netstat

1. netstat command

The netstat command in Linux provides network statistics and information about the networking subsystem. It gives information about network connections, routing tables and network interface statistics. For example,

$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 myhost.local:53744      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:36149      example.com:http        ESTABLISHED
tcp        0      0 myhost.local:57051      imap.example.n:imap2    ESTABLISHED
tcp        0      0 myhost.local:51209      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:35617      example.com:http        ESTABLISHED
tcp        0      0 myhost.local:51207      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:52281      r-198-51-100-12.tw:http ESTABLISHED
tcp        0      0 myhost.local:51208      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:52282      r-198-51-100-12.tw:http TIME_WAIT
...
tcp        0      0 myhost.local:51193      mail.example.i:imaps    ESTABLISHED
tcp        0      0 myhost.local:59586      imap.example.n:imap2    ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags   Type       State         I-Node   Path
unix  11     [ ]     DGRAM                    9660     /dev/log
unix  3      [ ]     STREAM     CONNECTED     137371   
unix  2      [ ]     STREAM     CONNECTED     130029   
...
unix  3      [ ]     STREAM     CONNECTED     104545   /var/run/dbus/system_bus_socket
unix  3      [ ]     STREAM     CONNECTED     75140    @/tmp/dbus-GT5WnOFBJm
unix  3      [ ]     STREAM     CONNECTED     73585    
unix  3      [ ]     STREAM     CONNECTED     74032    @/tmp/.ICE-unix/1888
unix  3      [ ]     STREAM     CONNECTED     73584    
unix  3      [ ]     STREAM     CONNECTED     72096    @/tmp/dbus-GT5WnOFBJm
....

The Proto column gives the protocol for the socket. The common values are tcp, tcp6, udp, udp6 for Internet connections and unix for Unix domain sockets. Recv-Q and Send-Q give the bytes in transit, Recv-Q, being the bytes not taken by the user process and Send-Q being the bytes not acknowledged by the remote host. The State is the state of the socket, possible values being ESTABLISHED, SYN_SENT, SYN_RECV, FIN_WAIT1, FIN_WAIT2, TIME_WAIT, CLOSE, CLOSE_WAIT, LAST_ACK, LISTEN, CLOSING and UNKNOWN.

2. netstat -n

netstat -n command prints numeric IP addresses, port and user ids. User id is printed with the -e option.

$ netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.103:53744     198.51.100.12:993       ESTABLISHED
tcp        0      0 192.168.1.103:36149     203.0.113.1:80          ESTABLISHED
tcp        0      0 192.168.1.103:57051     198.51.100.10:143       ESTABLISHED
...        
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  11     [ ]         DGRAM                    9660     /dev/log
unix  3      [ ]         STREAM     CONNECTED     170916   /var/run/cups/cups.sock
unix  3      [ ]         STREAM     CONNECTED     171998
...

--numeric-hosts gives numeric host IP addresses but displays symbolic names for the ports and user id. Similarly --numeric-ports shows numeric port numbers but resolves the host name to its symbolic value and prints the user id as a string. --numeric-users prints user id as a number but resolves host name and port id to symbolic names.

3. netstat -a

The above netstat examples report the non-listening sockets only. netstat -a gives all, listening and non-listening, sockets.

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        1      0 myhost.local:35035      example.canonical:http  CLOSE_WAIT
tcp        0      0 myhost.local:53744      mail.example.i:imaps    ESTABLISHED
...
tcp6       0      0 [::]:domain             [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
udp        0      0 *:60886                 *:*
...
udp6       0      0 [::]:37633              [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     10907    @/tmp/.ICE-unix/1888
unix  2      [ ACC ]     STREAM     LISTENING     7987     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     11967    /tmp/keyring-2SQcW8/control
unix  2      [ ACC ]     STREAM     LISTENING     10903    @/tmp/dbus-GT5WnOFBJm
unix  2      [ ACC ]     STREAM     LISTENING     10460    /var/run/acpid.socket
...
unix  2      [ ACC ]     STREAM     LISTENING     10460    /var/run/acpid.socket
unix  2      [ ]         STREAM     CONNECTED     216491   
unix  3      [ ]         STREAM     CONNECTED     214403   
...

netstat -l (minus ell) gives only the listening sockets.

$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost.localdo:mysql *:*                     LISTEN     
tcp        0      0 *:pop3                  *:*                     LISTEN     
tcp        0      0 *:imap2                 *:*                     LISTEN     
tcp        0      0 *:http                  *:*                     LISTEN     
tcp        0      0 localhost.loca:http-alt *:*                     LISTEN     
tcp        0      0 *:ssh                   *:*                     LISTEN     
tcp        0      0 *:smtp                  *:*                     LISTEN     
tcp        0      0 *:sieve                 *:*                     LISTEN   
...  

