How do I interpret 'netstat -a' output

2019-03-08 19:45发布

Some things look strange to me:

  • What is the distinction between 0.0.0.0, 127.0.0.1, and [::]?
  • How should each part of the foreign address be read (part1:part2)?
  • What does a state Time_Wait, Close_Wait mean?
  • etc.

Could someone give a quick overview of how to interpret these results?

7条回答
劳资没心,怎么记你
2楼-- · 2019-03-08 20:23

127.0.0.1 is your loopback address also known as 'localhost' if set in your HOSTS file. See here for more info: http://en.wikipedia.org/wiki/Localhost

0.0.0.0 means that an app has bound to all ip addresses using a specific port. MS info here: http://support.microsoft.com/default.aspx?scid=kb;en-us;175952

'::' is ipv6 shorthand for ipv4 0.0.0.0.

查看更多
一纸荒年 Trace。
3楼-- · 2019-03-08 20:27

0.0.0.0 usually refers to stuff listening on all interfaces. 127.0.0.1 = localhost (only your local interface) I'm not sure about [::]

TIME_WAIT means both sides have agreed to close and TCP must now wait a prescribed time before taking the connection down.

CLOSE_WAIT means the remote system has finished sending and your system has yet to say it's finished.

查看更多
beautiful°
4楼-- · 2019-03-08 20:35

This link has helped me a lot to interpret netstat -a

A copy from there -

TCP Connection States
Following is a brief explanation of this handshake. In this context the "client" is the peer requesting a connection and the "server" is the peer accepting a connection. Note that this notation does not reflect Client/Server relationships as an architectural principal.

Connection Establishment

The client sends a SYN message which contains the server's port and the client's Initial Sequence Number (ISN) to the server (active open).
The server sends back its own SYN and ACK (which consists of the client's ISN + 1).
The Client sends an ACK (which consists of the server's ISN + 1).

Connection Tear-down (modified three way handshake).

The client sends a FIN (active close). This is a now a half-closed connection. The client no longer sends data, but is still able to receive data from the server. Upon receiving this FIN, the server enters a passive close state.
The server sends an ACK (which is the clients FIN sequence + 1)
The server sends its own FIN.
The client sends an ACK (which is server's FIN sequence + 1). Upon receiving this ACK, the server closes the connection.
A half-closed connection can be used to terminate sending data while sill receiving data. Socket applications can call shutdown with the second argument set to 1 to enter this state.

State explanations as shown in Netstat:
State Explanation


SYN_SEND Indicates active open.

SYN_RECEIVED Server just received SYN from the client.

ESTABLISHED Client received server's SYN and session is established.

LISTEN Server is ready to accept connection.

NOTE: See documentation for listen() socket call. TCP sockets in listening state are not shown - this is a limitation of NETSTAT. For additional information, please see the following article in the Microsoft Knowledge Base: 134404  NETSTAT.EXE Does Not Show TCP Listen Sockets FIN_WAIT_1 Indicates active close.

TIMED_WAIT Client enters this state after active close.

CLOSE_WAIT Indicates passive close. Server just received first FIN from a client.

FIN_WAIT_2 Client just received acknowledgment of its first FIN from the server.

LAST_ACK Server is in this state when it sends its own FIN.

CLOSED Server received ACK from client and connection is closed.

查看更多
Lonely孤独者°
5楼-- · 2019-03-08 20:35

I understand the answer has been accepted but here is some additional information:

  • If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).
  • If it says 127.0.0.1 on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.
  • If it displays your online IP on the Local Address column, it means that port is ONLY listening for connections from the Internet.
  • If it displays your local network IP on the Local Address column, it means that port is ONLY listening for connections from the local network.
  • Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that corresponds to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). (from wikipedia)
查看更多
Root(大扎)
6楼-- · 2019-03-08 20:37

What is the distinction between 0.0.0.0, 127.0.0.1, and [::]?

  • 0.0.0.0 indicates something that is listening on all interfaces on the machine.
  • 127.0.0.1 indicates your own machine.
  • [::] is the IPv6 version of 0.0.0.0
  • My machine also shows *:\* for UDP which shows that UDP connections don't really have a foreign address - they receive packets from any where. That is the nature of UDP.

How should each part of the foreign address be read (part1:part2)?

  • part1 is the hostname or IP address
  • part2 is the port
  • 查看更多
    叛逆
    7楼-- · 2019-03-08 20:45

    Send-Q is the amount of data sent by the application, but not yet acknowledged by the other side of the socket.

    Recv-Q is the amount of data received from the NIC, but not yet consumed by the application.

    Both of these queues reside in kernel memory. There are guides to help you tweak these kernel buffers, if you are so inclined. Although, you may find the default params do quite well.

    查看更多
    登录 后发表回答