Linux netstat Command
The Linux netstat command is an essential tool for system administrators, network engineers, and anyone needing to track network connections and manage traffic.
It gives real-time insight into all active connections, making it invaluable for troubleshooting and monitoring network health.
With netstat, you can see details about open connections, listening ports, and routing tables, helping you quickly identify issues and manage security.
- Main Syntax of netstat command in Linux:
netstat [options][options] are flags to specify the type of information you want to retrieve.
- Using netstat command with no parameters:
netstat
When run without parameters, the Linux netstat command displays a basic overview of all active network connections, including protocol types, addresses, and connection states.
This quick summary helps monitor network activity at a glance.
Example Output
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:ssh remote.ip:49211 ESTABLISHED
tcp 0 0 opera.local:http remote.ip:65432 TIME_WAIT
udp 0 0 opera.local:domain 0.0.0.0:*
udp 0 0 opera.local:ntp 0.0.0.0:* For more focused tracking, such as finding active SSH connections, you can refer to our guide on How to Find Active SSH Connections in Linux.
Prerequisites to Use netstat command in Linux
To use Linux netstat Command and view network statistics Linux, your machine needs to meet all the below specifications:
- A Linux VPS running a compatible Linux distribution (e.g., Ubuntu, Debian, CentOS).
- A non-root user with
sudoprivileges. - Access to Terminal/Command line.
Practical Example to Understand Linux netstat Command
Let’s dive into practical examples to fully understand Linux netstat command and each option it offers.
Using the below examples help you to level up your network management skills, show how netstat allows you to monitor connections, diagnose issues, and secure your Linux server.
Also, if you are managing a server on a reliable Linux VPS platform, it’s even easier to put these techniques into action.
1. Display All Active Connections and Listening Ports
The -a option in the Linux netstat command is used to display all active connections and listening ports, both for TCP and UDP.
This allows users to monitor all open connections and see which services are listening for incoming requests, making it essential for network monitoring and security analysis.
- Syntax:
netstat -aOR
netstat --all- Example:
netstat -aOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:ssh remote.ip:49211 ESTABLISHED
tcp 0 0 opera.local:http remote.ip:65432 LISTEN
udp 0 0 opera.local:domain 0.0.0.0:*
udp 0 0 opera.local:ntp 0.0.0.0:* In this example, the -a option lists all the open TCP and UDP connections, as well as any services listening for incoming requests on specific ports.
This is vital for keeping track of network activity and troubleshooting potential issues or unauthorized access.
2. Display Active TCP Ports
The -at option in netstat shows only active TCP connections, filtering out UDP and other network activity.
This is useful for focusing specifically on TCP traffic, which is common for applications and services.
- Syntax:
netstat -atOR
netstat -a --tcp- Example:
netstat -atOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:ssh remote.ip:49211 ESTABLISHED
tcp 0 0 opera.local:http remote.ip:65432 LISTENIn this case, -at filters the output to show only TCP connections, such as an active SSH session or a listening web service.
This targeted output helps diagnose or monitor TCP-specific traffic.
3. Display Active UDP Ports
The -au option in netstat focuses on displaying active UDP connections, and filtering out TCP and other types of network activity.
This is particularly useful for monitoring UDP traffic, which is commonly used by DNS, DHCP, and real-time applications like VoIP.
- Syntax:
netstat -auOR
netstat -a --udp- Example:
netstat -auOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 opera.local:domain 0.0.0.0:*
udp 0 0 opera.local:ntp 0.0.0.0:* The -au option shows only the UDP sockets in use, such as those for DNS and NTP services.
This filtered output is vital for network troubleshooting and monitoring UDP network activity, especially in environments where UDP protocols are crucial for time-sensitive communication.
This option helps system administrators and security professionals identify open UDP ports and detect unusual traffic.
4. Display Only Listening Ports
The -l option in netstat shows all listening ports, i.e., those waiting for incoming connections.
This is essential for identifying active services on your system and ensuring that no unauthorized applications are listening on critical ports.
