Zum Inhalt

Netstat Cheatsheet

Netstat - Netzwerkverbindung Utility

Netstat ist ein Befehlszeilennetzwerk-Dienstprogramm, das Netzwerkverbindungen, Routing-Tabellen, Schnittstellenstatistiken, Masquerade-Verbindungen und Multicast-Mitgliedschaften anzeigt. Wesentlich für Netzwerk-Fehlersuche, Sicherheitsanalyse und Systemverwaltung. < p>

generieren

Inhaltsverzeichnis

  • [Installation](LINK_0 -%20(__LINK_0___)
  • (__LINK_0____)
  • (__LINK_0___)
  • [Interface Statistics](LINK_0 -%20[Process%20Information](_LINK_0 -%20(__LINK_0)
  • [Security Analysis](LINK_0 -%20(_LINK_0)
  • (__LINK_0___)
  • (__LINK_0___)
  • Beste Praktiken

Installation

Linux (Einbau)

```bash

Netstat is typically pre-installed on most Linux distributions

If missing, install via package manager

Ubuntu/Debian

sudo apt update sudo apt install net-tools

CentOS/RHEL/Fedora

sudo yum install net-tools

or

sudo dnf install net-tools

Arch Linux

sudo pacman -S net-tools

Alpine Linux

sudo apk add net-tools ```_

Windows (Built-in)

```cmd

Netstat is built into Windows

Available in Command Prompt and PowerShell

netstat /?

PowerShell equivalent

Get-NetTCPConnection Get-NetUDPEndpoint ```_

macOS (Built-in)

```bash

Netstat is pre-installed on macOS

netstat -h

Alternative: lsof for more detailed process information

brew install lsof ```_

Alternative Werkzeuge

```bash

Modern alternatives to netstat

ss (socket statistics) - faster and more feature-rich

sudo apt install iproute2 # Ubuntu/Debian sudo yum install iproute2 # CentOS/RHEL

lsof - list open files and network connections

sudo apt install lsof # Ubuntu/Debian sudo yum install lsof # CentOS/RHEL ```_

Basisnutzung

Alle Anschlüsse anzeigen

```bash

Show all active connections

netstat -a

Show all TCP connections

netstat -at

Show all UDP connections

netstat -au

Show all listening ports

netstat -l

Show all listening TCP ports

netstat -lt

Show all listening UDP ports

netstat -lu ```_

Gemeinsame Optionen

```bash

Show numerical addresses instead of resolving hosts

netstat -n

Show process ID and name

netstat -p

Continuous monitoring (refresh every 2 seconds)

netstat -c

Show extended information

netstat -e

Show multicast group memberships

netstat -g

Show routing table

netstat -r

Show interface statistics

netstat -i ```_

Kombinierte Optionen

```bash

Most commonly used combination

netstat -tulpn

Breakdown:

-t: TCP connections

-u: UDP connections

-l: Listening ports only

-p: Show process ID and name

-n: Show numerical addresses

Show all connections with process information

netstat -anp

Show listening ports with process information

netstat -lnp

Show TCP connections with process information

netstat -tnp ```_

Verbindungsüberwachung

TCP Verbindungen

```bash

Show all TCP connections

netstat -t

Show TCP connections with numerical addresses

netstat -tn

Show TCP listening ports

netstat -tl

Show TCP connections with process information

netstat -tp

Show TCP connections in specific states

netstat -t | grep ESTABLISHED netstat -t | grep LISTEN netstat -t | grep TIME_WAIT netstat -t | grep CLOSE_WAIT ```_

UDP Verbindungen

```bash

Show all UDP connections

netstat -u

Show UDP connections with numerical addresses

netstat -un

Show UDP listening ports

netstat -ul

Show UDP connections with process information

netstat -up ```_

Verbindungsstaaten

```bash

Monitor connection states

| netstat -t | awk '{print $6}' | sort | uniq -c |

Count connections by state

| netstat -an | awk '/^tcp/ {print $6}' | sort | uniq -c |

Monitor specific connection state

| watch -n 1 'netstat -t | grep ESTABLISHED | wc -l' |

Show connections to specific port

netstat -an | grep :80 netstat -an | grep :443 netstat -an | grep :22 ```_

Echtzeitüberwachung

```bash

Continuous monitoring

netstat -c

Monitor with custom interval (every 5 seconds)

watch -n 5 netstat -tulpn

Monitor specific port continuously

watch -n 1 'netstat -an | grep :80'

Monitor connection count

watch -n 1 'netstat -an | wc -l' ```_

Routing Tables

Routing Information anzeigen

