Netstat Command Line Tips and Tricks


Introduction

Netstat is a command line network statistics tool that is used for checking your network configuration and activity.

It displays both incoming and outgoing network connections, routing tables, network interface and network protocol statistics.

It is available on Unix-like operating systems such as Linux, Solaris and BSD, and on Windows-based operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

Netstat is a very important tool for network administrators for finding problems in the network and for determining the amount of traffic on the network as a performance measurement.

Netstat provides the following statistics:

The name of the protocol TCP or UDP.

The IP address of the local system with used port number. The name of the local system with name of the port.

The IP address and port number of the remote system with connected socket.

The possible states such as CLOSE_WAIT, ESTABLISHED, CLOSED, FIN_WAIT_1, FIN_WAIT_2, LISTEN, SYN_RECEIVED, SYN_SEND, LAST_ACK, and TIME_WAIT.

In this tutorial, we will learn some useful netstat command line tips and tricks.

Requirements

Any Linux based operating system installed on your computer or server.

Netstat Help

To list all available switches of the netstat command, run the following command:

netstat -h

Output:

usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cWnNe] -M | -s }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all, --listening   display all sockets (default: connected)
        -o, --timers             display timers
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB

  <Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)

List All TCP and UDP Connections

To list only TCP connections, run:

netstat -at

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 Node1.mshome.net:ssh    Vyom-PC.mshome.ne:36405 ESTABLISHED
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:36351              [::]:*                  LISTEN
tcp6       0      0 [::]:2181               [::]:*                  LISTEN

Similarly, use the following command to list all UDP connections:

netstat -au

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:16305                 *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:60495              [::]:*

List All Connections

To list all current TCP and UDP connections, run the following command:

netstat -a

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 Node1.mshome.net:ssh    Vyom-PC.mshome.ne:36405 ESTABLISHED
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:36351              [::]:*                  LISTEN
tcp6       0      0 [::]:2181               [::]:*                  LISTEN
udp        0      0 *:16305                 *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:60495              [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     7945     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     7480     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     9796     /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7146     @/com/ubuntu/upstart
unix  7      [ ]         DGRAM                    8099     /dev/log
unix  2      [ ACC ]     STREAM     LISTENING     9126     /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     9531     flaskproject.sock

The above command shows all connections for the different protocols: TCP, UDP and Unix domain sockets.

List All Listening Ports

To list all listening ports, run the following command:

netstat -l

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:36351              [::]:*                  LISTEN
tcp6       0      0 [::]:2181               [::]:*                  LISTEN
udp        0      0 *:16305                 *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:60495              [::]:*

List All TCP Listening Ports

To list only TCP listening ports, run the following command:

netstat -lt

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:mysql         *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 localhost:9200          [::]:*                  LISTEN
tcp6       0      0 [::]:http               [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 localhost:9300          [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
tcp6       0      0 [::]:https              [::]:*                  LISTEN
tcp6       0      0 [::]:36351              [::]:*                  LISTEN
tcp6       0      0 [::]:2181               [::]:*                  LISTEN

List All UDP Listening Ports

To list only UDP listening ports, run the following command:

netstat -lu

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:16305                 *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:60495              [::]:*

List All Unix Listening Sockets

You can list all listening Unix domain sockets by running the following command:

netstat -lx

Output:

Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     7945     /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     SEQPACKET  LISTENING     7480     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     9796     /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     7146     @/com/ubuntu/upstart
unix  2      [ ACC ]     STREAM     LISTENING     9126     /var/run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     9531     flaskproject.sock

Display Network Information

You can print out the information about the network interfaces by running the following command:

netstat -i

Output:

Kernel Interface table
Iface   MTU   Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0     1051      0      0      0    649      0      0      0 BMRU
lo      65536 0       65      0      0      0     65      0      0      0 LRU

The above command displays information in a very raw format. To get more information run the following command:

netstat -ie

Output:

Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 08:00:27:6c:2d:a6
          inet addr:192.168.137.91  Bcast:192.168.137.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe6c:2da6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:573 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:56080 (56.0 KB)  TX bytes:62412 (62.4 KB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:65 errors:0 dropped:0 overruns:0 frame:0
          TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:6364 (6.3 KB)  TX bytes:6364 (6.3 KB)

Displaying RAW Network Statistics

You can use the following command to display the raw network statistics:

netstat --statistics --raw

Output:

Ip:
    72893 total packets received
    0 forwarded
    0 incoming packets discarded
    72888 incoming packets delivered
    83458 requests sent out
    8 outgoing packets dropped
    16 dropped because of missing route
Icmp:
    493 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 493
    927 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 927
IcmpMsg:
        InType3: 493
        OutType3: 927
UdpLite:
IpExt:
    InNoRoutes: 4
    InMcastPkts: 161
    OutMcastPkts: 177
    InBcastPkts: 366
    OutBcastPkts: 355
    InOctets: 36976311
    OutOctets: 10651904
    InMcastOctets: 21555
    OutMcastOctets: 22195
    InBcastOctets: 60984
    OutBcastOctets: 57358
    InNoECTPkts: 72893

Display IPv4 and IPv6 Information

To display the IPv4 and IPv6 multicast group memberships, run the following command:

netstat -g

Output:

IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eth0            1      all-systems.mcast.net
lo              1      ip6-allnodes
lo              1      ff01::1
eth0            1      ff02::1:ff6c:2da6
eth0            1      ip6-allnodes
eth0            1      ff01::1

Print Netstat Information Continuously

To print netstat command output continuously, run the following command:

netstat -c

Output:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 Node1.mshome.net:ssh    Vyom-PC.mshome.ne:36405 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  7      [ ]         DGRAM                    8099     /dev/log
unix  3      [ ]         STREAM     CONNECTED     7464     @/com/ubuntu/upstart
unix  3      [ ]         DGRAM                    7520
unix  3      [ ]         DGRAM                    7519
unix  2      [ ]         STREAM     CONNECTED     10686
unix  3      [ ]         STREAM     CONNECTED     8526     @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    9115
unix  3      [ ]         STREAM     CONNECTED     8003     @/com/ubuntu/upstart
unix  2      [ ]         DGRAM                    8259
unix  3      [ ]         STREAM     CONNECTED     7923
unix  2      [ ]         DGRAM                    11466
unix  3      [ ]         STREAM     CONNECTED     8004
unix  3      [ ]         STREAM     CONNECTED     8279     /var/run/dbus/system_bus_socket
unix  2      [ ]         STREAM     CONNECTED     10008
unix  3      [ ]         STREAM     CONNECTED     7459
unix  2      [ ]         DGRAM                    11060
unix  2      [ ]         STREAM     CONNECTED     10966
unix  3      [ ]         STREAM     CONNECTED     8413
unix  2      [ ]         DGRAM                    11176
unix  3      [ ]         STREAM     CONNECTED     7962
unix  3      [ ]         STREAM     CONNECTED     7963
unix  3      [ ]         STREAM     CONNECTED     8005     /var/run/dbus/system_bus_socket
unix  2      [ ]         STREAM     CONNECTED     9799
unix  3      [ ]         STREAM     CONNECTED     8278

List process name, pid and user id

If you want to know the name and PID of the process that has opened a port or connection, run the following command:

netstat -nlpt

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1158/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      859/sshd
tcp6       0      0 ::1:9200                :::*                    LISTEN      1610/java
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      1610/java
tcp6       0      0 :::80                   :::*                    LISTEN      1966/apache2
tcp6       0      0 ::1:9300                :::*                    LISTEN      1610/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      1610/java
tcp6       0      0 :::22                   :::*                    LISTEN      859/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1966/apache2
tcp6       0      0 :::36351                :::*                    LISTEN      857/java
tcp6       0      0 :::2181                 :::*                    LISTEN      857/java

You can also list the process name together with the owning user by running the following command:

netstat -ltpe

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User          Inode       PID/Program name
tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql         9795        1158/mysqld
tcp        0      0 *:ssh                   *:*                     LISTEN      root          9183        859/sshd
tcp6       0      0 localhost:9200          [::]:*                  LISTEN      elasticsearch 11013       1610/java
tcp6       0      0 localhost:9200          [::]:*                  LISTEN      elasticsearch 11012       1610/java
tcp6       0      0 [::]:http               [::]:*                  LISTEN      root          10775       1966/apache2
tcp6       0      0 localhost:9300          [::]:*                  LISTEN      elasticsearch 10968       1610/java
tcp6       0      0 localhost:9300          [::]:*                  LISTEN      elasticsearch 10965       1610/java
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root          9190        859/sshd
tcp6       0      0 [::]:https              [::]:*                  LISTEN      root          10779       1966/apache2
tcp6       0      0 [::]:36351              [::]:*                  LISTEN      zookeeper     9801        857/java
tcp6       0      0 [::]:2181               [::]:*                  LISTEN      zookeeper     10017       857/java

The above command is very useful for finding the username/UID that owns a particular process. The output also contains the inode of each socket. This is a very useful command for network administrators.
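A common use of the `netstat -nlpt` listing is to check which services listen on every interface rather than on loopback only. The following is an added example, not part of the original tutorial: the function names, the allowlist argument and the sample rows (constructed, modelled on the output above) are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample in the format of `netstat -nlpt`.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1158/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      859/sshd
tcp6       0      0 ::1:9200                :::*                    LISTEN      1610/java
tcp6       0      0 :::80                   :::*                    LISTEN      1966/apache2
tcp6       0      0 :::22                   :::*                    LISTEN      859/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1966/apache2
tcp6       0      0 :::36351                :::*                    LISTEN      857/java
tcp6       0      0 :::2181                 :::*                    LISTEN      857/java
EOF
}

# Print "port pid/program" for TCP listeners bound to every interface
# (0.0.0.0 or ::) whose port is not in the space-separated allowlist $1.
# Reads `netstat -nlpt` output on stdin.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^tcp/ || $6 != "LISTEN" { next }   # skip headers and non-listeners
        {
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)   # local address without the port
            sub(/.*:/, "", port)       # port is the text after the last colon
            if (addr != "0.0.0.0" && addr != "::") next   # loopback or a single interface
            if (!(port in ok)) print port, $7
        }
    ' | sort -u | sort -n
}

sample_listeners | unexpected_listeners "22 80 443"
```

On a live host, run `sudo netstat -nlpt | unexpected_listeners "22 80 443"`; without root privileges the program column shows `-` for sockets owned by other users.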

Disable Reverse DNS Lookup for Faster Output

When you run the netstat command, it tries to resolve the hostname of each IP address in a connection by doing a reverse DNS lookup, which slows down the output. If you only need the IP addresses, skip the hostname lookup by running the following command:

netstat -ant

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.137.91:22       192.168.137.130:36405   ESTABLISHED
tcp6       0      0 ::1:9200                :::*                    LISTEN
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:9300                :::*                    LISTEN
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::36351                :::*                    LISTEN
tcp6       0      0 :::2181                 :::*                    LISTEN

Verify DDOS Attacks

To display all active internet connections to the server, run the following command:

netstat -na

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
tcp        0      0 10.0.3.1:53             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    181 192.168.43.4:51550      74.125.200.105:443      ESTABLISHED
tcp        0      0 192.168.137.130:48314   162.243.43.181:80       ESTABLISHED
tcp        0      0 192.168.137.130:48307   162.243.43.181:80       ESTABLISHED
tcp        0      0 192.168.137.130:48311   162.243.43.181:80       TIME_WAIT
tcp        0   3130 192.168.43.4:33282      74.125.200.94:443       FIN_WAIT1
tcp        0    354 192.168.137.130:46685   52.84.105.226:80        ESTABLISHED
tcp        0      0 192.168.137.130:33093   75.126.153.202:80       ESTABLISHED
tcp        0      0 192.168.137.130:33101   75.126.153.202:80       ESTABLISHED
tcp        0      1 192.168.137.130:52242   74.125.130.95:80        FIN_WAIT1
tcp        0      0 192.168.137.130:48308   162.243.43.181:80       ESTABLISHED
tcp        0      0 192.168.137.130:50452   192.0.73.2:80           TIME_WAIT
tcp        0      0 192.168.137.130:33076   75.126.153.202:80       TIME_WAIT
tcp        0      0 192.168.137.130:52236   74.125.130.95:80        ESTABLISHED
tcp        0    178 192.168.43.4:51551      74.125.200.105:443      FIN_WAIT1
tcp        0      1 192.168.43.4:52630      162.243.43.181:80       LAST_ACK
tcp        0      1 192.168.43.4:52623      162.243.43.181:80       LAST_ACK
tcp        0      0 192.168.137.130:48315   162.243.43.181:80       ESTABLISHED
tcp        0      0 192.168.137.130:33079   75.126.153.202:80       TIME_WAIT
tcp        0      1 192.168.137.130:52241   74.125.130.95:80        FIN_WAIT1
tcp        0      0 192.168.137.130:33077   75.126.153.202:80       TIME_WAIT
tcp        0      1 192.168.137.130:33098   75.126.153.202:80       FIN_WAIT1
tcp        0      0 192.168.137.130:48320   162.243.43.181:80       ESTABLISHED
tcp        0      0 192.168.137.130:48318   162.243.43.181:80       ESTABLISHED
tcp        0      0 192.168.137.130:52237   74.125.130.95:80        ESTABLISHED
tcp        0      1 192.168.137.130:33096   75.126.153.202:80       FIN_WAIT1
tcp        0      0 192.168.137.130:49134   216.58.199.163:80       TIME_WAIT
tcp        0    480 192.168.43.4:52622      162.243.43.181:80       FIN_WAIT1
tcp        0      1 192.168.137.130:52238   74.125.130.95:80        FIN_WAIT1
tcp        0      0 192.168.137.130:50459   192.0.73.2:80           TIME_WAIT
tcp        0      0 192.168.137.130:49135   216.58.199.163:80       TIME_WAIT
tcp        0      1 192.168.137.130:49130   216.58.199.163:80       LAST_ACK
tcp        0      1 192.168.43.4:52595      162.243.43.181:80       FIN_WAIT1
tcp        0      0 192.168.137.130:48309   162.243.43.181:80       TIME_WAIT
tcp        0      1 192.168.43.4:52626      162.243.43.181:80       LAST_ACK
tcp        0      0 192.168.137.130:46686   52.84.105.226:80        ESTABLISHED
tcp        0      1 192.168.137.130:33100   75.126.153.202:80       FIN_WAIT1
tcp        0      0 192.168.137.130:50458   192.0.73.2:80           ESTABLISHED
tcp        0      0 192.168.137.130:33078   75.126.153.202:80       ESTABLISHED

To display only active connections to the server on port 80, run the following command:

sudo netstat -an | grep :80 | sort

Output:

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      1 192.168.137.130:39239   52.222.135.39:80        LAST_ACK
tcp        0      1 192.168.137.130:48354   162.243.43.181:80       LAST_ACK
tcp        0    587 192.168.137.130:33127   75.126.153.202:80       LAST_ACK
tcp6       0      0 :::80                   :::*                    LISTEN

To list the connections that are currently in the SYN_REC state (shown by Linux netstat as SYN_RECV, which the pattern also matches), run the following command:

sudo netstat -n -p | grep SYN_REC | sort -u

To count how many connections are in the SYN_REC state, run the following command. An unusually high count is a sign of a SYN flood:

sudo netstat -n -p|grep SYN_REC | wc -l

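To list the unique remote IP addresses connected to the server over TCP or UDP, with the number of connections from each, run the following command. The addresses with the most connections appear at the bottom of the list: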

sudo netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To calculate and count the number of connections each IP address makes to the server, run the following command:

sudo netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To count only the ESTABLISHED TCP or UDP connections each IP address has to the server, with the busiest address first, run the following command:

sudo netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

You can also restrict the count to connections on port 80 and display the connection count for each IP address by running the following command:

sudo netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f 1 | sort | uniq -c | sort -nk 1
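As an added example (not part of the original tutorial), the per-IP counting above can be done in one awk pass that skips netstat's header lines, matches the local port exactly and keeps IPv6 addresses whole, which `grep :80` and `cut -d: -f1` do not. The function names, the threshold argument and the sample rows (constructed, using documentation address ranges) are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample in the format of `netstat -ant`.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:8080         198.51.100.7:40115      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51001       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::beef:44321    SYN_RECV
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# Print "count remote_ip" for TCP connections to local port $1 in state $2,
# highest count first. Reads `netstat -ant` output on stdin.
count_remote() {
    awk -v port="$1" -v state="$2" '
        $1 !~ /^tcp/ { next }                  # skip the two header lines
        $6 != state  { next }
        {
            lport = $4; sub(/.*:/, "", lport)  # text after the last colon
            if (lport != port) next            # exact match, so 8080 is not 80
            rip = $5; sub(/:[^:]*$/, "", rip)  # strip only the port, IPv6 stays whole
            n[rip]++
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print remote IPs with at least $2 SYN_RECV connections to local port $1.
flag_syn_sources() {
    count_remote "$1" SYN_RECV | awk -v min="$2" '$1 >= min { print $2 }'
}

sample_netstat | count_remote 80 SYN_RECV
```

On a live host, feed it real data with `sudo netstat -ant | count_remote 80 SYN_RECV` and pick the threshold from what is normal for that server.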