- Syntax:
netstat -l- Example:
netstat -lOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:ssh 0.0.0.0:*
tcp 0 0 opera.local:http 0.0.0.0:* The -l option filters the output to display only the ports in the listening state, helping network administrators and security professionals monitor which services are available to handle incoming traffic.
This is vital to network security, ensuring only expected services are active.
5. Display Listening TCP Ports
The -lt option filters the output to display only TCP listening ports on the system.
This is vital for network administrators who want to monitor TCP services that are awaiting incoming connections.
- Syntax:
netstat -lt- Example:
netstat -ltOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:ssh 0.0.0.0:*
tcp 0 0 opera.local:http 0.0.0.0:* This shows TCP listening ports, providing key insights into network services such as SSH or HTTP, crucial for server administration and security auditing.
6. Display Listening UDP Ports
The -lu option in Linux netstat command focuses on showing all UDP listening ports. This helps monitor services like DNS or NTP, which commonly use UDP for communication.
- Syntax:
netstat -lu- Example:
netstat -luOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 opera.local:domain 0.0.0.0:*
udp 0 0 opera.local:ntp 0.0.0.0:* This output highlights listening UDP ports, showing essential services like DNS and NTP, critical for network synchronization and real-time applications.
7. Display Listening Unix Domain Sockets
The -lx option displays listening Unix domain sockets, which are used for communication between processes on the same machine, rather than across a network.
- Syntax:
netstat -lx- Example:
netstat -lxOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
unix 0 0 opera.local:/var/run/dbus/system_bus_socket 0.0.0.0:* This shows Unix sockets that help local inter-process communication (IPC) on Linux systems.
8. Display Network Statistics
The -s option displays a summary of network statistics for each protocol, providing a deeper view of the overall system’s network performance and health.
- Syntax:
netstat -sOR
netstat --statistics- Example:
netstat -sOutput
Ip:
1144335 total packets received
12 with invalid addresses
1500 packets forwarded
0 incoming packets discardedThis displays network statistics, allowing you to track packet flow, errors, and protocol-specific performance metrics.
9. Display TCP Network Statistics
The -st option provides TCP-specific network statistics, which help understand the state of TCP connections and troubleshoot TCP-related issues.
- Syntax:
netstat -st- Example:
netstat -stOutput
Tcp:
199 active connections openings
159 passive connection openings
4 failed connection attemptsThis provides insight into TCP connections, allowing you to diagnose issues with network congestion or connection refusals.
10. Display UDP Network Statistics
The -su option displays UDP-specific network statistics, helping network administrators track the performance and issues related to UDP traffic.
- Syntax:
netstat -su- Example:
netstat -suOutput
Udp:
120 packets received
0 with invalid addresses
13 packets sentThis output shows UDP packet statistics, assisting in diagnosing packet loss or analyzing UDP performance.
11. Display Network Interfaces
The -i option lists all network interfaces, including their statistics such as packet count, errors, and more. This is vital for network troubleshooting.
- Syntax:
netstat -iOR
netstat --interfaces- Example:
netstat -iOutput
Iface MTU RX-OK RX-ERR TX-OK TX-ERR Coll
eth0 1500 123456 0 654321 0 0Displays the statistics of each interface, such as RX/TX packet counts, helpful for diagnosing network interface issues.
12. Display Extended Network Interface Information
The -ie option provides detailed and extended information about each network interface, including the interface name, IP address, and more.
- Syntax:
netstat -ie- Example:
netstat -ieOutput
Iface MTU RX-OK RX-ERR TX-OK TX-ERR Coll
eth0 1500 123456 0 654321 0 013. Display Memory Usage for Sockets
The -M option in Linux netstat command shows the memory usage related to network sockets, helping to monitor how much system memory is being utilized by the network stack.
- Syntax:
netstat -M- Example:
netstat -MOutput
Memory usage by sockets:
4MB used for socket buffersThis is crucial for performance tuning and ensuring that network buffers are properly managed to avoid memory issues.
Monitoring memory usage is essential not only for network performance but also for overall system health.
