Linux netstat Command


The netstat (network statistics) command in Linux is a network management tool used to display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. It is helpful for diagnosing network issues, monitoring active network connections, and understanding network traffic behavior.

Note that netstat has been deprecated in favor of the ss command on some newer Linux distributions, but it is still widely used.

Basic Syntax of netstat:

netstat [options]
  • options: Various flags to control the type of information you want to display.

Commonly Used netstat Options

  1. -a: Show all sockets (both listening and non-listening).

    • Displays all active connections and the listening ports.
    • Example:
      netstat -a
      Sample Output:
      Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:http *:* LISTEN tcp 0 0 *:ssh *:* LISTEN tcp 0 0 192.168.1.2:8080 192.168.1.3:56789 ESTABLISHED
      • LISTEN: The socket is listening for incoming connections.
      • ESTABLISHED: The connection is active.
  2. -t: Show TCP connections only.

    • Filters and displays only TCP connections.
    • Example:
      netstat -t
      Sample Output:
      Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.1.2:22 192.168.1.3:1024 ESTABLISHED
  3. -u: Show UDP connections only.

    • Filters and displays only UDP connections.
    • Example:
      netstat -u
      Sample Output:
      Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 192.168.1.2:53 *:* UNCONN udp 0 0 192.168.1.2:123 *:* UNCONN
  4. -l: Show only listening sockets.

    • Displays only the sockets that are in a LISTEN state (waiting for incoming connections).
    • Example:
      netstat -l
      Sample Output:
      Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:http *:* LISTEN tcp 0 0 *:ssh *:* LISTEN
  5. -n: Show numerical addresses instead of resolving hostnames.

    • By default, netstat will resolve IP addresses to hostnames, but with -n, it will display raw IP addresses and port numbers.
    • Example:
      netstat -n
      Sample Output:
      Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.1.2:22 192.168.1.3:1024 ESTABLISHED
  6. -r: Display the routing table.

    • Shows the routing table, which contains information about how packets are routed within the network.
    • Example:
      netstat -r
      Sample Output:
      Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
  7. -i: Show network interface statistics.

    • Displays information about network interfaces, including the number of packets received, transmitted, and errors.
    • Example:
      netstat -i
      Sample Output:
      Kernel Interface table Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1500 1000 0 0 0 1500 0 0 0 BMRU lo 65536 1000 0 0 0 1000 0 0 0 LRU
  8. -p: Show PID and program name (if available).

    • This will display the Process ID (PID) and the name of the program associated with each connection.
    • Example:
      netstat -tup
      Sample Output:
      Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 192.168.1.2:22 192.168.1.3:1024 ESTABLISHED 1234/sshd tcp 0 0 192.168.1.2:80 192.168.1.4:56789 LISTEN 5678/httpd
  9. -a + -n: Display all connections with numerical addresses.

    • Example:
      netstat -an
      Sample Output:
      Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.1.2:22 192.168.1.3:1024 ESTABLISHED tcp 0 0 192.168.1.2:80 0.0.0.0:* LISTEN
  10. -s: Display network statistics by protocol.

    • This option displays the statistics for each network protocol (TCP, UDP, ICMP, etc.).
    • Example:
      netstat -s
      Sample Output:
      Icmp: 12 ICMP messages received 8 ICMP messages sent 0 ICMP messages received with invalid headers Tcp: 1234 active connections openings 5678 passive connection openings 34 failed connection attempts

Example Scenarios

  1. Display all network connections and listening ports:

    netstat -a
  2. Show all active TCP connections with program names:

    netstat -tup
  3. View the routing table:

    netstat -r
  4. Display network interface statistics:

    netstat -i
  5. Show all connections with numeric IPs and ports:

    netstat -an
  6. Check protocol-specific statistics (e.g., TCP):

    netstat -s

Summary of Common netstat Options:

OptionDescription
-aShow all sockets (listening and non-listening)
-tShow only TCP connections
-uShow only UDP connections
-lShow only listening sockets
-nShow numerical addresses (no DNS lookup)
-rDisplay the routing table
-iDisplay interface statistics
-pShow PID and program name for each connection
-sDisplay statistics by protocol
-cContinuously update the output (useful for monitoring)

Conclusion

The netstat command is a powerful tool for monitoring and troubleshooting network-related issues. It provides detailed information about network connections, interface statistics, routing, and more, making it a valuable utility for system administrators and anyone needing to troubleshoot network configurations.