```bash

Show routing table

netstat -r

Show routing table with numerical addresses

netstat -rn

Show IPv4 routing table

netstat -r -4

Show IPv6 routing table

netstat -r -6

Show kernel routing table (Linux)

netstat -rn | grep '^0.0.0.0'

Show default gateway

netstat -rn | grep '^default' ```_

Routenanalyse

```bash

Show routing table with interface information

netstat -rn | column -t

Find routes to specific network

netstat -rn | grep "192.168.1"

Show routing cache (if available)

netstat -C

Display routing statistics

netstat -s | grep -i route ```_

Schnittstellenstatistik

Informationen zur Netzwerkschnittstelle

```bash

Show interface statistics

netstat -i

Show interface statistics with extended information

netstat -ie

Show interface statistics continuously

netstat -ic

Show specific interface

netstat -i eth0 netstat -i wlan0 ```_

Schnittstellenüberwachung

```bash

Monitor interface packet counts

watch -n 1 'netstat -i'

Show interface errors and drops

netstat -i | awk 'NR>2 {print $1, $4, $8}'

Monitor specific interface traffic

watch -n 1 'netstat -i | grep eth0'

Calculate interface utilization

netstat -i | awk 'NR>2 {print $1, "RX:", $3, "TX:", $7}' ```_

Informationen zum Thema

Prozess-zu-Port Mapping

```bash

Show processes using network connections

netstat -p

Show processes listening on ports

netstat -lp

Show processes using TCP connections

netstat -tp

Show processes using UDP connections

netstat -up

Find process using specific port

netstat -lnp | grep :80 netstat -lnp | grep :443 netstat -lnp | grep :22 ```_

Prozessanalyse

```bash

Show all processes with network connections

netstat -anp | grep -v "0.0.0.0:*"

Find processes by name

netstat -anp | grep nginx netstat -anp | grep apache netstat -anp | grep mysql

Show connections for specific PID

netstat -anp | grep 1234

Count connections per process

| netstat -anp | awk '{print $7}' | sort | uniq -c | sort -nr | ```_

Erweiterte Filterung

Portbasierte Filterung

```bash

Show connections on specific port

netstat -an | grep :80 netstat -an | grep :443 netstat -an | grep :22 netstat -an | grep :3306

Show listening services on common ports

netstat -ln | grep :80 netstat -ln | grep :443 netstat -ln | grep :22

Show connections from specific IP

netstat -an | grep 192.168.1.100

Show connections to specific IP

netstat -an | grep "192.168.1.100:" ```_

Protokoll Filtern

```bash

Show only TCP connections

netstat -t

Show only UDP connections

netstat -u

Show only Unix domain sockets

netstat -x

Show only raw sockets

netstat -w

Show IPv4 connections only

netstat -4

Show IPv6 connections only

netstat -6 ```_

Staatliche Filterung

```bash

Show established connections

netstat -t | grep ESTABLISHED

Show listening ports

netstat -t | grep LISTEN

Show connections in TIME_WAIT state

netstat -t | grep TIME_WAIT

Show connections in CLOSE_WAIT state

netstat -t | grep CLOSE_WAIT

Count connections by state

| netstat -t | awk '{print $6}' | sort | uniq -c | ```_

Sicherheitsanalyse

Sicherheitsüberwachung

```bash

Monitor for suspicious connections

| netstat -an | grep ESTABLISHED | grep -v "127.0.0.1\ | ::1" |

Check for unexpected listening services

| netstat -ln | grep -v "127.0.0.1\ | ::1" |

Monitor for connections to unusual ports

| netstat -an | grep -E ":(1234 | 4444 | 5555 | 6666 | 7777 | 8888 | 9999)" |

Check for connections from external IPs

| netstat -an | grep ESTABLISHED | grep -v "192.168\ | 10.\ | 172." | ```_

Port Scanning Detection

```bash

Monitor for port scanning attempts

| netstat -an | grep SYN_RECV | wc -l |

Check for half-open connections

netstat -an | grep SYN_RECV

Monitor connection attempts

| watch -n 1 'netstat -an | grep SYN_RECV | wc -l' |

Detect potential DDoS

| netstat -an | grep :80 | grep SYN_RECV | wc -l | ```_

Netzwerk Forensics

```bash

Capture current network state

netstat -anp > network_state_$(date +%Y%m%d_%H%M%S).txt

Monitor network changes

netstat -anp > /tmp/netstat_before.txt

... perform action ...

netstat -anp > /tmp/netstat_after.txt diff /tmp/netstat_before.txt /tmp/netstat_after.txt

Track connection history

while true; do echo "$(date): $(netstat -an | wc -l) connections" >> connection_log.txt sleep 60 done ```_

Automatisierungsskripte

Netzwerküberwachung Skript