If you are looking for a more detailed guide on how to check memory usage on Linux, refer to the Linux Check Memory Usage article.
14. Display TCP Connections with Process IDs
The -tp option adds process IDs (PID) to the output, showing which processes are associated with TCP connections.
- Syntax:
netstat -tp- Example:
netstat -tpOutput
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 opera.local:ssh remote.ip:49211 ESTABLISHED 1234/sshdThis shows the PID and program name related to active TCP connections, crucial for troubleshooting applications.
15. Display Listening Ports with Associated Processes
The -lp option in the Linux netstat command shows listening ports along with the associated processes that are bound to those ports.
This is particularly useful for security auditing and network troubleshooting, as it allows you to see which applications or services are actively listening for incoming connections.
- Syntax:
netstat -lp- Example:
netstat -lpOutput
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 opera.local:ssh 0.0.0.0:* LISTEN 1234/sshdThis command helps network engineers and system administrators ensure that only authorized services are running and listening on critical ports.
It’s a must-have for network monitoring and security checks in production environments.
16. Display Multicast Group Memberships (IPv4 & IPv6)
The -g option in the Linux netstat command shows the multicast group memberships for both IPv4 and IPv6 interfaces on your system.
This is essential for troubleshooting and managing applications or services that utilize multicast communication, such as video streaming or large-scale data distribution.
- Syntax:
netstat -gOR
netstat --groups- Example:
netstat -gOutput
Interface Multicast Address
eth0 224.0.0.1
eth1 ff02::1The output shows both IPv4 and IPv6 multicast group addresses, making this command essential for those working with network protocols that use multicast, offering insights into multicast group activity across your network interfaces.
17. Display Routing Table
The -r option in the Linux netstat command is used to display the routing table of the system.
This table shows the routes for outgoing traffic, including information about network destinations, gateways, and interface details.
This is essential for network configuration and troubleshooting routing issues, ensuring traffic is properly directed across your network.
- Syntax:
netstat -rOR
netstat --route- Example:
netstat -rOutput
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0This output shows the network routing information, helping network engineers and system administrators understand how packets are routed through different interfaces.
18. Continuous netstat Output
The -c option allows you to run netstat in continuous mode, where it periodically updates the output.
This is useful for real-time monitoring of network connections and network traffic without needing to repeatedly run the command.
- Syntax:
netstat -cOR
netstat --cache- Example:
netstat -cOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:ssh remote.ip:49211 ESTABLISHED
tcp 0 0 opera.local:http 0.0.0.0:* LISTENBy continuously updating the output, this option provides real-time insights into the network performance and can be used to monitor active connections and data flow across your system.
19. Detailed netstat Output
The --verbose option gives you extra details about the state of network connections, including some information that’s not normally shown by default.
This is useful for a deeper network analysis or when troubleshooting intricate network issues.
- Syntax:
netstat -vOR
netstat --verbose- Example:
netstat --verboseOutput
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 opera.local:ssh remote.ip:49211 ESTABLISHED 1234/sshdThe verbose output expands on the regular netstat output by providing more information about the status of each connection and process details, making it an essential tool for advanced network troubleshooting.
20. Display Numeric Addresses
The -n option forces netstat to display numeric IP addresses and port numbers, instead of resolving domain names or service names.
This speeds up the command and avoids potential DNS or service resolution delays.
- Syntax:
netstat -n- Example:
netstat -nOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.5:22 192.168.1.10:49152 ESTABLISHED
tcp 0 0 192.168.1.5:80 0.0.0.0:* LISTENUsing this option speeds up the network statistics retrieval by avoiding reverse DNS lookups and ensures that the output is given in raw, numeric format for more efficient analysis.
21. Display Numeric Host Addresses
The --numeric-hosts option forces the command to display numeric host addresses instead of hostnames, similar to the -n option but focusing solely on the hostnames.
- Syntax:
netstat --numeric-hosts- Example:
netstat --numeric-hostsOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.5:22 192.168.1.10:49152 ESTABLISHED
tcp 0 0 192.168.1.5:80 0.0.0.0:* LISTEN22. Numeric Port Numbers
The --numeric-ports option ensures that port numbers are shown in their numeric form, avoiding service name resolution.
