Skip to main content

Linux networking: 13 uses for netstat

Though it's largely been replaced in recent years, netstat is still a powerful tool providing network analytics at your fingertips.
Image
analytics text

Photo by Timur Saglambilek from Pexels

The network statistics (netstat) command is a networking tool used for troubleshooting and configuration, that can also serve as a monitoring tool for connections over the network. Both incoming and outgoing connections, routing tables, port listening, and usage statistics are common uses for this command. Let's take a look at some of the basic usage for netstat and the most used cases.

List all listening ports

To list all listening ports, using both TCP and UDP, use netstat -a:

[tcarrigan@rhel ~]$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:hostmon         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
tcp        0      0 rhel.test:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 rhel.test:39148         a173-222-212-251.:https ESTABLISHED
tcp     2880      0 rhel.test:39150         a173-222-212-251.:https ESTABLISHED
tcp        0      0 rhel.test:39146         a173-222-212-251.:https ESTABLISHED
tcp        0      0 rhel.test:49610         parrot.sbs.arizona:http TIME_WAIT  
tcp        0      0 rhel.test:49614         parrot.sbs.arizona:http TIME_WAIT  
tcp        0      0 rhel.test:49608         parrot.sbs.arizona:http TIME_WAIT 
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     38124    @/tmp/.ICE-unix/2276
unix  2      [ ACC ]     STREAM     LISTENING     41812    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     38125    /tmp/.ICE-unix/2276
unix  2      [ ACC ]     STREAM     LISTENING     41743    /tmp/.ICE-unix/2613
unix  2      [ ACC ]     STREAM     LISTENING     14186    @/org/kernel/linux/storage/multipathd
unix  2      [ ACC ]     STREAM     LISTENING     41653    @/tmp/dbus-GYsHTAWD
unix  2      [ ACC ]     STREAM     LISTENING     41742    @/tmp/.ICE-unix/2613

Note: this output was edited for length.

If this looks like a lot of information to you, that is because it is a lot of information!

List only TCP port connections

If you found the -a option to be too verbose, try the -t flag with it:

[tcarrigan@rhel ~]$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:hostmon         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
tcp        0      0 rhel.test:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 rhel.test:39148         a173-222-212-251.:https ESTABLISHED
tcp        0      0 rhel.test:39150         a173-222-212-251.:https ESTABLISHED
tcp        0      0 rhel.test:39146         a173-222-212-251.:https ESTABLISHED
tcp6       0      0 [::]:hostmon            [::]:*                  LISTEN     
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN 

This gives you a much more user-friendly readout of the TCP connections only.

List only UDP port connections

The same filter can be used to pull UDP connections down. Seen here:

[tcarrigan@rhel ~]$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:35709           0.0.0.0:*                          
udp        0      0 rhel.test:domain        0.0.0.0:*                          
udp        0      0 127.0.0.53:domain       0.0.0.0:*                          
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                          
udp        0      0 rhel.test:bootpc        0.0.0.0:*                          
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                          
udp        0      0 localhost:323           0.0.0.0:*                          
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                          
udp        0      0 0.0.0.0:hostmon         0.0.0.0:*                          
udp6       0      0 [::]:39874              [::]:*                             
udp6       0      0 [::]:sunrpc             [::]:*                             
udp6       0      0 localhost:323           [::]:*                             
udp6       0      0 [::]:mdns               [::]:*                             
udp6       0      0 [::]:hostmon            [::]:*                

List all actively listening ports

To list all actively listening ports (both TCP and UDP), use the following command:

[tcarrigan@rhel ~]$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:hostmon         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN    
udp        0      0 0.0.0.0:35709           0.0.0.0:*                          
udp        0      0 rhel.test:domain        0.0.0.0:*                         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     38124    @/tmp/.ICE-unix/2276
unix  2      [ ACC ]     STREAM     LISTENING     41812    /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     38125    /tmp/.ICE-unix/2276
unix  2      [ ACC ]     STREAM     LISTENING     41743    /tmp/.ICE-unix/2613
unix  2      [ ACC ]     STREAM     LISTENING     14186    @/org/kernel/linux/storage/multipathd

Note: this output was edited for length.