```bash

!/bin/bash

network_monitor.sh - Comprehensive network monitoring

LOG_FILE="/var/log/network_monitor.log" ALERT_THRESHOLD=1000

log_message() { echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" | tee -a "$LOG_FILE" }

check_connections() { local conn_count=$(netstat -an | wc -l) log_message "Total connections: $conn_count"

if [ "$conn_count" -gt "$ALERT_THRESHOLD" ]; then
    log_message "ALERT: High connection count detected!"
    # Send alert (email, Slack, etc.)
fi

}

check_listening_ports() { log_message "Listening ports:" | netstat -ln | grep LISTEN | tee -a "$LOG_FILE" | }

check_established_connections() { | local est_count=$(netstat -an | grep ESTABLISHED | wc -l) | log_message "Established connections: $est_count" }

check_suspicious_activity() { # Check for connections to unusual ports | local suspicious=$(netstat -an | grep -E ":(1234 | 4444 | 5555 | 6666 | 7777 | 8888 | 9999)" | wc -l) | if [ "$suspicious" -gt 0 ]; then log_message "WARNING: Suspicious connections detected!" | netstat -an | grep -E ":(1234 | 4444 | 5555 | 6666 | 7777 | 8888 | 9999)" | tee -a "$LOG_FILE" | fi }

main() { log_message "Starting network monitoring" check_connections check_listening_ports check_established_connections check_suspicious_activity log_message "Network monitoring completed" }

Run monitoring

main ```_

Port Scanner Erkennung

```bash

!/bin/bash

port_scan_detector.sh - Detect potential port scanning

SCAN_LOG="/var/log/port_scan.log" THRESHOLD=10

detect_syn_flood() { | local syn_count=$(netstat -an | grep SYN_RECV | wc -l) |

if [ "$syn_count" -gt "$THRESHOLD" ]; then
    echo "$(date): ALERT - Potential SYN flood detected! Count: $syn_count" >> "$SCAN_LOG"

    # Log source IPs
    echo "Source IPs:" >> "$SCAN_LOG"

| netstat -an | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr >> "$SCAN_LOG" |

    # Optional: Block suspicious IPs

| # netstat -an | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq | while read ip; do | # iptables -A INPUT -s "$ip" -j DROP # done fi }

monitor_connection_attempts() { # Monitor for rapid connection attempts | netstat -an | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | while read count ip; do | if [ "$count" -gt 5 ]; then echo "$(date): Suspicious activity from $ip - $count connection attempts" >> "$SCAN_LOG" fi done }

Run detection

detect_syn_flood monitor_connection_attempts ```_

Anschluss Analyzer

```python

!/usr/bin/env python3

connection_analyzer.py - Advanced connection analysis

import subprocess import re import json from collections import defaultdict, Counter from datetime import datetime

class ConnectionAnalyzer: def init(self): self.connections = [] self.stats = defaultdict(int)

def get_connections(self):
    """Get current network connections"""
    try:
        result = subprocess.run(['netstat', '-anp'], 
                              capture_output=True, text=True)
        return result.stdout.split('\n')
    except Exception as e:
        print(f"Error getting connections: {e}")
        return []

def parse_connections(self, lines):
    """Parse netstat output"""
    connections = []

    for line in lines:
        if 'tcp' in line or 'udp' in line:
            parts = line.split()
            if len(parts) >= 6:
                connection = {
                    'protocol': parts[0],
                    'local_address': parts[3],
                    'remote_address': parts[4],
                    'state': parts[5] if len(parts) > 5 else 'N/A',
                    'process': parts[6] if len(parts) > 6 else 'N/A'
                }
                connections.append(connection)

    return connections

def analyze_connections(self):
    """Analyze network connections"""
    lines = self.get_connections()
    self.connections = self.parse_connections(lines)

    # Count by protocol
    protocols = Counter(conn['protocol'] for conn in self.connections)

    # Count by state
    states = Counter(conn['state'] for conn in self.connections)

    # Count by remote IP
    remote_ips = Counter(
        conn['remote_address'].split(':')[0] 
        for conn in self.connections 
        if ':' in conn['remote_address']
    )

