Tutorials Point

  Unix for Beginners
  Unix Shell Programming
  Advanced Unix
  Unix Useful References
  Unix Useful Resources
  Selected Reading

Copyright © 2014 by tutorialspoint

  Home     References     Discussion Forums     About TP  

netstat - Unix, Linux Command

previous next AddThis Social Bookmark Button



netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships


netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [delay]

netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--interfaces|-i} [iface] [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--groups|-g} [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts][--numeric-ports][--numeric-ports] [--continuous|-c] [delay]

netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] [delay]

netstat {--version|-V}

netstat {--help|-h}


[--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] [--unix|-x] [--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]


Netstat prints information about the Linux networking subsystem. The type of information printed is controlled by the first argument, as follows:


By default, netstat displays a list of open sockets. If you don’t specify any address families, then the active sockets of all configured address families will be printed.

--route , -r

Display the kernel routing tables.

--groups , -g

Display multicast group membership information for IPv4 and IPv6.

--interface=iface , -i

Display a table of all network interfaces, or the specified iface).

--masquerade , -M

Display a list of masqueraded connections.

--statistics , -s

Display summary statistics for each protocol.


--verbose , -v

Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.

--numeric , -n

Show numerical addresses instead of trying to determine symbolic host, port or user names.


shows numerical host addresses but does not affect the resolution of port or user names.


shows numerical port numbers but does not affect the resolution of host or user names.


shows numerical user IDs but does not affect the resolution of host or port names.

--protocol=family , -A

Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (’,’) separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options.

The address family inet includes raw, udp and tcp protocol sockets.

-c, --continuous

This will cause netstat to print the selected information every second continuously.

-e, --extend

Display additional information. Use this option twice for maximum detail.

-o, --timers

Include information related to networking timers.

-p, --program

Show the PID and name of the program to which each socket belongs.

-l, --listening

Show only listening sockets. (These are omitted by default.)

-a, --all

Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not marked


Print routing information from the FIB. (This is the default.)


Print routing information from the route cache.

-Z --context

If SELinux enabled print SELinux context.

-T --notrim

Stop trimming long addresses.


Netstat will cycle printing through statistics every delay seconds. UP.


Active Internet connections (TCP, UDP, raw)


The protocol (tcp, udp, raw) used by the socket.


The count of bytes not copied by the user program connected to this socket.


The count of bytes not acknowledged by the remote host.

Local Address

Address and port number of the local end of the socket. Unless the --numeric (-n) option is specified, the socket address is resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name.

Foreign Address

Address and port number of the remote end of the socket. Analogous to "Local Address."


The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:
ESTABLISHED The socket has an established connection.
SYN_SENT The socket is actively attempting to establish a connection.
SYN_RECV A connection request has been received from the network.
FIN_WAIT1 The socket is closed, and the connection is shutting down.
FIN_WAIT2 Connection is closed, and the socket is waiting for a shutdown from the remote end.
TIME_WAIT The socket is waiting after close to handle packets still in the network.
CLOSED The socket is not being used.
CLOSE_WAIT The remote end has shut down, waiting for the socket to close.
LAST_ACK The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
LISTEN The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.
CLOSING Both sockets are shut down but we still don’t have all our data sent.
UNKNOWN The state of the socket is unknown.


The username or the user id (UID) of the owner of the socket.

PID/Program name

Slash-separated pair of the process id (PID) and process name of the process that owns the socket. --program causes this column to be included. You will also need superuser privileges to see this information on sockets you don’t own. This identification information is not yet available for IPX sockets.


(this needs to be written)

Active UNIX domain Sockets


The protocol (usually unix) used by the socket.


The reference count (i.e. attached processes via this socket).


The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCECPTON is used on unconnected sockets if their corresponding processes are waiting for a connect request. The other flags are not of normal interest.


There are several types of socket access:
SOCK_DGRAM The socket is used in Datagram (connectionless) mode.
SOCK_STREAM This is a stream (connection) socket.
SOCK_RAW The socket is used as a raw socket.
SOCK_RDM This one serves reliably-delivered messages.
SOCK_SEQPACKET This is a sequential packet socket.
SOCK_PACKET Raw interface access socket.
UNKNOWN Who ever knows what the future will bring us - just fill in here :-)


This field will contain one of the following Keywords:
FREE The socket is not allocated
  The socket is listening for a connection request. Such sockets are only included in the output if you specify the --listening (-l) or --all (-a) option.
  The socket is about to establish a connection.
  The socket is connected.
  The socket is disconnecting.
(empty) The socket is not connected to another one.
  This state should never happen.

PID/Program name

Process ID (PID) and process name of the process that has the socket open. More info available in Active Internet connections section written above.


This is the path name as which the corresponding processes attached to the socket.

Active IPX sockets

(this needs to be done by somebody who knows it)

Active NET/ROM sockets

(this needs to be done by somebody who knows it)

Active AX.25 sockets

(this needs to be done by somebody who knows it)


Starting with Linux release 2.2 netstat -i does not show interface statistics for alias interfaces. To get per alias interface counters you need to setup explicit rules using the ipchains(8) command.


/etc/services -- The services translation file

/proc -- Mount point for the proc filesystem, which gives access to kernel status information via the following files.

/proc/net/dev -- device information

/proc/net/raw -- raw socket information

/proc/net/tcp -- TCP socket information

/proc/net/udp -- UDP socket information

/proc/net/igmp -- IGMP multicast information

/proc/net/unix -- Unix domain socket information

/proc/net/ipx -- IPX socket information

/proc/net/ax25 -- AX25 socket information

/proc/net/appletalk -- DDP (appletalk) socket information

/proc/net/nr -- NET/ROM socket information

/proc/net/route -- IP routing information

/proc/net/ax25_route -- AX25 routing information

/proc/net/ipx_route -- IPX routing information

/proc/net/nr_nodes -- NET/ROM nodelist

/proc/net/nr_neigh -- NET/ROM neighbours

/proc/net/ip_masquerade -- masqueraded connections

/proc/net/snmp -- statistics



Occasionally strange information may appear if a socket changes as it is viewed. This is unlikely to occur.

If the sctp module is not added to the kernel, running netstat with the -A inet or -A inet6 option abnormally terminates with the following message:

netstat: no support for ‘AF INET (sctp)’ on this system.        

To avoid this, install the sctp kernel module.


The netstat user interface was written by Fred Baumgarten <dc6iq@insu1.etec.uni-karlsruhe.de> the man page basically by Matt Welsh <mdw@tc.cornell.edu>. It was updated by Alan Cox <Alan.Cox@linux.org> but could do with a bit more work. It was updated again by Tuan Hoang <tqhoang@bigfoot.com>.
The man page and the command included in the net-tools package is totally rewritten by Bernd Eckenfels <ecki@linux.de>.

previous next Printer Friendly