- Syntax:
netstat --numeric-ports- Example:
netstat --numeric-portsOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 opera.local:22 192.168.1.10:49152 ESTABLISHEDBy using numeric ports, this option ensures faster and more straightforward data output, particularly when analyzing port activity in a high-performance network environment.
23. Display Numeric User Information
The --numeric-users option displays numeric user IDs (UIDs) instead of user names associated with network connections, helping streamline the output in environments where user name resolution is unnecessary.
- Syntax:
netstat --numeric-users- Example:
netstat --numeric-usersOutput
Proto Recv-Q Send-Q Local Address Foreign Address State UID
tcp 0 0 opera.local:22 192.168.1.10:49152 ESTABLISHED 1000This option helps network administrators focus on numeric data for faster analysis, especially in automated scripts or performance-critical environments.
24. Extending Information
The -e option in the Linux netstat command extends the output by providing additional network interface statistics.
This includes detailed metrics on transmitted and received packets, errors, dropped packets, and collisions.
- Syntax:
netstat -eOR
netstat --extend- Example:
netstat -eOutput
Kernel interface table
Iface MTU RX-OK RX-ERR RX-DROP TX-OK TX-ERR TX-DROP Flows
eth0 1500 104238 0 0 130561 0 0 0
lo 65536 2503 0 0 2503 0 0 0With this information, network administrators can gain deeper insights into the network traffic quality across interfaces, allowing for effective troubleshooting and performance tuning.
25. Display All netstat Commands
The -h option displays the help message, providing users with a quick reference to all available netstat options and their descriptions.
- Syntax:
netstat -h- Example:
netstat -hOutput
Usage: netstat [OPTIONS]
-a Show all connections and listening ports
-n Show numeric addresses
-l Show only listening sockets
-t Show TCP connections
-u Show UDP connections
-s Show network statistics
-h Show helpThis option is essential for new users of netstat who need quick guidance on network monitoring commands.
26. Display PID/Program Name
The -p option in the Linux netstat command is used to display the PID (Process ID) and the associated program name for each network connection.
This option is particularly useful for identifying which processes are using specific network ports or protocols, making it a powerful tool for troubleshooting and managing network resources.
- Syntax:
netstat -pOR
netstat --progress- Example:
netstat -pOutput
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.10:ssh 192.168.1.20:56042 ESTABLISHED 1234/sshd
tcp 0 0 127.0.0.1:mysql 0.0.0.0:* LISTEN 2345/mysqld
udp 0 0 192.168.1.10:domain 0.0.0.0:* 3456/dnsmasqIn this output, you can see the PID and program name for each network connection, giving you clear insight into which applications are using network resources.
This is essential for system and network administrators to quickly identify and manage network-active processes.
27. Display complete IP addresses
The -w option in the Linux netstat command ensures that the IP addresses in the output are displayed in full, providing the complete and expanded form.
This is useful when analyzing network data, especially if you need precise IP details for thorough network monitoring or troubleshooting.
- Syntax:
netstat -wOr
netstat --wide- Example:
netstat -wOutput
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.10:22 192.168.1.20:56042 ESTABLISHED
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
udp 0 0 192.168.1.10:53 0.0.0.0:*This output displays complete IP addresses in their full form, which helps network administrators avoid confusion with shortened or truncated IP representations.
This option is valuable when you need precise network data visibility.
28. Display Connection Timers
The -o option in the Linux netstat command is used to display connection timers, which show information about the lifetime and status of active connections.
This includes timers related to TCP states, such as how long a connection has been established or how long it has been idle.
This option is useful for network troubleshooting and tracking connection stability or timeouts.
