartTrainDetect: 102
          TCPHystartTrainCwnd: 15000
          TCPHystartDelayDetect: 1533
          TCPHystartDelayCwnd: 101578
          TCPACKSkippedSynRecv: 16
          TCPACKSkippedPAWS: 160
          TCPACKSkippedSeq: 54
          TCPACKSkippedTimeWait: 140
          TCPACKSkippedChallenge: 91
          TCPWinProbe: 1552
          TCPDelivered: 7093769
          TCPAckCompressed: 12241
          TCPWqueueTooBig: 222
      IpExt:
          InMcastPkts: 104
          OutMcastPkts: 106
          InOctets: 3072954621
          OutOctets: 10300134722
          InMcastOctets: 8757
          OutMcastOctets: 8837
          InNoECTPkts: 6759736
          InECT1Pkts: 312
          InECT0Pkts: 54355
          InCEPkts: 8644
      Sctp:
          0 Current Associations
          0 Active Associations
          0 Passive Associations
          0 Number of Aborteds
          0 Number of Graceful Terminations
          14 Number of Out of Blue packets
          0 Number of Packets with invalid Checksum
          14 Number of control chunks sent
          0 Number of ordered chunks sent
          0 Number of Unordered chunks sent
          14 Number of control chunks received
          0 Number of ordered chunks received
          0 Number of Unordered chunks received
          0 Number of messages fragmented
          0 Number of messages reassembled
          14 Number of SCTP packets sent
          14 Number of SCTP packets received
          SctpInPktSoftirq: 14
          SctpInPktDiscards: 14
      
      

      Including the -w option will tell netstat to display raw network statistics:

      sudo netstat -sw
      
        
      Ip:
          Forwarding: 2
          6775954 total packets received
          11 with invalid addresses
          0 forwarded
          0 incoming packets discarded
          6775943 incoming packets delivered
          7339740 requests sent out
      Icmp:
          10531 ICMP messages received
          4415 input ICMP message failed
          InCsumErrors: 3
          ICMP input histogram:
              destination unreachable: 6035
              timeout in transit: 93
              redirects: 1
              echo requests: 4379
              timestamp request: 20
          16942 ICMP messages sent
          0 ICMP messages failed
          ICMP output histogram:
              destination unreachable: 12543
              echo replies: 4379
              timestamp replies: 20
      IcmpMsg:
              InType3: 6035
              InType5: 1
              InType8: 4379
              InType11: 93
              InType13: 20
              OutType0: 4379
              OutType3: 12543
              OutType14: 20
      UdpLite:
      IpExt:
          InMcastPkts: 104
          OutMcastPkts: 106
          InOctets: 3072998471
          OutOctets: 10300305693
          InMcastOctets: 8757
          OutMcastOctets: 8837
          InNoECTPkts: 6760354
          InECT1Pkts: 312
          InECT0Pkts: 54357
          InCEPkts: 8644
      
      

      Multicast Group Membership

      The netstat -g command displays multicast group membership information:

      netstat -g
      
        
      IPv6/IPv4 Group Memberships
      Interface       RefCnt Group
      --------------- ------ ---------------------
      lo              1      all-systems.mcast.net
      eth0            1      224.0.0.251
      eth0            1      all-systems.mcast.net
      lo              1      ip6-allnodes
      lo              1      ff01::1
      dummy0          1      ip6-allnodes
      dummy0          1      ff01::1
      eth0            1      ff02::202
      eth0            1      ff02::fb
      ...
      
      

      Note

      The default output of netstat -g displays both IPv4 and IPv6 data.

      Using AWK to process netstat output

      The AWK programming language can help you process netstat output and generate handy reports.

      Showing the Number of Listening Processes Per Username

      The following command calculates the total number of listening processes per username:

      sudo netstat -lte | awk '{print $7}' | grep -v Address | grep -v "^$" | sort | uniq -c | awk '{print $2 ": " $1}'
      
        
      mysql: 1
      root: 5
      
      
      • The netstat command collects the listening TCP connections and includes the users for the connections’ processes in the output.
      • The first awk command limits the output to the column that displays the user.
      • The first grep command deletes the line with the header information generated by netstat.
      • The second grep command deletes empty lines from the output.
      • The sort command sorts the users alphabetically.
      • After that, the uniq command counts line occurrences while omitting repeated output.
      • Lastly, the second awk command reverses the two columns of the uniq command’s output and prints the data on screen.

      HTTP Connections

      The following command, which needs root privileges to run, extracts the IP address from all established Apache connections and calculates the number of connections per IP address:

      sudo netstat -anpt | grep apache2 | grep ESTABLISHED | awk -F "[ :]*" '{print $4}' | uniq -c
      
        
            4 109.74.193.253
      
      

      TCP Connections

      The following command calculates the number of TCP connections per IP address, sorted by the number of connections:

      netstat -nt | awk '/^tcp/ {print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr
      
        
            2 193.32.160.136
            1 79.131.135.223
            1 193.32.160.143
            1 106.13.205.251
      
      

      Counting TCP States

      The next command counts the various types of TCP states:

      netstat -ant | awk '{print $6}' | grep -v established) | grep -v Foreign | sort | uniq -c | sort -n
      
        
            2 ESTABLISHED
            3 CLOSE_WAIT
            6 LISTEN
      
      

      Summary

      Even if there exists other more modern tools that can replace netstat, netstat remains a handy tool that will definitely help you if you ever have networking problems on your Linux machine. However, never forget to check your log files for errors or warnings related to your network problem before troubleshooting.

      More Information

      You may wish to consult the following resources for additional information on this topic. While these are provided in the hope that they will be useful, please note that we cannot vouch for the accuracy or timeliness of externally hosted materials.

      Find answers, ask questions, and help others.

      This guide is published under a CC BY-ND 4.0 license.



      Source link