4. netstat -p

The -p option displays the program name and the process id associated with the socket. The -p option is useful because, more often than not, we wish to know about connection (socket) along with the associated process and the program that is being run by that process. For printing information about sockets owned by other users, the -p option needs to be run with root privileges.

$ sudo netstat -pn 
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 192.168.1.103:54626     198.51.100.14:993      ESTABLISHED 2507/thunderbird  
tcp        0      0 192.168.1.103:45852     198.51.100.14:22       ESTABLISHED 4279/ssh        
tcp        0      0 192.168.1.103:55362     198.51.100.14:993      ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:45031     198.51.100.14:443     ESTABLISHED 2719/chrome     
tcp        0      0 192.168.1.103:54625     198.51.100.14:993      ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:55963     198.51.100.14:993      ESTABLISHED 2507/thunderbird  
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  13     [ ]         DGRAM                    1786     1164/rsyslogd       /dev/log
unix  2      [ ]         DGRAM                    81283    4637/sudo           
...

5. netstat --protocol= family, -A

With the --protocol, or the -A option, the network address family can be specified. Some important family values are inet and inet6 for external communication using IPv4 and IPv6 respectively and unix for communication among local processes using unix domain sockets. The inet family includes the raw, TCP and UDP sockets.

$ sudo netstat --protocol=inet -p -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address         Foreign Address      State        PID/Program name
tcp        0      0 192.168.1.103:51496   203.0.113.1:80       TIME_WAIT    -               
tcp        0      0 192.168.1.103:40091   198.51.100.14:80     ESTABLISHED  2346/chrome     
tcp        0      0 192.168.1.103:53744   198.51.100.12:993    ESTABLISHED  2129/thunderbird
tcp        0      0 192.168.1.103:40090   198.51.100.20:80     ESTABLISHED  2346/chrome     
tcp        1      0 192.168.1.103:36131   203.0.113.2:80       CLOSE_WAIT   2235/python     
tcp        0      0 192.168.1.103:54090   198.51.100.12:993    ESTABLISHED  2129/thunderbird
tcp        0      0 192.168.1.103:51207   198.51.100.12:993    ESTABLISHED  2129/thunderbird
tcp        0      0 192.168.1.103:42313   203.0.113.5:80       TIME_WAIT    -               
tcp        0      0 192.168.1.103:51193   198.51.100.12:993    ESTABLISHED  2129/thunderbird

The above command could have been also given as sudo netstat --inet -p -n. Also,

  • netstat -t, prints TCP connections, and
  • netstat -u, prints UDP connections.

The last example gives the non-listening sockets. If we add the -a option to it and add inet6 protocol family, we get a list of the system's all internet connections.

$ sudo netstat --protocol=inet,inet6 -npa
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1461/nginx.conf 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1297/dnsmasq    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1139/sshd       
...
tcp        0      0 192.168.1.103:54626     198.51.100.12:993      ESTABLISHED 2507/thunderbird
tcp        0      0 192.168.1.103:45852     198.51.100.12:22       ESTABLISHED 4279/ssh        
tcp        0      0 192.168.1.103:41975     203.0.113.1:443      ESTABLISHED 2719/chrome     
tcp        0      0 192.168.1.103:35753     203.0.113.1:443      ESTABLISHED 2719/chrome     
tcp        0      0 192.168.1.103:55362     198.51.100.12:993      ESTABLISHED 2507/thunderbird
...
tcp6       0      0 :::53                   :::*                    LISTEN      1297/dnsmasq    
tcp6       0      0 :::22                   :::*                    LISTEN      1139/sshd       
tcp6       0      0 ::1:631                 :::*                    LISTEN      1188/cupsd      
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1297/dnsmasq    
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1297/dnsmasq    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1088/dhclient3  
udp        0      0 192.168.1.103:123       0.0.0.0:*                           863/ntpd        
udp6       0      0 :::53661                :::*                                1163/avahi-daemon: 
udp6       0      0 :::53                   :::*                                1297/dnsmasq    
udp6       0      0 fe80::7add:8ff:fef1:123 :::*                                863/ntpd        
udp6       0      0 ::1:123                 :::*                                863/ntpd        
udp6       0      0 :::123                  :::*                                863/ntpd        
udp6       0      0 :::5353                 :::*                                1163/avahi-daemon: 

And, if we are interested in knowing about all services using TCP ports, the command would be,

$ sudo netstat -t -npl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1461/nginx.conf 
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1297/dnsmasq    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1139/sshd       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1188/cupsd      
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1461/nginx.conf 
tcp        0      0 0.0.0.0:6080            0.0.0.0:*               LISTEN      1476/python     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1375/mysqld     
tcp6       0      0 :::53                   :::*                    LISTEN      1297/dnsmasq    
tcp6       0      0 :::22                   :::*                    LISTEN      1139/sshd       
tcp6       0      0 ::1:631                 :::*                    LISTEN      1188/cupsd    

6. netstat -r

netstat -r prints the kernel's routing table. For example,

$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
link-local      *               255.255.0.0     U         0 0          0 eth0
192.168.1.0     *               255.255.255.0   U         0 0          0 wlan0
192.168.2.0     *               255.255.255.0   U         0 0          0 eth0

The output is the same as that produced by the command, route -e.

