In today’s article we will go through the netstat command in the Linux operating system. To determine which computers or networks a PC is connected to, we use netstat, which offers statistics about all active connections. Apart from Linux, this network utility is also available on the command line on Windows and macOS.
If you want guidance on other Linux commands, you can refer to the other posts on Linux commands via the Cheat Sheet.
What is netstat?
The name netstat, which combines the words “network” and “statistics,” refers to a command-line program. It provides users with basic information about all network activity, including which ports and addresses the associated TCP and UDP connections are using, as well as which ports are available for tasks.
netstat was first added in 1983, in version 4.2 of the Berkeley Software Distribution (BSD), a Unix derivative, which was the first version to support the TCP/IP Internet protocol family. Since its introduction in Linux in 1991, netstat has been a part of the operating system. It was first included in Windows in version 3.11 (1993), which, with the aid of extensions, was also able to communicate via TCP/IP.
Why netstat?
Gaining an understanding of your computer’s or server’s inbound and outgoing connections will greatly help you combat harmful software and excessive traffic. The corresponding network address, which among other things indicates which port was previously opened for data exchange, is used to establish these connections.
The main issue with these open ports is that they give outside parties the chance to introduce malware onto your computer. Furthermore, it’s possible that an existing Trojan on your system will create a “backdoor” and open a related port in the process. You should therefore routinely verify the ports that your system has opened. Netstat is a great tool for this.
How netstat works
Using the netstat command, we can display protocol statistics and network status. Routing table data, interface data, and the status of TCP and UDP endpoints can all be shown in tabular form.
Netstat shows different kinds of network information based on the command line option that is chosen. For system administration, these are the most beneficial displays. This form’s syntax is as follows:
netstat [-m] [-n] [-s] [-i | -r] [-f address_family]
The most frequently used options for determining network status are -s, -r, and -i.
Examples using the command line
Let us go through a few examples of netstat commands and their expected outputs.
Listing all the ports (TCP & UDP)
To list all ports (TCP & UDP), use the command “netstat -a”:
# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:pcsync-https 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:webcache 0.0.0.0:* LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 195753741 /var/run/.heim_org.h5l.kcm-socket
unix 2 [ ACC ] SEQPACKET LISTENING 21576 /run/systemd/coredump
unix 2 [ ACC ] STREAM LISTENING 27471 /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 21589 /run/rpcbind.sock
Listing only TCP or UDP port connections
# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:pcsync-https 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:webcache 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 linuxquery.org:49506 192.168.255.126:ssh ESTABLISHED
tcp 0 0 linuxquery.org:52114 192.168.255.129:ssh ESTABLISHED
# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 linuxquery.org:bootpc 192.168.0.4:bootps ESTABLISHED
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
udp 0 0 localhost:323 0.0.0.0:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 localhost:323 [::]:*
Listing all Listening connections
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:pcsync-https 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
udp 0 0 localhost:323 0.0.0.0:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 localhost:323 [::]:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 195753741 /var/run/.heim_org.h5l.kcm-socket
unix 2 [ ACC ] STREAM LISTENING 698474821 /run/screen/S-ansible/1415278.test-playbboks
unix 2 [ ACC ] SEQPACKET LISTENING 21576 /run/systemd/coredump
unix 2 [ ACC ] STREAM LISTENING 27471 /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 21589 /run/rpcbind.sock
If you want to list only the listening connections associated with TCP, you can run: netstat -lt
To list the listening connections associated with UDP, you can use: netstat -lu
Listing the UNIX listening ports
# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 195753741 /var/run/.heim_org.h5l.kcm-socket
unix 2 [ ACC ] STREAM LISTENING 698474821 /run/screen/S-ansible/1415278.test-playbboks
unix 2 [ ACC ] SEQPACKET LISTENING 21576 /run/systemd/coredump
unix 2 [ ACC ] STREAM LISTENING 27471 /run/gssproxy.sock
unix 2 [ ACC ] STREAM LISTENING 21589 /run/rpcbind.sock
unix 2 [ ACC ] SEQPACKET LISTENING 21596 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 21599 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 15725 /run/systemd/journal/stdout
unix 2 [ ACC ] STREAM LISTENING 19316 /run/dbus/system_bus_socket
Listing service names with their PIDs
# netstat -tp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 labexample:pcsync-https n-20hepf0vy81l.ns:63962 ESTABLISHED -
tcp 0 0 labexmaple:48564 linuxquery.org:ssh ESTABLISHED 1249023/ssh
The above will display the running services along with their PIDs, which can be helpful when troubleshooting application issues. Please note that you need root privileges to list all the processes.
Kernel IP routing
This is quite a popular command for checking the system's routing table:
# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 eth0
169.254.169.254 _gateway 255.255.255.255 UGH 0 0 0 eth0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Checking the open ports for programs
If you want to check which programs are listening on the ports, you can do so with the command below:
# netstat -ap | grep http
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:pcsync-https 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN -
tcp 0 0 labexample:pcsync-https n-20hepf0vy81l.ns:64101 ESTABLISHED -
unix 2 [ ACC ] STREAM LISTENING 1000215002 - /etc/httpd/run/cgisock.1303526
unix 3 [ ] STREAM CONNECTED 1023724798 - /etc/httpd/run/cgisock.1303526
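One way to act on the earlier advice to verify your open ports routinely, shown here as an added example that is not part of the original article: the function below reads "netstat -tulnp" output and reports every listening socket that is missing from an approved baseline. The baseline in ALLOWED, the function name audit_listeners and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report listening sockets that are missing from a baseline.
# Input: text laid out like the output of "netstat -tulnp" (numeric ports).

# Hypothetical baseline of approved listeners, written as proto/port.
ALLOWED="tcp/22 tcp/80 tcp/443 udp/111"

# Constructed sample output, embedded so the script runs offline.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  900/sshd
tcp        0      0 0.0.0.0:443      0.0.0.0:*        LISTEN  1303/httpd
tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  1100/mysqld
tcp        0      0 0.0.0.0:4444     0.0.0.0:*        LISTEN  2210/agentd
tcp6       0      0 :::22            :::*             LISTEN  900/sshd
udp        0      0 0.0.0.0:111      0.0.0.0:*                812/rpcbind
udp        0      0 127.0.0.1:323    0.0.0.0:*                790/chronyd
udp6       0      0 ::1:323          :::*                     790/chronyd'

# audit_listeners: read netstat output on stdin and print one line per
# listener outside the baseline: <proto> <port> <scope> <pid/program>.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    function report(proto, sock, prog,    port, addr, base, scope) {
        port = sock; sub(/.*:/, "", port)        # text after the last colon
        addr = sock; sub(/:[^:]*$/, "", addr)    # text before the last colon
        base = proto; sub(/6$/, "", base)        # tcp6/udp6 share the baseline
        if ((base "/" port) in ok) return
        scope = "exposed"                        # bound to a non-loopback address
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") scope = "loopback"
        print proto, port, scope, (prog == "" ? "-" : prog)
    }
    BEGIN {
        n = split(allowed, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    # TCP listeners carry the state LISTEN in column 6.
    $1 ~ /^tcp/ && $6 == "LISTEN" { report($1, $4, $7) }
    # Unconnected UDP sockets have no state; the foreign address ends in ":*".
    $1 ~ /^udp/ && $5 ~ /:\*$/ { report($1, $4, $6) }
    '
}

# On a live host, run as root: netstat -tulnp | audit_listeners
printf "%s\n" "$SAMPLE" | audit_listeners
```

Lines marked "exposed" are bound to a non-loopback address and deserve the first look; without root privileges the last column shows "-" instead of the owning process.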
Checking network Statistics
# netstat --statistics
Ip:
Forwarding: 2
23503068187 total packets received
4 with invalid addresses
0 forwarded
0 incoming packets discarded
23503068183 incoming packets delivered
23271626611 requests sent out
42 dropped because of missing route
13 fragments failed
Icmp:
11693 ICMP messages received
63 input ICMP message failed
ICMP input histogram:
destination unreachable: 9803
timeout in transit: 1823
echo requests: 45
echo replies: 22
238 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 74
echo requests: 119
echo replies: 45
------
------
------
Conclusion
In this post we covered the major netstat commands in the Linux operating system. netstat is a utility that lets you check how your machine is connected to other servers on the network. It functions like a window onto your system's data pathways, connections, and technical specifics. This information helps users troubleshoot network problems and better understand their system’s online activity. To learn more about the netstat command and its options, run man netstat or consult the netstat(8) Linux manual page.