You can apply filters to the listening ports as well by adding the -t and -u options depending on your desired protocol.

For TCP:

[tcarrigan@rhel ~]$ netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:hostmon         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:sunrpc          0.0.0.0:*               LISTEN     
tcp        0      0 rhel.test:domain        0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:hostmon            [::]:*                  LISTEN     
tcp6       0      0 [::]:sunrpc             [::]:*                  LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN 

For UDP:

[tcarrigan@rhel ~]$ netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:35709           0.0.0.0:*                          
udp        0      0 rhel.test:domain        0.0.0.0:*                          
udp        0      0 127.0.0.53:domain       0.0.0.0:*                          
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                          
udp        0      0 rhel.test:bootpc        0.0.0.0:*                          
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*                          
udp        0      0 localhost:323           0.0.0.0:*                          
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                          
udp        0      0 0.0.0.0:hostmon         0.0.0.0:*                          
udp6       0      0 [::]:39874              [::]:*                             
udp6       0      0 [::]:sunrpc             [::]:*                             
udp6       0      0 localhost:323           [::]:*                             
udp6       0      0 [::]:mdns               [::]:*                             
udp6       0      0 [::]:hostmon            [::]:*      

Netstat + grep

The combination of netstat and grep are very commonly used for finding the number of listening programs on a port. We run the standard netstat -ap and then pipe to grep for a search key. For this example, we will use http:

[root@rhel ~]# netstat -ap | grep http
tcp        0      0 rhel.test:60680         iad30s14-in-f4.1e:https TIME_WAIT   -                   
tcp        0      0 rhel.test:57752         iad30s15-in-f3.1e:https ESTABLISHED 4003/firefox        
tcp        0      0 rhel.test:55418         13.107.42.14:https      ESTABLISHED 4003/firefox        
tcp        0      0 rhel.test:42496         server-13-249-126-:http ESTABLISHED 4003/firefox        
tcp        0      0 rhel.test:48538         server-13-249-102:https ESTABLISHED 4003/firefox        

Now that we know how to view connections and listening ports, let's take a look at pulling statistics.

Pull statistics by protocol

To pull and view network statistics sorted by protocol use the following:

[tcarrigan@rhel ~]$ netstat -s
Ip:
    Forwarding: 1
    64919 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    64877 incoming packets delivered
    62971 requests sent out
    4 dropped because of missing route
Icmp:
    0 ICMP messages received
    0 input ICMP message failed
    ICMP input histogram:
    0 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
Tcp:
    31 active connection openings
    0 passive connection openings
    0 failed connection attempts
    1 connection resets received
    0 connections established
    64704 segments received
    62779 segments sent out
    0 segments retransmitted
    0 bad segments received
    33 resets sent
Udp:
    173 packets received
    0 packets to unknown port received
    0 packet receive errors
    205 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
TcpExt:
    9 TCP sockets finished time wait in fast timer
    32 delayed acks sent
    1 delayed acks further delayed because of locked socket
    59599 packet headers predicted
    38 acknowledgments not containing data payload received
    424 predicted acknowledgments
    1 connections reset due to early user close
    TCPRcvCoalesce: 2863
    TCPAutoCorking: 2
    TCPOrigDataSent: 462
    TCPDelivered: 493
IpExt:
    InMcastPkts: 29
    OutMcastPkts: 35
    InOctets: 337792114
    OutOctets: 2677848
    InMcastOctets: 3098
    OutMcastOctets: 3338
    InNoECTPkts: 293203

Filters can be implemented for specific protocols in the same way that the connections/ports were filtered.

