Linux Netstat Commands with Basic and Advanced Examples

Netstat is a command line tool that is used to view and monitor network statistics and configurations of a system. This tool is available on both Unix, Linux and Windows NT-based operating systems.

Below are some of the activities that can be carried out using this tool

  • View network connections
  • View routing tables
  • View network interface statistics
  • View masquerade connections
  • View multicast memberships

Netstat is a very powerful tool that can be used for network troubleshooting and network performance measuring purposes. The complete list of activities that can be carried using this tool can be viewed using man command in Unix based systems. (Sample usage of man command is given at the bottom of the page)

This article shows some of the common and important usages of netstat commands with examples and proper explanations, which may come in handy for daily operations.

Below are some of the basic commands of netstat tool

1) Listing all the sockets

This displays details of all the sockets, including open and close sockets in the following format
Proto - Protocol
RefCnt - Reference Count : number of attached processes connected via this socket
Flags - Flag type
Type – Network socket type
State - State of the socket
I-Node - Inode of the socket
Path - Path of the socket

Command : netstat -a
Sample output :

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     15365    /var/run/docker.sock
unix  2      [ ACC ]     STREAM     LISTENING     22352    @/tmp/.ICE-unix/4060
unix  2      [ ACC ]     STREAM     LISTENING     10523    /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     21843    /tmp/ssh-8rfNCLtCuWbJ/agent.4000
unix  2      [ ACC ]     STREAM     LISTENING     13073    /var/run/samba/winbindd/pipe

2) Listing all TCP port connections

This displays details of all the TCP sockets, including open and close sockets in the same format.

Command : netstat -at
Sample output :

Active Internet connections (servers and established)
Proto  Recv-Q    Send-Q    Local Address        Foreign Address              State
tcp  	0           0       localhost:ipp           *:*                      	LISTEN
tcp     0           0       *:microsoft-ds          *:*                         LISTEN
tcp     0           0       *:netbios-ssn           *:*                         LISTEN
tcp     0           0       ubuntu:domain           *:*                         LISTEN
tcp6    0           0       ip6-localhost:ipp       [::]:*                      LISTEN
tcp6    0           0       [::]:microsoft-ds       [::]:*                      LISTEN
tcp6    0           0       [::]:netbios-ssn        [::]:*                      LISTEN
tcp6    1           0       ip6-localhost:34871     ip6-localhost:ipp     	CLOSE_WAIT

3) Listing all UDP port connections

This displays details of all the UDP sockets, including open and close sockets in the same format.
Command : netstat -au
Sample Output :

Active Internet connections (servers and established)
Proto    Recv-Q    Send-Q     Local Address                     Foreign Address     State
udp         0       0              *:59865                          *:*
udp         0       0              ubuntu:domain                    *:*
udp         0       0              *:bootpc                         *:*
udp         0       0              *:32333                          *:*
udp         0       0              *:ipp                            *:*
udp         0       0              192.168.64.2:netbios-ns     	    *:*
udp         0       0              192.168.64.1:netbios-ns     	    *:*
udp         0       0              172.17.255.2:netbios-ns          *:*
udp         0       0              172.17.0.1:netbios-ns            *:*

4) Listing all connections in ‘LISTEN’ state

This displays details of all the listening sockets in the same format.
Command : netstat -l
Sample output :

Proto  Recv-Q    Send-Q    Local Address              Foreign Address     State
tcp   	0           0       	localhost:ipp          	*:*                 LISTEN
tcp     0           0           *:microsoft-ds          *:*                 LISTEN
tcp     0           0           *:netbios-ssn           *:*                 LISTEN
tcp     0           0           ubuntu:domain           *:*                 LISTEN
tcp6    0           0           ip6-localhost:ipp       [::]:*              LISTEN
tcp6    0           0           [::]:microsoft-ds       [::]:*              LISTEN
tcp6    0           0           [::]:netbios-ssn        [::]:*              LISTEN

5) Display the routing table

This prints out kernel routing information in below format
Destination - Destination Address
Gateway – Gateway Address
Genmask - Netmask corresponding to the network
Flag - To provide specific information about the route (U-route is up , G - Communication for this network should be sent via the gateway)
MSS – Maximum Segment size
Window – TCP Window size
Irtt – Initial round trip time
Iface – Interface
Command : netstat -r
Sample Output :

Kernel IP routing table
Destination    Gateway           Genmask          Flags    MSS     Window  irtt    Iface
default       	192.168.64.2        0.0.0.0         UG      0       0       0       eth0
172.17.0.0      *                   255.255.0.0     U       0       0       0       docker0
192.168.64.0  	*                   255.255.255.0   U       0       0       0       eth0

6) Display network interfaces

This prints out information about network interfaces in following format
Iface – Interface
MTU – Maximum Transmission Unit
Met – Metric value for the interface
RX-OK - Number of error free packets received
RX-ERR – Number of packets received with errors
RX-DRP – Number of dropped packets when receiving
RX-OVR – Number of packets lost due to the overflow when receiving
TX-OK - Number of error free packets transmitted
RX-ERR – Number of transmitted packets with errors
RX-DRP – Number of dropped packets when transmitting
RX-OVR – Number of packets lost due to the overflow when transmitting
Flg – Flag
Command : netstat -i
Sample Output :

