netstat ‐ #networking - five4nets/Linux-Knowledgebase GitHub Wiki

Tutorial: Using the Linux netstat Command

The netstat (network statistics) command is a powerful tool in Linux for displaying network connections, routing tables, interface statistics, and more. This tutorial covers its usage, common options, and practical examples to help you monitor and troubleshoot network activity.

Note: While netstat is widely used, some modern Linux distributions recommend tools like ss or ip for similar tasks. However, netstat remains relevant on many systems.

Prerequisites

  • A Linux system with netstat installed (usually part of the net-tools package).
  • Basic familiarity with the Linux terminal.
  • Root privileges for some commands (use sudo where needed).

If netstat is not installed, install it:

sudo apt install net-tools  # Debian/Ubuntu
sudo yum install net-tools  # CentOS/RHEL

Overview of netstat

netstat provides information about:

  • Active network connections (TCP/UDP).
  • Listening ports.
  • Routing tables.
  • Network interface statistics.
  • Protocol statistics.

Basic Syntax

netstat [options]

Common options:

  • -a: Show all connections, including listening and non-listening sockets.
  • -t: Display TCP connections.
  • -u: Display UDP connections.
  • -l: Show listening sockets.
  • -n: Show numerical addresses (e.g., IP addresses instead of hostnames).
  • -p: Display the program/process ID (PID) associated with each connection.
  • -r: Show the kernel routing table.
  • -i: Display network interface statistics.
  • -s: Show network protocol statistics.

For a full list of options, run:

man netstat

Common Use Cases and Examples

1. List All Active Connections

To display all active connections (TCP and UDP, listening and non-listening):

netstat -a

Output Example:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:22           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.100:22       192.168.1.101:12345     ESTABLISHED
udp        0      0 0.0.0.0:68             0.0.0.0:*

  • Explanation:
    • Proto: Protocol (TCP/UDP).
    • Local Address: The local IP and port.
    • Foreign Address: The remote IP and port.
    • State: Connection state (e.g., LISTEN, ESTABLISHED).

2. Show Listening Ports

To list all listening ports:

netstat -tuln

  • Options:
    • -t: TCP connections.
    • -u: UDP connections.
    • -l: Listening sockets.
    • -n: Numerical addresses (faster, avoids DNS lookups).

Output Example:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123            0.0.0.0:*

  • Use Case: Identify services running on your system (e.g., SSH on port 22).

3. Display Processes Using Ports

To see which programs are using specific ports:

sudo netstat -tulnp

  • Options:
    • -p: Show the program name and PID.
    • Run with sudo to see process information for sockets owned by other users; without it, the PID/Program name column shows - for those sockets.

Output Example:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22             0.0.0.0:*               LISTEN      1234/sshd
udp        0      0 0.0.0.0:123            0.0.0.0:*                           5678/ntpd

  • Use Case: Troubleshoot port conflicts or identify unknown services.

4. View Routing Table

To display the kernel routing table:

netstat -r

Output Example:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

  • Explanation:
    • Destination: Target network or host.
    • Gateway: Next hop for routing.
    • Iface: Network interface.
  • Use Case: Verify routing configuration for network troubleshooting.

5. Display Network Interface Statistics

To show statistics for network interfaces:

netstat -i

Output Example:

Kernel Interface table
Iface   MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  123456      0      0      0   654321      0      0      0 BRU
lo      65536  7890       0      0      0    7890       0      0      0 LR

  • Explanation:
    • RX-OK/TX-OK: Received/transmitted packets without errors.
    • RX-ERR/TX-ERR: Error packets.
  • Use Case: Monitor interface performance or detect errors.

6. Show Protocol Statistics

To display statistics for network protocols:

netstat -s

Output Example:

Ip:
    123456 total packets received
    0 forwarded
Tcp:
    7890 active connections openings
    0 failed connection attempts
Udp:
    456 packets received
    0 packets to unknown port received

  • Use Case: Analyze protocol-level issues (e.g., dropped packets).

7. Filter Specific Ports

To check if a specific port (e.g., 80) is in use (the trailing space in the pattern keeps ports such as 8080 from matching):

netstat -tuln | grep ':80 '

Output Example:

tcp        0      0 0.0.0.0:80             0.0.0.0:*               LISTEN

  • Use Case: Verify if a web server is running on port 80.

8. Continuous Monitoring

To continuously monitor connections (refreshes every 2 seconds):

netstat -c

  • Use Case: Observe real-time changes in network activity.

Tips and Best Practices

  • Use Numerical Output: Add -n to avoid slow DNS lookups.
  • Combine Options: Combine flags (e.g., -tulnp) for specific needs.
  • Root Privileges: Use sudo for detailed process information.
  • Alternative Tools: Consider ss for faster output or nmap for port scanning.
  • Security: Regularly check listening ports to detect unauthorized services.
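
The listening-port check from the Security tip and from section 3, as an added example (not part of the original tutorial): it reads `netstat -tulnp` output and reports every listener that is missing from a baseline. The ALLOWED list, the function name audit_listeners and the sample rows are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report listening sockets that are not in a baseline.
# ALLOWED is a hypothetical baseline of proto/port pairs; adjust per host.
ALLOWED="tcp/22 udp/123"

# Reads `netstat -tulnp` output on stdin and prints "proto/port scope program"
# for every listener whose proto/port pair is not in $ALLOWED.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)6?$/ { next }            # skip headers and other text
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # TCP: listening rows only
        {
            proto = $1; sub(/6$/, "", proto)       # tcp6 -> tcp, udp6 -> udp
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            key = proto "/" port
            if (key in ok) next
            # Program column starts after State (TCP) or Foreign Address (UDP)
            first = ($1 ~ /^tcp/) ? 7 : 6
            prog = ""
            for (i = first; i <= NF; i++) prog = prog (i > first ? " " : "") $i
            if (prog == "") prog = "-"             # no -p, or not run as root
            if (host == "0.0.0.0" || host == "::") scope = "all-interfaces"
            else if (host ~ /^127\./ || host == "::1") scope = "loopback"
            else scope = "address:" host
            print key, scope, prog
        }'
}

# Constructed sample in the format of `sudo netstat -tulnp`.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2222/postgres
tcp6       0      0 :::8080                 :::*                    LISTEN      3333/python3
udp        0      0 0.0.0.0:123             0.0.0.0:*                           5678/ntpd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -'

printf '%s\n' "$SAMPLE" | audit_listeners
# On a live host: sudo netstat -tulnp | audit_listeners
```

A listener reported with scope all-interfaces and program "-" is the case to look at first: it is reachable from the network and netstat could not attribute it to a process.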
