How to use netstat in GNU/Linux

Mike Turcotte-McCusker
Mar 21, 2018
Updated • Mar 21, 2018
Linux
|
8

Netstat is a very powerful utility that will list all of the TCP and UDP connections, as well as unix socket connections currently listening for connections as well as currently connected. While many home users may not necessarily need to worry about this, online gamers, or anyone who intends to host any sort of server in the future, will surely at some point need to deal with ports.

Netstat is also useful for security and privacy, for example, to find out which programs "talk" to the Internet.

Using netstat can be an extremely simple process, or it can get very complicated and heavy, depending on usage; so today we will look at some of the more common uses for Netstat.

As promised (in my article "How do I find my network information in Linux?") I am going to introduce you to the netstat command. This command is a very useful tool for discovering networking information such as routing tables, network connections, interface statistics, masquerade connections, and multicast memberships. But it's not quite as simple to use as some of of the other "discovery" tools (such as ifconfig). With netstat you really do need to know what you're looking for and how to find it. This article will help you to understand just that.

Installation?

Fortunately your distribution should come with the netstat command pre-installed. To check this, open up a terminal window (that's where you will use netstat anyway) and issue the command which netstat. This command should return something like /bin/netstat. That will tell you that the tool is installed and where the executable is.

Netstat Basics

The basic netstat command looks like:

netstat ARGUMENT OPTIONS

Where ARGUMENT is the type of address family you want information about and OPTIONS is the optional option(s) that will specify the type of information you get returned.

Because netstat offers such a variety of options, it might be best if I first list some of the more useful options.

  • a: Shows the state of all sockets and routing table entries.
  • c: Display information continuously.
  • d: Show the state of all interfaces that use DHCP.
  • e: Show extended information.
  • g: Show the multicast group membership information for both IPv4 and IPv6.
  • i: Display a table of all network inferfaces.
  • l: Limit statistics to a defined interface.
  • M: Show multicast routing tables.
  • n: Shows network addresses as numbers instead of the default symbols.
  • p: Show address resolution tables.
  • P: Limit statistics to a defined protocol.
  • r: Show all routing tables.
  • t: Show TCP connections.
  • u: Show UDP connections.
  • v: Use verbose mode for output.

So let's take a look and see how these can be used together.

netstat

By itself (no options) this command prints out generic statistics of the host you are currently connected to.

netstat -an

This command will display all connections to the host, including source and destination addresses and ports, and displays them as numbers.

netstat -rn

This command will display the routing table for the host in numeric form.

netstat -r

This command will display your routing table for your host.

netstat -natp

This command will display active TCP connections in numerical form.

netstat -t --listening

This will show you all tcp ports you host is listening on.

netstat --statistics

This command will display various statistics for your host's interfaces. Note that this command will display a LOT of statistics.

As you can see, this command will display quite a bit of information. On top of that you might need to pipe this command through the less command in order to see it more easily. That full command would look like netstat --statistics | less. Using it that way would allow you to use your arrow keys to scroll up and down through the ouput.

Usage Tips for Netstat

One of the most basic and common ways to use netstat is to check for which ports are listening

  • netstat -l

Which gives something like this on my freshly installed Antergos system

Or, if you are looking to focus your search a little bit more, you can add another option to sort specificly for different types of connections

  • netstat -lt # for TCP
  • netstat -lu # for UDP
  • netstat -lx # for Unix

Or, you can go on the complete opposite end of the spectrum, and list all connections

  • netstat -a

If you prefer, another option that can be useful to keep in mind, is using the ‘n’ option. When using netstat -n or netstat -ltn for example, all hostnames will no longer try to be resolved, and only IP addresses will be shown, like in the example below.

As you can see, localhost in name, was resolved to its numerical value after using the ‘n’ option

Another way to use netstat is netstat -ie, the ‘i’ for interfaces, and the ‘e’ for ‘extended’ which will help give us a more human readable output.

netstat -ie # This will show us a list of network interfaces, and information about each device.

Advanced Netstat tips

What we want to do is tell netstat to give us output for specific applications that are listening for tcp connections. To do this we issue the command:

  • netstat --tcp --listening --programs

The output for this command would look something like:

Proto Recv-Q Send-Q Local Address Foreign Address Stat    PID/Program
tcp   0      0      *:ssh         *:*             LISTEN  25469/sshd
tcp   0      0      *:httpd       *:*             LISTEN  26754/httpd
tcp   0      0      localhost:ipp *:*             LISTEN  -

Now you can actually see some useful information. In the above output you can see that both sshd and httpd are listening for incoming connections. The above is just a snippet of what the output can look like. What is very handy about this command is it will show you if there is a command or local address listening for incoming connections that shouldn't be listening. If you find an application that shouldn't be listening, kill it to be safe.

