- Unix Commands Reference
- Unix Commands - Home
netstat command in Linux with Examples
Name
netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
Synopsis
netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c]
netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
netstat {--interfaces|-i} [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
Description
Netstat is a command line utility to display all the network connections on a system. It displays all the tcp, udp and unix socket connections. Apart from connected sockets it also displays listening sockets that are waiting for incoming connections. The type of information displayed by netstat command is controlled by the first argument, as follows:
(none) By default, netstat displays a list of open sockets. If you don't specify any address families, then the active sockets of all configured address families will be printed. --route , -r Display the kernel routing tables. See the description in route(8) for details. netstat -r and route -e produce the same output. --groups , -g Display multicast group membership information for IPv4 and IPv6. --interfaces, -i Display a table of all network interfaces. --masquerade , -M Display a list of masqueraded connections. --statistics , -s Display summary statistics for each protocol.
Options
The options for netstat commands are:
--verbose , -v
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.
--wide , -W
Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts.
--numeric , -n
Show numerical addresses instead of trying to determine symbolic host, port or usernames.
--numeric-hosts
shows numerical host addresses but does not affect the resolution of port or user names.
--numeric-ports
shows numerical port numbers but does not affect the resolution of host or user names.
--numeric-users
shows numerical user IDs but does not affect the resolution of host or port names.
--protocol=family, -A
Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (',') separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options.
The address family inet includes raw, udp and tcp protocol sockets.
-c, --continuous
This will cause netstat to print the selected information every second continuously.
-e, --extend
Display additional information. Use this option twice for maximum detail.
-o, --timers
Include information related to networking timers.
-p, --program
Show the PID and name of the program to which each socket belongs.
-l, --listening
Show only listening sockets. (These are omitted by default.)
-F
Print routing information from the FIB. (This is the default.)
-C
Print routing information from the route cache.
Examples
1. netstat command without any argument displays information about the Linux networking subsystem. By default, netstat displays a list of open sockets.
$ netstat Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 erpnext.Dlink:59438 602.bm-nginx-load:https ESTABLISHED tcp 0 0 erpnext.Dlink:57112 kul01s10-in-f34.1:https TIME_WAIT tcp 0 0 erpnext.Dlink:46496 162.125.81.13:https ESTABLISHED tcp 0 0 erpnext.Dlink:48512 172.67.167.22:https TIME_WAIT tcp 0 0 erpnext.Dlink:40994 del12s04-in-f14.1:https ESTABLISHED tcp 0 0 erpnext.Dlink:58724 del11s12-in-f8.1e:https TIME_WAIT tcp 0 0 erpnext.Dlink:38628 a97adde81b00f2ca4:https TIME_WAIT tcp 0 0 erpnext.Dlink:42136 server-13-35-217-:https TIME_WAIT tcp 0 0 erpnext.Dlink:59672 del12s03-in-f5.1e:https ESTABLISHED tcp 0 0 erpnext.Dlink:46570 230.247.227.35.bc:https TIME_WAIT tcp 0 1 erpnext.Dlink:38166 182.161.72.137:https SYN_SENT tcp 0 0 erpnext.Dlink:35614 del12s09-in-f2.1e:https TIME_WAIT tcp 0 0 erpnext.Dlink:59630 598.bm-nginx-load:https TIME_WAIT tcp 0 0 erpnext.Dlink:58280 del11s16-in-f1.1e:https TIME_WAIT tcp 0 0 erpnext.Dlink:58030 bidder.hk5.vip.pr:https ESTABLISHED tcp 0 0 erpnext.Dlink:41966 del12s04-in-f4.1e:https TIME_WAIT tcp 0 0 erpnext.Dlink:58658 192.71.201.35.bc.:https TIME_WAIT tcp 0 0 erpnext.Dlink:59626 598.bm-nginx-load:https ESTABLISHED tcp 0 0 erpnext.Dlink:56720 162.125.36.2:https ESTABLISHED ...
We can use -a option to display all sockets, both listening and non-listening, and protocols like TCP, UDP, RAW, Unix Sockets, etc.