7. netstat -i

The netstat -i command prints data about the network interfaces.

$ netstat -i 
Kernel Interface table
Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500 0       0      0      0 0           0      0      0      0 BMU
lo     16436 0      44      0      0 0          44      0      0      0 LRU
wlan0   1500 0  112946      0      0 0      112326      0      0      0 BMRU  

The MTU is the maximum transfer unit for the interface. Met is the interface metric. TX and RX are the receive and transmit statistics for an interface. RX-OK and TX-OK are the packets received and transmitted error-free respectively. RX-ERR and TX-ERR and the packets received or transmitted with errors, RX-DRP and TX-DRP are the packets that got dropped and RX-OVR and TX-OVR are the packets lost due to overrun. The flags are as follows:

  • B - broadcast address set
  • L - loopback device
  • M - all packets received (promiscous mode)
  • R - Interface is running
  • U - Interface is up

8. netstat -e

The -e option prints the extended output. With the -e option, one can get the user id and inode associated with each socket. For example,

$ sudo netstat --protocol=inet,inet6 -pae | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 *:http                  *:*                     LISTEN      root       9819        1461/nginx.conf 
tcp        0      0 *:domain                *:*                     LISTEN      root       10486       1297/dnsmasq    
tcp        0      0 *:ssh                   *:*                     LISTEN      root       1754        1139/sshd       
tcp        0      0 localhost:ipp           *:*                     LISTEN      root       45754       1188/cupsd      
tcp        0      0 *:https                 *:*                     LISTEN      root       9820        1461/nginx.conf 
tcp        0      0 *:6080                  *:*                     LISTEN      nova       9868        1476/python     
tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql      10170       1375/mysqld     
tcp        0      0 bagpipe.local:54626     mail.mydomain.i:imaps ESTABLISHED user1      17487       2507/thunderbird
tcp        0      0 bagpipe.local:45852     mail.mydomain.in:ssh  ESTABLISHED user1      56802       4279/ssh        
tcp        0      0 bagpipe.local:48008     maa03s16-in-f13.1e:http ESTABLISHED user1      113555      2719/chrome     
tcp        0      0 bagpipe.local:51192     maa03s04-in-f9.1e:https ESTABLISHED user1     113558      2719/chrome     
...
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      root       10488       1297/dnsmasq    
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       1756        1139/sshd       
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      root       45753       1188/cupsd      
udp        0      0 *:domain                *:*                                 root       10485       1297/dnsmasq    
udp        0      0 *:bootps                *:*                                 root       10479       1297/dnsmasq    
udp6       0      0 [::]:53661              [::]:*                              avahi      918         1163/avahi-daemon: 
udp6       0      0 [::]:domain             [::]:*                              root       10487       1297/dnsmasq    
...

9. netstat -o

netstat -o prints information regarding networking timers. For example,

$ netstat -o -n --tcp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address       State       Timer
tcp        0      0 192.168.1.103:53744     198.51.100.12:993     ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:45935     203.0.113.2:143       ESTABLISHED keepalive (19.36/0/0)  
tcp        0      0 192.168.1.103:57051     203.0.113.1:143       ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:37010     203.0.113.1:143       ESTABLISHED off (0.00/0/0)
tcp        1      0 192.168.1.103:39539     203.0.113.4:80        CLOSE_WAIT  off (0.00/0/0)
tcp        0      0 192.168.1.103:54090     198.51.100.12:993     ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:51207     198.51.100.12:993     ESTABLISHED off (0.00/0/0)
tcp        0      0 192.168.1.103:51208     198.51.100.12:993     ESTABLISHED off (0.00/0/0)
tcp        1      0 192.168.1.103:33100     203.0.113.6:80        CLOSE_WAIT  off (0.00/0/0)
tcp        0      0 192.168.1.103:45948     203.0.113.8:80        ESTABLISHED keepalive (21.16/0/0)  
tcp        0      0 192.168.1.103:51193     198.51.100.12:993     ESTABLISHED off (0.00/0/0)
tcp        1      0 192.168.1.103:39538     203.0.113.9:80        CLOSE_WAIT  off (0.00/0/0)

The last column gives data about the timers. If off is displayed, the connection is getting closed. If keepalive is displayed, the connection is using TCP keepalives. The first figure in parenthesis indicates in seconds when the keepalive timer will expire. The second figure indicates the number of keepalive packets already sent.

10. netstat -c

With the -c option, netstat prints the selected output continuously. It prints the output every second. For example,

netstat -ntc

prints information about TCP sockets every second, printing the host IP addresses, ports and user-ids in the numeric form.

11. netstat -s

The -s option prints the summary statistics for each protocol.