Route

Netstat is able to quickly print your machines' kernel routing table with the command:

netstat -r

The output of this command will look like:

Kernel IP routing table
Destination  Gateway     Genmask         Flags   MSS Window  irtt Iface
192.168.1.0  *           255.255.255.0   U       0 0         0    eth0
default      192.168.1.1 0.0.0.0         UG      0 0         0    eth0

Statistics

This is one of the handier of the netstat tools. With this you can find out exactly the statics for each protocol. The basic command structure is:

netstat --statistics

which will give you far more information than you want. Say, you only want to see statistics on the TCP protocol. For this you can issue the command:

netstat -t --statistics

The output to the above command will include information such as:

Tcp:
4343 active connections openings
8 passive connection openings
5 failed connection attempts
178 connection resets received
6 connections established
59075 segments received
60033 segments send out
76 segments retransmited
0 bad segments received.
303 resets sent

Or you could get information on UDP as well with the command:

netstat -u --statistics

Which would give you similar output for the UDP protocol.

Get creative

What if you wanted to see all unique IP addresses connected to a server? You can do that with netstat (and the help of a few other tools) like so:

netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

The output of the above command would depend upon how much traffic your machine/server is getting. But it will include all unique IP addresses attempting to connect to your server.

What about checking to see if your server is under a DOS attack? You can do that with netstat like this:
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command will list out the IP addresses requesting the highest amount of connections to your server. If you see a number that is far higher than it should be, you most likely are under a Denial of Service attack.

Final thoughts

Netstat is one of those tools that you’ll never really think you’ll need, until suddenly you do; and its always good to know how to use it incase the need ever arises at least on some basic level. For more information about how to use the netstat command and its options, check out the man pages by typing man netstat.

Now you: What’s your preferred utility for checking network information, and why? Let us know in the comments!

Related articles

Summary
How to use netstat in GNU/Linux
Article Name
How to use netstat in GNU/Linux
Description
Netstat is a very powerful utility that will list all of the TCP and UDP connections, as well as unix socket connections currently listening for connections as well as currently connected.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Paul(us) said on March 21, 2018 at 8:50 pm
    Reply

    Hey Mike and Martin, When I am trying to try to post a comment because on a mistake in Mike his article, I am getting a new almost blank page with only on it: the error message: ERROR: please type a comment.
    Something is rotten in the state of Denmark (Hamlet (1.4), Marcellus to Horatio)

    The thing I wanted to post for is that in Mike his article Mike is referring to a hyperlink under
    As promised (in my article “How do I find my network information in Linux?”) I am going to introduce you to the netstat command.
    Only this hyperlink is bringing me now ware (to the same page as this articel “How to use netstat in GNU/Linux”).
    Schould this be a hyperlink to the page: https://www.ghacks.net/2010/04/20/how-do-i-find-my-network-information-in-linux/

    1. Martin Brinkmann said on March 21, 2018 at 8:52 pm
      Reply

      That is strange. I have updated the link, sorry for that!

  2. Steve Hare said on March 21, 2018 at 12:01 pm
    Reply

    deprecated?

  3. Dougle said on March 21, 2018 at 8:31 am
    Reply

    Good article, however, netstat is depreciated, you should be using ss.

    1. Al CiD said on March 21, 2018 at 10:32 am
      Reply

      Most germans don´t like “ss” …

    2. Mike Turcotte said on March 21, 2018 at 9:43 am
      Reply

      While you’re absolutely correct, I feel it still good to teach users to use netstat, as MANY tutorials out there that co-relate, often still refer to netstat. Though ss has been adopted to replace netstat for years, its not quite as common as it perhaps should be, and until it is, I see no harm in teaching people to use netstat ;)

  4. Dougle said on March 21, 2018 at 8:29 am
    Reply

    Netstat is depreciated, you should be using ss.

    1. John Fenderson said on March 21, 2018 at 4:47 pm
      Reply

      “Deprecated” doesn’t mean “forbidden” or “something that you shouldn’t learn about”.

      I use ss as well as netstat on almost a daily basis. Netstat, because I use many machines that don’t have (and may never have) ss.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.