The netstat command is a highly practical tool for network diagnostics, configurations, and other port-scanning activities. More specifically, system administrators use it for network troubleshooting and performance diagnostics.
The netstat command works on Microsoft Windows, Linux, Unix, FreeBSD, and more. Therefore, all the commands in this article will produce the same results irrespective of your operating system, unless otherwise stated for Linux.
The Linux operating system comes with a considerable number of built-in capabilities pre-installed. Depending on their level of expertise, users may not be fully aware of the capabilities of a particular command. This article provides the basics of netstat and how to troubleshoot network issues with it.
We will learn how the netstat command functions by seeing its commonly used applications. We will see how to generate routing information, network interface statistics, or run port-scanning operations with the command. It might be a good idea to take notes on the most frequently recurring options and what they do, because they will come in handy while working with other commands.
Using the netstat command with the -r option lists the kernel routing information in the same way as with the route command.
$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Note that the additional -n option is used to disable hostname lookup. It configures the netstat command to display addresses as dot-separated quad IP numbers instead of symbolic host and network names.
The -i option configures the netstat command to display network interface statistics. By including the -a option, we’ll include all interfaces present on the kernel in the output, not just those currently configured.
$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 31611 0 0 0 27503 0 0 0 BMRU
lo 65536 0 2913 0 0 0 2913 0 0 0 LRU
Simply put, the MTU field displays the current MTU, while the Met field displays the metric values of the interface. The other fields display additional information:
- -OK suffixed fields indicate successfully received (RX) or transferred (TX) packets.
- -ERR suffixed fields indicate connections with errors.
- -DRP suffixed fields indicate the amount of packets dropped.
- -OVR suffixed fields indicate the amount of packets lost due to overrun.

The netstat command supports the use of some options in listing active and passive sockets. These options include:
- -t for active TCP socket connections
- -u for active UDP socket connections
- -w for active RAW socket connections
- -x for active Unix socket connections

Adding the -a option will display sockets that are listening for connection. This output will be a list of all servers currently running on the Linux machine.
netstat
Port scanning is the process of locating listening ports in a system.
A listening port is a free port that listens for incoming traffic from applications and processes. You can use a firewall to manage listening ports by opening or closing them. The open ports accept incoming packets from remote locations, while the closed ports are occupied by an application or a process.
Some common ports that are open by default:
Port number | Description |
---|---|
20 | File Transfer Protocol (FTP) |
22 | Secure Shell (SSH) |
25 | Simple Mail Transfer Protocol (SMTP) |
53 | Domain Name System (DNS) |
80 | Hypertext Transfer Protocol (HTTP) |
110 | Post Office Protocol (POP3) |
143 | Internet Message Access Protocol (IMAP) |
443 | HTTP Secure (HTTPS) |
Listening operations should be implemented on a frequent basis, as any port opened to outside connections is a possible point of entry into your system. If there’s anything unwanted listening for connections, make sure to remove the package by following the steps below:
A service can always be disabled, but it’s best to remove the underlying package so that it cannot be started by accident. Packages can always be reinstalled later.
Let’s examine, for example, how to use the netstat -untlp command to address any currently connected and listening ports.
This command displays anything listening for incoming traffic and the port it is listening on. Breaking this command down, the first parameter, -t, identifies your request for information pertaining to TCP. Next, -u represents UDP; -l requests listening sockets; -p attempts to show the name of the program; and -n shows numeric values. Putting it all together, you get netstat -tulpn:
$ sudo netstat -untlp
The first column displays active and established connections in the following headers:
Header | Description |
---|---|
Proto | The connection protocol (TCP or UDP) |
Recv-Q | Queue of bytes received or ready to be received |
Send-Q | Queue of bytes ready to be sent |
Local address | The details of the address and the local connection port (an asterisk indicates that the port is open) |
Foreign address | The details of the address and the remote connection port (an asterisk indicates that the port is not yet established) |
State | The state of the socket showing whether the connection to the port is established or not, and if it’s an open or a closed port |
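One way to turn the listening-port check above into a repeatable audit, as an added example that is not part of the original article: it reads numeric netstat -tulpn output and reports listeners reachable from other hosts that are not on an allowlist. The function names, the proto/port allowlist format and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: report listeners that accept remote connections and are
# not on an allowlist. Expects numeric `netstat -tulpn` text on stdin.

# Constructed sample output, not captured from a real host.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  1296/sshd
tcp        0      0 127.0.0.1:631    0.0.0.0:*        LISTEN  811/cupsd
tcp        0      0 0.0.0.0:8081     0.0.0.0:*        LISTEN  4242/python3
tcp6       0      0 :::22            :::*             LISTEN  1296/sshd
tcp6       0      0 ::1:631          :::*             LISTEN  811/cupsd
udp        0      0 0.0.0.0:68       0.0.0.0:*                702/dhclient
udp        0      0 192.168.1.10:123 0.0.0.0:*                655/ntpd
EOF
}

# audit_listeners ALLOWLIST   (ALLOWLIST: comma-separated proto/port pairs)
# Prints "proto/port local-address program" for every unexpected listener.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }              # skip headers and unix sockets
    $1 ~ /^tcp/ && $6 != "LISTEN" { next }      # TCP: listening sockets only
    {
      port = $4; sub(/.*:/, "", port)           # text after the last colon
      host = substr($4, 1, length($4) - length(port) - 1)
      if (host ~ /^127\./ || host == "::1") next   # loopback-only, not remote
      proto = $1; sub(/6$/, "", proto)          # treat tcp6 like tcp
      key = proto "/" port
      if (key in ok) next                       # expected service
      prog = ($1 ~ /^tcp/) ? $7 : $6            # UDP rows have no State column
      if (prog == "") prog = "-"                # -p needs root to name programs
      print key, $4, prog
    }'
}

# Demo on the sample; on a live host: sudo netstat -tulpn | audit_listeners tcp/22
sample_netstat | audit_listeners "tcp/22,udp/68"
```

Run from cron or a configuration-management check, an empty result means every externally reachable listener is an expected one.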
The -a option is used to list all ports. The output will be similar to this:
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 enlightened:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 enlightened.local:54750 li240-5.members.li:http ESTABLISHED
tcp 0 0 enlightened.local:49980 del01s07-in-f14.1:https ESTABLISHED
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
udp 0 0 enlightened:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 enlightened.local:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp 0 0 *:58570 *:*
udp 0 0 *:mdns *:*
udp 0 0 *:49459 *:*
udp6 0 0 fe80::216:36ff:fef8:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:63811 [::]:*
udp6 0 0 [::]:54952 [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 12403 @/tmp/dbus-IDgfj3UGXX
unix 2 [ ACC ] STREAM LISTENING 40202 @/dbus-vfs-daemon/socket-6nUC6CCx
Here the LISTEN state signifies that sshd is listening for incoming IP packets on all network interfaces and IPs on TCP port 22. The ESTABLISHED state shows an active SSH connection, listing the system's local address and port as well as the Recv-Q and Send-Q columns.
Use the netstat command and the -l option to list only listening ports, with the following output:
$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0
You can also list the ports that are being listened to. This works for root users on a Linux machine:
$ sudo netstat -plnt
TCP and UDP ports perform different functions. TCP provides an orderly and error-checked stream of packets, while UDP provides a faster stream of packets at the expense of error checking. The netstat command supports options to list each type of port separately.
Adding the -at option to the netstat command will display all TCP ports. Note that excluding the -a option will display only active ports:
$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 enlightened:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 enlightened.local:36310 del01s07-in-f24.1:https ESTABLISHED
tcp 0 0 enlightened.local:45038 a96-17-181-10.depl:http ESTABLISHED
tcp 0 0 enlightened.local:37892 ABTS-North-Static-:http ESTABLISHED
.....
Likewise, the -au options added to the netstat command will list all UDP ports. Forgoing the -a option will display only active ports:
$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:34660 *:*
udp 0 0 enlightened:domain *:*
udp 0 0 *:bootpc *:*
udp 0 0 enlightened.local:ntp *:*
udp 0 0 localhost:ntp *:*
udp 0 0 *:ntp *:*
udp6 0 0 fe80::216:36ff:fef8:ntp [::]:*
udp6 0 0 ip6-localhost:ntp [::]:*
udp6 0 0 [::]:ntp [::]:*
netstat
Troubleshooting with netstat involves identifying, diagnosing, and solving network problems by adding options to the command. In addition to the -untlp option above, you can pipe the output to the grep command for troubleshooting issues.
netstat + grep
To see what process is occupying a specific port, you can use the grep command.
# netstat -an | grep ':80'
This is helpful, for example, when you’re trying to run a web server on a particular port and discover it’s already in use.
If you discover that an unknown service is connected to a port, take immediate action by copying and pasting the details into a search engine to identify the service.
Network statistics are displayed using the -s option with the netstat command:
$ netstat -s
Ip:
30525 total packets received
0 forwarded
0 incoming packets discarded
20375 incoming packets delivered
16250 requests sent out
40 outgoing packets dropped
Icmp:
325 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 125
325 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 125
... OUTPUT TRUNCATED …
We have seen how netstat can be used for troubleshooting and displaying statistics. The netstat command can also be applied in two advanced use cases.
Let’s say you’re running a public server such as an SSH web server. The SSH server will open a port in the server system for users to access and log in.
The default port for sshd is TCP port 22. With the netstat command, you can monitor all open ports, using the options together with the command, as shown below:
$ sudo netstat -untap | sed '2p;/ssh/!d'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1296/sshd: /usr/sbi
tcp6 0 0 :::22 :::* LISTEN 1296/sshd: /usr/sbi
The IP address and port number are combined to tell your Linux machine where to send SSH packets.
The netstat command can also be used to monitor your internet browsing session:
$ netstat -punta
Proto Local Address Foreign Address State PID/Program name
[...]
tcp 192.168.43.234:50586 72.21.91.66:443 ESTABLISHED 2798/firefox
tcp 192.168.43.234:38262 52.36.174.147:443 ESTABLISHED 6481/chrome
tcp 192.168.43.234:53232 99.86.33.45:443 ESTABLISHED 2798/firefox
[...]
Your computer may secretly listen or connect to an unknown website. An excellent way to detect this is to monitor connections with the netstat command:
$ netstat -abf 5 > activity.txt
The -a option lists all connections and listening ports; -b displays all applications making the connections; while -f shows the complete DNS name of every listed connection, for ease of identifying the connection source. The > symbol pushes the results to an activity.txt file.
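Saved snapshots become more useful when compared against a known-good baseline. The following added example (not part of the original article) lists program and remote-endpoint pairs that appear only in the newer of two snapshots. It assumes Linux netstat -tnp style output rather than the -abf format shown above; the function names, file names and sample connections are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare two saved netstat snapshots and list program/remote
# endpoint pairs that appear only in the newer one.

# Constructed snapshots in Linux `netstat -tnp` format (documentation IPs).
sample_baseline() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address        Foreign Address   State       PID/Program name
tcp        0      0 192.168.43.234:50586 198.51.100.7:443  ESTABLISHED 2798/firefox
tcp        0      0 192.168.43.234:38262 203.0.113.20:443  ESTABLISHED 6481/chrome
EOF
}
sample_current() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address        Foreign Address   State       PID/Program name
tcp        0      0 192.168.43.234:50590 198.51.100.7:443  ESTABLISHED 2798/firefox
tcp        0      0 192.168.43.234:38262 203.0.113.20:443  ESTABLISHED 6481/chrome
tcp        0      0 192.168.43.234:53232 203.0.113.20:443  ESTABLISHED 2798/firefox
tcp        0      0 192.168.43.234:41000 192.0.2.55:8443   ESTABLISHED 7710/updater
tcp        0      0 192.168.43.234:41002 192.0.2.99:80     TIME_WAIT   -
EOF
}

# Reduce a snapshot on stdin to sorted, unique "program remote:port" pairs.
established_pairs() {
  awk '$1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
         prog = $7; sub(/^[0-9]+\//, "", prog)  # drop the PID, it is not stable
         if (prog == "") prog = "-"             # program hidden without root
         print prog, $5
       }' | LC_ALL=C sort -u
}

# new_endpoints BASELINE_FILE CURRENT_FILE
new_endpoints() {
  old=$(mktemp) && new=$(mktemp) || return 1
  established_pairs < "$1" > "$old"
  established_pairs < "$2" > "$new"
  LC_ALL=C comm -13 "$old" "$new"               # lines unique to the newer file
  rm -f "$old" "$new"
}

# Demo: write both samples to files, as `netstat ... > activity.txt` would.
dir=$(mktemp -d)
sample_baseline > "$dir/baseline.txt"; sample_current > "$dir/current.txt"
new_endpoints "$dir/baseline.txt" "$dir/current.txt"
rm -rf "$dir"
```

Local ports and PIDs are deliberately ignored, so a browser reconnecting to the same server does not show up as new.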
While the netstat command is a powerful system administrator tool, you don’t have to be a sysadmin to make use of it. As we have seen, netstat is useful in many scenarios, even if our goal is just securing day-to-day browsing activities.
But netstat should not be limited to the commands discussed here alone; options and flags can significantly expand the scope of what is possible with the netstat command.