Learning Linux Commands: netstat

Introduction

The netstat command reveals the network status of your system. It allows a system administrator to keep track of network connections by querying their status, origin and destination.

Furthermore, netstat is an all-in-one network monitoring tool, as it can also display routing tables, interface statistics, masquerade connections and multicast memberships. The ss command is the future successor of the netstat command.

Frequently used options

Option    Description
-i        Display table of network interfaces
-a        Show both listening and non-listening sockets
-e        Display additional information
-l        Show only listening sockets
-s        Display summary statistics for each protocol
-t        Display TCP connections only
-n        Show numerical addresses instead of trying to determine symbolic host, port or user names

Usage

The following lines will get you up to speed with some of the most popular netstat command line options.

Most of netstat's functions require administrative privileges:

$ su
Password:
# netstat

Executing the netstat command without any options or arguments displays all existing connections, including their state, source address and local address. Additionally, active UNIX domain sockets and relevant information such as inode number and full path are part of netstat's default network report.

The -i option brings up a table listing all configured network interfaces on the system:

# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0   1500        0      0      0 0             0      0      0      0 BMU
enp0s25   1500      148      0      0 0             1      0      0      0 BMU
lo       65536     4752      0      0 0          4752      0      0      0 LRU
wlp3s0    1500   148377      0      1 0        135793      0      0      0 BMRU

If you prefer ifconfig's format for listing all active network interfaces, # netstat -ei produces identical output.

Two other useful netstat command line options are -l and -t, which together display all currently listening TCP sockets, that is, all sockets in the LISTEN state. These options may prove useful when hardening a server or configuring a firewall. Alternatively, add the -u option to also include UDP sockets:

#  netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ftp-data        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN 

The above command showed local sockets, e.g. localhost:smtp, with human-readable host and service names. With the -n option this name resolution is suppressed and numeric addresses and ports are shown instead. Compare the netstat output below with the one above:

#  netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:20              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN

As already mentioned above, the -l option only shows connections with the status "LISTEN". The following netstat command shows all active TCP connections regardless of their status. To further enhance the above netstat output, the -p option can be used to show the program bound to any particular socket. This information may be useful to further harden your server and disable any unnecessary services. To demonstrate what the -p option is capable of, first open e.g. port 20 for listening with netcat, then list all connections in the "LISTEN" state along with their programs:

# netcat -l -p 20 &
[1] 8941
# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2891/nginx: master  
tcp        0      0 0.0.0.0:20              0.0.0.0:*               LISTEN      8941/netcat         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      518/sshd            
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      472/cupsd           
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2891/nginx: master  
tcp6       0      0 :::22                   :::*                    LISTEN      518/sshd            
tcp6       0      0 ::1:631                 :::*                    LISTEN      472/cupsd  

Note that on the second line, with socket 0.0.0.0:20, the netstat command also revealed the program and PID bound to this socket, which in this case is netcat with PID 8941.

Using the -a option one can monitor the entire TCP connection handshake, especially when coupled with the -c option for continuous monitoring.
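
As an added example (not part of the original article), the shell function below applies the hardening use of -l and -p described above: it reads netstat -tlnp output and reports every TCP listener bound to all interfaces whose port is not on an approved list. The function name audit_listeners, the allowed-port list and the embedded sample (constructed from the output shown above) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable on every interface that are
# not on an approved port list. Function and variable names are hypothetical.

# Constructed sample, copied from the `netstat -tlnp` output shown above.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2891/nginx: master
tcp        0      0 0.0.0.0:20              0.0.0.0:*               LISTEN      8941/netcat
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      518/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      472/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2891/nginx: master
tcp6       0      0 :::22                   :::*                    LISTEN      518/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      472/cupsd'

# audit_listeners "<allowed ports, space separated>"
# Reads `netstat -tlnp` output on stdin and prints "proto port pid/program"
# for each wildcard-bound listener whose port is not allowed.
audit_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            # 0.0.0.0 and :: mean "every interface"; loopback binds are skipped.
            if (host != "0.0.0.0" && host != "::") next
            if (port in ok) next
            prog = $7
            for (i = 8; i <= NF; i++) prog = prog " " $i   # names may contain spaces
            print $1, port, prog
        }'
}

# Demo on the constructed sample; prints: tcp 20 8941/netcat
printf '%s\n' "$SAMPLE" | audit_listeners "22 80 443"

# Live use (as root, so -p can resolve every PID):
#   netstat -tlnp | audit_listeners "22 80 443"
```

The -n option matters here: without it netstat prints service names such as ftp-data instead of port numbers, and the comparison against the allowed ports would not match.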

# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:20              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        1      0 10.1.1.8:36576          10.1.1.45:443       CLOSE_WAIT 
tcp        0      0 10.1.1.8:60186          10.1.1.11:443           ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:631                 :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN 

The netstat command has a large number of options at your disposal. The last two common options covered in this guide are -r and -s. The first option, -r, displays the system's current routing table.

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         gateway         0.0.0.0         UG        0 0          0 wlp3s0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 wlp3s0
link-local      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0

Once again, the above output can be modified to suit your needs with the -e and -n command line options. The last option, -s, shows detailed statistics:

# netstat -s

Examples

Command                         Description
# netstat -st                   Show a TCP protocol specific summary
# netstat -r                    Display routing table
# netstat -ie                   The equivalent of the default ifconfig command to list all active network interfaces
# netstat -antc                 Continuously monitor all TCP connections. Use -u for UDP.
# netstat -ltp                  Display all open TCP ports along with PID and program
# netstat -atep | grep ssh      Show all SSH connections along with user name, program and corresponding PID
# netstat -atnep | grep 443     Show all connections on port 443 along with user ID, program and corresponding PID
# netstat -s -w                 Display raw network statistics