2. We can use -t option to display only tcp sockets.
$ netstat -t Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 1 erpnext.Dlink:38340 182.161.72.137:https SYN_SENT tcp 0 0 erpnext.Dlink:42608 server-13-35-217-:https ESTABLISHED tcp 0 1 erpnext.Dlink:38344 182.161.72.137:https SYN_SENT tcp 0 1 erpnext.Dlink:38328 182.161.72.137:https SYN_SENT tcp 0 1 erpnext.Dlink:38342 182.161.72.137:https SYN_SENT tcp 0 0 erpnext.Dlink:42490 del12s04-in-f4.1e:https ESTABLISHED tcp 0 1 erpnext.Dlink:38326 182.161.72.137:https SYN_SENT tcp 0 0 erpnext.Dlink:48452 ec2-52-76-52-167.:https ESTABLISHED tcp 0 0 erpnext.Dlink:56720 162.125.36.2:https ESTABLISHED tcp 0 1 erpnext.Dlink:38346 182.161.72.137:https SYN_SENT tcp 0 1 erpnext.Dlink:38336 182.161.72.137:https SYN_SENT tcp 0 0 erpnext.Dlink:57496 218.64.98.34.bc.g:https ESTABLISHED tcp 0 0 erpnext.Dlink:59166 192.71.201.35.bc.:https ESTABLISHED tcp 0 0 erpnext.Dlink:41324 103.231.98.193:https ESTABLISHED tcp 0 0 erpnext.Dlink:37068 ec2-54-179-109-22:https ESTABLISHED tcp 0 0 erpnext.Dlink:48206 8.159.244.35.bc.g:https ESTABLISHED tcp 0 0 erpnext.Dlink:42134 server-13-35-217-:https ESTABLISHED tcp 0 0 erpnext.Dlink:39240 relay-f4105590.net:http ESTABLISHED tcp 0 0 erpnext.Dlink:60756 ec2-13-229-220-22:https ESTABLISHED tcp 0 1 erpnext.Dlink:38332 182.161.72.137:https SYN_SENT tcp 0 0 erpnext.Dlink:35880 600.bm-nginx-load:https TIME_WAIT tcp 0 0 erpnext.Dlink:35162 ec2-34-215-30-193:https ESTABLISHED tcp 0 0 erpnext.Dlink:35904 162.125.35.134:https ESTABLISHED
3. We can use -u option to display only udp connections. Similarly we can use -w option to display data_gram
$ netstat -u Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 localhost:45618 localhost:45618 ESTABLISHED
4. By default netstat comand shows only connected sockets. But we can use -a option to display other sockets as well.
$ netstat -au Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 *:53262 *:* udp 0 0 erpnext.esc.in:domain *:* udp 0 0 localhost:domain *:* udp 0 0 *:bootpc *:* udp 0 0 erpnext.Dlink:ntp *:* udp 0 0 localhost:ntp *:* udp 0 0 *:ntp *:* udp 0 0 *:41092 *:* udp 0 0 localhost:45618 localhost:45618 ESTABLISHED udp 0 0 *:ipp *:* udp 0 0 *:41621 *:* udp6 0 0 ip6-localhost:domain [::]:* udp6 0 0 fe80::15de:9204:301:ntp [::]:* udp6 0 0 ip6-localhost:ntp [::]:* udp6 0 0 [::]:ntp [::]:* udp6 0 0 [::]:mdns [::]:* udp6 0 0 [::]:44487 [::]:*
5. We can use -l command to display listening sockets. Below we show an example of all tcp listening sockets.
$ netstat -lt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:ssh *:* LISTEN tcp 0 0 localhost:8022 *:* LISTEN tcp 0 0 localhost:ipp *:* LISTEN tcp 0 0 localhost:45432 *:* LISTEN tcp 0 0 *:smtp *:* LISTEN tcp 0 0 *:db-lsp *:* LISTEN tcp 0 0 *:7070 *:* LISTEN tcp 0 0 localhost:mysql *:* LISTEN tcp 0 0 localhost:6379 *:* LISTEN tcp 0 0 *:5900 *:* LISTEN tcp 0 0 localhost:x11 *:* LISTEN tcp 0 0 erpnext.esc.in:domain *:* LISTEN tcp 0 0 localhost:domain *:* LISTEN tcp6 0 0 [::]:ssh [::]:* LISTEN tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN tcp6 0 0 [::]:smtp [::]:* LISTEN tcp6 0 0 [::]:https [::]:* LISTEN tcp6 0 0 [::]:db-lsp [::]:* LISTEN tcp6 0 0 [::]:5900 [::]:* LISTEN tcp6 0 0 [::]:http [::]:* LISTEN tcp6 0 0 ip6-localhost:domain [::]:* LISTEN
6. We can use -p option to show PID and to which program each socket belongs, -e option adds extra info like the user. But run this command as root to see all PIDs.
