Linux networking: 13 uses for netstat
The network statistics (netstat
) command is a networking tool used for troubleshooting and configuration, that can also serve as a monitoring tool for connections over the network. Both incoming and outgoing connections, routing tables, port listening, and usage statistics are common uses for this command. Let's take a look at some of the basic usage for netstat
and the most used cases.
List all listening ports
To list all listening ports, using both TCP and UDP, use netstat -a
:
[tcarrigan@rhel ~]$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:hostmon 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 rhel.test:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 rhel.test:39148 a173-222-212-251.:https ESTABLISHED
tcp 2880 0 rhel.test:39150 a173-222-212-251.:https ESTABLISHED
tcp 0 0 rhel.test:39146 a173-222-212-251.:https ESTABLISHED
tcp 0 0 rhel.test:49610 parrot.sbs.arizona:http TIME_WAIT
tcp 0 0 rhel.test:49614 parrot.sbs.arizona:http TIME_WAIT
tcp 0 0 rhel.test:49608 parrot.sbs.arizona:http TIME_WAIT
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 38124 @/tmp/.ICE-unix/2276
unix 2 [ ACC ] STREAM LISTENING 41812 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 38125 /tmp/.ICE-unix/2276
unix 2 [ ACC ] STREAM LISTENING 41743 /tmp/.ICE-unix/2613
unix 2 [ ACC ] STREAM LISTENING 14186 @/org/kernel/linux/storage/multipathd
unix 2 [ ACC ] STREAM LISTENING 41653 @/tmp/dbus-GYsHTAWD
unix 2 [ ACC ] STREAM LISTENING 41742 @/tmp/.ICE-unix/2613
Note: this output was edited for length.
If this looks like a lot of information to you, that is because it is a lot of information!
List only TCP port connections
If you found the -a
option to be too verbose, try the -t
flag with it:
[tcarrigan@rhel ~]$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:hostmon 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 rhel.test:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 rhel.test:39148 a173-222-212-251.:https ESTABLISHED
tcp 0 0 rhel.test:39150 a173-222-212-251.:https ESTABLISHED
tcp 0 0 rhel.test:39146 a173-222-212-251.:https ESTABLISHED
tcp6 0 0 [::]:hostmon [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
This gives you a much more user-friendly readout of the TCP connections only.
List only UDP port connections
The same filter can be used to pull UDP connections down. Seen here:
[tcarrigan@rhel ~]$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:35709 0.0.0.0:*
udp 0 0 rhel.test:domain 0.0.0.0:*
udp 0 0 127.0.0.53:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 rhel.test:bootpc 0.0.0.0:*
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
udp 0 0 localhost:323 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:hostmon 0.0.0.0:*
udp6 0 0 [::]:39874 [::]:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 localhost:323 [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:hostmon [::]:*
List all actively listening ports
To list all actively listening ports (both TCP and UDP), use the following command:
[tcarrigan@rhel ~]$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:hostmon 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:35709 0.0.0.0:*
udp 0 0 rhel.test:domain 0.0.0.0:*
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 38124 @/tmp/.ICE-unix/2276
unix 2 [ ACC ] STREAM LISTENING 41812 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 38125 /tmp/.ICE-unix/2276
unix 2 [ ACC ] STREAM LISTENING 41743 /tmp/.ICE-unix/2613
unix 2 [ ACC ] STREAM LISTENING 14186 @/org/kernel/linux/storage/multipathd
Note: this output was edited for length.
You can apply filters to the listening ports as well by adding the -t
and -u
options depending on your desired protocol.
For TCP:
[tcarrigan@rhel ~]$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:hostmon 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 rhel.test:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp6 0 0 [::]:hostmon [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
For UDP:
[tcarrigan@rhel ~]$ netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:35709 0.0.0.0:*
udp 0 0 rhel.test:domain 0.0.0.0:*
udp 0 0 127.0.0.53:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 rhel.test:bootpc 0.0.0.0:*
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
udp 0 0 localhost:323 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:hostmon 0.0.0.0:*
udp6 0 0 [::]:39874 [::]:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 localhost:323 [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:hostmon [::]:*
Netstat + grep
The combination of netstat
and grep
are very commonly used for finding the number of listening programs on a port. We run the standard netstat -ap
and then pipe to grep
for a search key. For this example, we will use http
:
[root@rhel ~]# netstat -ap | grep http
tcp 0 0 rhel.test:60680 iad30s14-in-f4.1e:https TIME_WAIT -
tcp 0 0 rhel.test:57752 iad30s15-in-f3.1e:https ESTABLISHED 4003/firefox
tcp 0 0 rhel.test:55418 13.107.42.14:https ESTABLISHED 4003/firefox
tcp 0 0 rhel.test:42496 server-13-249-126-:http ESTABLISHED 4003/firefox
tcp 0 0 rhel.test:48538 server-13-249-102:https ESTABLISHED 4003/firefox
Now that we know how to view connections and listening ports, let's take a look at pulling statistics.
