1. About Recv-Q and Send-Q in netstat -anp output
[root@zayhu01-mb ~]# netstat -anp | head
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2742/sshd
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 29931/ruby
tcp 0 0 0.0.0.0:4505 0.0.0.0:* LISTEN 15776/python2.6
tcp 0 0 0.0.0.0:4506 0.0.0.0:* LISTEN 15783/python2.6
tcp 0 0 0.0.0.0:28027 0.0.0.0:* LISTEN 2880/bin/mongod
tcp 0 0 0.0.0.0:50491 0.0.0.0:* LISTEN 2567/rpc.statd
tcp 0 0 0.0.0.0:24224 0.0.0.0:* LISTEN 29931/ruby
tcp 0 0 0.0.0.0:10050 0.0.0.0:* LISTEN 31248/zabbix_agentd
[root@zayhu01-mb ~]#
What It Means
"Proto" is short for protocol, which is either TCP or UDP. "Recv-Q" and "Send-Q" mean receiving queue and sending queue. These should always be zero; if they're not you might have a problem. Packets should not be piling up in either queue, except briefly, as this example shows:
tcp 0 593 192.168.1.5:34321 venus.euao.com:smtp ESTABLISHED
That happened when I hit the "check mail" button in KMail; a brief queuing of outgoing packets is normal behavior. If the receiving queue is consistently jamming up, you might be experiencing a denial-of-service attack. If the sending queue does not clear quickly, you might have an application that is sending them out too fast, or the receiver cannot accept them quickly enough.
"Local address" is either your IP and port number, or IP and the name of a service. "Foreign address" is the hostname and service you are connected to. The asterisk is a placeholder for IP addresses, which of course cannot be known until a remote host connects. "State" is the current status of the connection. Any TCP state can be displayed here, but these three are the ones you want to see
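The gist is as follows:
Recv-Q and Send-Q are the network receive queue and send queue respectively; Q is short for Queue. Both values should normally be 0, and a non-zero value may indicate a problem. Packets should not pile up in either queue, although a brief non-zero value is acceptable. As in the example, a Send-Q that is briefly non-zero while packets are being sent is normal.
If the receive queue Recv-Q stays backed up, the host may be under a denial-of-service attack. If the send queue Send-Q does not drain quickly, either an application is sending packets out too fast or the peer is not accepting them quickly enough.
Recv-Q: the amount of data that has already arrived in the local receive buffer but has not yet been taken by the process with recv().
Send-Q: data that the peer has not received, or rather has not ACKed, and that is therefore still in the local buffer.
With these two netstat values you can quickly tell whether a program is not getting packets because they never arrived or because the process has not recv()'d them.
For example: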
[root@zayhu01-mb ~]# netstat -anp|grep 16715 | grep 7070 | grep -v LISTEN
sctp 0 0 172.34.11.11:7070 172.34.28.118:37733 ESTABLISHED 16715/java
sctp 0 604 172.34.11.11:7070 172.34.0.206:36314 ESTABLISHED 16715/java
sctp 0 839 172.34.11.11:7070 172.34.17.191:44516 ESTABLISHED 16715/java
sctp 0 483 172.34.11.11:7070 172.34.5.72:38376 ESTABLISHED 16715/java
sctp 0 482 172.34.11.11:7070 172.34.23.190:60160 ESTABLISHED 16715/java
sctp 0 0 172.34.11.11:7070 172.34.8.26:41579 ESTABLISHED 16715/java
sctp 0 0 172.34.11.11:7070 172.34.8.151:60199 ESTABLISHED 16715/java
sctp 0 0 172.34.11.11:7070 172.34.27.100:38005 ESTABLISHED 16715/java
sctp 0 607 172.34.11.11:7070 172.34.11.11:36616 ESTABLISHED 16715/java
sctp 0 0 172.34.11.11:7070 172.34.10.26:45828 ESTABLISHED 16715/java
sctp 0 787 172.34.11.11:7070 172.34.2.121:53356 ESTABLISHED 16715/java
sctp 0 752 172.34.11.11:7070 172.34.28.86:37574 ESTABLISHED 16715/java
sctp 0 483 172.34.11.11:7070 172.34.16.161:35600 ESTABLISHED 16715/java
sctp 0 0 172.34.11.11:7070 172.34.0.206:45765 ESTABLISHED 16715/java
sctp 0 0 172.34.11.11:7070 172.34.17.191:42716 ESTABLISHED 16715/java
[root@zayhu01-mb ~]# netstat -anp|grep 16715 | grep 7070 | grep -v LISTEN | awk '{sum+=$2}END{print sum}'   # sum of Recv-Q
0
[root@zayhu01-mb ~]# netstat -anp|grep 16715 | grep 7070 | grep -v LISTEN | awk '{sum+=$3}END{print sum}'   # sum of Send-Q
4503
[root@zayhu01-mb ~]#
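The rule above is that a briefly non-zero queue is normal and only a queue that stays non-zero points to a problem, so a single netstat run cannot settle it. The following added example (not from the original page) compares several snapshots and reports sockets whose Recv-Q or Send-Q was non-zero in every one; the snapshot text, addresses and function names are constructed for illustration.

```python
# Constructed sample: three `netstat -an` snapshots taken a few seconds apart.
SNAPSHOTS = [
    """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 593 192.0.2.5:34321 198.51.100.9:25 ESTABLISHED
tcp 4096 0 192.0.2.5:8888 203.0.113.7:40112 ESTABLISHED
sctp 0 604 192.0.2.5:7070 203.0.113.20:36314 ESTABLISHED""",
    """tcp 0 0 192.0.2.5:34321 198.51.100.9:25 ESTABLISHED
tcp 8192 0 192.0.2.5:8888 203.0.113.7:40112 ESTABLISHED
sctp 0 604 192.0.2.5:7070 203.0.113.20:36314 ESTABLISHED""",
    """tcp 0 0 192.0.2.5:34321 198.51.100.9:25 ESTABLISHED
tcp 12288 0 192.0.2.5:8888 203.0.113.7:40112 ESTABLISHED
sctp 0 839 192.0.2.5:7070 203.0.113.20:36314 ESTABLISHED""",
]


def parse_snapshot(text):
    """Return {(proto, local, foreign): (recv_q, send_q)} for non-listening sockets."""
    socks = {}
    for line in text.splitlines():
        f = line.split()
        # Data rows are: proto, two integer queue sizes, local, foreign, [state].
        if len(f) < 5 or not (f[1].isdigit() and f[2].isdigit()):
            continue  # header or banner line
        state = f[5] if len(f) > 5 else ""
        if state == "LISTEN":
            continue  # same filter as `grep -v LISTEN` on the page
        socks[(f[0], f[3], f[4])] = (int(f[1]), int(f[2]))
    return socks


def persistent_backlog(snapshots):
    """Sockets present in every snapshot whose queue never dropped to zero."""
    parsed = [parse_snapshot(s) for s in snapshots]
    common = set(parsed[0]).intersection(*parsed[1:])
    result = {"recv": [], "send": []}
    for key in sorted(common):
        if all(p[key][0] > 0 for p in parsed):
            result["recv"].append(key)   # local process is not draining with recv()
        if all(p[key][1] > 0 for p in parsed):
            result["send"].append(key)   # peer has not ACKed, or sender is too fast
    return result


if __name__ == "__main__":
    print(persistent_backlog(SNAPSHOTS))
```

The mail connection with Send-Q 593 in the first snapshot is not reported because it drains by the second one, which matches the "brief queuing is normal" case.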
2. About the /proc/net/sctp/assocs file
[root@zayhu01-mb ~]# awk '{for(i=1;i<NF;i++)if($i~/LPORT/)l=i;if($l~/7070|LPORT/)print }' /proc/net/sctp/assocs
ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC wmema wmemq sndbuf rcvbuf
ffff88036c975000 ffff88073bf05c00 2 1 3 26 13869 702 0 501 925943431 7070 41343 172.34.11.11 <-> *172.34.16.161 7500 10 10 10 0 0 0 1529 1280 212992 212992
ffff880003223000 ffff88073bf07300 2 1 3 35 13106 0 0 501 903426908 7070 37788 172.34.11.11 <-> *172.34.21.131 7500 10 10 10 0 0 0 1 0 212992 212992
Explanation:
awk '{for(i=1;i<NF;i++)if($i~/LPORT/)l=i;if($l~/7070|LPORT/)print }' /proc/net/sctp/assocs   # prints the rows whose LPORT column contains 7070
awk '{for(i=1;i<NF;i++)if($i~/LPORT/)l=i;if($l~/7070|LPORT/)print }' /proc/net/sctp/assocs |awk '{for(i=1;i<NF;i++)if($i~/RX_QUEUE/)k=i;print $k}'   # prints the RX_QUEUE column
awk '{for(i=1;i<NF;i++)if($i~/LPORT/)l=i;if($l~/7070|LPORT/)print }' /proc/net/sctp/assocs |awk '{for(i=1;i<NF;i++)if($i~/RX_QUEUE/)k=i;print $k}'|grep -v "RX_QUEUE"|awk '{sum+=$1}'END'{print sum}'   # computes the sum of that column
ASSOC: the memory address of the assoc.
SOCK: the memory address of the sock.
STY: the type of the SCTP sock.
SCTP_SOCKET_UDP = 0,
SCTP_SOCKET_UDP_HIGH_BANDWIDTH = 1,
SCTP_SOCKET_TCP = 2,
SST: the state of the sock. SCTP sock states reuse the states of the TCP protocol.
Sock states in SCTP:
SCTP_SS_CLOSED = TCP_CLOSE, //7
SCTP_SS_LISTENING = TCP_LISTEN, //10
SCTP_SS_ESTABLISHING = TCP_SYN_SENT, //2
SCTP_SS_ESTABLISHED = TCP_ESTABLISHED, //1
SCTP_SS_CLOSING = TCP_CLOSING, //11
ST: the state of the assoc. The assoc state takes the following values:
/* SCTP state defines for internal state machine */
SCTP_STATE_EMPTY = 0,
SCTP_STATE_CLOSED = 1,
SCTP_STATE_COOKIE_WAIT = 2,
SCTP_STATE_COOKIE_ECHOED = 3,
SCTP_STATE_ESTABLISHED = 4,
SCTP_STATE_SHUTDOWN_PENDING = 5,
SCTP_STATE_SHUTDOWN_SENT = 6,
SCTP_STATE_SHUTDOWN_RECEIVED = 7,
SCTP_STATE_SHUTDOWN_ACK_SENT = 8,
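HBKT: the hash value of this assoc in the hash table.
ASSOC-ID: the ID of this connection.
TX_QUEUE: memory used by the send buffer, in bytes.
RX_QUEUE: memory used by the receive queue, in bytes.
UID INODE: the uid and the inode that correspond to the sock, respectively.
LPORT RPORT: the local port and the remote port, respectively.
LADDRS <-> RADDRS: the local IP address and the remote IP address, respectively.
HBINT: the interval at which the assoc sends heartbeats.
OUTS: similar to INS; the maximum number of streams this assoc is allowed to send on. The default is 10.
MAXRT: the maximum number of retransmissions allowed for this assoc. The default is 10.
T1X: the number of times this assoc has retransmitted the INIT chunk.
T2X: the number of times this assoc has retransmitted the SHUTDOWN chunk.
RTXC: the number of times this assoc has retransmitted DATA chunks.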
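An added example (not the page's or the kernel's code) that parses the assocs table by header name and reports per-port queue totals, as the awk pipeline above does. It also handles multi-homed associations, where several addresses appear on each side of <-> and the trailing columns therefore have to be counted from the end of the row; the third sample row and the function names are constructed.

```python
# SST values as listed on the page (SCTP sock states mapped onto TCP states).
SST_NAMES = {7: "CLOSED", 10: "LISTENING", 2: "ESTABLISHING",
             1: "ESTABLISHED", 11: "CLOSING"}

# Header and first two rows are the page's sample output; the third row is
# constructed to show a multi-homed association (two addresses per side).
SAMPLE = """\
ASSOC SOCK STY SST ST HBKT ASSOC-ID TX_QUEUE RX_QUEUE UID INODE LPORT RPORT LADDRS <-> RADDRS HBINT INS OUTS MAXRT T1X T2X RTXC wmema wmemq sndbuf rcvbuf
ffff88036c975000 ffff88073bf05c00 2 1 3 26 13869 702 0 501 925943431 7070 41343 172.34.11.11 <-> *172.34.16.161 7500 10 10 10 0 0 0 1529 1280 212992 212992
ffff880003223000 ffff88073bf07300 2 1 3 35 13106 0 0 501 903426908 7070 37788 172.34.11.11 <-> *172.34.21.131 7500 10 10 10 0 0 0 1 0 212992 212992
ffff880000000000 ffff880000000100 2 1 3 12 77 0 2048 501 1234 7070 5000 192.0.2.1 192.0.2.2 <-> *198.51.100.1 198.51.100.2 7500 10 10 10 0 0 3 1 0 212992 212992
"""


def parse_assocs(text):
    """Parse /proc/net/sctp/assocs text into a list of dicts keyed by column name."""
    lines = text.splitlines()
    header = lines[0].split()
    n_head = header.index("LADDRS")                    # fixed columns before the addresses
    n_tail = len(header) - header.index("RADDRS") - 1  # fixed columns after them
    rows = []
    for line in lines[1:]:
        f = line.split()
        if "<->" not in f:
            continue  # blank or malformed line
        sep = f.index("<->")
        row = dict(zip(header[:n_head], f[:n_head]))
        row.update(zip(header[-n_tail:], f[-n_tail:]))  # index the tail from the end
        row["LADDRS"] = f[n_head:sep]
        row["RADDRS"] = f[sep + 1:len(f) - n_tail]
        rows.append(row)
    return rows


def queue_report(text, lport):
    """Sum TX_QUEUE/RX_QUEUE for one local port and list assocs with a backlog."""
    rows = [r for r in parse_assocs(text) if r["LPORT"] == str(lport)]
    return {
        "tx_total": sum(int(r["TX_QUEUE"]) for r in rows),
        "rx_total": sum(int(r["RX_QUEUE"]) for r in rows),
        "backlogged": [(r["ASSOC-ID"], SST_NAMES.get(int(r["SST"]), "?"),
                        int(r["TX_QUEUE"]), int(r["RX_QUEUE"]), int(r["RTXC"]))
                       for r in rows if int(r["TX_QUEUE"]) or int(r["RX_QUEUE"])],
    }


if __name__ == "__main__":
    print(queue_report(SAMPLE, 7070))
```

On a live host, pass the contents of /proc/net/sctp/assocs instead of SAMPLE.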