Netstat is a very powerful utility that lists TCP and UDP connections as well as Unix socket connections, both those listening for connections and those currently connected. While many home users may not necessarily need to worry about this, online gamers, or anyone who intends to host any sort of server in the future, will surely at some point need to deal with ports.

Netstat is also useful for security and privacy, for example, to find out which programs "talk" to the Internet.

Using netstat can be an extremely simple process, or it can get very complicated and heavy, depending on usage; so today we will look at some of the more common uses for Netstat.

As promised (in my article "How do I find my network information in Linux?") I am going to introduce you to the netstat command. This command is a very useful tool for discovering networking information such as routing tables, network connections, interface statistics, masquerade connections, and multicast memberships. But it's not quite as simple to use as some of the other "discovery" tools (such as ifconfig). With netstat you really do need to know what you're looking for and how to find it. This article will help you to understand just that.

Installation?

Fortunately your distribution should come with the netstat command pre-installed. To check this, open up a terminal window (that's where you will use netstat anyway) and issue the command which netstat. This command should return something like /bin/netstat. That will tell you that the tool is installed and where the executable is.

Netstat Basics

The basic netstat command looks like:

netstat ARGUMENT OPTIONS

Where ARGUMENT is the type of address family you want information about and OPTIONS is one or more options that specify the type of information returned.

Because netstat offers such a variety of options, it might be best if I first list some of the more useful options.

a : Shows the state of all sockets and routing table entries.

c : Display information continuously.

d : Show the state of all interfaces that use DHCP.

e : Show extended information.

g : Show the multicast group membership information for both IPv4 and IPv6.

i : Display a table of all network interfaces.

l : Limit statistics to a defined interface.

M : Show multicast routing tables.

n : Shows network addresses as numbers instead of the default symbols.

p : Show address resolution tables.

P : Limit statistics to a defined protocol.

r : Show all routing tables.

t : Show TCP connections.

u : Show UDP connections.

v : Use verbose mode for output.

So let's take a look and see how these can be used together.

netstat

By itself (no options) this command prints out generic statistics of the host you are currently connected to.

netstat -an

This command will display all connections to the host, including source and destination addresses and ports, and displays them as numbers.

netstat -rn

This command will display the routing table for the host in numeric form.

netstat -r

This command will display your routing table for your host.

netstat -natp

This command will display active TCP connections in numerical form.

netstat -t --listening

This will show you all TCP ports your host is listening on.

netstat --statistics

This command will display various statistics for your host's interfaces. Note that this command will display a LOT of statistics.

As you can see, this command will display quite a bit of information. On top of that you might need to pipe this command through the less command in order to see it more easily. That full command would look like netstat --statistics | less. Using it that way would allow you to use your arrow keys to scroll up and down through the output.

Usage Tips for Netstat

One of the most basic and common ways to use netstat is to check which ports are listening:

netstat -l

Which gives something like this on my freshly installed Antergos system

Or, if you are looking to focus your search a little bit more, you can add another option to filter specifically for different types of connections:

netstat -lt # for TCP

netstat -lu # for UDP

netstat -lx # for Unix

Or, you can go on the complete opposite end of the spectrum, and list all connections

netstat -a

Another option worth keeping in mind is ‘n’. When using netstat -n or netstat -ltn, for example, netstat no longer tries to resolve hostnames and shows only IP addresses, like in the example below.

As you can see, localhost was resolved to its numerical value after using the ‘n’ option.

Another way to use netstat is netstat -ie, the ‘i’ for interfaces, and the ‘e’ for ‘extended’ which will help give us a more human readable output.

netstat -ie # This will show us a list of network interfaces, and information about each device.

Advanced Netstat tips

What we want to do is tell netstat to give us output for specific applications that are listening for tcp connections. To do this we issue the command:

netstat --tcp --listening --programs

The output for this command would look something like:

Proto Recv-Q Send-Q Local Address    Foreign Address  Stat    PID/Program
tcp        0      0 *:ssh            *:*              LISTEN  25469/sshd
tcp        0      0 *:httpd          *:*              LISTEN  26754/httpd
tcp        0      0 localhost:ipp    *:*              LISTEN  -

Now you can actually see some useful information. In the above output you can see that both sshd and httpd are listening for incoming connections. The above is just a snippet of what the output can look like. What is very handy about this command is it will show you if there is a command or local address listening for incoming connections that shouldn't be listening. If you find an application that shouldn't be listening, kill it to be safe.

Route

Netstat is able to quickly print your machine's kernel routing table with the command:

netstat -r

The output of this command will look like:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

Statistics

This is one of the handier of the netstat tools. With this you can find out exactly the statistics for each protocol. The basic command structure is:

netstat --statistics

which will give you far more information than you want. Say, you only want to see statistics on the TCP protocol. For this you can issue the command:

netstat -t --statistics

The output to the above command will include information such as:

Tcp:

4343 active connections openings

8 passive connection openings

5 failed connection attempts

178 connection resets received

6 connections established

59075 segments received

60033 segments send out

76 segments retransmited

0 bad segments received.

303 resets sent

Or you could get information on UDP as well with the command:

netstat -u --statistics

Which would give you similar output for the UDP protocol.

Get creative

What if you wanted to see all unique IP addresses connected to a server? You can do that with netstat (and the help of a few other tools) like so:

netstat -nat | awk 'NR > 2 { print $5 }' | cut -d: -f1 | sed -e '/^$/d' | sort -u

The output of the above command would depend upon how much traffic your machine/server is getting. But it will include all unique IP addresses attempting to connect to your server.

What about checking to see if your server is under a DOS attack? You can do that with netstat like this:

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command will list out the IP addresses requesting the highest amount of connections to your server. If you see a number that is far higher than it should be, you most likely are under a Denial of Service attack.
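An added example (not from the original article) that extends the one-liner above: it strips the port from the right so IPv6 addresses are not cut at their first colon, skips LISTEN rows, and reports half-open (SYN_RECV) connections separately from the total. THRESHOLD, the top_talkers function name and the sample lines, which use documentation address ranges, are constructed assumptions.

```shell
#!/bin/sh
# Added example: per-remote-address TCP connection counts from netstat -ant.
THRESHOLD=3   # constructed low value so the sample triggers; tune per host

# Constructed sample in the format printed by: netstat -ant
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address     Foreign Address           State
tcp        0      0 0.0.0.0:80        0.0.0.0:*                 LISTEN
tcp        0      0 192.0.2.10:80     203.0.113.7:40112         SYN_RECV
tcp        0      0 192.0.2.10:80     203.0.113.7:40113         SYN_RECV
tcp        0      0 192.0.2.10:80     203.0.113.7:40114         SYN_RECV
tcp        0      0 192.0.2.10:80     203.0.113.7:40115         ESTABLISHED
tcp        0      0 192.0.2.10:80     198.51.100.23:51514       ESTABLISHED
tcp6       0      0 2001:db8::10:80   2001:db8::beef:51000      ESTABLISHED
tcp6       0      0 2001:db8::10:80   2001:db8::beef:51001      TIME_WAIT
tcp6       0      0 2001:db8::10:80   2001:db8::beef:51002      ESTABLISHED
tcp6       0      0 192.0.2.10:80     ::ffff:203.0.113.7:40200  ESTABLISHED'

# Prints "TOTAL SYN_RECV ADDRESS" for every remote address at or above
# THRESHOLD connections, busiest first.
top_talkers() {
    awk -v limit="$THRESHOLD" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
        ip = $5
        sub(/:[^:]*$/, "", ip)     # drop only the port, keep IPv6 colons
        sub(/^::ffff:/, "", ip)    # fold IPv4-mapped IPv6 into plain IPv4
        total[ip]++
        if ($6 == "SYN_RECV") half[ip]++
    }
    END {
        for (ip in total)
            if (total[ip] >= limit)
                printf "%d %d %s\n", total[ip], half[ip], ip
    }' | sort -rn
}

printf '%s\n' "$SAMPLE" | top_talkers
```

On a live server, pipe netstat -ant into top_talkers; a high SYN_RECV count for one address is a stronger sign of a flood than a high total, which busy proxies and NAT gateways also produce.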

Final thoughts

Netstat is one of those tools that you’ll never really think you’ll need, until suddenly you do; and it’s always good to know how to use it in case the need ever arises, at least on some basic level. For more information about how to use the netstat command and its options, check out the man pages by typing man netstat.

Now you: What’s your preferred utility for checking network information, and why? Let us know in the comments!


Article: How to use netstat in GNU/Linux. Author: Mike Turcotte. Publisher: Ghacks Technology News.