Introduction
netstat command is a useful command to reveal a network status of your system. It allows a system administrator to keep track of any network connections by querying their status, origin and destination.
Furthermore, netstat is the all-in-one networking monitoring tool as it can also be used to display route tables, interface statistics, masquerade connections, as well as multicast memberships. ss command is a future successor of the netstat command.
Frequently used options
| Option | Description |
|---|---|
| -i | Display table of network interfaces |
| -a | Show both listening and non-listening sockets |
| -e | Display additional information |
| -l | Show only listening sockets. |
| -s | Display summary statistics for each protocol. |
| -t | Display TCP connections only |
| -n | Show numerical addresses instead of trying to determine symbolic host, port or user names. |
Usage
The following lines will get you up the speed with some most popular netstat’s command line options.
For most of the functions an administrative privileges are required to execute the netstat command:
$ su Password: # netstat
Execution of the netstat command without any options or arguments displays all existing connections including their state, source address and local address. Additionally, active UNIX domain sockets and relevant information such as inode number and full path are part of the netstat’s default network reports.
The netstat’s -i option brings up a table listing all configured network interfaces on the system:
# netstat -i Kernel Interface table Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg docker0 1500 0 0 0 0 0 0 0 0 BMU enp0s25 1500 148 0 0 0 1 0 0 0 BMU lo 65536 4752 0 0 0 4752 0 0 0 LRU wlp3s0 1500 148377 0 1 0 135793 0 0 0 BMRU
In case you prefer ifconfig’s format to provide you with a list all active network interfaces, # netstat -ei can accommodate your needs with an identical output.
Another useful netstat’s command line options are -l and -t which are used displays all currently listening TCP sockets, that is to show all connections with LISTEN. This options might prove useful when performing a server hardening or firewall configuration. Alternatively add -u option to also include UDP connections:
# netstat -lt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:ftp-data 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN tcp6 0 0 [::]:ssh [::]:* LISTEN tcp6 0 0 localhost:ipp [::]:* LISTEN tcp6 0 0 localhost:smtp [::]:* LISTEN
The above command showed local sockets eg. localhost:smtp with a human readable host name and service names. Using -n option this information is suppressed while numeric information is shown instead. Compare the below netstat’s output with the one above:
# netstat -ltn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:20 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:631 :::* LISTEN tcp6 0 0 ::1:25 :::* LISTEN
As already mentioned above the -l option only shows connections with the status “LISTEN”. The following netstat command shows all active TCP connections regardless of their status. To further enhance the above netstat command output, -p option can be used to show a program bind to any particular socket. This information may be useful to further harden your server and disable any unnecessary service. To demonstrate what netcat and list all connections with the “LISTEN” state and their relevant programs:
# netcat -l -p 20 & [1] 8941 # netstat -tlnp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2891/nginx: master tcp 0 0 0.0.0.0:20 0.0.0.0:* LISTEN 8941/netcat tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 518/sshd tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 472/cupsd tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2891/nginx: master tcp6 0 0 :::22 :::* LISTEN 518/sshd tcp6 0 0 ::1:631 :::* LISTEN 472/cupsd
Note that on the second line with socket 0.0.0.0:20 the netstat command also revealed a program and PID bind to that this socket, which in this case is netcat with PID 2891.
Using the -a option one could possibly monitor the entire TCP network connection handshake especially when coupled with -c option for a continuous listening.
# netstat -ant Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:20 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN tcp 1 0 10.1.1.8:36576 10.1.1.45:443 CLOSE_WAIT tcp 0 0 10.1.1.8:60186 10.1.1.11:443 ESTABLISHED tcp6 0 0 :::22 :::* LISTEN tcp6 0 0 ::1:631 :::* LISTEN tcp6 0 0 ::1:25 :::* LISTEN
netstat command has a high number of options available to you disposal. Last two common options covered by in this guide are -r and -s. The first option -r is used to display a current system’s routing table.
# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default gateway 0.0.0.0 UG 0 0 0 wlp3s0 10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 wlp3s0 link-local 0.0.0.0 255.255.0.0 U 0 0 0 docker0 172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
Once again the above output can be modified to suit your needs by -e and -n command line options. The last -s option is used to show detailed statistics :
# netstat -s
Examples
| Command | Description |
|---|---|
| # netstat -st | Show a TCP protocol specific summary |
| # netstat -r | Display routing table |
| # netstat -ie | The equivalent to default ifconfig command to list all active network interfaces |
| # netstat -antc | Continuously monitor all TCP connection. use -u for UDP. |
| # netstat -ltp | Display all open TCP ports along with PID and program. |
| # netstat -atep | grep ssh | Show all SSH connection along with user name, program and corresponding PID. |
| # netstat -atnep | grep 443 | Show all connection on port 443 along with user ID, program and corresponding PID. |
| # netstat -s -w | Display raw network statistics |