    # Count by local port
    local_ports = Counter(
        conn['local_address'].split(':')[-1] 
        for conn in self.connections 
        if ':' in conn['local_address']
    )

    return {
        'total_connections': len(self.connections),
        'protocols': dict(protocols),
        'states': dict(states),
        'top_remote_ips': dict(remote_ips.most_common(10)),
        'top_local_ports': dict(local_ports.most_common(10))
    }

def detect_anomalies(self):
    """Detect potential security issues"""
    anomalies = []

    # Check for excessive connections from single IP
    remote_ips = Counter(
        conn['remote_address'].split(':')[0] 
        for conn in self.connections 
        if ':' in conn['remote_address'] and not conn['remote_address'].startswith('127.')
    )

    for ip, count in remote_ips.items():
        if count > 50:  # Threshold for suspicious activity
            anomalies.append(f"High connection count from {ip}: {count}")

    # Check for unusual ports
    unusual_ports = ['1234', '4444', '5555', '6666', '7777', '8888', '9999']
    for conn in self.connections:
        for port in unusual_ports:
            if f":{port}" in conn['remote_address']:
                anomalies.append(f"Connection to unusual port {port}: {conn['remote_address']}")

    return anomalies

def generate_report(self):
    """Generate comprehensive report"""
    analysis = self.analyze_connections()
    anomalies = self.detect_anomalies()

    report = {
        'timestamp': datetime.now().isoformat(),
        'analysis': analysis,
        'anomalies': anomalies,
        'recommendations': self.get_recommendations(analysis, anomalies)
    }

    return report

def get_recommendations(self, analysis, anomalies):
    """Generate security recommendations"""
    recommendations = []

    if analysis['total_connections'] > 1000:
        recommendations.append("High connection count detected - monitor for potential DDoS")

    if len(anomalies) > 0:
        recommendations.append("Security anomalies detected - investigate immediately")

    if 'SYN_RECV' in analysis['states'] and analysis['states']['SYN_RECV'] > 100:
        recommendations.append("High SYN_RECV count - potential SYN flood attack")

    return recommendations

def main(): analyzer = ConnectionAnalyzer() report = analyzer.generate_report()

print(json.dumps(report, indent=2))

# Save report to file
with open(f"network_report_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json", 'w') as f:
    json.dump(report, f, indent=2)

if name == "main": main() ```_

Leistungsüberwachung

Anschlussleistung

```bash

Monitor connection establishment rate

watch -n 1 'netstat -s | grep "connections established"'

Monitor TCP retransmissions

netstat -s | grep -i retrans

Monitor packet drops

netstat -s | grep -i drop

Monitor buffer usage

netstat -s | grep -i buffer ```_

Bandbreitenüberwachung

```bash

Monitor interface throughput

| watch -n 1 'netstat -i | grep -v "Kernel\ | Iface\ | lo"' |

Calculate bandwidth utilization

netstat -i | awk 'NR>2 && $1!="lo" { rx_bytes=$3; tx_bytes=$7; print $1, "RX:", rx_bytes, "TX:", tx_bytes }'

Monitor network statistics

| netstat -s | grep -E "(packets | bytes)" | ```_

Nutzung der Systemressourcen

```bash

Monitor socket usage

netstat -s | grep -i socket

Check for memory issues

netstat -s | grep -i memory

Monitor connection limits

ulimit -n # Check file descriptor limit cat /proc/sys/net/core/somaxconn # Check socket backlog limit ```_

Fehlerbehebung

Gemeinsame Themen

Hoher Anschlusszähler

```bash

Identify processes with most connections

| netstat -anp | awk '{print $7}' | sort | uniq -c | sort -nr | head -10 |

Check for connection leaks

| netstat -an | grep TIME_WAIT | wc -l |

Monitor connection states over time

| watch -n 5 'netstat -an | awk "{print \$6}" | sort | uniq -c' | ```_

Port Binding Issues

```bash

Check if port is already in use

netstat -ln | grep :80

Find process using specific port

netstat -lnp | grep :80

Check for port conflicts

netstat -ln | sort -k4 ```_

Network Connectivity Issues

```bash

Check routing table

netstat -rn

Verify interface status

netstat -i

Check for dropped packets

netstat -i | grep -v "0.0.0.*0"

Monitor interface errors

watch -n 1 'netstat -i | awk "NR>2 {print \$1, \$4, \$8}"' ```_

Diagnostische Befehle

```bash

Comprehensive network state dump

netstat -anp > netstat_full.txt

Quick connection summary

netstat -s | head -20

Check for unusual activity

| netstat -an | grep -v "127.0.0.1\ | ::1" | grep ESTABLISHED |

Monitor real-time changes

watch -d -n 1 'netstat -tulpn | head -20' ```_

Leistungsoptimierung