$ netstat -pt Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 1 erpnext.Dlink:38872 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 1 erpnext.Dlink:38866 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 0 erpnext.Dlink:59230 162.125.6.20:https ESTABLISHED 6049/dropbox tcp 0 1 erpnext.Dlink:38876 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 0 localhost:36492 localhost:45432 ESTABLISHED 11111/rake jobs:wor tcp 0 1 erpnext.Dlink:38868 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 1 erpnext.Dlink:38870 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 1 erpnext.Dlink:38874 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 0 erpnext.Dlink:48206 8.159.244.35.bc.g:https ESTABLISHED 6173/firefox tcp 0 0 erpnext.Dlink:42134 server-13-35-217-:https ESTABLISHED 6173/firefox tcp 0 0 erpnext.Dlink:39240 relay-f4105590.net:http ESTABLISHED 837/anydesk tcp 0 0 erpnext.Dlink:39536 162.125.35.136:https ESTABLISHED 6049/dropbox tcp 0 0 erpnext.Dlink:35162 ec2-34-215-30-193:https ESTABLISHED 6173/firefox tcp 0 0 localhost:45432 localhost:36492 ESTABLISHED 11148/main: openpro tcp 0 0 erpnext.Dlink:36878 162.125.35.134:https ESTABLISHED 6049/dropbox tcp 0 1 erpnext.Dlink:38862 182.161.72.137:https SYN_SENT 6173/firefox tcp 0 1 erpnext.Dlink:38864 182.161.72.137:https SYN_SENT 6173/firefox $
Output in the above example shows PID/Program, PID is the process id associated with the socket connection and Program denotes the program associated withthe socket connection.
$ netstat -u -e Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode udp 0 0 localhost:37309 localhost:domain ESTABLISHED expert 400660 udp 0 0 localhost:45618 localhost:45618 ESTABLISHED postgres 26812 udp 0 0 localhost:50007 localhost:domain ESTABLISHED expert 402643 udp 0 0 localhost:37720 localhost:domain ESTABLISHED root 402644 udp 0 0 localhost:42455 localhost:domain ESTABLISHED expert 402628 udp 0 0 localhost:50913 localhost:domain ESTABLISHED expert 399785 udp 0 0 localhost:39830 localhost:domain ESTABLISHED expert 400657 udp 0 0 localhost:52621 localhost:domain ESTABLISHED expert 400655 udp 0 0 localhost:56808 localhost:domain ESTABLISHED expert 401604
Output in the above example with option -u shows I-Node. I-Node denotes file system inode (index node) associated with this socket. In case of option -x output displays Path, it denotes file system path to the socket.
7. We can use -n option along with other options to disable DNS resolution of symbolic names (shows IP address instead of names).
$ netstat -ant Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:8022 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:45432 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN tcp 0 1 192.168.0.4:51912 182.161.72.137:443 SYN_SENT tcp 0 0 192.168.0.4:42202 162.125.36.2:443 ESTABLISHED tcp 0 1 192.168.0.4:51904 182.161.72.137:443 SYN_SENT tcp 0 0 192.168.0.4:60294 162.125.81.13:443 ESTABLISHED tcp 0 0 192.168.0.4:39240 138.201.130.101:80 ESTABLISHED tcp 0 1 192.168.0.4:51892 182.161.72.137:443 SYN_SENT tcp 0 0 192.168.0.4:35162 34.215.30.193:443 ESTABLISHED tcp6 0 0 :::25 :::* LISTEN tcp6 0 0 :::443 :::* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 ::1:53 :::* LISTEN
8. We can use -s option to display the summary of network sockets by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols.
$ netstat -su IcmpMsg: InType3: 20 OutType3: 598 Udp: 723712 packets received 1704 packets to unknown port received. 0 packet receive errors 278423 packets sent IgnoredMulti: 8 UdpLite:
9. netstat command display the kernel routing tables. We can use -r or --route option to display the kernel routing table.
$ netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default 192.168.0.1 0.0.0.0 UG 0 0 0 enp0s25 default 192.168.0.1 0.0.0.0 UG 0 0 0 wlx503eaa7c4c9b link-local * 255.255.0.0 U 0 0 0 enp0s25 192.168.0.0 * 255.255.255.0 U 0 0 0 enp0s25 192.168.0.0 * 255.255.255.0 U 0 0 0 wlx503eaa7c4c9b
10. We can use -i option to display table of all network interfaces.
$ netstat -i Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg enp0s25 1500 0 11562 0 0 0 6270 0 0 0 BMRU lo 65536 0 238860 0 0 0 238860 0 0 0 LRU wlx503eaa7c4c9b 1500 0 803751 0 2843 0 348358 0 0 0 BMRU
11. We can use -e option to netstat -i command to extend the details of the kernel interface table:
$ netstat -i -e
Kernel Interface table
enp0s25 Link encap:Ethernet HWaddr 7c:05:07:10:08:8d
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:18983 errors:0 dropped:0 overruns:0 frame:0
TX packets:11614 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10340011 (10.3 MB) TX bytes:1668036 (1.6 MB)
Interrupt:20 Memory:f7c00000-f7c20000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:265123 errors:0 dropped:0 overruns:0 frame:0
TX packets:265123 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:97634381 (97.6 MB) TX bytes:97634381 (97.6 MB)
wlx503eaa7c4c9b Link encap:Ethernet HWaddr 50:3e:aa:7c:4c:9b
inet addr:192.168.0.4 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::15de:9204:3015:b802/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:815468 errors:0 dropped:3174 overruns:0 frame:0
TX packets:362966 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:937465675 (937.4 MB) TX bytes:118211153 (118.2 MB)
Advertisements