The netstat command , part of the standard UNIX networking toolset, displays various network-related information such as network connections, interface statistics, routing tables, masquerade, multicast, etc.
In this article, we will look at ten practical examples of using the netstat command in Linux .
- List of all ports (both listening and not)
List all ports: netstat -a
# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
udp6 0 0 fe80::20c:29ff:fe68:ntp [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 20492 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 23323 /var/run/php5-fpm.sock
List all TCP ports: netstat -at
# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:http *:* LISTEN
List all UDP ports: netstat -au
# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 localhost:domain *:*
udp 0 0 *:bootpc *:*
udp6 0 0 fe80::20c:29ff:fe68:ntp [::]:*
- List of sockets in LISTEN state
List all listening ports: netstat -l
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
udp 0 0 192.168.128.134:ntp *:*
List listening TCP ports: netstat -lt
# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
List listening UDP ports: netstat -lu
# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:bootpc *:*
udp6 0 0 [::]:ntp [::]:*
List listening UNIX sockets: netstat -lx
# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 3141 /var/run/fail2ban/fail2ban.sock
unix 2 [ ACC ] STREAM LISTENING 20492 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 23323 /var/run/php5-fpm.sock
- View statistics for each protocol
Show statistics of all ports: netstat -s
# netstat -s
IP:
11150 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
11149 incoming packets delivered
11635 requests sent out
Icmp:
13791 ICMP messages received
12 input ICMP message failed.
Tcp:
15020 active connections openings
97955 passive connection openings
135 failed connection attempts
Udp:
2841 packets received
180 packets to unknown port received.
.....
Show statistics for TCP ports only: netstat -st
# netstat -st
Show statistics of UDP ports only: netstat -su
# netstat -su
- Display PID and process name in netstat output
The netstat -p option will add "PID/Program Name" to the netstat output, and can be combined with any other set of options. This is very useful for debugging, to determine what program is running on a particular port.
# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55723 ESTABLISHED 9486/nginx: worker
tcp 0 0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55757 ESTABLISHED 9486/nginx: worker
- Name resolution in netstat output
When you don't need to resolve hostname, portname, username, use netstat -n option to output values in numeric format. The command will show IP address instead of host, port number instead of port name, UID instead of username.
This will also speed up the output since netstat won't perform unnecessary lookups.
# netstat -an
To display the numeric values of only some of these items, use the following commands:
# netsat -a --numeric-ports
# netsat -a --numeric-hosts
# netsat -a --numeric-users
- Output netstat information continuously
The netstat -c option will output information continuously, in the style of top , updating the screen every few seconds.
# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 org-ru-putty.vm.udf:www 182.131.74.202:59933 FIN_WAIT2
tcp 0 0 org-ru-putty.vm.udf:www 182.131.74.202:63761 FIN_WAIT2
tcp 0 0 org-ru-putty.vm.udf:www 92-181-66-102-irk.:4585 ESTABLISHED
^C
Address families not supported by the system
The netstat --verbose option will show verbose output and at the very end will show unsupported Address Families.netstat: no support for
AF IPX' on this system.
AF AX25' on this system.
netstat: no support for
netstat: no support forAF X25' on this system.
AF NETROM' on this system.
netstat: no support forCore Routing
Show kernel routing table: netstat -r
#```
netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 192.168.128.2 0.0.0.0 UG 0 0 0 eth0
192.168.128.0 * 255.255.255.0 U 0 0 0 eth0
Note: Use netstat -rn to view the route in numerical format without resolving host names.
9. Port and process mapping
Find out which port a particular program is using:
netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 *:ssh : LISTEN -
tcp6 0 0 [::]:ssh [::]:* LISTEN -
Find out which process is using a specific port:
`# netstat -an | grep ':80'`
10. Network interfaces
Show list of network interfaces: netstat -i
netstat -i
Kernel Interface Table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 1911037 0 0 0 1382056 0 0 0 BMRU
lo 16436 0 0 0 0 0 0 0 0 0 LRU
Show extended interface information (similar to ifconfig): netstat -ie
netstat -ie
Kernel Interface Table
eth0 Link encap:Ethernet HWaddr 00:0c:29:68:4c:a4
inet addr:192.168.128.134 Bcast:192.168.128.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe68:4ca4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24278 errors:0 dropped:0 overruns:0 frame:0
TX packets:11275 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueue:1000
RX bytes:33203025 (33.2 MB) TX bytes:665822 (665.8 KB)
Interrupt:19 Base address:0x2000
11. netstat -lnptux
Let's summarize the above and combine the keys into one useful command that will show:
-lall open ports (LISTEN)
-tvia TCP protocol
-uvia UDP protocol
-xvia UNIX Socket protocol
-nwithout resolving IP/names
-pbut with process names and PIDs
Note: Not all processes can be identified by the last key, foreign processes will not be shown. You must have root rights to see everything.
netstat -lnptux
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 9614/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 601/sshd
udp 0 0 8.8.4.4:123 0.0.0.0:* 574/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 574/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 574/ntpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 4233 826/python /var/run/fail2ban/fail2ban.sock
unix 2 [ ACC ] STREAM LISTENING 8122 2561/mysqld /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 160413 7301/php-fpm.conf /var/run/php5-fpm.soc