Introduction
Netstat is a command line network statistics tool that is used for checking your network configuration and activity.
It displays both incoming and outgoing network connections, routing tables, network interface and network protocol statistics.
It is available on Unix-like operating systems such as Linux, Solaris and BSD, and on Windows operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. Netstat is a very useful tool for network administrators: it helps troubleshoot network-related problems and shows how much traffic the system is handling, which serves as a performance measurement.
Netstat provides the following statistics:
- The name of the protocol (TCP or UDP).
- The IP address and port number of the local system (or its hostname and the port's service name when names are resolved).
- The IP address and port number of the remote system the socket is connected to.
- The connection state, such as CLOSE_WAIT, ESTABLISHED, CLOSED, FIN_WAIT_1, FIN_WAIT_2, LISTEN, SYN_RECEIVED, SYN_SENT, LAST_ACK, and TIME_WAIT.
In this tutorial, we will learn some useful netstat command line tips and tricks.
Requirements
Any Linux based operating system installed on your computer or server.
Netstat Help
To list all available switches of the netstat command, run the following command:
netstat -h
Output:
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cWnNe] -M | -s }
-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections
-v, --verbose be verbose
-W, --wide don't truncate IP addresses
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing
-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)
List All TCP and UDP Connections
To list out only tcp connections, run:
netstat -at
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 Node1.mshome.net:ssh Vyom-PC.mshome.ne:36405 ESTABLISHED
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
tcp6 0 0 [::]:36351 [::]:* LISTEN
tcp6 0 0 [::]:2181 [::]:* LISTEN
Similarly, use the following command to list all UDP connections:
netstat -au
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:16305 *:*
udp 0 0 *:bootpc *:*
udp6 0 0 [::]:60495 [::]:*
List All Connections
To list all current TCP and UDP connections, run the following command:
netstat -a
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 Node1.mshome.net:ssh Vyom-PC.mshome.ne:36405 ESTABLISHED
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
tcp6 0 0 [::]:36351 [::]:* LISTEN
tcp6 0 0 [::]:2181 [::]:* LISTEN
udp 0 0 *:16305 *:*
udp 0 0 *:bootpc *:*
udp6 0 0 [::]:60495 [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 7945 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] SEQPACKET LISTENING 7480 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 9796 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 7146 @/com/ubuntu/upstart
unix 7 [ ] DGRAM 8099 /dev/log
unix 2 [ ACC ] STREAM LISTENING 9126 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 9531 flaskproject.sock
The above command shows all sockets regardless of protocol: TCP, UDP and Unix domain sockets.
List All Listening Ports
To list all listening ports, run the following command:
netstat -l
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
tcp6 0 0 [::]:36351 [::]:* LISTEN
tcp6 0 0 [::]:2181 [::]:* LISTEN
udp 0 0 *:16305 *:*
udp 0 0 *:bootpc *:*
udp6 0 0 [::]:60495 [::]:*
List All TCP Listening Ports
To list only TCP listening ports, run the following command:
netstat -lt
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 localhost:9200 [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 localhost:9300 [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 [::]:https [::]:* LISTEN
tcp6 0 0 [::]:36351 [::]:* LISTEN
tcp6 0 0 [::]:2181 [::]:* LISTEN
List All UDP Listening Ports
To list only UDP listening ports, run the following command:
netstat -lu
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 *:16305 *:*
udp 0 0 *:bootpc *:*
udp6 0 0 [::]:60495 [::]:*
List All Listening Unix Sockets
You can list all listening Unix domain sockets by running the following command:
netstat -lx
Output:
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 7945 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] SEQPACKET LISTENING 7480 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 9796 /var/run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 7146 @/com/ubuntu/upstart
unix 2 [ ACC ] STREAM LISTENING 9126 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 9531 flaskproject.sock
Display Network Information
You can print information about the network interfaces by running the following command:
netstat -i
Output:
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 0 1051 0 0 0 649 0 0 0 BMRU
lo 65536 0 65 0 0 0 65 0 0 0 LRU
The above command displays the interface table in a compact, raw format. To get more detail about each interface, run the following command:
netstat -ie
Output:
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 08:00:27:6c:2d:a6
inet addr:192.168.137.91 Bcast:192.168.137.255 Mask:255.255.255.0
inet6 addr: fe80::a00:27ff:fe6c:2da6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:573 errors:0 dropped:0 overruns:0 frame:0
TX packets:403 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:56080 (56.0 KB) TX bytes:62412 (62.4 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:65 errors:0 dropped:0 overruns:0 frame:0
TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6364 (6.3 KB) TX bytes:6364 (6.3 KB)
Display Raw Network Statistics
You can use the following command to display the raw network statistics:
netstat --statistics --raw
Output:
Ip:
72893 total packets received
0 forwarded
0 incoming packets discarded
72888 incoming packets delivered
83458 requests sent out
8 outgoing packets dropped
16 dropped because of missing route
Icmp:
493 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 493
927 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 927
IcmpMsg:
InType3: 493
OutType3: 927
UdpLite:
IpExt:
InNoRoutes: 4
InMcastPkts: 161
OutMcastPkts: 177
InBcastPkts: 366
OutBcastPkts: 355
InOctets: 36976311
OutOctets: 10651904
InMcastOctets: 21555
OutMcastOctets: 22195
InBcastOctets: 60984
OutBcastOctets: 57358
InNoECTPkts: 72893
Display IPv4 and IPv6 Multicast Group Memberships
To display the IPv4 and IPv6 multicast group memberships of each interface, run the following command:
netstat -g
Output:
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
eth0 1 all-systems.mcast.net
lo 1 ip6-allnodes
lo 1 ff01::1
eth0 1 ff02::1:ff6c:2da6
eth0 1 ip6-allnodes
eth0 1 ff01::1
Print Netstat Information Continuously
To print the netstat output continuously, refreshing until you interrupt it, run the following command:
netstat -c
Output:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 Node1.mshome.net:ssh Vyom-PC.mshome.ne:36405 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 7 [ ] DGRAM 8099 /dev/log
unix 3 [ ] STREAM CONNECTED 7464 @/com/ubuntu/upstart
unix 3 [ ] DGRAM 7520
unix 3 [ ] DGRAM 7519
unix 2 [ ] STREAM CONNECTED 10686
unix 3 [ ] STREAM CONNECTED 8526 @/com/ubuntu/upstart
unix 2 [ ] DGRAM 9115
unix 3 [ ] STREAM CONNECTED 8003 @/com/ubuntu/upstart
unix 2 [ ] DGRAM 8259
unix 3 [ ] STREAM CONNECTED 7923
unix 2 [ ] DGRAM 11466
unix 3 [ ] STREAM CONNECTED 8004
unix 3 [ ] STREAM CONNECTED 8279 /var/run/dbus/system_bus_socket
unix 2 [ ] STREAM CONNECTED 10008
unix 3 [ ] STREAM CONNECTED 7459
unix 2 [ ] DGRAM 11060
unix 2 [ ] STREAM CONNECTED 10966
unix 3 [ ] STREAM CONNECTED 8413
unix 2 [ ] DGRAM 11176
unix 3 [ ] STREAM CONNECTED 7962
unix 3 [ ] STREAM CONNECTED 7963
unix 3 [ ] STREAM CONNECTED 8005 /var/run/dbus/system_bus_socket
unix 2 [ ] STREAM CONNECTED 9799
unix 3 [ ] STREAM CONNECTED 8278
List Process Name, PID and User ID
To see the process name and PID that has opened each port or connection, run the following command:
netstat -nlpt
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1158/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 859/sshd
tcp6 0 0 ::1:9200 :::* LISTEN 1610/java
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 1610/java
tcp6 0 0 :::80 :::* LISTEN 1966/apache2
tcp6 0 0 ::1:9300 :::* LISTEN 1610/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 1610/java
tcp6 0 0 :::22 :::* LISTEN 859/sshd
tcp6 0 0 :::443 :::* LISTEN 1966/apache2
tcp6 0 0 :::36351 :::* LISTEN 857/java
tcp6 0 0 :::2181 :::* LISTEN 857/java
You can also list the process name together with the owning user by running the following command:
netstat -ltpe
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 localhost:mysql *:* LISTEN mysql 9795 1158/mysqld
tcp 0 0 *:ssh *:* LISTEN root 9183 859/sshd
tcp6 0 0 localhost:9200 [::]:* LISTEN elasticsearch 11013 1610/java
tcp6 0 0 localhost:9200 [::]:* LISTEN elasticsearch 11012 1610/java
tcp6 0 0 [::]:http [::]:* LISTEN root 10775 1966/apache2
tcp6 0 0 localhost:9300 [::]:* LISTEN elasticsearch 10968 1610/java
tcp6 0 0 localhost:9300 [::]:* LISTEN elasticsearch 10965 1610/java
tcp6 0 0 [::]:ssh [::]:* LISTEN root 9190 859/sshd
tcp6 0 0 [::]:https [::]:* LISTEN root 10779 1966/apache2
tcp6 0 0 [::]:36351 [::]:* LISTEN zookeeper 9801 857/java
tcp6 0 0 [::]:2181 [::]:* LISTEN zookeeper 10017 857/java
The above command is very useful for finding the username (uid) that owns a particular process; the output also shows the socket inode next to the PID/program name. This is a very useful command for network administrators.
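Knowing which program owns each listening socket is most useful when compared against what is expected to be listening. As an added example (not from the original tutorial), this POSIX shell script reduces `netstat -nlpt` output to address/program pairs and reports any listener missing from a baseline; the sample output and the baseline policy are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: compare `netstat -nlpt`
# output against a baseline of expected listeners and report anything else,
# so a newly exposed service or a daemon bound to all interfaces stands out.

# Constructed sample in the `netstat -nlpt` format shown above (not a capture).
SAMPLE_LISTEN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1158/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      859/sshd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2201/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1966/apache2
tcp6       0      0 :::8080                 :::*                    LISTEN      3042/java'

# Assumed baseline policy for this example, one "<bind-address>:<port> <program>"
# per line: mysqld may listen on loopback only; sshd and apache2 on any address.
BASELINE='127.0.0.1:3306 mysqld
0.0.0.0:22 sshd
:::22 sshd
:::80 apache2
:::443 apache2'

# Reduce `netstat -nlpt` lines on stdin to "<local-address> <program>". The
# PID is dropped from the PID/Program column so a restart with a new PID is
# not reported; a "-" there (netstat not run as root) shows up as unexpected.
listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {split($7, p, "/"); print $4, p[2]}'
}

# Print listeners absent from the baseline, one per line. Empty output means
# every listening socket is accounted for.
unexpected_listeners() {
    listeners | sort | while read -r addr prog; do
        printf '%s\n' "$BASELINE" | grep -qxF "$addr $prog" || echo "$addr $prog"
    done
}

# Demo on the constructed sample; on a live host pipe `sudo netstat -nlpt` in.
printf '%s\n' "$SAMPLE_LISTEN" | unexpected_listeners
```

On the sample this reports the mysqld instance bound to 0.0.0.0 and the java listener on 8080, both of which the baseline does not allow.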
Disable Reverse DNS Lookup for Faster Output
When you run the netstat command, it tries to resolve the hostname of each IP address in a connection with a reverse DNS lookup, which slows down the output.
If you only need the IP addresses, skip the hostname lookup by running the following command:
netstat -ant
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 192.168.137.91:22 192.168.137.130:36405 ESTABLISHED
tcp6 0 0 ::1:9200 :::* LISTEN
tcp6 0 0 127.0.0.1:9200 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 ::1:9300 :::* LISTEN
tcp6 0 0 127.0.0.1:9300 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::36351 :::* LISTEN
tcp6 0 0 :::2181 :::* LISTEN
Verify DDoS Attacks
To display all active internet connections to the server, run the following command:
netstat -na
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN
tcp 0 0 10.0.3.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 181 192.168.43.4:51550 74.125.200.105:443 ESTABLISHED
tcp 0 0 192.168.137.130:48314 162.243.43.181:80 ESTABLISHED
tcp 0 0 192.168.137.130:48307 162.243.43.181:80 ESTABLISHED
tcp 0 0 192.168.137.130:48311 162.243.43.181:80 TIME_WAIT
tcp 0 3130 192.168.43.4:33282 74.125.200.94:443 FIN_WAIT1
tcp 0 354 192.168.137.130:46685 52.84.105.226:80 ESTABLISHED
tcp 0 0 192.168.137.130:33093 75.126.153.202:80 ESTABLISHED
tcp 0 0 192.168.137.130:33101 75.126.153.202:80 ESTABLISHED
tcp 0 1 192.168.137.130:52242 74.125.130.95:80 FIN_WAIT1
tcp 0 0 192.168.137.130:48308 162.243.43.181:80 ESTABLISHED
tcp 0 0 192.168.137.130:50452 192.0.73.2:80 TIME_WAIT
tcp 0 0 192.168.137.130:33076 75.126.153.202:80 TIME_WAIT
tcp 0 0 192.168.137.130:52236 74.125.130.95:80 ESTABLISHED
tcp 0 178 192.168.43.4:51551 74.125.200.105:443 FIN_WAIT1
tcp 0 1 192.168.43.4:52630 162.243.43.181:80 LAST_ACK
tcp 0 1 192.168.43.4:52623 162.243.43.181:80 LAST_ACK
tcp 0 0 192.168.137.130:48315 162.243.43.181:80 ESTABLISHED
tcp 0 0 192.168.137.130:33079 75.126.153.202:80 TIME_WAIT
tcp 0 1 192.168.137.130:52241 74.125.130.95:80 FIN_WAIT1
tcp 0 0 192.168.137.130:33077 75.126.153.202:80 TIME_WAIT
tcp 0 1 192.168.137.130:33098 75.126.153.202:80 FIN_WAIT1
tcp 0 0 192.168.137.130:48320 162.243.43.181:80 ESTABLISHED
tcp 0 0 192.168.137.130:48318 162.243.43.181:80 ESTABLISHED
tcp 0 0 192.168.137.130:52237 74.125.130.95:80 ESTABLISHED
tcp 0 1 192.168.137.130:33096 75.126.153.202:80 FIN_WAIT1
tcp 0 0 192.168.137.130:49134 216.58.199.163:80 TIME_WAIT
tcp 0 480 192.168.43.4:52622 162.243.43.181:80 FIN_WAIT1
tcp 0 1 192.168.137.130:52238 74.125.130.95:80 FIN_WAIT1
tcp 0 0 192.168.137.130:50459 192.0.73.2:80 TIME_WAIT
tcp 0 0 192.168.137.130:49135 216.58.199.163:80 TIME_WAIT
tcp 0 1 192.168.137.130:49130 216.58.199.163:80 LAST_ACK
tcp 0 1 192.168.43.4:52595 162.243.43.181:80 FIN_WAIT1
tcp 0 0 192.168.137.130:48309 162.243.43.181:80 TIME_WAIT
tcp 0 1 192.168.43.4:52626 162.243.43.181:80 LAST_ACK
tcp 0 0 192.168.137.130:46686 52.84.105.226:80 ESTABLISHED
tcp 0 1 192.168.137.130:33100 75.126.153.202:80 FIN_WAIT1
tcp 0 0 192.168.137.130:50458 192.0.73.2:80 ESTABLISHED
tcp 0 0 192.168.137.130:33078 75.126.153.202:80 ESTABLISHED
To display only active connections to the server on port 80, run the following command:
sudo netstat -an | grep :80 | sort
Output:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 1 192.168.137.130:39239 52.222.135.39:80 LAST_ACK
tcp 0 1 192.168.137.130:48354 162.243.43.181:80 LAST_ACK
tcp 0 587 192.168.137.130:33127 75.126.153.202:80 LAST_ACK
tcp6 0 0 :::80 :::* LISTEN
If you want to see which connections are currently in the SYN_REC (half-open) state on the server, run the following command:
sudo netstat -n -p | grep SYN_REC | sort -u
You can also spot a flood, which shows up as a large number of SYN_REC connections, by counting them with the following command:
sudo netstat -n -p|grep SYN_REC | wc -l
To list the unique IP addresses of the hosts sending connections (including SYN_REC ones), with a count for each, run the following command:
sudo netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
To calculate and count the number of connections each IP address makes to the server, run the following command:
sudo netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
To count the established TCP and UDP connections per remote IP, run the following command:
sudo netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
You can also list only the connections on port 80 (rather than all connections) and display the connection count for each IP by running the following command:
sudo netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1
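The pipelines above split the foreign address on the first colon, which works for IPv4 but breaks IPv6 entries such as `:::80`. As an added example (not from the original tutorial), this POSIX shell script does the same per-state and per-IP counting over a constructed `netstat -ant` sample, stripping only the trailing port; the sample data and the alert threshold are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original tutorial: count TCP connections per
# state and per remote IP from `netstat -ant` output. The port is stripped
# with sed instead of `cut -d: -f1`, because cut truncates IPv6 addresses
# such as 2001:db8::99:60000 at their first colon.

# Constructed sample of `netstat -ant` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:51001       TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::10:80         2001:db8::99:60000      ESTABLISHED'

# Remove the trailing ":port" (or ":*") from each address on stdin.
strip_port() {
    sed 's/:[0-9*]*$//'
}

# Count TCP sockets per state. Output lines: "<count> <STATE>", highest first.
count_by_state() {
    awk '$1 ~ /^tcp/ {print $6}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Count connections per remote IP, optionally limited to one state ($1,
# e.g. SYN_RECV). Listening sockets are skipped because their foreign
# address is a wildcard. Output lines: "<count> <ip>", highest first.
count_by_remote_ip() {
    awk -v st="${1:-}" \
        '$1 ~ /^tcp/ && $6 != "LISTEN" && (st == "" || $6 == st) {print $5}' \
        | strip_port | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Print remote IPs holding at least $1 half-open (SYN_RECV) connections.
# Nothing printed means no single source crossed the threshold.
syn_flood_sources() {
    count_by_remote_ip SYN_RECV | awk -v t="$1" '$1 >= t {print $2}'
}

# Demo on the constructed sample; on a live host pipe `netstat -ant` instead.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_state
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip
printf '%s\n' "$SAMPLE_NETSTAT" | syn_flood_sources 3   # threshold is illustrative
```

Matching on the awk fields rather than `grep :80` also avoids picking up unrelated ports such as 8080 when you filter by port.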