--> Netstat: this program reports the contents of the kernel data structures related to networking. One use is to display the connections and services on the host.

$ netstat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:mysql           0.0.0.0:*               LISTEN
tcp        0      0 shbackup.sho:bacula-dir 0.0.0.0:*               LISTEN
tcp        0      0 shbackup.shod:bacula-fd 0.0.0.0:*               LISTEN
tcp        0      0 shbackup.shodor.org:ssh monitor.shodor.or:36198 ESTABLISHED
tcp        0     88 shbackup.shodor.org:ssh cpe-45-37-183-254:61342 ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     10515    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     30909    /var/lib/libvirt/qemu/channel/target/domain-chem-mopac/org.qemu.guest_agent.0
unix  2      [ ]         DGRAM                    8217     /run/systemd/notify
unix  2      [ ACC ]     STREAM     LISTENING     10524    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     31777    /var/run/libvirt/libvirt-sock

# The first column gives the protocol. The next two columns give the sizes of the receive and send queues. They should be either 0 or near 0; otherwise you might have a problem with that service.
# The 4th and 5th columns give the socket (IP address and port number) for each end of the connection. It's provided in the format: hostname.service.
# The state of the connection is given in the last column for TCP connections. This is blank for UDP, since UDP is connectionless.
# Common states are:
  - ESTABLISHED: for current connections
  - LISTENING: for services awaiting a connection
  - TIME_WAIT: for recently terminated connections.
  - SYN_RECEIVED: an excessive number of these means there is a problem.
# Use the -n option for numeric results. It avoids name resolution and gives faster results.
# The * or *.echo is a placeholder for an unknown IP address.
# *.* means that both the remote host and port are unknown.
#

--> Another use of netstat is to list the routing table, to resolve host or network unreachable issues.

$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         gateway.shodor. 0.0.0.0         UG        0 0          0 br0
link-local      0.0.0.0         255.255.0.0     U         0 0          0 br0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
204.85.28.0     0.0.0.0         255.255.254.0   U         0 0          0 br0

##->NOTE: there are four ways to add entries to the routing table.
  - ifconfig: when an interface is configured
  - route: cmd to show/manipulate the IP routing tables.
  - By ICMP redirects
  - or updates from a dynamic protocol such as RIP or OSPF. The dynamic protocol entries can't be found in the config files.

# To look up the info on an interface, use:
$ netstat -i

---------<>

--> lsof: cmd used to list open files on a Unix system.
# It's most useful when tracking applications that use the filesystem or the network, or that will have open files at some point.
# It's more an OS tool than a networking tool.

$ lsof | less
COMMAND  PID  TID  USER  FD   TYPE  DEVICE  SIZE/OFF  NODE       NAME
systemd  1         root  cwd  DIR   253,1   4096      128        /
systemd  1         root  rtd  DIR   253,1   4096      128        /
systemd  1         root  txt  REG   253,1   1494168   134689621  /usr/lib/systemd/systemd

# The most useful fields are the first three (cmd-name, PID, owner).
# The -p option is used to get the open files for a specific PID.
#
$ lsof -c sendmail   # list open files for sendmail
# lsof -N   # for local NFS server.
# lsof -i   # limits the output to the internet and X.25 network files.
# It only provides the states for services that have files open.
# NOTE: you can use lsof to track FTP transfers.
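
The queue and state checks from the netstat notes above, as an added example that is not part of the original notes: a shell function that reads `netstat -n` output, flags sockets whose Recv-Q or Send-Q exceeds a threshold, counts connection states, and alerts on excessive half-open connections. The function names, both thresholds and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `netstat -n` output read on stdin.
# Usage: netstat -n | netstat_triage [queue_max] [syn_max]
# Both thresholds are assumptions; the notes only say "0 or near 0"
# and "excessive".
netstat_triage() {
    LC_ALL=C awk -v qmax="${1:-1024}" -v synmax="${2:-50}" '
    # Keep only TCP/UDP rows: proto recv-q send-q local foreign [state]
    $1 !~ /^(tcp|udp)/ || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ { next }
    {
        if ($2 + 0 > qmax || $3 + 0 > qmax)
            printf "QUEUE %s %s %s recvq=%d sendq=%d\n", $1, $4, $5, $2, $3
        state = (NF >= 6) ? $6 : "-"      # UDP rows carry no state
        count[state]++
        # Linux prints SYN_RECV, BSD SYN_RCVD, others SYN_RECEIVED
        if (state ~ /^SYN_(RECV|RCVD|RECEIVED)$/) {
            host = $5
            sub(/[:.][0-9*]+$/, "", host)  # drop the port, keep the peer
            halfopen++
            peers[host]++
        }
    }
    END {
        for (s in count) printf "STATE %s %d\n", s, count[s]
        if (halfopen > synmax) {
            printf "ALERT half-open=%d max=%d\n", halfopen, synmax
            for (h in peers) printf "SYNSRC %s %d\n", h, peers[h]
        }
    }' | LC_ALL=C sort
}

# Constructed sample (documentation addresses), not output from the page.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0     88 192.0.2.10:22           198.51.100.7:61342      ESTABLISHED
tcp        0   4096 192.0.2.10:22           198.51.100.8:40022      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:1026        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:1027        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:5555        SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:50100      TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

sample_netstat | netstat_triage 1024 3
```

On a live host, pipe `netstat -n` into `netstat_triage` and tune the two thresholds to the service's normal load.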