Mattepuffo

Guide to Netstat

Netstat is a command available both on Windows and on Unix (and therefore on Linux, Mac OS X, BSD, etc.).

The command lets you see the state of the local machine's network connections.

The command can also be run as a normal user, but if you can, it is better to run it as root: as a normal user it gives errors for processes that do not belong to you.

I ran the tests on Linux, but they should also apply to Windows.

Let's look at some examples.

List all ports:

# netstat -a | less

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:rfb                   *:*                     LISTEN
tcp        0      0 192.168.1.130:ssh       62.94.208.157:38011     ESTABLISHED
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 *:5800                  *:*                     LISTEN
tcp        0      0 *:rfb                   *:*                     LISTEN
tcp        0      0 *:www-http              *:*                     LISTEN
udp        0      0 *:ipp                   *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6588   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     6555   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     6772   /tmp/ssh-JznlyRfE1208/agent.1208
unix  2      [ ACC ]     STREAM     LISTENING     6787   /tmp/.ICE-unix/1219
unix  2      [ ACC ]     STREAM     LISTENING     7106   /tmp/orbit-casa/linc-589-0-2d27571c78035
unix  2      [ ACC ]     STREAM     LISTENING     6262   /var/run/syslog-ng.ctl
unix  2      [ ACC ]     STREAM     LISTENING     91352  /var/run/httpd/cgisock.1039
unix  2      [ ACC ]     STREAM     LISTENING     6587   @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     7115   /tmp/orbit-casa/linc-54c-0-286f67bfa7764
unix  8      [ ]         DGRAM                    6260   /dev/log
unix  2      [ ACC ]     SEQPACKET  LISTENING     5178   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     6786   @/tmp/.ICE-unix/1219
unix  2      [ ACC ]     STREAM     LISTENING     6648   @/tmp/dbus-hkcgAq60WC
unix  2      [ ACC ]     STREAM     LISTENING     6247   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7959   @/tmp/dbus-SKLywgy1Al
unix  2      [ ACC ]     STREAM     LISTENING     7868   /var/run/mysqld/mysqld.sock
unix  2      [ ]         DGRAM                    140683
unix  3      [ ]         STREAM     CONNECTED     139977
unix  3      [ ]         STREAM     CONNECTED     139976
unix  3      [ ]         STREAM     CONNECTED     139938 /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     140513
unix  3      [ ]         STREAM     CONNECTED     120365 @/dbus-vfs-daemon/socket-e0CHnaSH
unix  3      [ ]         STREAM     CONNECTED     119700
unix  3      [ ]         STREAM     CONNECTED     120366 @/dbus-vfs-daemon/socket-FfJaXrqO
unix  3      [ ]         STREAM     CONNECTED     119699
unix  3      [ ]         STREAM     CONNECTED     120359 @/dbus-vfs-daemon/socket-F35KezQT
unix  3      [ ]         STREAM     CONNECTED     119698
unix  3      [ ]         STREAM     CONNECTED     120360 @/dbus-vfs-daemon/socket-EQjCPyDf
unix  3      [ ]         STREAM     CONNECTED     119697
unix  3      [ ]         STREAM     CONNECTED     119693 @/dbus-vfs-daemon/socket-8CM7p1LP
unix  3      [ ]         STREAM     CONNECTED     119692

.................

I used the less command to scroll through all the results, since there are quite a few.

This command lists all ports, both those listening and those that are not.

If instead we want to list only the listening ports:

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 *:mysql                 *:*                     LISTEN
tcp        0      0 *:rfb                   *:*                     LISTEN
tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
tcp        0      0 *:5800                  *:*                     LISTEN
tcp        0      0 *:rfb                   *:*                     LISTEN
tcp        0      0 *:www-http              *:*                     LISTEN
udp        0      0 *:ipp                   *:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6588   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     6555   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     6772   /tmp/ssh-JznlyRfE1208/agent.1208
unix  2      [ ACC ]     STREAM     LISTENING     6787   /tmp/.ICE-unix/1219
unix  2      [ ACC ]     STREAM     LISTENING     7106   /tmp/orbit-casa/linc-589-0-2d27571c78035
unix  2      [ ACC ]     STREAM     LISTENING     6262   /var/run/syslog-ng.ctl
unix  2      [ ACC ]     STREAM     LISTENING     91352  /var/run/httpd/cgisock.1039
unix  2      [ ACC ]     STREAM     LISTENING     6587   @/tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     7115   /tmp/orbit-casa/linc-54c-0-286f67bfa7764
unix  2      [ ACC ]     SEQPACKET  LISTENING     5178   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     6786   @/tmp/.ICE-unix/1219
unix  2      [ ACC ]     STREAM     LISTENING     6648   @/tmp/dbus-hkcgAq60WC
unix  2      [ ACC ]     STREAM     LISTENING     6247   /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     7959   @/tmp/dbus-SKLywgy1Al
unix  2      [ ACC ]     STREAM     LISTENING     7868   /var/run/mysqld/mysqld.sock

There are far fewer.

If we want to see the statistics:

# netstat -s
Ip:
34701 total packets received
65 with invalid addresses
0 forwarded
0 incoming packets discarded
34636 incoming packets delivered
34201 requests sent out
Icmp:
29 ICMP messages received
19 input ICMP message failed.
ICMP input histogram:
destination unreachable: 29
29 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 29
IcmpMsg:
InType3: 29
OutType3: 29
Tcp:
216 active connections openings
1281 passive connection openings
19 failed connection attempts
14 connection resets received
1 connections established
31478 segments received
31831 segments send out
235 segments retransmited
0 bad segments received.
20 resets sent
Udp:
2171 packets received
0 packets to unknown port received.
0 packet receive errors
2170 packets sent
RcvbufErrors: 0
SndbufErrors: 0
UdpLite:
InDatagrams: 0
NoPorts: 0
InErrors: 0
OutDatagrams: 0
RcvbufErrors: 0
SndbufErrors: 0
error parsing /proc/net/snmp: Success

The statistics are broken down by protocol.

The -p option shows the PID and program name of the process that owns each socket:

# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    224 192.168.1.130:ssh       62.94.208.157:38011     ESTABLISHED 15440/sshd: casa [p
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  8      [ ]         DGRAM                    6260   626/syslog-ng       /dev/log
unix  2      [ ]         DGRAM                    140683 15451/su
unix  3      [ ]         STREAM     CONNECTED     139977 15440/sshd: casa [p
unix  3      [ ]         STREAM     CONNECTED     139976 15449/1
unix  3      [ ]         STREAM     CONNECTED     139938 621/dbus-daemon     /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     140513 15440/sshd: casa [p
unix  3      [ ]         STREAM     CONNECTED     120365 14746/gvfsd-network @/dbus-vfs-daemon/socket-e0CHnaSH
unix  3      [ ]         STREAM     CONNECTED     119700 1277/Thunar
unix  3      [ ]         STREAM     CONNECTED     120366 14746/gvfsd-network @/dbus-vfs-daemon/socket-FfJaXrqO
unix  3      [ ]         STREAM     CONNECTED     119699 1277/Thunar
unix  3      [ ]         STREAM     CONNECTED     120359 14746/gvfsd-network @/dbus-vfs-daemon/socket-F35KezQT
unix  3      [ ]         STREAM     CONNECTED     119698 1277/Thunar
unix  3      [ ]         STREAM     CONNECTED     120360 14746/gvfsd-network @/dbus-vfs-daemon/socket-EQjCPyDf
unix  3      [ ]         STREAM     CONNECTED     119697 1277/Thunar
unix  3      [ ]         STREAM     CONNECTED     119693 14750/gvfsd-dnssd   @/dbus-vfs-daemon/socket-8CM7p1LP
unix  3      [ ]         STREAM     CONNECTED     119692 14746/gvfsd-network

...........

To all of these options you can add the -t or -u flag to filter only the TCP or UDP protocol.

So, for example:

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0     68 192.168.1.130:ssh       srv-vra.verem:nmsigport ESTABLISHED 15587/sshd: unknown
tcp        0    224 192.168.1.130:ssh       62.94.208.157:38011     ESTABLISHED 15440/sshd: casa [p

Or:

# netstat -st
IcmpMsg:
InType3: 29
OutType3: 29
Tcp:
216 active connections openings
1333 passive connection openings
19 failed connection attempts
14 connection resets received
2 connections established
32192 segments received
32628 segments send out
235 segments retransmited
0 bad segments received.
20 resets sent
UdpLite:
InDatagrams: 0
NoPorts: 0
InErrors: 0
OutDatagrams: 0
RcvbufErrors: 0
SndbufErrors: 0
error parsing /proc/net/snmp: Success

Just to give a couple of examples.

If instead we do not want names to be resolved:

# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.130:22        201.64.140.178:13219    TIME_WAIT
tcp        0      0 192.168.1.130:22        201.6.102.173:41338     TIME_WAIT
tcp        0      0 192.168.1.130:22        201.64.140.178:14275    ESTABLISHED
tcp        0     48 192.168.1.130:22        62.94.208.157:38011     ESTABLISHED
tcp        0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 :::5800                 :::*                    LISTEN
tcp        0      0 :::5900                 :::*                    LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:631             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6588   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     6555   /var/run/cups/cups.sock
unix  2      [ ACC ]     STREAM     LISTENING     6772   /tmp/ssh-JznlyRfE1208/agent.1208
unix  2      [ ACC ]     STREAM     LISTENING     6787   /tmp/.ICE-unix/1219

.............

The last interesting option I'll show you is this one:

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0

This reports the routing information.

If we want to identify all listening Internet (inet family) connections:

# netstat -l -A inet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:postgresql    *:*                     LISTEN     
tcp        0      0 localhost:smtp          *:*                     LISTEN     
tcp        0      0 *:microsoft-ds          *:*                     LISTEN     
tcp        0      0 localhost:27017         *:*                     LISTEN     
tcp        0      0 localhost:mysql         *:*                     LISTEN     
tcp        0      0 *:netbios-ssn           *:*                     LISTEN     
tcp        0      0 localhost:submission    *:*                     LISTEN     
tcp        0      0 localhost:11211         *:*                     LISTEN     
tcp        0      0 *:50511                 *:*                     LISTEN     
tcp        0      0 *:sunrpc                *:*                     LISTEN     
tcp        0      0 localhost:28017         *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
udp        0      0 *:44965                 *:*                                
udp        0      0 localhost:11211         *:*                                
udp        0      0 *:sunrpc                *:*                                
udp        0      0 *:ipp                   *:*                                
udp        0      0 192.168.1.25:netbios-ns *:*                                
udp        0      0 casa.local:netbios-ns   *:*                                
udp        0      0 *:netbios-ns            *:*                                
udp        0      0 192.168.1.2:netbios-dgm *:*                                
udp        0      0 casa.local:netbios-dgm  *:*                                
udp        0      0 *:netbios-dgm           *:*                                
udp        0      0 *:47770                 *:*                                
udp        0      0 *:701                   *:*                                
udp        0      0 localhost:711           *:*                                
udp        0      0 *:mdns                  *:*  

Obviously the options do not end here, and you can also pipe everything to grep to filter the data however you like!
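As an added example (not part of the original post), here is the kind of filter you would pipe netstat into on a Linux box: it reads the output of netstat -an (or the resolved form from netstat -a / netstat -l -A inet) on stdin and tags every listening TCP socket and every UDP socket by where it is bound, so that services reachable from the network (0.0.0.0, :: or *) stand out from those that only listen on loopback. The sample input is constructed from the post's own listings; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post. Tags each listening socket in
# netstat output with its bind scope. Usage on a live host:
#     netstat -an | classify_listeners

# Print "PROTO LOCAL_ADDRESS SCOPE" for every listening TCP socket and every UDP socket.
classify_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ && ($6 == "LISTEN" || $1 ~ /^udp/) {
            addr = $4
            sub(/:[^:]*$/, "", addr)        # drop the port (text after the last ":")
            if (addr == "0.0.0.0" || addr == "::" || addr == "*")
                scope = "ALL-INTERFACES"    # reachable from any network the host is on
            else if (addr == "127.0.0.1" || addr == "::1" || addr ~ /^localhost/)
                scope = "LOOPBACK"          # local processes only
            else
                scope = "SPECIFIC"          # bound to a single address
            print $1, $4, scope
        }'
}

# Count how many listeners are exposed on all interfaces.
count_exposed() {
    classify_listeners | awk '/ALL-INTERFACES$/ { n++ } END { print n + 0 }'
}

# Constructed sample, trimmed from the netstat -an listing in the post.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.130:22        62.94.208.157:38011     ESTABLISHED
tcp        0      0 ::1:631                 :::*                    LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
udp        0      0 0.0.0.0:631             0.0.0.0:*'

# Demonstration run on the constructed sample (the ESTABLISHED line is skipped).
printf '%s\n' "$SAMPLE" | classify_listeners
printf 'exposed on all interfaces: %s\n' "$(printf '%s\n' "$SAMPLE" | count_exposed)"
```

Listeners tagged ALL-INTERFACES are the ones worth checking against the host firewall and the service's own bind configuration.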