Kernel Interface table
Iface   MTU    Met RX-OK   RX-ERR  RX-DRP  RX-OVR  TX-OK   TX-ERR  TX-DRP  TX-OVR  Flg
docker0	 1500 	0   0       0       0       0       0       0       0       0       BMU
eth0     1500   0   36774   0       0       0       20917   0       0       0       BMRU
lo       65536  0   7246    0       0       0       7246    0       0       0       LRU

7) Continuous monitoring

This command outputs socket connections continuously, so this is useful for continuous network monitoring
Command : netstat -c
Sample output :

unix 3 [ ] STREAM CONNECTED 24655
unix 3 [ ] STREAM CONNECTED 22456
unix 3 [ ] STREAM CONNECTED 22227 @/tmp/.X11-unix/X0
unix 2 [ ] DGRAM            16819
unix 3 [ ] STREAM CONNECTED 13848 /var/run/dbus/system_bus_socket

8) Display multicast group information

This displays multicast group information for both IPV4 and IPV6 in following format
Interface - Network interface
RefCnt – Reference Count : number of attached processes connected via this socket
Group – Multicast group
Command : netstat -g
Sample output :

IPv6/IPv4 Group Memberships
Interface       RefCnt     Group
--------------- ------ ---------------------
lo           	1    	    all-systems.mcast.net
eth0            1           224.0.0.251
eth0            1           all-systems.mcast.net
docker0       	1           224.0.0.251
docker0       	1           all-systems.mcast.net
lo              1           ip6-allnodes
lo              1           ff01::1
eth0            1           ff02::fb
eth0            1           ff02::1:ff6a:275b
eth0            1           ip6-allnodes
eth0            1           ff01::1
docker0       	1           ip6-allnodes
docker0       	1           ff01::1

Below are some of bit more advanced and miscellaneous commands of netstat tool

9) Listing active connection on a given port

Following command displays details about connections established through the port 80. These details include protocol , source and destination addresses and the connection status.
Command : netstat -anp | grep :80 | grep ESTABLISHED
Sample output :

tcp 0 0 192.168.64.129:51548 74.125.204.106:80  ESTABLISHED 8418/firefox
tcp 0 0 192.168.64.129:44365 172.217.194.101:80 ESTABLISHED 8418/firefox
tcp 0 0 192.168.64.129:51547 74.125.204.106:80  ESTABLISHED 8418/firefox

10) List number of different connection types

Following command displays the number connections of different types of state that is in the machine sorted in ascending order
Command : netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n
Sample Output :

1 CLOSE_WAIT
1 established)
1 Foreign
7 LISTEN

11) Display services listening to a given port

This shows details on the services listening to the port 53 , such as the process id of the service and service name
Command : netstat -ltnp | grep ':53'
Sample output :

tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN 1488/dnsmasq

12) List Non supportive address families

At the bottom of the output of the following command, details on the non-supportive address families in the machine is displayed.
Command : netstat --verbose
Sample output :

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

13) Find out on which port a service is running

This is used to find out the details of the ports that ‘SSH’ service is listening to along with details on the ssh service itself
Command : netstat -ap | grep ssh
Sample output :

unix 2 [ ACC ] STREAM LISTENING 21843 4004/ssh-agent /tmp/ssh-8rfNCLtCuWbJ/agent.4000
unix 2 [ ACC ] STREAM LISTENING 22603 3927/gnome-keyring- /run/user/1000/keyring-SC0TKd/ssh

'man Netstat' Command

  • man command is used to view the manual page of a command and here it displays the manual page of the netstat command. It list out all the usage options that are available for this command with explanations and example.
    Command : man netstat
    Sample output :

    DESCRIPTION
           Netstat  prints  information about the Linux networking subsystem.  The
           type of information printed is controlled by  the  first  argument,  as
           follows:
    
       (none)
           By  default,  netstat  displays  a  list of open sockets.  If you don't
           specify any address families, then the active sockets of all configured
           address families will be printed.
    
       --route , -r
           Display  the kernel routing tables. See the description in route(8) for
           details.  netstat -r and route -e produce the same output.
    
       --groups , -g
           Display multicast group membership information for IPv4 and IPv6.
    
       --interfaces, -i
           Display a table of all network interfaces.
    
       --masquerade , -M
           Display a list of masqueraded connections.
    
       --statistics , -s
           Display summary statistics for each protocol.

Read Also :

Nishali Wijesinghe 12:05 am

About Nishali Wijesinghe

Nishali is a Linux enthusiastic who works as a Linux System Engineer with 4+ years experience in this field. She is interested in Information Security and Linux Administration and also learning about new technologies.

Author Archive Page

Have anything to say?

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.