TCP stats:

[tcarrigan@rhel ~]$ netstat -st
Tcp:
    31 active connection openings
    0 passive connection openings
    0 failed connection attempts
    1 connection resets received
    0 connections established
    64704 segments received
    62779 segments sent out
    0 segments retransmitted
    0 bad segments received
    33 resets sent
UdpLite:
TcpExt:
    9 TCP sockets finished time wait in fast timer
    32 delayed acks sent
    1 delayed acks further delayed because of locked socket
    59599 packet headers predicted
    38 acknowledgments not containing data payload received
    424 predicted acknowledgments
    1 connections reset due to early user close
    TCPRcvCoalesce: 2863
    TCPAutoCorking: 2
    TCPOrigDataSent: 462
    TCPDelivered: 493
IpExt:
    InMcastPkts: 29
    OutMcastPkts: 35
    InOctets: 337792798
    OutOctets: 2678532
    InMcastOctets: 3098
    OutMcastOctets: 3338
    InNoECTPkts: 293212

UDP stats:

[tcarrigan@rhel ~]$ netstat -su
Udp:
    191 packets received
    0 packets to unknown port received
    0 packet receive errors
    223 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
IpExt:
    InMcastPkts: 29
    OutMcastPkts: 35
    InOctets: 337793482
    OutOctets: 2679216
    InMcastOctets: 3098
    OutMcastOctets: 3338
    InNoECTPkts: 293221

Raw network stats:

If all of this filtered data isn't for you, consider pulling the raw stats:

[root@rhel ~]# netstat --statistics --raw
Ip:
    Forwarding: 1
    68789 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    68727 incoming packets delivered
    66762 requests sent out
    4 dropped because of missing route
Icmp:
    0 ICMP messages received
    0 input ICMP message failed
    ICMP input histogram:
    0 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
UdpLite:
IpExt:
    InMcastPkts: 29
    OutMcastPkts: 35
    InOctets: 348032479
    OutOctets: 3070589
    InMcastOctets: 3098
    OutMcastOctets: 3338
    InNoECTPkts: 303413

Display services by PID

A really handy trick for troubleshooting is to list out a service by PID. To do so, use the following command:

[root@rhel ~]# netstat -tp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 rhel.test:56598         130.248.144.17:https    ESTABLISHED 4487/firefox        
tcp        0      0 rhel.test:40414         server-13-249-122:https TIME_WAIT   -                   
tcp        0      0 rhel.test:59534         e017.en25.com:https     ESTABLISHED 4487/firefox        
tcp        0      0 rhel.test:40134         iad23s60-in-f4.1e:https ESTABLISHED 4487/firefox        
tcp        0      0 rhel.test:39014         72.21.91.29:http        TIME_WAIT 

Show I/O by interface

The -i option is another useful flag for troubleshooting. To view send/receive stats by interface, use the following:

[root@rhel ~]# netstat -i
Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
enp0s3           1500   293240      0      0 0         63064      0      0      0 BMRU
lo              65536        0      0      0 0             0      0      0      0 LRU
virbr0           1500        0      0      0 0             0      0      0      0 BMU

Wrap up

There you have it. The netstat command is an easy to use and powerful tool that any Linux network admin can put to use. I used netstat extensively as a storage admin for troubleshooting, and I am sure that you will find some use for it, too. While in recent years netstat has been deprecated in favor of the ss command, you may still find it in your networking toolbox. For a more modern take, I will explore ss in a future article, so be sure to keep an eye out for that!

[ Getting started with networking? Check out the Linux networking cheat sheet. ]

Topics:   Networking  
Author’s photo

Tyler Carrigan

Tyler is a community manager at Enable Sysadmin, a submarine veteran, and an all-round tech enthusiast! He was first introduced to Red Hat in 2012 by way of a Red Hat Enterprise Linux-based combat system inside the USS Georgia Missile Control Center. More about me

Related Content

OUR BEST CONTENT, DELIVERED TO YOUR INBOX