Netstat Command in Linux with Examples

Introduction

The Linux netstat command stands for network statistics. It displays information about different interface statistics, including open sockets, routing tables, and connection information. It can also be used to display all socket connections (including TCP and UDP). Apart from connected sockets, it also displays sockets that are waiting for connections. It is a handy tool for network and system administrators.

In computing, the netstat command is a command-line network utility that shows network connections for TCP (both outgoing and incoming), several network interfaces (software-defined network interface or network interface controller), network protocol statistics, and routing tables. It's available on Plan 9, Unix, Inferno, and Unix-like OSes, including BSD, Solaris, Linux, and macOS. Also, it's available on IBM OS/2 and Microsoft Windows NT-based OSes, including Windows 10, Windows 8, Windows 7, Windows Vista, and Windows XP.

On a network, it is used to find problems and to measure the amount of traffic as a performance metric. This program is almost obsolete on Linux, although it is still included in several distributions.

The netstat command is superseded by "ss" on Linux. The ip route command is the replacement for the netstat -r command, and the ip maddr command is the replacement for the netstat -i command; each of these is recommended instead.

Statistics given

Netstat gives statistics for the following:

  • Proto: The protocol name (UDP or TCP).
  • Local Address: The local computer's IP address and the port number in use. The local computer's name corresponding to the IP address and the name of the port are displayed unless the -n parameter is specified. An asterisk (*) is displayed for the host when the server is listening on every interface. The port number is displayed as an asterisk if the port isn't established yet.
  • Foreign Address: The port number and IP address of the remote computer to which the socket is connected. The names corresponding to the IP address and the port are displayed unless the -n parameter is specified. The port number is displayed as an asterisk if the port isn't established yet.
  • State: Represents the TCP connection state. Several possible states are available, including TIME_WAIT, SYN_SEND, SYN_RECEIVED, LISTEN, LAST_ACK, FIN_WAIT_2, FIN_WAIT_1, ESTABLISHED, CLOSED, and CLOSE_WAIT.

Some of the netstat commands and their description are mentioned below:

Command                     Description
netstat -a                  Shows every socket, both listening and non-listening, for every protocol (UDP, TCP, etc.).
netstat -at                 Shows TCP connections only (-au shows UDP connections only).
netstat -ant                Shows every TCP connection without DNS resolution (IP addresses are displayed instead of names).
netstat -al                 Displays listening sockets only.
netstat -aep                Displays the PID and the program to which each socket belongs; e adds extra information such as the user. Execute as root to see every PID.
netstat -s > file2.txt      Displays network statistics.
netstat -i                  Shows a table of every network interface. Add -e to get output that is the same as ifconfig.
netstat -r                  Displays the kernel routing information. The result is similar to route -e.
netstat -ct                 Shows TCP connections continuously, at regular intervals.
netstat -g                  Shows multicast group membership information for IPv6 and IPv4.
netstat -atnp | grep ESTA   Shows every currently "established" TCP connection.
netstat -lntu               Shows every service listening on UDP and TCP, that is, every open port on the local device.
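
The -l, -n, -t, -u and -p options from the table combine into a quick listener audit. The shell function below is an added example, not part of the original page: it reads `netstat -lntup` output and reports sockets listening on every interface (0.0.0.0 or ::) whose protocol/port is not on an allowlist. The function names, the allowlist format and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners bound to every interface that are not allowlisted.

# Constructed sample of `netstat -lntup` output (run as root to fill the PID column).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      812/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp6       0      0 :::8080                 :::*                    LISTEN      2310/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           745/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           610/systemd-resolve
EOF
}

# audit_listeners ALLOWLIST   (reads netstat output on stdin)
# ALLOWLIST is a space-separated list of proto/port entries, e.g. "tcp/22 udp/68".
# Prints "proto/port address pid/program" for each unexpected wildcard listener.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
      proto = $1; sub(/6$/, "", proto)          # fold tcp6/udp6 into tcp/udp
      # TCP rows that are not in LISTEN state are connections, not listeners.
      if (proto == "tcp" && $6 != "LISTEN") next
      # UDP rows have an empty State column, so the owner is one field earlier.
      owner = ($6 == "LISTEN") ? $7 : $6
      # Split at the last colon so IPv6 addresses such as ":::8080" parse correctly.
      k = split($4, p, ":"); port = p[k]
      addr = substr($4, 1, length($4) - length(port) - 1)
      # Loopback or a specific address is not reachable on every interface: skip.
      if (addr != "0.0.0.0" && addr != "::") next
      key = proto "/" port
      if (!(key in ok)) print key, addr, owner
    }'
}

# Live use (assumption: net-tools is installed and the shell runs as root):
#   netstat -lntup | audit_listeners "tcp/22 udp/68"
sample_netstat | audit_listeners "tcp/22 udp/68"
```

Without root, the owner column is reported as "-" for sockets that belong to other users, so the audit still lists the port but cannot name the process.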

Syntax:

The netstat command supports various command-line options. The basic syntax of the netstat command is as follows:

Options:

It supports multiple command-line options to print information about the Linux networking subsystem. The output is controlled by the first argument. Let's see the list of the first arguments:

(none): If no option is specified, it will execute the default command that displays a list of open sockets of all configured address families.

--route, -r: It is used to print the kernel routing tables. The "netstat -r" command and "route -e" command will produce the same output.

--groups, -g: It is used to display multicast group membership information for the different IP versions (IPv4 and IPv6).

--interfaces, -i: It is used to display all network interfaces.

--masquerade, -M: It displays masqueraded connections.

--statistics, -s: This option displays the summary statistics for each protocol.

Other options:

--verbose, -v: It is used to display the detailed output. It is a handy tool for displaying the details about unconfigured address families.

--wide, -W: It prevents IP addresses from being truncated by using output as wide as needed. It remains optional so that existing scripts do not break.

--numeric, -n: It is used to display numeric addresses instead of resolving symbolic host, port, or user names.

--numeric-hosts: It is used to display numerical host addresses; it does not affect the resolution of port or user names.

--numeric-ports: It is used to display numerical port numbers; it does not affect the resolution of host or user names.

--numeric-users: It is used to display numeric user IDs; it does not affect the resolution of host or port names.

--protocol=family, -A: It is used to specify the address families for which connections are to be displayed. The family is a comma (',') separated list of address family keywords such as inet, inet6, unix, ax25, netrom, econet, ipx, ddp, and bluetooth.

-c, --continuous: It is used to display the selected information continuously, every second.

-e, --extend: It is used for extended output. This option can be used twice for maximum detail.

-o, --timers: It is used to include networking timers related information.

-p, --program: It is used to display the PID and name of the process to the corresponding sockets.

-l, --listening: It is used to display only listening sockets.

-a, --all: It is used to display both listening and non-listening sockets. By specifying the '--interfaces' option, we can list the interfaces that are not up.

-F: It is used to display the routing information from the FIB.

-C: It is used to display the routing information from the route cache.

Installation of the netstat command

If the netstat command is not installed on your machine, it will display the traditional Linux installation error message "Command 'netstat' not found."

To install it, execute the below command:

The above command will ask for the administration password to install the command. If it is successfully installed, it will produce the output as follows:

Examples of the netstat command

Let's see the following examples of the netstat command:

  • Display All Connections
  • Display only TCP or UDP connections
  • Disable reverse DNS lookup for faster output
  • Display only listening connections
  • Display Pid and Uid
  • Display Statistics
  • Display kernel routing information
  • Display network interfaces
  • Display netstat output continuously
  • Display multicast group information

Display All Connections

The '-a' option is used to display all the existing connections. Execute the netstat command as follows:

The above command will list all the existing connections. Consider the below output:

Display only TCP or UDP Connections

We can list only the TCP or UDP connections. To display only the TCP connections, execute the command with the 't' option as follows:

The above command will list all the TCP connections. Consider the below output:

To display only the UDP connections, execute it with the 'u' option as follows:

The above command will list all the UDP connections. Consider the below output:

Disable Reverse DNS Lookup for Faster Output

By default, the netstat command finds the hostname for each IP address by a reverse DNS lookup, which slows down the output. If we don't need the hostnames, we can disable the reverse DNS lookup by supplying the 'n' option. Consider the below command:

The above command will disable the reverse DNS lookup and display all the TCP connections. Consider the below output:

Display only Listening Connections

Listening connections are connections that are available for connection requests. Any network process keeps a port open to listen for incoming connection requests. These connections can be listed by executing the below command:

The above command will list all the listening TCP connections. Consider the below output:

Display Pid and Uid

While checking the network statistics, it is sometimes vital to know the Pid and Uid for a particular connection or user. The Pid and Uid can be listed by using the 'p' option. Execute the below command:

The above command will list the Pid for each of the TCP connections. It is necessary to execute this command with sudo privileges; otherwise, it will not display the Pid. Consider the below output:

Display Statistics

The netstat command is also a handy tool for displaying network statistics, such as the number of packets transmitted and received by a protocol. To display the network statistics, execute the command with the '-s' option as follows:

The above command will display the network statistics. Consider the below output:

Display kernel Routing Information

The 'r' option is used to display the kernel routing information. It will display the same output as the route command. To display the routing information, execute the command as follows:

The above command will display the routing information. The 'n' option will disable the hostname lookup. Consider the below output:

Display Network Interfaces

We can also display information about the network interfaces by using the netstat command. To display the network interfaces, execute the command with the 'i' option as follows:

The above command will list the network interfaces and related information. Consider the below output:

Display netstat Output Continuously

To display the netstat output continuously, execute the command with the 'c' option as follows:

The above command will display the TCP connections continuously. Consider the below output:

Display Multicast Group Information

The 'g' option is used to display the multicast group information. To print the details for IPv4 and IPv6, execute the command as follows:

The above command will display the multicast group information. Consider the below output:

Install Net-Tools in Linux

The netstat command is a part of a package called net-tools. We get the net-tools package using the following command in Ubuntu:

Check Netstat Version

After the installation, we can check the installed Netstat version using the following command:

Show Routing Table

The netstat command displays the routing table information on the command line. If we want to check the routing table, we can use the -nr option with Netstat; it will display the kernel routing table in a form similar to what route displays. We can run the following command:

The -nr flag makes Netstat show addresses in dotted numeric form rather than as symbolic names.

Show Network Connection

The netstat command has a variety of options to view passive and active sockets. Active TCP, Unix, RAW, and UDP socket connections are mentioned by the -x, -w, -u, and -t options, respectively.

We can run the following command:

Show Network Services

We can execute the below command to see a network list, their related ports, and their current states:

Show every listening port of the UDP and TCP connection

We can see every UDP and TCP port by running the following command in the terminal window:

Show every listening connection

We can use the netstat command with the -l option to list every active connection:

