Show TCP Listen ports sorted by number (bugs: IPv6 addresses not supported)
Alternative:
ss -tlpn
Some commands (such as netcat) have a port option but how can you know which ports are unused?
This corrects duplicate output from the previous command.
Use the aliased command 'nsl'
This will tell you who has the most Apache connections by IP (replace IPHERE with the actual IP you wish to check). Or if you wish, remove | grep -c IPHERE for the full list.
List the top 20 IPs from which TCP connections are in the SYN_RECV state. Useful on web servers to detect a SYN flood attack. Replace SYN_ with ESTA to find established connections.
The command could show you all connections if you skip "grep ESTABLISHED".
To get the connection information of protocol tcp and extended information.
If you want prepend/append text just wrap in echo:
echo Connected: `netstat -an|grep -ci "tcp.*established"`
Sample command to obtain a list of geographic localization for established connections, extracted from netstat. Needs the geoiplookup command (part of the geoip package under CentOS).
No need for grep. It's redundant when awk is present.
Alternative to OJM's snippet: this one shows the IP too, where ports bind. It's very important, because if there's only 127.0.0.1 instead of 0.0.0.0, connections from the internet are rejected.
Worked on Ubuntu 9.04 and Cygwin with MS netstat.
perl-less way
Summarize established connections after netstat output. Using tee and /dev/stderr you can send one command output to terminal before executing wc so you can summarize at the bottom of the output.
Run netstat as root (via sudo) to get the ID of the process listening on the desired socket. Use awk to 1) match the entry that is the listening socket, 2) match the exact port (bounded by leading colon and end of column), 3) remove the trailing slash and process name from the last column, and finally 4) use the system(…) command to call kill to terminate the process. Two direct commands, netstat & awk, and one forked call to kill. This does kill the specific port instead of any port that starts with 50. I consider this to be safer.
This command does a tally of concurrent active connections from single IPs and prints out those IPs that have the most active concurrent connections. VERY useful in determining the source of a DoS or DDoS attack.
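The per-IP tallies described in the SYN_RECV entry and in the entry just above, as an added example (not any contributor's original one-liner, which this page does not preserve). The names top_remote_ips and sample_netstat and the sample connection table are constructed for illustration, and the column layout assumes Linux `netstat -ant` output.

```shell
#!/bin/sh
# Added example: count remote addresses per TCP state from `netstat -ant`-style text.
# top_remote_ips and sample_netstat are illustrative names, not from the page.

# Usage: netstat -ant | top_remote_ips SYN_RECV 20
# The state must be the full name (SYN_RECV, ESTABLISHED), not a grep-style prefix.
top_remote_ips() {
    state=${1:-SYN_RECV}
    limit=${2:-20}
    awk -v state="$state" '
        # Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address State
        $1 ~ /^tcp/ && $6 == state {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)   # strip the port (text after the last colon)
            gsub(/^\[|\]$/, "", addr)    # strip ss-style brackets around IPv6
            count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2,2 | head -n "$limit"
}

# Constructed sample input using documentation address ranges (RFC 5737 / RFC 3849).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.5:80          198.51.100.7:40112      SYN_RECV
tcp        0      0 203.0.113.5:80          198.51.100.7:40113      SYN_RECV
tcp        0      0 203.0.113.5:80          198.51.100.7:40114      SYN_RECV
tcp        0      0 203.0.113.5:80          192.0.2.44:51000        SYN_RECV
tcp        0      0 203.0.113.5:80          192.0.2.44:51001        ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::bad:33000     SYN_RECV
tcp6       0      0 2001:db8::5:80          2001:db8::bad:33001     SYN_RECV
EOF
}

# Demo on the constructed sample; on a live host pipe `netstat -ant` in instead.
sample_netstat | top_remote_ips SYN_RECV 20
```

Stripping only the text after the last colon keeps IPv6 remote addresses intact, so they are tallied alongside IPv4 ones.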
Ever logged into a *nix box and needed to know which webserver is running and where all the current access_log files are? Run this one liner to find out. Works for Apache or Lighttpd as long as CustomLog name is somewhat standard. HINT: works great as input into for loop, like this:
for i in `lsof -p $(netstat -ltpn|awk '$4 ~ /:80$/ {print substr($7,1,index($7,"/")-1)}')| awk '$9 ~ /access.log$/ {print $9| "sort -u"}'` ; do echo $i; done
Very useful for triage on unfamiliar servers!