Linux netstat Command Tutorial for Beginners
If you are new to the Linux command line and are interested in learning networking, there are many command line utilities that you should be aware of. One such tool is netstat. In this article, we will discuss this command using some easy-to-understand examples.
But before we do that, it’s worth mentioning that all these examples have been tested on an Ubuntu 16.04 LTS machine.
Linux netstat command
The netstat command lets you print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Following is its syntax:
netstat [OPTIONS]
Here’s how the man page explains it:
Netstat prints information about the Linux networking subsystem. The type of information printed is controlled by the first argument, as follows:

(none)
    By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed.
--route , -r
    Display the kernel routing tables. See the description in route(8) for details. netstat -r and route -e produce the same output.
--groups , -g
    Display multicast group membership information for IPv4 and IPv6.
--interfaces, -i
    Display a table of all network interfaces.
--masquerade , -M
    Display a list of masqueraded connections.
--statistics , -s
    Display summary statistics for each protocol.
Following are some Q&A-styled examples that should give you a good idea on how the netstat command works.
Q1. How to use netstat command?
Basic usage is fairly simple – just run the netstat command without any options.
netstat
For example, in my case, the following output was produced:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.7:59510       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED
tcp        0      1 192.168.1.7:51238       52.114.32.7:https       SYN_SENT
tcp      390      0 192.168.1.7:60392       del03s09-in-f10.1:https ESTABLISHED
tcp        0      1 192.168.1.7:51240       52.114.32.7:https       SYN_SENT
tcp        0      0 192.168.1.7:50196       del03s10-in-f10.1:https TIME_WAIT
tcp        0      0 192.168.1.7:41996       maa05s05-in-f4.1e:https TIME_WAIT
tcp        0      0 192.168.1.7:56680       wa-in-f94.1e100.n:https ESTABLISHED
tcp        0      0 192.168.1.7:54578       del03s10-in-f14.1:https TIME_WAIT
tcp        0      0 192.168.1.7:51310       del03s10-in-f2.1e:https TIME_WAIT
So by default, the command displays a list of all open sockets.
Q2. How to make netstat show numerical addresses?
By default, the netstat command tries to determine symbolic host, port, or user names. This may slow down the tool. However, if you’re fine with numerical values, you can make the tool output numeric values using the -n command line option.
netstat -n
For example, in my case, the following output was produced:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.7:59510       149.154.171.22:443      ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:443         ESTABLISHED
tcp        0      0 192.168.1.7:51682       52.114.32.7:443         TIME_WAIT
tcp        0      0 192.168.1.7:54884       172.217.161.14:443      TIME_WAIT
tcp        0      0 192.168.1.7:35112       172.217.161.5:443       ESTABLISHED
tcp        0      0 192.168.2.97:45662      148.251.237.53:21       ESTABLISHED
tcp        0      0 192.168.1.7:50892       149.154.164.224:443     ESTABLISHED
tcp        0      0 192.168.1.7:58772       172.217.194.189:443     TIME_WAIT
tcp        0      1 192.168.1.7:47728       144.76.158.93:443       SYN_SENT
tcp        0      1 192.168.1.7:47730       144.76.158.93:443       SYN_SENT
tcp        0      0 192.168.1.7:59548       149.154.171.22:443      ESTABLISHED
tcp        0      0 192.168.1.7:35818       169.55.74.50:443        ESTABLISHED
tcp        0      0 192.168.1.7:50888       149.154.164.224:443     ESTABLISHED
tcp        0      0 192.168.1.7:44156       152.195.11.6:443        ESTABLISHED
tcp        0      0 192.168.1.7:58478       52.229.174.94:443       ESTABLISHED
tcp       52      0 127.0.0.1:60342         127.0.1.1:139           ESTABLISHED
tcp        0      0 192.168.1.7:58820       172.217.161.3:443       ESTABLISHED
tcp        0      0 192.168.1.7:45588       52.175.17.224:443       TIME_WAIT
tcp        0      0 192.168.1.7:50890       149.154.164.224:443     ESTABLISHED
tcp        0      0 192.168.1.7:58192       52.77.195.144:443       ESTABLISHED
tcp        0      0 192.168.1.7:54224       172.217.31.2:443        ESTABLISHED
tcp        0      0 127.0.1.1:139           127.0.0.1:60342         ESTABLISHED
tcp        0      0 192.168.1.7:34500       192.241.190.153:443     ESTABLISHED
tcp        0      0 192.168.1.7:54888       172.217.161.14:443      ESTABLISHED
So you can see that only numeric values were produced in the output (in the Foreign Address column) this time.
Q3. How to make netstat display only tcp connections?
This you can do using the -t command line option.
netstat -t
For example, in my case, the following output was produced:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.7:44236       152.195.11.6:https      ESTABLISHED
tcp        0      0 192.168.1.7:59510       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED
tcp        0      0 192.168.1.7:42706       maa05s05-in-f4.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:51984       del03s10-in-f2.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:51786       52.114.32.7:https       ESTABLISHED
tcp        0      0 192.168.1.7:52294       xx-fbcdn-shv-01-m:https ESTABLISHED
tcp        0      0 192.168.1.7:54372       del03s01-in-f2.1e:https ESTABLISHED
tcp        0      1 192.168.1.7:47788       hyperserver.semse:https SYN_SENT
tcp        0      0 192.168.1.7:52298       xx-fbcdn-shv-01-m:https ESTABLISHED
tcp        0      0 192.168.1.7:51840       149.154.164.224:https   TIME_WAIT
tcp        0      0 192.168.1.7:35258       del03s10-in-f1.1e:https ESTABLISHED
tcp        0      0 192.168.2.97:45662      blog.gsmarena.com:ftp   ESTABLISHED
tcp        0      0 192.168.1.7:50728       del03s10-in-f10.1:https TIME_WAIT
tcp        0      0 192.168.1.7:56468       del03s09-in-f3.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:50892       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:45670       52.175.17.224:https     ESTABLISHED
tcp        0      0 192.168.1.7:55180       del03s10-in-f14.1:https TIME_WAIT
tcp        0      1 192.168.1.7:47790       hyperserver.semse:https SYN_SENT
tcp        0      0 192.168.1.7:59548       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:35818       32.4a.37a9.ip4.st:https ESTABLISHED
tcp        0      0 192.168.1.7:50888       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:33360       del03s10-in-f13.1:https TIME_WAIT
tcp        0      0 192.168.1.7:52332       207.46.140.70:https     ESTABLISHED
tcp        0      0 192.168.1.7:58478       52.229.174.94:https     ESTABLISHED
tcp        0      0 192.168.1.7:54374       del03s01-in-f2.1e:https TIME_WAIT
tcp        0      0 192.168.1.7:50216       104.24.1.68:https       TIME_WAIT
tcp       52      0 localhost:60342         ansh:netbios-ssn        ESTABLISHED
tcp        0      0 192.168.1.7:50890       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:55200       del03s10-in-f14.1:https TIME_WAIT
tcp        0      0 192.168.1.7:54224       del03s01-in-f2.1e:https ESTABLISHED
tcp        0      0 ansh:netbios-ssn        localhost:60342         ESTABLISHED
tcp        0      0 192.168.1.7:55212       del03s10-in-f14.1:https TIME_WAIT
tcp        0      1 192.168.1.7:47800       hyperserver.semse:https SYN_SENT
tcp        0      0 192.168.1.7:45668       52.175.17.224:https     ESTABLISHED
tcp        0      0 192.168.1.7:58878       del03s10-in-f3.1e:https TIME_WAIT
tcp        0      0 192.168.1.7:34500       do-11.lastpass.co:https ESTABLISHED
tcp        0      0 192.168.1.7:41844       a23-35-40-198.dep:https ESTABLISHED
Q4. How to make netstat display only udp connections?
This you can do using the -u command line option.
netstat -u
Q5. How to make netstat show only listening sockets?
This is possible by using the -l command line option.
netstat -l
For example, the following output was produced in my case:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ansh:domain             *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:microsoft-ds          *:*                     LISTEN
tcp        0      0 *:netbios-ssn           *:*                     LISTEN
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN
...
...
...
Q6. How to make netstat show name and PID of programs?
In case you want netstat to show the PID and name of the program to which each socket belongs, use the -p command line option.
netstat -p
For example:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:36732       13.76.170.95:https      ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:52050       149.154.164.224:https   ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:55974       del03s10-in-f14.1:https ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:52074       149.154.164.224:https   ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:60590       mails11.telegram.:https ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:52254       149.154.164.224:https   ESTABLISHED 3247/firefox
tcp        0      0 192.168.2.97:45662      blog.gsmarena.com:ftp   ESTABLISHED 3160/filezilla
tcp        0      0 192.168.1.7:35818       32.4a.37a9.ip4.st:https ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:52528       52.114.32.7:https       ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:55950       del03s10-in-f14.1:https ESTABLISHED 3247/firefox
tcp       68      0 localhost:60342         ansh:netbios-ssn        ESTABLISHED 2625/gvfsd-smb-brow
tcp        0      0 192.168.1.7:44974       152.195.11.6:https      ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:36730       13.76.170.95:https      ESTABLISHED 3247/firefox
tcp        0      0 ansh:netbios-ssn        localhost:60342         ESTABLISHED -
tcp        0      0 192.168.1.7:52732       del03s10-in-f2.1e:https ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:60314       52.229.174.94:https     ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:53072       207.46.140.70:https     ESTABLISHED 3247/firefox
tcp        0      0 192.168.1.7:34500       do-11.lastpass.co:https ESTABLISHED 3247/firefox
See the last column for PID/program name info.
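The options from Q2, Q3, Q5 and Q6 can be combined as netstat -tlnp to review which programs accept TCP connections on every interface. The script below is an added example, not part of the original tutorial: the function names and the sample listing are constructed for illustration, and the sample follows the column layout shown above.

```shell
#!/bin/sh
# Added example: list TCP listeners that are bound to all interfaces.
# -t TCP only (Q3), -l listening only (Q5), -n numeric (Q2), -p PID/program (Q6).

# Constructed sample in the layout of `netstat -tlnp` (not real output).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1234/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      2001/smbd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::445                  :::*                    LISTEN      2001/smbd
EOF
}

# Reads netstat -tlnp text on stdin and prints "proto port owner" for each
# listener whose local address is the wildcard 0.0.0.0 (IPv4) or :: (IPv6).
# Listeners bound to a specific address such as 127.0.0.1 are skipped.
exposed_listeners() {
  awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      addr = $4
      port = addr
      sub(/.*:/, "", port)                       # keep text after last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "0.0.0.0" || host == "::") {
        # netstat prints "-" when it cannot see the owning process,
        # which happens for sockets of other users unless run as root.
        owner = ($7 == "" || $7 == "-") ? "unknown" : $7
        print $1, port, owner
      }
    }'
}

# Live use on a host with net-tools installed; run as root to fill in owners.
audit_live() { netstat -tlnp 2>/dev/null | exposed_listeners; }

# Demo on the constructed sample.
sample_listeners | exposed_listeners
```

An "unknown" owner in the result means the listing was taken without root privileges, so rerun audit_live as root before deciding whether a listener is expected.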
Q7. How to make netstat print network statistics?
This can be done using the -s command line option.
netstat -s
In this case, the tool produces information like total packets received, discarded, delivered, and much more. Following is an example output when the -s command line option was used.
Ip:
    592215 total packets received
    41 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    580699 incoming packets delivered
    539118 requests sent out
    627 outgoing packets dropped
    482 dropped because of missing route
    2 fragments failed
Icmp:
    2337 ICMP messages received
    6 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 2337
    3917 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 3917
IcmpMsg:
        InType3: 2337
        OutType3: 3917
Tcp:
    10943 active connections openings
    127 passive connection openings
    38 failed connection attempts
    467 connection resets received
    34 connections established
    443643 segments received
    414589 segments send out
    6929 segments retransmited
    428 bad segments received.
    11713 resets sent
...
...
...
Q8. How to make netstat display kernel routing table?
This can be done using the -r command line option.
netstat -r
Following is the output produced in my case:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlx18a6f713679b
link-local      *               255.255.0.0     U         0 0          0 wlx18a6f713679b
192.168.1.0     *               255.255.255.0   U         0 0          0 wlx18a6f713679b
Note that netstat -r and route -e produce the same output.
Conclusion
As you will have understood by now, the netstat command is a very important tool. It provides a lot of features, and we've just scratched the surface here. Once you are done practicing everything we've discussed in this tutorial, head to the tool's man page for more info.
source : HOWTOFORGE