netstat command in Linux with Examples



Name

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

Synopsis

netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w]   [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v]  [--continuous|-c]
 
netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
 
netstat {--interfaces|-i} [--all|-a] [--extend|-e[--extend|-e]]  [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]

Description

Netstat is a command line utility to display all the network connections on a system. It displays all the tcp, udp and unix socket connections. Apart from connected sockets it also displays listening sockets that are waiting for incoming connections. The type of information displayed by netstat command is controlled by the first argument, as follows:

(none)
   By default, netstat displays a list of open sockets. If you don't  specify any address families, then the active sockets of all configured address families will be printed.
 
--route , -r
   Display the kernel routing tables. See the description in route(8) for details. netstat -r and route -e produce the same output.
 
--groups , -g
   Display multicast group membership information for IPv4 and IPv6.
 
--interfaces, -i
   Display a table of all network interfaces.
 
--masquerade , -M
   Display a list of masqueraded connections.
 
--statistics , -s
   Display summary statistics for each protocol.

Options

The options for netstat commands are:

--verbose , -v
   Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.

--wide , -W
   Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts.

--numeric , -n
   Show numerical addresses instead of trying to determine  symbolic host, port or usernames.

--numeric-hosts
   Shows numerical host addresses but does not affect the resolution of port or user names.

--numeric-ports
   Shows numerical port numbers but does not affect the resolution of host or user names.

--numeric-users
   Shows numerical user IDs but does not affect the resolution of host or port names.

--protocol=family, -A
   Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (',') separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options.

The address family inet includes raw, udp and tcp protocol sockets.

-c, --continuous
   This will cause netstat to print the selected information every second continuously.

-e, --extend
   Display additional information. Use this option twice for maximum detail.

-o, --timers
   Include information related to networking timers.

-p, --program
   Show the PID and name of the program to which each socket belongs.

-l, --listening
   Show only listening sockets. (These are omitted by default.)
    
-F
   Print routing information from the FIB. (This is the default.)

-C
   Print routing information from the route cache.

Examples

1. netstat command without any argument displays information about the Linux networking subsystem. By default, netstat displays a list of open sockets.

$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 erpnext.Dlink:59438     602.bm-nginx-load:https ESTABLISHED
tcp        0      0 erpnext.Dlink:57112     kul01s10-in-f34.1:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:46496     162.125.81.13:https     ESTABLISHED
tcp        0      0 erpnext.Dlink:48512     172.67.167.22:https     TIME_WAIT  
tcp        0      0 erpnext.Dlink:40994     del12s04-in-f14.1:https ESTABLISHED
tcp        0      0 erpnext.Dlink:58724     del11s12-in-f8.1e:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:38628     a97adde81b00f2ca4:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:42136     server-13-35-217-:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:59672     del12s03-in-f5.1e:https ESTABLISHED
tcp        0      0 erpnext.Dlink:46570     230.247.227.35.bc:https TIME_WAIT  
tcp        0      1 erpnext.Dlink:38166     182.161.72.137:https    SYN_SENT   
tcp        0      0 erpnext.Dlink:35614     del12s09-in-f2.1e:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:59630     598.bm-nginx-load:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:58280     del11s16-in-f1.1e:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:58030     bidder.hk5.vip.pr:https ESTABLISHED
tcp        0      0 erpnext.Dlink:41966     del12s04-in-f4.1e:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:58658     192.71.201.35.bc.:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:59626     598.bm-nginx-load:https ESTABLISHED
tcp        0      0 erpnext.Dlink:56720     162.125.36.2:https      ESTABLISHED
...

We can use -a option to display all sockets, both listening and non-listening, and protocols like TCP, UDP, RAW, Unix Sockets, etc.

2. We can use -t option to display only tcp sockets.

$ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      1 erpnext.Dlink:38340     182.161.72.137:https    SYN_SENT   
tcp        0      0 erpnext.Dlink:42608     server-13-35-217-:https ESTABLISHED
tcp        0      1 erpnext.Dlink:38344     182.161.72.137:https    SYN_SENT   
tcp        0      1 erpnext.Dlink:38328     182.161.72.137:https    SYN_SENT   
tcp        0      1 erpnext.Dlink:38342     182.161.72.137:https    SYN_SENT   
tcp        0      0 erpnext.Dlink:42490     del12s04-in-f4.1e:https ESTABLISHED
tcp        0      1 erpnext.Dlink:38326     182.161.72.137:https    SYN_SENT   
tcp        0      0 erpnext.Dlink:48452     ec2-52-76-52-167.:https ESTABLISHED
tcp        0      0 erpnext.Dlink:56720     162.125.36.2:https      ESTABLISHED
tcp        0      1 erpnext.Dlink:38346     182.161.72.137:https    SYN_SENT   
tcp        0      1 erpnext.Dlink:38336     182.161.72.137:https    SYN_SENT   
tcp        0      0 erpnext.Dlink:57496     218.64.98.34.bc.g:https ESTABLISHED
tcp        0      0 erpnext.Dlink:59166     192.71.201.35.bc.:https ESTABLISHED
tcp        0      0 erpnext.Dlink:41324     103.231.98.193:https    ESTABLISHED
tcp        0      0 erpnext.Dlink:37068     ec2-54-179-109-22:https ESTABLISHED
tcp        0      0 erpnext.Dlink:48206     8.159.244.35.bc.g:https ESTABLISHED
tcp        0      0 erpnext.Dlink:42134     server-13-35-217-:https ESTABLISHED
tcp        0      0 erpnext.Dlink:39240     relay-f4105590.net:http ESTABLISHED
tcp        0      0 erpnext.Dlink:60756     ec2-13-229-220-22:https ESTABLISHED
tcp        0      1 erpnext.Dlink:38332     182.161.72.137:https    SYN_SENT   
tcp        0      0 erpnext.Dlink:35880     600.bm-nginx-load:https TIME_WAIT  
tcp        0      0 erpnext.Dlink:35162     ec2-34-215-30-193:https ESTABLISHED
tcp        0      0 erpnext.Dlink:35904     162.125.35.134:https    ESTABLISHED

3. We can use the -u option to display only UDP connections. Similarly, we can use the -w option to display raw sockets.

$ netstat -u
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 localhost:45618         localhost:45618         ESTABLISHED

4. By default, the netstat command shows only connected sockets. We can use the -a option to display other sockets as well.

$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 *:53262                 *:*                                
udp        0      0 erpnext.esc.in:domain   *:*                                
udp        0      0 localhost:domain        *:*                                
udp        0      0 *:bootpc                *:*                                
udp        0      0 erpnext.Dlink:ntp       *:*                                
udp        0      0 localhost:ntp           *:*                                
udp        0      0 *:ntp                   *:*                                
udp        0      0 *:41092                 *:*                                
udp        0      0 localhost:45618         localhost:45618         ESTABLISHED
udp        0      0 *:ipp                   *:*                                
udp        0      0 *:41621                 *:*                                
udp6       0      0 ip6-localhost:domain    [::]:*                             
udp6       0      0 fe80::15de:9204:301:ntp [::]:*                             
udp6       0      0 ip6-localhost:ntp       [::]:*                             
udp6       0      0 [::]:ntp                [::]:*                             
udp6       0      0 [::]:mdns               [::]:*                             
udp6       0      0 [::]:44487              [::]:*                             

5. We can use the -l option to display listening sockets. Below we show an example of all TCP listening sockets.

$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 localhost:8022          *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 localhost:45432         *:*                     LISTEN     
tcp        0      0 *:smtp                  *:*                     LISTEN     
tcp        0      0 *:db-lsp                *:*                     LISTEN     
tcp        0      0 *:7070                  *:*                     LISTEN     
tcp        0      0 localhost:mysql         *:*                     LISTEN     
tcp        0      0 localhost:6379          *:*                     LISTEN     
tcp        0      0 *:5900                  *:*                     LISTEN     
tcp        0      0 localhost:x11           *:*                     LISTEN     
tcp        0      0 erpnext.esc.in:domain   *:*                     LISTEN     
tcp        0      0 localhost:domain        *:*                     LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
tcp6       0      0 [::]:smtp               [::]:*                  LISTEN     
tcp6       0      0 [::]:https              [::]:*                  LISTEN     
tcp6       0      0 [::]:db-lsp             [::]:*                  LISTEN     
tcp6       0      0 [::]:5900               [::]:*                  LISTEN     
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 ip6-localhost:domain    [::]:*                  LISTEN   

6. We can use the -p option to show the PID and name of the program each socket belongs to; the -e option adds extra information such as the user. Run this command as root to see all PIDs.

$ netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 erpnext.Dlink:38872     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      1 erpnext.Dlink:38866     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      0 erpnext.Dlink:59230     162.125.6.20:https      ESTABLISHED 6049/dropbox    
tcp        0      1 erpnext.Dlink:38876     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      0 localhost:36492         localhost:45432         ESTABLISHED 11111/rake jobs:wor
tcp        0      1 erpnext.Dlink:38868     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      1 erpnext.Dlink:38870     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      1 erpnext.Dlink:38874     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      0 erpnext.Dlink:48206     8.159.244.35.bc.g:https ESTABLISHED 6173/firefox    
tcp        0      0 erpnext.Dlink:42134     server-13-35-217-:https ESTABLISHED 6173/firefox    
tcp        0      0 erpnext.Dlink:39240     relay-f4105590.net:http ESTABLISHED 837/anydesk     
tcp        0      0 erpnext.Dlink:39536     162.125.35.136:https    ESTABLISHED 6049/dropbox    
tcp        0      0 erpnext.Dlink:35162     ec2-34-215-30-193:https ESTABLISHED 6173/firefox    
tcp        0      0 localhost:45432         localhost:36492         ESTABLISHED 11148/main: openpro
tcp        0      0 erpnext.Dlink:36878     162.125.35.134:https    ESTABLISHED 6049/dropbox    
tcp        0      1 erpnext.Dlink:38862     182.161.72.137:https    SYN_SENT    6173/firefox    
tcp        0      1 erpnext.Dlink:38864     182.161.72.137:https    SYN_SENT    6173/firefox    
$ 

The output in the above example shows a PID/Program name column: PID is the process ID associated with the socket connection, and Program is the program associated with the socket connection.

$ netstat -u -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      
udp        0      0 localhost:37309         localhost:domain        ESTABLISHED expert     400660     
udp        0      0 localhost:45618         localhost:45618         ESTABLISHED postgres   26812      
udp        0      0 localhost:50007         localhost:domain        ESTABLISHED expert     402643     
udp        0      0 localhost:37720         localhost:domain        ESTABLISHED root       402644     
udp        0      0 localhost:42455         localhost:domain        ESTABLISHED expert     402628     
udp        0      0 localhost:50913         localhost:domain        ESTABLISHED expert     399785     
udp        0      0 localhost:39830         localhost:domain        ESTABLISHED expert     400657     
udp        0      0 localhost:52621         localhost:domain        ESTABLISHED expert     400655     
udp        0      0 localhost:56808         localhost:domain        ESTABLISHED expert     401604 

The output of the above example (netstat -u -e) includes an Inode column, which shows the file system inode (index node) associated with the socket. With the -x option the output displays a Path column, which is the file system path to the socket.
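
The -pt output above can be summarised per process to see which program owns repeated unanswered connection attempts (SYN_SENT). This is an added example, not part of the original page: the function names by_process and stalled_outbound are hypothetical, and the sample embeds lines from the output above plus one constructed line whose owner is "-", which netstat prints when it cannot identify the process.

```shell
#!/bin/sh
# Sample input: lines from the `netstat -pt` output above, plus one constructed
# line (192.0.2.10) with "-" as owner, as printed when the process is unknown.
sample_pt() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 erpnext.Dlink:38872     182.161.72.137:https    SYN_SENT    6173/firefox
tcp        0      1 erpnext.Dlink:38866     182.161.72.137:https    SYN_SENT    6173/firefox
tcp        0      0 erpnext.Dlink:59230     162.125.6.20:https      ESTABLISHED 6049/dropbox
tcp        0      1 erpnext.Dlink:38876     182.161.72.137:https    SYN_SENT    6173/firefox
tcp        0      0 localhost:36492         localhost:45432         ESTABLISHED 11111/rake jobs:wor
tcp        0      0 erpnext.Dlink:39240     relay-f4105590.net:http ESTABLISHED 837/anydesk
tcp        0      0 erpnext.Dlink:48206     8.159.244.35.bc.g:https ESTABLISHED 6173/firefox
tcp        0      0 erpnext.Dlink:50000     192.0.2.10:https        ESTABLISHED -
EOF
}

# by_process: read `netstat -pt` text on stdin and print tab-separated
# "count pid program state remote" per distinct combination, busiest first.
by_process() {
    awk '
    $1 ~ /^tcp6?$/ && NF >= 7 {
        owner = $7
        for (i = 8; i <= NF; i++) owner = owner " " $i   # names may contain spaces
        if (owner == "-") { pid = "?"; prog = "unknown" }
        else {
            slash = index(owner, "/")
            pid = substr(owner, 1, slash - 1)
            prog = substr(owner, slash + 1)
        }
        seen[pid "\t" prog "\t" $6 "\t" $5]++
    }
    END { for (k in seen) print seen[k] "\t" k }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# stalled_outbound MIN: print "pid program remote count" for processes with at
# least MIN sockets in SYN_SENT (handshake not answered) to the same remote.
stalled_outbound() {
    by_process | awk -F '\t' -v min="$1" '
    $4 == "SYN_SENT" && $1 >= min { print $2, $3, $5, $1 }'
}

sample_pt | by_process
```

On a live host, run `netstat -pt | stalled_outbound 3` as root so that sockets owned by other users are attributed to a process rather than shown as unknown.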

7. We can use the -n option along with other options to disable the resolution of symbolic names, so that numeric addresses and ports are shown instead of names.

$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8022          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:45432         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN     
tcp        0      1 192.168.0.4:51912       182.161.72.137:443      SYN_SENT   
tcp        0      0 192.168.0.4:42202       162.125.36.2:443        ESTABLISHED
tcp        0      1 192.168.0.4:51904       182.161.72.137:443      SYN_SENT   
tcp        0      0 192.168.0.4:60294       162.125.81.13:443       ESTABLISHED
tcp        0      0 192.168.0.4:39240       138.201.130.101:80      ESTABLISHED
tcp        0      1 192.168.0.4:51892       182.161.72.137:443      SYN_SENT   
tcp        0      0 192.168.0.4:35162       34.215.30.193:443       ESTABLISHED
tcp6       0      0 :::25                   :::*                    LISTEN     
tcp6       0      0 :::443                  :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 ::1:53                  :::*                    LISTEN     
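
Numeric output like the above is easy to audit for exposure: a listener bound to 0.0.0.0 or :: is reachable on every interface, while one bound to 127.0.0.1 or ::1 is local only. The following is an added example, not part of the original page; the function names and the port allowlist are hypothetical, and the sample is a subset of the -ant output above.

```shell
#!/bin/sh
# Sample input: a subset of the `netstat -ant` output shown above.
sample_ant() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8022          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
tcp        0      1 192.168.0.4:51912       182.161.72.137:443      SYN_SENT
tcp        0      0 192.168.0.4:42202       162.125.36.2:443        ESTABLISHED
tcp6       0      0 :::25                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:53                  :::*                    LISTEN
EOF
}

# classify_listeners: read `netstat -ant` (or -lnt) text on stdin and print
# "<exposure> <proto> <address> <port>" for every TCP socket in LISTEN state.
classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        # The port follows the last colon (IPv6 addresses contain colons too).
        if (match($4, /:[0-9]+$/) == 0) next   # non-numeric port: -n was not used
        port = substr($4, RSTART + 1)
        addr = substr($4, 1, RSTART - 1)
        if (addr == "0.0.0.0" || addr == "::")
            exposure = "ALL-INTERFACES"
        else if (addr ~ /^127\./ || addr == "::1")
            exposure = "LOOPBACK"
        else
            exposure = "SPECIFIC"
        print exposure, $1, addr, port
    }'
}

# unexpected_listeners "<ports>": print proto/port for wildcard-bound listeners
# whose port is not in the space-separated allowlist of expected services.
unexpected_listeners() {
    classify_listeners | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "ALL-INTERFACES" && !($4 in ok) { print $2 "/" $4 }'
}

sample_ant | classify_listeners
```

On a live host, pipe `netstat -lnt` into `unexpected_listeners` with the ports you expect to be reachable; the parser depends on -n because service names such as ssh do not match the numeric port pattern.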

8. We can use -s option to display the summary of network sockets by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols.

$ netstat -su
IcmpMsg:
   InType3: 20
   OutType3: 598
Udp:
   723712 packets received
   1704 packets to unknown port received.
   0 packet receive errors
   278423 packets sent
   IgnoredMulti: 8
UdpLite:

9. The netstat command can also display the kernel routing tables. We can use the -r or --route option to display the kernel routing table.

$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.0.1     0.0.0.0         UG        0 0          0 enp0s25
default         192.168.0.1     0.0.0.0         UG        0 0          0 wlx503eaa7c4c9b
link-local      *               255.255.0.0     U         0 0          0 enp0s25
192.168.0.0     *               255.255.255.0   U         0 0          0 enp0s25
192.168.0.0     *               255.255.255.0   U         0 0          0 wlx503eaa7c4c9b

10. We can use the -i option to display a table of all network interfaces.

$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp0s25    1500 0     11562      0      0 0          6270      0      0      0 BMRU
lo        65536 0    238860      0      0 0        238860      0      0      0 LRU
wlx503eaa7c4c9b  1500 0    803751      0   2843 0        348358      0      0      0 BMRU

11. We can add the -e option to the netstat -i command to extend the details of the kernel interface table:

$ netstat -i -e
Kernel Interface table
enp0s25 Link encap:Ethernet  HWaddr 7c:05:07:10:08:8d  
   UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
   RX packets:18983 errors:0 dropped:0 overruns:0 frame:0
   TX packets:11614 errors:0 dropped:0 overruns:0 carrier:0
   collisions:0 txqueuelen:1000 
   RX bytes:10340011 (10.3 MB)  TX bytes:1668036 (1.6 MB)
   Interrupt:20 Memory:f7c00000-f7c20000 

lo    Link encap:Local Loopback  
      inet addr:127.0.0.1  Mask:255.0.0.0
      inet6 addr: ::1/128 Scope:Host
      UP LOOPBACK RUNNING  MTU:65536  Metric:1
      RX packets:265123 errors:0 dropped:0 overruns:0 frame:0
      TX packets:265123 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:97634381 (97.6 MB)  TX bytes:97634381 (97.6 MB)

wlx503eaa7c4c9b Link encap:Ethernet  HWaddr 50:3e:aa:7c:4c:9b  
      inet addr:192.168.0.4  Bcast:192.168.0.255  Mask:255.255.255.0
      inet6 addr: fe80::15de:9204:3015:b802/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:815468 errors:0 dropped:3174 overruns:0 frame:0
      TX packets:362966 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000 
      RX bytes:937465675 (937.4 MB)  TX bytes:118211153 (118.2 MB)