- Syntax:
netstat -oOR
netstat --timers- Example:
netstat -oOutput
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 192.168.1.10:ssh 192.168.1.20:56042 ESTABLISHED keepalive (45.23/0/0)
tcp 0 0 127.0.0.1:mysql 0.0.0.0:* LISTEN on (0.00/0/0)
udp 0 0 192.168.1.10:domain 0.0.0.0:* off (0.00/0/0)In this output, the Timer column provides details about the connection timers, such as keepalive and on/off states, showing how long a connection has been open or idle.
This is helpful for administrators to monitor connection lifetimes and ensure network stability.
How to Use grep with netstat?
Using grep command with the Linux netstat command allows you to filter the output and focus on the specific information you’re interested in.
This combination is useful for narrowing down large amounts of network data to identify particular connections, ports, or services.
Filtering Active Connections by Port
To check for all connections involving a specific port, you can use grep to filter the output of netstat.
For example, to display connections on port 80 (HTTP), use:
netstat -tuln | grep :80This command shows only the lines that contain :80, highlighting all connections or listening ports on HTTP.
Finding Specific Protocols
If you want to list all TCP connections, you can use grep to filter the output of netstat -t:
netstat -t | grep tcpThis filters out everything except for TCP connections, making it easier to analyze TCP traffic.
Search for Specific IP or Host
To filter results for a particular IP address or host, you can use grep with the desired IP:
netstat -n | grep 192.168.1.5This command helps you track all connections involving a specific host or IP address.
By using grep, you enhance the Linux netstat command’s ability to filter and focus on the most relevant parts of your network statistics, whether you’re looking to monitor active network connections or troubleshoot network performance issues.
How to Interpret netstat Output
The netstat command in Linux provides detailed information about network connections and active processes, essential for network monitoring and troubleshooting.
Understanding the output can help you identify the current network activity, traffic patterns, and any potential issues. Here’s a breakdown to help interpret the output:
Proto: Shows the protocol in use, such as TCP or UDP.
Recv-Q / Send-Q: Indicates the amount of data waiting in the receive and send queues for each connection. Non-zero values here may signal network congestion.
Local Address: Displays the IP and port on the local system, giving insight into which local ports are active or listening.
Foreign Address: Lists the IP and port of the remote system (foreign address) involved in the connection, useful for tracking external connections.
State: For TCP connections, this shows the connection state (e.g., ESTABLISHED, LISTEN, or CLOSE_WAIT), helping to identify active, idle, or closed connections.
PID/Program Name (with -p): Shows the process ID and program associated with each connection, critical for monitoring which applications are using network resources.
Timer (with -o): Displays the connection timers, such as keepalive durations, useful for tracking connection stability.
With the basic overview provided by netstat, you might want to dive deeper into network health and performance.
Several advanced Linux monitoring tools can give you more detailed insights and tracking capabilities for your network. For a comprehensive list, check out the Best Linux System and Network Monitoring Tools.
Why does netstat show ‘CLOSE_WAIT’ state?
A CLOSE_WAIT state indicates a connection where the remote end has closed the connection, but the local end hasn’t finished closing yet.
How to track network connections over time with netstat?
Use netstat -c to display connections in real-time, allowing continuous monitoring of active network connections.
How to Install netstat on a Linux system?
Install it using sudo apt install net-tools for Debian/Ubuntu or sudo yum install net-tools for CentOS/RHEL.
How to display numerical IP addresses instead of hostnames?
Use netstat -n to display numerical IP addresses, helping avoid delays caused by DNS resolution.
How to filter netstat output by keyword?
Pipe netstat with grep (e.g., netstat -a | grep ssh) to filter specific network connections or protocols.
How to fix “netstat command not found” error?
Install the net-tools package (sudo apt install net-tools) to enable the netstat command on systems where it’s missing.
Conclusion
The Linux netstat command is a vital tool for monitoring network connections and troubleshooting issues.
This article explains how to use its various options, like -p for viewing PID/Program names and -o for tracking connection timers, to help users effectively manage network activity.
By mastering these options, you can gain deeper insights into network health, improve performance monitoring, and address potential security risks, making netstat an invaluable resource for any system administrator or network professional.
For deeper insights into open ports and network vulnerabilities, consider using Nmap command, which can scan your system to detect potential security risks.