1. Overview
Linux is a powerful operating system that offers a wide range of commands for system administration, network management, and troubleshooting. Though it’s recently been deprecated in favor of nstat and ss, netstat remains a useful command for network administration.
In this tutorial, we’ll explore the netstat command and various examples to illustrate its usage.
2. What Is netstat?
netstat, short for “network statistics”, is a command-line tool in Linux that offers details about network connections, routing tables, network interface stats, and multicast memberships. It’s a useful tool for network administrators and system operators to monitor and troubleshoot networking issues.
3. Installing netstat
In most Linux distributions, netstat is a part of the net-tools package, which may not be installed by default. Let’s update and install netstat using apt-get:
$ sudo apt-get update
$ sudo apt-get install net-tools
Next, let’s learn how to use the netstat command by going through some examples.
4. Basic Usage
Before diving into examples, let’s take a look at the basic syntax of the netstat command:
$ netstat [options]
The [options] section consists of various flags and parameters that control the output of netstat.
4.1. Displaying Active Connections
netstat is used for basic network administration tasks, such as displaying active connections and monitoring network traffic. Firstly, let’s use the netstat command without any parameters to display all active network connections:
$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 kali:43502 103.21.5.62:https ESTABLISHED
tcp 0 0 kali:44258 71.229.116.34.bc.:https ESTABLISHED
udp 0 0 kali:60450 maa05s09-in-f10.1:https ESTABLISHED
udp 0 0 kali:44156 maa03s26-in-f3.1e:https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] STREAM 25752 @printer-applet-lock-user-aashish
unix 3 [ ] SEQPACKET CONNECTED 28453 @5b613
unix 2 [ ] DGRAM 22161 /run/user/1000/systemd/notify
The output lists the active Internet connections first, followed by the active UNIX domain sockets. Here’s a breakdown of the columns in the Internet connections table:
- Proto: the protocol used (TCP or UDP)
- Recv-Q: receive queue size (number of bytes received by the kernel but not yet read by the application)
- Send-Q: send queue size (number of bytes not yet acknowledged by the remote host)
- Local Address: IP address and port number of the local end of the connection
- Foreign Address: IP address and port number of the remote end of the connection
- State: current state of the connection
4.2. Listing All Listening Ports
Let’s use netstat along with the -l option to view only the listening ports, which are waiting for incoming connections:
$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN
tcp 0 0 localhost:38993 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:50001 0.0.0.0:*
udp 0 0 mdns.mcast.net:mdns 0.0.0.0:*
...
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 24008 @/tmp/.ICE-unix/1608
unix 2 [ ACC ] STREAM LISTENING 18159 /run/avahi-daemon/socket
unix 2 [ ACC ] SEQPACKET LISTENING 13833 /run/systemd/coredump
...
The command lists all the ports including UNIX domain sockets that are currently in a listening state, awaiting incoming connections. It provides valuable information for network troubleshooting and ensuring that services are up and running.
4.3. Listing All TCP Listening Ports
The netstat -lt command displays active listening server sockets for TCP connections:
$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN
tcp 0 0 localhost:38993 0.0.0.0:* LISTEN
The -lt option in the netstat command stands for:
- -l: shows only listening sockets, which are sockets that are waiting for incoming connections
- -t: restricts the output to only TCP connections
4.4. Listing All UDP Listening Ports
Similarly, we’ll now use netstat with the -lu option to show only the listening UDP ports:
$ netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:50001 0.0.0.0:*
udp 0 0 mdns.mcast.net:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:44147 [::]:*
The command focuses on displaying only the UDP ports in a listening state. This is useful for identifying services that are using UDP for communication, such as DNS and DHCP.
4.5. Listing Statistics for All Protocols
Statistical information for network protocols provides metrics on connection counts, error rates, data transfer volumes, and other performance indicators. To gather statistical information for specific protocols, we can use netstat with the -s (statistics) option:
$ netstat -s
Ip:
Forwarding: 1
91240 total packets received
1 with invalid addresses
91087 incoming packets delivered
...
Icmp:
2 ICMP messages received
1 input ICMP message failed
ICMP input histogram:
destination unreachable: 2
IcmpMsg:
InType3: 2
OutType3: 21
Tcp:
1371 active connection openings
5 failed connection attempts
145 connection resets received
51 connections established
...
The command provides detailed statistics for various network protocols, including IP, ICMP, and TCP. It is particularly useful for diagnosing network performance issues and understanding the behavior of the network stack.
4.6. Listing Statistics for TCP Ports
For a more specific breakdown of TCP port statistics, we’ll use the -s (statistics) and -t (TCP) flags with the netstat command:
$ netstat -st
IcmpMsg:
OutType3: 3
Tcp:
200 active connection openings
0 passive connection openings
...
IpExt:
InMcastPkts: 426
OutMcastPkts: 1227
...
The command provides statistics for the TCP protocol, such as packet counts, errors, and other pertinent information related to TCP connections.
4.7. Listing Statistics for UDP Ports
Similar to listing statistics of TCP ports, the netstat -su command focuses on the statistical information related to UDP ports:
$ netstat -su
IcmpMsg:
OutType3: 3
Udp:
5487 packets received
3 packets to unknown port received
...
UdpLite:
IpExt:
InMcastPkts: 503
OutMcastPkts: 1231
...
The command shows statistics for the UDP protocol, including packet counts, errors, and other relevant details specific to UDP connections.
5. Advanced Usage
netstat offers more advanced features for in-depth network analysis.
5.1. Displaying Route Information
To display the kernel routing table, showing how network packets are routed to their destinations, let’s use the netstat -r command, where -r stands for route:
$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default dsldevice.lan 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
The command output shows that all unspecified traffic goes through the gateway dsldevice.lan via wlan0, while local network traffic for 192.168.1.0 is directly connected via wlan0.
5.2. Combining Options for Detailed Information
Combining netstat with -tulpn displays detailed information about all listening TCP and UDP sockets, including the PID and program name, with addresses shown numerically:
$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:46865 0.0.0.0:* LISTEN 993/containerd
udp 0 0 0.0.0.0:39214 0.0.0.0:* 755/avahi-daemon: r
udp 0 0 224.0.0.251:5353 0.0.0.0:* 2546/chrome
udp 0 0 0.0.0.0:5353 0.0.0.0:* 755/avahi-daemon: r
udp6 0 0 :::52189 :::* 755/avahi-daemon: r
udp6 0 0 :::5353 :::* 755/avahi-daemon: r
The command output shows active listening ports and associated processes. Notable entries include containerd listening on TCP port 46865, avahi-daemon on UDP ports 39214 and 5353 (both IPv4 and IPv6), and chrome on UDP port 5353 for multicast.
Here’s what the -tulpn options mean:
- -t: shows TCP connections
- -u: shows UDP connections
- -l: shows only listening sockets
- -p: shows the PID and program name
- -n: shows numerical addresses
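A frequent use of this output is checking which services accept traffic on every interface rather than only on loopback. The following is an added example, not part of the original tutorial: the function names tulpn_sample and exposed_listeners are hypothetical, and the sample rows are the output shown above.

```shell
#!/bin/sh
# Added example: list sockets from `netstat -tulpn` that are bound to the
# wildcard address (0.0.0.0 or ::) and therefore reachable on all interfaces.

# Sample input: the `sudo netstat -tulpn` rows shown in this section.
tulpn_sample() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:46865         0.0.0.0:*               LISTEN      993/containerd
udp        0      0 0.0.0.0:39214           0.0.0.0:*                           755/avahi-daemon: r
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           2546/chrome
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           755/avahi-daemon: r
udp6       0      0 :::52189                :::*                                755/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                755/avahi-daemon: r
EOF
}

# exposed_listeners: read `netstat -tulpn` text on stdin and print
# "proto port pid/program" for every wildcard-bound socket.
exposed_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      # The port is the text after the last ":"; the rest is the bind address.
      n = split($4, parts, ":")
      port = parts[n]
      addr = substr($4, 1, length($4) - length(port) - 1)
      # UDP rows have an empty State column, so PID/Program moves one field left.
      prog = ($1 ~ /^tcp/) ? $7 : $6
      sub(/:$/, "", prog)   # "755/avahi-daemon:" -> "755/avahi-daemon"
      if (addr == "0.0.0.0" || addr == "::") print $1, port, prog
    }'
}

# Stand-alone demo; on a live host use: sudo netstat -tulpn | exposed_listeners
tulpn_sample | exposed_listeners
```

On the sample, containerd (loopback only) and chrome (bound to the multicast group address) are left out, and the four avahi-daemon sockets are reported.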
5.3. Filtering by Specific Port
Another use of netstat is filtering the connections for a specific port. We’ll use netstat with the -an option and filter for port 80 using grep:
$ netstat -an | grep :80
udp6 0 0 2400:1a00:b020:5a:56703 2404:6800:4002:805::443 ESTABLISHED
udp6 0 0 2400:1a00:b020:5a:49474 2404:6800:4002:80c::443 ESTABLISHED
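The command returns two established UDP IPv6 connections to remote port 443, neither of which uses port 80. They appear because grep matches :80 anywhere in the line, here inside the foreign IPv6 addresses (:805 and :80c).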
The -an option in the netstat command means:
- -a: displays all active connections and the listening ports
- -n: shows addresses and port numbers in numerical form, rather than resolving them to hostnames and service names
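Because grep :80 is a substring match, it also hits ports such as 8080 and IPv6 groups such as :805. The following is an added example, not part of the original tutorial, that compares the port field of each address column exactly; filter_port and sample_rows are hypothetical names, and the sample combines the two udp6 rows above with rows constructed for the demonstration.

```shell
#!/bin/sh
# Added example: exact port filtering for `netstat -an` output.

# Constructed sample in `netstat -an` format (the udp6 rows are from this page).
sample_rows() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.168.1.68:38142      103.18.12.112:443       ESTABLISHED
udp6       0      0 2400:1a00:b020:5a:56703 2404:6800:4002:805::443 ESTABLISHED
udp6       0      0 2400:1a00:b020:5a:49474 2404:6800:4002:80c::443 ESTABLISHED
EOF
}

# filter_port PORT [local|foreign|any]
# Read `netstat -an` text on stdin and print only the tcp/udp rows whose
# local and/or foreign port equals PORT exactly (default side: any).
filter_port() {
  awk -v port="$1" -v side="${2:-any}" '
    # The port is whatever follows the last ":" of an address column,
    # which works for IPv4 (a.b.c.d:80) and IPv6 (:::80) alike.
    function port_of(addr,   n, parts) {
      n = split(addr, parts, ":")
      return parts[n]
    }
    $1 ~ /^(tcp|udp)6?$/ {
      l = (port_of($4) == port)
      f = (port_of($5) == port)
      if ((side == "local" && l) || (side == "foreign" && f) ||
          (side == "any" && (l || f))) print
    }'
}

# Stand-alone demo; on a live host use: netstat -an | filter_port 80 local
echo "substring match: $(sample_rows | grep -c ':80') rows"
echo "exact match:     $(sample_rows | filter_port 80 | grep -c .) rows"
sample_rows | filter_port 80
```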
5.4. Filtering by Specific IP Address
Likewise, to filter the results by a specific IP address, we’ll pipe the netstat output to grep with that address as the pattern:
$ netstat -an | grep 192.168.1.68
tcp 0 0 192.168.1.68:38142 103.18.12.112:443 ESTABLISHED
tcp 0 0 192.168.1.68:41608 103.18.12.112:443 ESTABLISHED
The command output shows two established TCP connections from the local IP address 192.168.1.68 to the remote IP address 103.18.12.112 on port 443. Furthermore, the connections use local ports 38142 and 41608, indicating active communications between the local machine and the remote server over HTTPS.
5.5. Monitoring Network Connections in Real-Time
To monitor network connections in real-time, we can combine watch with netstat:
$ watch -n 1 netstat -an
We’ll get output that constantly updates:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:46569 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN
tcp 0 0 192.168.1.68:39696 72.125.120.184:5228 ESTABLISHED
tcp 0 0 192.168.1.68:38432 182.64.154.145:443 ESTABLISHED
The command displays local and remote addresses along with their connection states. Moreover, the -n 1 option used with the watch command refreshes the displayed output every 1 second, allowing us to see changes in network connections as they happen.
5.6. Monitoring Network Performance
We can monitor network performance by examining interface statistics with netstat along with the -i option:
$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 65536 232 0 0 0 232 0 0 0 LRU
neweOth0 1500 0 0 0 0 0 0 0 0 BMU
wlan0 1500 545065 0 0 0 120469 0 0 0 BMRU
Let’s understand what the command shows about network interface statistics:
- lo: loopback interface with 232 packets sent and received
- neweOth0: unused interface (0 packets sent or received)
- wlan0: wireless interface with 545,065 packets received and 120,469 packets sent
6. Conclusion
In this article, we explored the usage of the netstat command with various examples.
netstat offers a suite of options for monitoring and troubleshooting network connections, including viewing active connections, listing listening ports, and displaying detailed protocol statistics. Despite being deprecated and replaced by ss, it remains widely used for both basic and advanced network analysis, providing essential insights into network status and performance for maintaining and diagnosing issues.