Pull statistics by protocol
To pull and view network statistics sorted by protocol use the following:
[tcarrigan@rhel ~]$ netstat -s
Ip:
Forwarding: 1
64919 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
64877 incoming packets delivered
62971 requests sent out
4 dropped because of missing route
Icmp:
0 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
Tcp:
31 active connection openings
0 passive connection openings
0 failed connection attempts
1 connection resets received
0 connections established
64704 segments received
62779 segments sent out
0 segments retransmitted
0 bad segments received
33 resets sent
Udp:
173 packets received
0 packets to unknown port received
0 packet receive errors
205 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
TcpExt:
9 TCP sockets finished time wait in fast timer
32 delayed acks sent
1 delayed acks further delayed because of locked socket
59599 packet headers predicted
38 acknowledgments not containing data payload received
424 predicted acknowledgments
1 connections reset due to early user close
TCPRcvCoalesce: 2863
TCPAutoCorking: 2
TCPOrigDataSent: 462
TCPDelivered: 493
IpExt:
InMcastPkts: 29
OutMcastPkts: 35
InOctets: 337792114
OutOctets: 2677848
InMcastOctets: 3098
OutMcastOctets: 3338
InNoECTPkts: 293203
Filters can be implemented for specific protocols in the same way that the connections/ports were filtered.
TCP stats:
[tcarrigan@rhel ~]$ netstat -st
Tcp:
31 active connection openings
0 passive connection openings
0 failed connection attempts
1 connection resets received
0 connections established
64704 segments received
62779 segments sent out
0 segments retransmitted
0 bad segments received
33 resets sent
UdpLite:
TcpExt:
9 TCP sockets finished time wait in fast timer
32 delayed acks sent
1 delayed acks further delayed because of locked socket
59599 packet headers predicted
38 acknowledgments not containing data payload received
424 predicted acknowledgments
1 connections reset due to early user close
TCPRcvCoalesce: 2863
TCPAutoCorking: 2
TCPOrigDataSent: 462
TCPDelivered: 493
IpExt:
InMcastPkts: 29
OutMcastPkts: 35
InOctets: 337792798
OutOctets: 2678532
InMcastOctets: 3098
OutMcastOctets: 3338
InNoECTPkts: 293212
UDP stats:
[tcarrigan@rhel ~]$ netstat -su
Udp:
191 packets received
0 packets to unknown port received
0 packet receive errors
223 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
IpExt:
InMcastPkts: 29
OutMcastPkts: 35
InOctets: 337793482
OutOctets: 2679216
InMcastOctets: 3098
OutMcastOctets: 3338
InNoECTPkts: 293221
Raw network stats:
If all of this filtered data isn't for you, consider pulling the raw stats:
[root@rhel ~]# netstat --statistics --raw
Ip:
Forwarding: 1
68789 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
68727 incoming packets delivered
66762 requests sent out
4 dropped because of missing route
Icmp:
0 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
UdpLite:
IpExt:
InMcastPkts: 29
OutMcastPkts: 35
InOctets: 348032479
OutOctets: 3070589
InMcastOctets: 3098
OutMcastOctets: 3338
InNoECTPkts: 303413
Display services by PID
A really handy trick for troubleshooting is to list out a service by PID. To do so, use the following command:
[root@rhel ~]# netstat -tp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 rhel.test:56598 130.248.144.17:https ESTABLISHED 4487/firefox
tcp 0 0 rhel.test:40414 server-13-249-122:https TIME_WAIT -
tcp 0 0 rhel.test:59534 e017.en25.com:https ESTABLISHED 4487/firefox
tcp 0 0 rhel.test:40134 iad23s60-in-f4.1e:https ESTABLISHED 4487/firefox
tcp 0 0 rhel.test:39014 72.21.91.29:http TIME_WAIT
Show I/O by interface
The -i
option is another useful flag for troubleshooting. To view send/receive stats by interface, use the following:
[root@rhel ~]# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
enp0s3 1500 293240 0 0 0 63064 0 0 0 BMRU
lo 65536 0 0 0 0 0 0 0 0 LRU
virbr0 1500 0 0 0 0 0 0 0 0 BMU
Wrap up
There you have it. The netstat
command is an easy to use and powerful tool that any Linux network admin can put to use. I used netstat
extensively as a storage admin for troubleshooting, and I am sure that you will find some use for it, too. While in recent years netstat
has been deprecated in favor of the ss
command, you may still find it in your networking toolbox. For a more modern take, I will explore ss
in a future article, so be sure to keep an eye out for that!
[ Getting started with networking? Check out the Linux networking cheat sheet. ]
Tyler Carrigan
Tyler is the Sr. Community Manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. More about me