13 Examples To Explain Linux Netstat Command

August 22, 2011

The netstat command in Linux reports network activity and configuration on a system: interface statistics, network traffic, network sockets, listening ports, and more. Its output is often very long, so you usually need to filter it to extract what you are looking for. This article covers the general usage of the netstat command with its common options.

1. netstat command.

By default, netstat displays a list of open sockets.

$ netstat | head -20
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 13 [ ] DGRAM 7728 /dev/log
unix 2 [ ] DGRAM 6886 @/org/kernel/udev/udevd
unix 3 [ ] STREAM CONNECTED 80527 @/tmp/dbus-LLRqvS5L9G
unix 3 [ ] STREAM CONNECTED 81121
unix 3 [ ] STREAM CONNECTED 80521 @/tmp/dbus-LLRqvS5L9G
unix 3 [ ] STREAM CONNECTED 80520
unix 3 [ ] STREAM CONNECTED 80518 @/tmp/dbus-LLRqvS5L9G
unix 3 [ ] STREAM CONNECTED 81120
unix 3 [ ] STREAM CONNECTED 81119 /tmp/orbit-raghu/linc-df3-0-5d78f656e0ace
unix 3 [ ] STREAM CONNECTED 80517
unix 3 [ ] STREAM CONNECTED 80516 /tmp/orbit-raghu/linc-5c2-0-7ab8f5a51ba2f
unix 3 [ ] STREAM CONNECTED 81117
unix 3 [ ] STREAM CONNECTED 81108 @/tmp/.ICE-unix/1432
unix 3 [ ] STREAM CONNECTED 80509
unix 3 [ ] STREAM CONNECTED 80496 @/tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 81104

The output is long, so it is piped through head to show only the first 20 lines.

2. Display the routing table.

The netstat command with -r option displays the kernel IP routing table.

$ netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
link-local * 255.255.0.0 U 0 0 0 eth1
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth1

The routing information from the route cache can be displayed with the -C option.

$ netstat -rC
Kernel IP routing cache
Source Destination Gateway Flags MSS Window irtt Iface
192.168.1.1 all-systems.mca all-systems.mca ml 16436 0 0 lo
raghu-Inspiron- 224.0.0.251 224.0.0.251 ml 1500 0 0 eth1
192.168.1.111 224.0.0.251 224.0.0.251 ml 16436 0 0 lo
raghu-Inspiron- 224.0.0.251 224.0.0.251 ml 1500 0 0 eth1
raghu-Inspiron- ns3.ncr.airtelb 192.168.1.1 1500 0 0 eth1
raghu-Inspiron- ns3.ncr.airtelb 192.168.1.1 1500 0 0 eth1
ns2.ncr.airtelb raghu-Inspiron- raghu-Inspiron- l 16436 0 0 lo
ns3.ncr.airtelb raghu-Inspiron- raghu-Inspiron- l 16436 0 0 lo
192.168.1.111 224.0.0.251 224.0.0.251 ml 16436 0 0 lo
raghu-Inspiron- ns2.ncr.airtelb 192.168.1.1 1500 0 0 eth1

3. Interface table.

The kernel interface table is displayed using "netstat -i".

$ netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 0 0 0 0 0 0 0 0 BMU
eth1 1500 0 8789 0 0 0 8521 16 0 0 BMRU
lo 16436 0 42 0 0 0 42 0 0 0 LRU

The extended interface table can be displayed using the -e option. The output is similar to that of the "ifconfig" command.

$ netstat -ie
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 00:23:ae:43:c8:07
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:44 Base address:0x8000

eth1 Link encap:Ethernet HWaddr 00:26:5e:45:48:21
inet addr:192.168.1.5 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::226:5eff:fe45:4821/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8895 errors:0 dropped:0 overruns:0 frame:2846
TX packets:8554 errors:16 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5671156 (5.6 MB) TX bytes:1250036 (1.2 MB)
Interrupt:17 Base address:0xc000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:42 errors:0 dropped:0 overruns:0 frame:0
TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2260 (2.2 KB) TX bytes:2260 (2.2 KB)

4. Summary statistics.

With the -s option, summary statistics for each protocol are printed.

$ netstat -s
Ip:
8986 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
8975 incoming packets delivered
8021 requests sent out
Icmp:
7 ICMP messages received
1 input ICMP message failed.
ICMP input histogram:
destination unreachable: 1
echo replies: 6
7 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 1
echo request: 4
IcmpMsg:
InType0: 6
InType3: 1
OutType3: 1
OutType8: 4
OutType69: 2
Tcp:
416 active connections openings
0 passive connection openings
21 failed connection attempts
18 connection resets received
0 connections established
7768 segments received
6378 segments send out
51 segments retransmited
0 bad segments received.
91 resets sent
Udp:
370 packets received
1 packets to unknown port received.
0 packet receive errors
388 packets sent
UdpLite:
TcpExt:
170 TCP sockets finished time wait in fast timer
234 delayed acks sent
Quick ack mode was activated 45 times
3722 packet headers predicted
1128 acknowledgments not containing data payload received
108 predicted acknowledgments
15 congestion windows recovered without slow start after partial ack
29 other TCP timeouts
33 DSACKs sent for old packets
6 DSACKs received
9 connections reset due to unexpected data
13 connections reset due to early user close
1 connections aborted due to timeout
IPReversePathFilter: 1
IpExt:
InMcastPkts: 780
OutMcastPkts: 212
InBcastPkts: 76
InOctets: 5552088
OutOctets: 1046184
InMcastOctets: 26911
OutMcastOctets: 10458
InBcastOctets: 10625

5. Multicast group membership.

Information about multicast group membership for IPv4 and IPv6 is displayed with the -g option.

$ netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
eth0 1 all-systems.mcast.net
eth1 1 224.0.0.251
eth1 1 all-systems.mcast.net
lo 1 ip6-allnodes
eth0 1 ip6-allnodes
eth1 1 ff02::fb%5407002
eth1 1 ff02::1:ff45:4821%5407002
eth1 1 ip6-allnodes
vboxnet0 1 ip6-allnodes

6. States in netstat.

According to the netstat manual page, the socket states are as follows.

ESTABLISHED
The socket has an established connection.

SYN_SENT
The socket is actively attempting to establish a connection.

SYN_RECV
A connection request has been received from the network.

FIN_WAIT1
The socket is closed, and the connection is shutting down.

FIN_WAIT2
Connection is closed, and the socket is waiting for a shutdown from the remote end.

TIME_WAIT
The socket is waiting after close to handle packets still in the network.

CLOSE
The socket is not being used.

CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.

LAST_ACK
The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

LISTEN
The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.

CLOSING
Both sockets are shut down but we still don't have all our data sent.

UNKNOWN
The state of the socket is unknown.

These states are important. Some of them are used in the following commands.

7. Listening sockets.

The listening sockets are not displayed by default. To display only listening sockets, use -l option.

$ netstat -l | head -25
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:dict *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
udp 0 0 *:bootpc *:*
udp 0 0 *:mdns *:*
udp 0 0 *:53504 *:*
udp6 0 0 [::]:54960 [::]:*
udp6 0 0 [::]:mdns [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 7689 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 81118 /tmp/orbit-raghu/linc-df3-0-5d78f656e0ace
unix 2 [ ACC ] STREAM LISTENING 81109 /tmp/gedit.raghu.3635333719
unix 2 [ ACC ] STREAM LISTENING 7828 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 9521 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 6826 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 8508 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 96143 /tmp/orbit-raghu/linc-e64-0-71c9ef94bd011
unix 2 [ ACC ] STREAM LISTENING 11775 /tmp/keyring-HuNvqR/ssh
unix 2 [ ACC ] STREAM LISTENING 7827 @/tmp/.X11-unix/X0

8. Display all sockets.

To display all sockets, i.e. listening as well as non-listening sockets, -a option is used. When this option is used, first all listening, and then other sockets are displayed.

The -t or --tcp option displays only tcp sockets/connections, and similarly -u and --udp are used for udp connections.

$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:dict *:* LISTEN
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:1234 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN

You can also see which program and PID own each of these sockets using the -p option.

$ netstat -atp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:dict *:* LISTEN 944/0
tcp 0 0 localhost:mysql *:* LISTEN 993/mysqld
tcp 0 0 *:1234 *:* LISTEN 3848/nc
tcp 0 0 *:ssh *:* LISTEN 768/sshd
tcp 0 0 localhost:ipp *:* LISTEN 1225/cupsd
tcp6 0 0 [::]:ssh [::]:* LISTEN 768/sshd
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN 1225/cupsd

9. Netstat command to find open ports.

$ netstat --listen

10. Find application using your port.

$ netstat -nlp

All or some of the options described here can be combined with other options to get the desired outputs. The filters like grep are very useful for extracting useful and specific information about sockets.
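As an added example (not part of the original article), the filter below goes one step beyond "netstat -nlp": it reports TCP listeners bound to every interface (0.0.0.0 or ::) whose port is not on an expected list. The sample input is constructed, modelled on the output shown above, and the function names and the allowlist are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (run as root on a real
# system so the PID/Program name column is filled in).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      993/mysqld
tcp        0      0 0.0.0.0:1234            0.0.0.0:*               LISTEN      3848/nc
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      768/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1225/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      768/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1225/cupsd
EOF
}

# Reads `netstat -tlnp` output on stdin. Prints "proto port program" for
# each listener bound to all interfaces whose port is not in the
# space-separated allowlist passed as $1 (hypothetical policy input).
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if ((host == "0.0.0.0" || host == "::") && !(port in ok))
                print $1, port, $7
        }'
}

# Only ssh (22) is expected to be reachable from the network here.
sample_listeners | unexpected_listeners "22"
```

On a live system, replace the sample with "netstat -tlnp | unexpected_listeners "22 443"" (run as root); loopback-only services such as mysqld and cupsd in the sample are not reported.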

Some miscellaneous examples for daily use.

1. Number of connections per connection state.

This is useful for finding out whether your server is under attack.

$ netstat -nat | grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n

15 CLOSE_WAIT
37 LAST_ACK
64 FIN_WAIT_1
65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

2. Find information about a specific IP address.

$ netstat -nat | grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

2 LAST_ACK
2 LISTEN
4 FIN_WAIT1
14 ESTABLISHED
91 TIME_WAIT
130 FIN_WAIT2

Example:

$ netstat -nat | grep 174.84.2.40 | awk '{print $6}' | sort | uniq -c | sort -n

15 CLOSE_WAIT
37 LAST_ACK
64 FIN_WAIT_1
65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

3. Get a list of all unique IP addresses.

To print a list of all unique IP addresses connected to the server:

$ netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq

To print the total number of unique IP addresses:

$ netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
449

4. Netstat command to check for a DDoS attack.

Display the list of open connections on your box, counted per IP address and sorted by that count:

$ netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n

1 10.0.77.52
2 10.1.11.3
4 12.109.42.21
6 12.191.136.3
…..

….
13 202.155.209.202
18 208.67.222.222
28 0.0.0.0
233 127.0.0.1
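The pipelines above count the netstat header lines as if they were addresses, and "cut -d: -f1" truncates IPv6 addresses at the first colon. The following is an added example (not from the original article) that does the same per-address and per-state counting for TCP while skipping headers and LISTEN rows and stripping only the trailing port; the sample input is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `netstat -ant` output (documentation address ranges).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51234      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51235      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51236      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:40000       TIME_WAIT
tcp6       0      0 2001:db8::10:80         2001:db8::99:41000      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

# Reads `netstat -ant` output on stdin; prints "count address" for every
# remote peer, smallest count first. Header and LISTEN rows are ignored.
conns_per_ip() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
             addr = $5
             sub(/:[^:]*$/, "", addr)   # drop only the trailing :port
             n[addr]++
         }
         END { for (a in n) print n[a], a }' | sort -n
}

# Same input; prints "count state" for one remote address given as $1.
# The address is compared exactly, not as a grep substring pattern.
states_for_ip() {
    awk -v ip="$1" '$1 ~ /^tcp/ {
             addr = $5
             sub(/:[^:]*$/, "", addr)
             if (addr == ip) s[$6]++
         }
         END { for (k in s) print s[k], k }' | sort -n
}

sample_netstat | conns_per_ip
sample_netstat | states_for_ip 198.51.100.7
```

On a live system, feed the functions real data with "netstat -ant | conns_per_ip"; a single peer holding many SYN_RECV or ESTABLISHED entries stands out at the bottom of the list.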
