netstat

1. netstat command

The netstat command in Linux provides network statistics and information about the networking subsystem. It gives information about network connections, routing tables and network interface statistics. For example,

$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 myhost.local:53744      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:36149      example.com:http        ESTABLISHED
tcp        0      0 myhost.local:57051      imap.example.n:imap2    ESTABLISHED
tcp        0      0 myhost.local:51209      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:35617      example.com:http        ESTABLISHED
tcp        0      0 myhost.local:51207      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:52281      r-198-51-100-12.tw:http ESTABLISHED
tcp        0      0 myhost.local:51208      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:52282      r-198-51-100-12.tw:http TIME_WAIT
...
tcp        0      0 myhost.local:51193      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:59586      imap.example.n:imap2    ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  11     [ ]         DGRAM                    9660     /dev/log
unix  3      [ ]         STREAM     CONNECTED     137371
unix  2      [ ]         STREAM     CONNECTED     130029
...
unix  3      [ ]         STREAM     CONNECTED     104545   /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     75140    @/tmp/dbus-GT5WnOFBJm
unix  3      [ ]         STREAM     CONNECTED     73585
unix  3      [ ]         STREAM     CONNECTED     74032    @/tmp/.ICE-unix/1888
unix  3      [ ]         STREAM     CONNECTED     73584
unix  3      [ ]         STREAM     CONNECTED     72096    @/tmp/dbus-GT5WnOFBJm
....

The Proto column gives the protocol for the socket. The common values are tcp, tcp6, udp and udp6 for Internet connections and unix for Unix domain sockets. Recv-Q and Send-Q give the bytes in transit: Recv-Q is the bytes not taken by the user process, and Send-Q is the bytes not acknowledged by the remote host. The State column is the state of the socket, the possible values being ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT, CLOSE, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING and UNKNOWN.

2. netstat -n

The netstat -n command prints numeric IP addresses, ports and user ids. The user id is printed with the -e option.

$ netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.103:53744     198.51.100.12:993       ESTABLISHED
tcp        0      0 192.168.1.103:36149     203.0.113.1:80          ESTABLISHED
tcp        0      0 192.168.1.103:57051     198.51.100.10:143       ESTABLISHED
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  11     [ ]         DGRAM                    9660     /dev/log
unix  3      [ ]         STREAM     CONNECTED     170916   /var/run/cups/cups.sock
unix  3      [ ]         STREAM     CONNECTED     171998
...

--numeric-hosts gives numeric host IP addresses but displays symbolic names for the ports and user id. Similarly --numeric-ports shows numeric port numbers but resolves the host name to its symbolic value and prints the user id as a string. --numeric-users prints user id as a number but resolves host name and port id to symbolic names.

3. netstat -a

The above netstat examples report the non-listening sockets only. netstat -a gives all, listening and non-listening, sockets.

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        1      0 myhost.local:35035      example.canonical:http  CLOSE_WAIT
tcp        0      0 myhost.local:53744      mail.example.i:imaps    ESTABLISHED
...
tcp6       0      0 [::]:domain             [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
udp        0      0 *:60886                 *:*
...
udp6       0      0 [::]:37633              [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     10907    @/tmp/.ICE-unix/1888
unix  2      [ ACC ]     STREAM     LISTENING     7987     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     11967    /tmp/keyring-2SQcW8/control
unix  2      [ ACC ]     STREAM     LISTENING     10903    @/tmp/dbus-GT5WnOFBJm
unix  2      [ ACC ]     STREAM     LISTENING     10460    /var/run/acpid.socket
...
unix  2      [ ACC ]     STREAM     LISTENING     10460    /var/run/acpid.socket
unix  2      [ ]         STREAM     CONNECTED     216491
unix  3      [ ]         STREAM     CONNECTED     214403
...

netstat -l (minus ell) gives only the listening sockets.

$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      0 localhost.loca:http-alt *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:sieve                 *:*                     LISTEN
...

4. netstat -p

The -p option displays the program name and the process id associated with the socket. The -p option is useful because, more often than not, we wish to know about a connection (socket) along with the associated process and the program that is being run by that process. To print information about sockets owned by other users, netstat -p needs to be run with root privileges.

$ sudo netstat -pn
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.103:54626     198.51.100.14:993       ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:45852     198.51.100.14:22        ESTABLISHED 4279/ssh
tcp        0      0 192.168.1.103:55362     198.51.100.14:993       ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:45031     198.51.100.14:443       ESTABLISHED 2719/chrome
tcp        0      0 192.168.1.103:54625     198.51.100.14:993       ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:55963     198.51.100.14:993       ESTABLISHED 2507/thunderbird
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  13     [ ]         DGRAM                    1786     1164/rsyslogd       /dev/log
unix  2      [ ]         DGRAM                    81283    4637/sudo
...

5. netstat --protocol=family, -A

With the --protocol, or the -A option, the network address family can be specified. Some important family values are inet and inet6 for external communication using IPv4 and IPv6 respectively and unix for communication among local processes using unix domain sockets. The inet family includes the raw, TCP and UDP sockets.

$ sudo netstat --protocol=inet -p -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.103:51496     203.0.113.1:80          TIME_WAIT   -
tcp        0      0 192.168.1.103:40091     198.51.100.14:80        ESTABLISHED 2346/chrome
tcp        0      0 192.168.1.103:53744     198.51.100.12:993       ESTABLISHED 2129/thunderbird
tcp        0      0 192.168.1.103:40090     198.51.100.20:80        ESTABLISHED 2346/chrome
tcp        1      0 192.168.1.103:36131     203.0.113.2:80          CLOSE_WAIT  2235/python
tcp        0      0 192.168.1.103:54090     198.51.100.12:993       ESTABLISHED 2129/thunderbird
tcp        0      0 192.168.1.103:51207     198.51.100.12:993       ESTABLISHED 2129/thunderbird
tcp        0      0 192.168.1.103:42313     203.0.113.5:80          TIME_WAIT   -
tcp        0      0 192.168.1.103:51193     198.51.100.12:993       ESTABLISHED 2129/thunderbird

The above command could also have been given as sudo netstat --inet -p -n. Also,

  • netstat -t, prints TCP connections, and
  • netstat -u, prints UDP connections.

The last example gives the non-listening sockets. If we add the -a option to it and add the inet6 protocol family, we get a list of all of the system's Internet connections.

$ sudo netstat --protocol=inet,inet6 -npa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1461/nginx.conf
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1297/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1139/sshd
...
tcp        0      0 192.168.1.103:54626     198.51.100.12:993       ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:45852     198.51.100.12:22        ESTABLISHED 4279/ssh
tcp        0      0 192.168.1.103:41975     203.0.113.1:443         ESTABLISHED 2719/chrome
tcp        0      0 192.168.1.103:35753     203.0.113.1:443         ESTABLISHED 2719/chrome
tcp        0      0 192.168.1.103:55362     198.51.100.12:993       ESTABLISHED 2507/thunderbird
...
tcp6       0      0 :::53                   :::*                    LISTEN      1297/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      1139/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1188/cupsd
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1297/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1297/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1088/dhclient3
udp        0      0 192.168.1.103:123       0.0.0.0:*                           863/ntpd
udp6       0      0 :::53661                :::*                                1163/avahi-daemon:
udp6       0      0 :::53                   :::*                                1297/dnsmasq
udp6       0      0 fe80::7add:8ff:fef1:123 :::*                                863/ntpd
udp6       0      0 ::1:123                 :::*                                863/ntpd
udp6       0      0 :::123                  :::*                                863/ntpd
udp6       0      0 :::5353                 :::*                                1163/avahi-daemon:

And, if we are interested in knowing about all services using TCP ports, the command would be,

$ sudo netstat -t -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1461/nginx.conf
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1297/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1139/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1188/cupsd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1461/nginx.conf
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      1476/python
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1375/mysqld
tcp6       0      0 :::53                   :::*                    LISTEN      1297/dnsmasq
tcp6       0      0 :::22                   :::*                    LISTEN      1139/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1188/cupsd
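
The listing above mixes services bound to every interface (0.0.0.0, :::) with services bound only to loopback (127.0.0.1, ::1), which is the distinction that matters when reviewing what a host exposes. The following script is an added example, not part of the original page: it classifies each TCP listener by bind scope. The function names classify_listeners and sample_netstat are hypothetical, and the sample input is the listing above embedded inline.

```shell
#!/bin/sh
# Added example: classify TCP listeners in `netstat -tnlp` output by bind scope.

# Reads netstat output on stdin, prints "<scope> <proto> <port> <pid/program>".
classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        # Port is the digits after the last colon; the rest is the bind address.
        n = match($4, /:[0-9]+$/)
        if (n == 0) next              # symbolic port: rerun netstat with -n
        host = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        if (host == "0.0.0.0" || host == "::" || host == "*")
            scope = "ALL-INTERFACES"  # reachable on every interface
        else if (host ~ /^127\./ || host == "::1")
            scope = "LOOPBACK"        # local processes only
        else
            scope = "SPECIFIC"        # bound to one configured address
        print scope, $1, port, $7
    }'
}

# Sample input: the `sudo netstat -t -npl` listing from this page, embedded so
# the example runs offline.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1461/nginx.conf
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 1297/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1139/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1188/cupsd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1461/nginx.conf
tcp 0 0 0.0.0.0:6080 0.0.0.0:* LISTEN 1476/python
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1375/mysqld
tcp6 0 0 :::53 :::* LISTEN 1297/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 1139/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1188/cupsd
EOF
}

# Live use (assumption: run as root so -p shows the owner of every socket):
#   sudo netstat -tnlp | classify_listeners
sample_netstat | classify_listeners | sort
```

On the sample, the python process on port 6080 is reported as ALL-INTERFACES while mysqld and cupsd are LOOPBACK, so the first is the one to check against the firewall policy.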

6. netstat -r

netstat -r prints the kernel's routing table. For example,

$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
link-local      *               255.255.0.0     U         0 0          0 eth0
192.168.1.0     *               255.255.255.0   U         0 0          0 wlan0
192.168.2.0     *               255.255.255.0   U         0 0          0 eth0

The output is the same as that produced by the command, route -e.

7. netstat -i

The netstat -i command prints data about the network interfaces.

$ netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0        0      0      0      0        0      0      0      0 BMU
lo    16436   0       44      0      0      0       44      0      0      0 LRU
wlan0  1500   0   112946      0      0      0   112326      0      0      0 BMRU

The MTU is the maximum transfer unit for the interface. Met is the interface metric. RX and TX are the receive and transmit statistics for an interface. RX-OK and TX-OK are the packets received and transmitted error-free, respectively. RX-ERR and TX-ERR are the packets received or transmitted with errors, RX-DRP and TX-DRP are the packets that were dropped, and RX-OVR and TX-OVR are the packets lost due to overrun. The flags are as follows:

  • B - broadcast address set
  • L - loopback device
  • M - all packets received (promiscuous mode)
  • R - Interface is running
  • U - Interface is up

8. netstat -e

The -e option prints the extended output. With the -e option, one can get the user id and inode associated with each socket. For example,

$ sudo netstat --protocol=inet,inet6 -pae | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 *:http                  *:*                     LISTEN      root       9819       1461/nginx.conf
tcp        0      0 *:domain                *:*                     LISTEN      root       10486      1297/dnsmasq
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1754       1139/sshd
tcp        0      0 localhost:ipp           *:*                     LISTEN      root       45754      1188/cupsd
tcp        0      0 *:https                 *:*                     LISTEN      root       9820       1461/nginx.conf
tcp        0      0 *:6080                  *:*                     LISTEN      nova       9868       1476/python
tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql      10170      1375/mysqld
tcp        0      0 bagpipe.local:54626     mail.mydomain.i:imaps   ESTABLISHED user1      17487      2507/thunderbird
tcp        0      0 bagpipe.local:45852     mail.mydomain.in:ssh    ESTABLISHED user1      56802      4279/ssh
tcp        0      0 bagpipe.local:48008     maa03s16-in-f13.1e:http ESTABLISHED user1      113555     2719/chrome
tcp        0      0 bagpipe.local:51192     maa03s04-in-f9.1e:https ESTABLISHED user1      113558     2719/chrome
...
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      root       10488      1297/dnsmasq
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       1756       1139/sshd
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      root       45753      1188/cupsd
udp        0      0 *:domain                *:*                                 root       10485      1297/dnsmasq
udp        0      0 *:bootps                *:*                                 root       10479      1297/dnsmasq
udp6       0      0 [::]:53661              [::]:*                              avahi      918        1163/avahi-daemon:
udp6       0      0 [::]:domain             [::]:*                              root       10487      1297/dnsmasq
...

9. netstat -o

netstat -o prints information regarding networking timers. For example,

$ netstat -o -n --tcp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 192.168.1.103:53744     198.51.100.12:993       ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:45935     203.0.113.2:143         ESTABLISHED keepalive (19.36/0/0)
tcp        0      0 192.168.1.103:57051     203.0.113.1:143         ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:37010     203.0.113.1:143         ESTABLISHED off (0.00/0/0)
tcp        1      0 192.168.1.103:39539     203.0.113.4:80          CLOSE_WAIT  off (0.00/0/0)
tcp        0      0 192.168.1.103:54090     198.51.100.12:993       ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:51207     198.51.100.12:993       ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:51208     198.51.100.12:993       ESTABLISHED off (0.00/0/0)
tcp        1      0 192.168.1.103:33100     203.0.113.6:80          CLOSE_WAIT  off (0.00/0/0)
tcp        0      0 192.168.1.103:45948     203.0.113.8:80          ESTABLISHED keepalive (21.16/0/0)
tcp        0      0 192.168.1.103:51193     198.51.100.12:993       ESTABLISHED off (0.00/0/0)
tcp        1      0 192.168.1.103:39538     203.0.113.9:80          CLOSE_WAIT  off (0.00/0/0)

The last column gives data about the timers. If off is displayed, the connection is getting closed. If keepalive is displayed, the connection is using TCP keepalives. The first figure in parentheses indicates, in seconds, when the keepalive timer will expire. The second figure indicates the number of keepalive packets already sent.

10. netstat -c

With the -c option, netstat prints the selected output continuously. It prints the output every second. For example,

netstat -ntc

prints information about TCP sockets every second, printing the host IP addresses, ports and user-ids in the numeric form.

11. netstat -s

The -s option prints the summary statistics for each protocol.