```bash

Tune TCP parameters (Linux)

echo 'net.core.somaxconn = 65535' >> /etc/sysctl.conf echo 'net.ipv4.tcp_max_syn_backlog = 65535' >> /etc/sysctl.conf echo 'net.core.netdev_max_backlog = 5000' >> /etc/sysctl.conf

Apply changes

sysctl -p

Monitor the effect

netstat -s | grep -i listen ```_

Best Practices

Sicherheit Best Practices

```bash

Regular security audits

| netstat -ln | grep -v "127.0.0.1\ | ::1" > listening_services.txt |

Monitor for unauthorized services

diff previous_services.txt current_services.txt

Check for backdoors

| netstat -anp | grep -E ":(1234 | 4444 | 5555 | 6666 | 7777 | 8888 | 9999)" |

Verify expected services only

| netstat -lnp | awk '{print $4, $7}' | sort | ```_

Best Practices überwachen

```bash

Automated monitoring

*/5 * * * * /usr/local/bin/network_monitor.sh

Log rotation for network logs

logrotate -f /etc/logrotate.d/network

Baseline establishment

netstat -anp > /var/baseline/network_baseline_$(date +%Y%m%d).txt

Regular comparison

diff /var/baseline/network_baseline_*.txt current_state.txt ```_

Performance Best Practices

```bash

Use ss instead of netstat for better performance

ss -tulpn

Limit output for large systems

netstat -an | head -100

Use specific filters

netstat -tn | grep :80

Avoid DNS resolution in scripts

netstat -n ```_

Dokumentation Best Practices

```bash

Document network configuration

netstat -rn > network_routes.txt netstat -i > network_interfaces.txt netstat -ln > listening_services.txt

Create network inventory

| netstat -anp | awk '{print $7}' | sort | uniq > network_processes.txt |

Regular snapshots

mkdir -p /var/log/network_snapshots netstat -anp > "/var/log/network_snapshots/netstat_$(date +%Y%m%d_%H%M%S).txt" ```_

Integrationsbeispiele

SIEM Integration

```bash

Syslog format for SIEM

netstat -anp | logger -t netstat -p local0.info

JSON format for modern SIEM

netstat -anp | awk '{print "{\"timestamp\":\"" strftime("%Y-%m-%d %H:%M:%S") "\",\"connection\":\"" $0 "\"}"}'

Send to remote syslog

netstat -anp | logger -n siem.company.com -P 514 -t netstat ```_

Überwachung der Integration

```bash

Prometheus metrics format

| echo "network_connections_total $(netstat -an | wc -l)" | curl -X POST http://pushgateway:9091/metrics/job/netstat |

Nagios check

if [ $(netstat -an | wc -l) -gt 1000 ]; then echo "CRITICAL - Too many connections" exit 2 fi ```_

Automatisierung Integration

```bash

Ansible playbook task

  • name: Check network connections shell: netstat -anp register: netstat_output

Terraform provisioner

provisioner "local-exec" { command = "netstat -ln > network_state.txt" } ```_

--

Zusammenfassung

Netstat ist ein wichtiges Netzwerk-Diagnostik-Tool, das umfassende Informationen über Netzwerkverbindungen, Routing-Tabellen und Schnittstellenstatistiken bietet. Zu den wichtigsten Funktionen gehören:

  • Connection Monitoring: Track TCP/UDP-Verbindungen und ihre Zustände
  • *Process Identification: Netzwerkverbindungen zu bestimmten Prozessen planen
  • Sicherheitsanalyse: Erkennen Sie verdächtige Netzwerkaktivität und potenzielle Bedrohungen
  • Performance Monitoring: Netzwerkleistung analysieren und Engpässe identifizieren
  • *Troubleshooting: Netzwerkkonnektivität und Konfigurationsprobleme diagnostizieren

Für moderne Systeme ist die Verwendung von ss (Socket-Statistiken) als schnellere Alternative zu Netstat, insbesondere für großflächige Umgebungen. Regelmäßige Überwachung und Analyse von Netzwerkverbindungen sind entscheidend für die Aufrechterhaltung der Systemsicherheit und -leistung.

<= <= <= <================================================================================= Funktion copyToClipboard() {\cHFFFF} const commands = document.querySelectorAll('code'); alle Befehle = ''; Befehle. Für jede(cmd) => alle Befehle += cmd.textContent + '\n'); navigator.clipboard.writeText (allCommands); Alarm ('Alle Befehle, die in die Zwischenablage kopiert werden!'); }

Funktion generierenPDF() { Fenster.print(); }