netstat command

The netstat command is used to show (mostly) network connections and interface statistics. It can also show routing tables (the same output as route -n), masquerade connections and multicast memberships. But we won't be covering those features in this brief tutorial.

Let's start with the basics. The following commands all yield the same result, because every one after the first just spells out the command's default values:

# netstat                           → command with default values
# netstat --tcp --udp -4 -6 --unix  → explicit default values
# netstat -t -u -4 -6 -x            → abbreviated explicit default values
# netstat -tu46x                    → same but all flags packed together

They show us all the established connections for TCP & UDP protocols (both IPv4 & 6) plus all the UNIX sockets.

[root@rhce7 ~]# netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address    State
tcp       0     0 rhce7.bogomips.net:ssh   192.168.0.2:56513  ESTABLISHED
tcp       0    36 rhce7.bogomips.net:ssh   192.168.0.2:56547  ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags  Type     State      I-Node  Path
unix  2     [ ]     DGRAM               12396  /run/systemd/shutdownd
unix  2     [ ]     DGRAM               9882   @/org/freedesktop/systemd1/notify
unix  5     [ ]     DGRAM               7113   /run/systemd/journal/socket
unix  27    [ ]     DGRAM               7115   /dev/log
unix  3     [ ]     STREAM   CONNECTED  19751  /var/run/dbus/system_bus_socket
unix  3     [ ]     STREAM   CONNECTED  28247  /var/run/cups/cups.sock
unix  3     [ ]     STREAM   CONNECTED  17322
unix  3     [ ]     STREAM   CONNECTED  29998
unix  3     [ ]     STREAM   CONNECTED  22427  @/tmp/.X11-unix/X0
[ output truncated ]

Most likely the output will span hundreds of lines, and more often than not it is not what we are after. We can filter exactly what we want with the aforementioned flags to list, for instance, just UNIX sockets, or TCP IPv6, or UDP IPv4, etc.

One thing we have to pay attention to, though: the listed connections are the ones established with remote or local listening ports or sockets, but the listening ports and sockets themselves are not listed by default. If we want them listed, we can use one of the following:

# netstat --all        -> list connections (clients) as well as listening ports & sockets
# netstat --listen     -> list just listening ports & sockets
# netstat -l           -> same as above
# netstat -lt4         -> listening TCP IPv4 sockets
# netstat -lt46        -> listening TCP IPv4 & IPv6 sockets
# netstat -lt          -> same as above
# netstat -ltu         -> listening TCP & UDP sockets of both IPv4 & IPv6 types
# netstat -ltux        -> same as above plus UNIX sockets

We can disable hostname resolution and just show the numeric IPs with the flag “-n” or “--numeric”:

root:/etc> netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address  State
tcp       0     0 localhost:rfb     0.0.0.0:*        LISTEN
tcp       0     0 envy17:domain     0.0.0.0:*        LISTEN
tcp       0     0 0.0.0.0:ssh       0.0.0.0:*        LISTEN
tcp       0     0 localhost:ipp     0.0.0.0:*        LISTEN
tcp6      0     0 [::]:ssh          [::]:*           LISTEN
tcp6      0     0 ip6-localhost:ipp [::]:*           LISTEN
[ output truncated ]

root:/etc> netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address  State
tcp       0     0 127.0.0.1:5900    0.0.0.0:*        LISTEN
tcp       0     0 192.168.122.1:53  0.0.0.0:*        LISTEN
tcp       0     0 0.0.0.0:22        0.0.0.0:*        LISTEN
tcp       0     0 127.0.0.1:631     0.0.0.0:*        LISTEN
tcp6      0     0 [::]:22           [::]:*           LISTEN
tcp6      0     0 ::1:631           [::]:*           LISTEN
[ output truncated ]

We can see above that not only has DNS resolution been skipped, but ports are also shown as numbers rather than as service names. If we want numeric IPs instead of hostnames but still want service names rather than numeric ports, we must use the “--numeric-hosts” flag.

root:/etc> netstat -lt --numeric-hosts
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address         Foreign Address  State
tcp       0     0 127.0.0.1:rfb         0.0.0.0:*        LISTEN
tcp       0     0 192.168.122.1:domain  0.0.0.0:*        LISTEN
tcp       0     0 0.0.0.0:ssh           0.0.0.0:*        LISTEN
tcp       0     0 127.0.0.1:ipp         0.0.0.0:*        LISTEN
tcp6      0     0 [::]:ssh              [::]:*           LISTEN
tcp6      0     0 ::1:ipp               [::]:*           LISTEN
[ output truncated ]

We can do the reverse: show numeric ports but use DNS resolution for hosts with the “--numeric-ports” flag:

root:/etc> netstat -lt --numeric-ports
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address  State
tcp       0     0 localhost:5900    0.0.0.0:*        LISTEN
tcp       0     0 envy17:53         0.0.0.0:*        LISTEN
tcp       0     0 0.0.0.0:22        0.0.0.0:*        LISTEN
tcp       0     0 localhost:631     0.0.0.0:*        LISTEN
tcp6      0     0 [::]:22           [::]:*           LISTEN
tcp6      0     0 ip6-localhost:631 [::]:*           LISTEN
[ output truncated ]

We can obviously combine “--numeric-hosts” and “--numeric-ports” to yield the same result we would get by using just “--numeric”.

Another flag we can use is “-W” or “--wide” to ensure the DNS addresses and services are not truncated. We will combine it with two other flags: “-e” or “--extend” and “-p” or “--program”.

root:/etc> netstat -lt --numeric-ports -Wep
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address     Foreign Address State  User Inode    PID/Program name
tcp       0     0 localhost:5900    0.0.0.0:*       LISTEN qemu 11339171 1851/qemu-system-x
tcp       0     0 envy17:53         0.0.0.0:*       LISTEN root 95400    1713/dnsmasq
tcp       0     0 0.0.0.0:22        0.0.0.0:*       LISTEN root 11488145 16890/sshd
tcp       0     0 localhost:631     0.0.0.0:*       LISTEN root 11176209 2374/cupsd
tcp6      0     0 [::]:22           [::]:*          LISTEN root 11488147 16890/sshd
tcp6      0     0 ip6-localhost:631 [::]:*          LISTEN root 11176208 2374/cupsd

As we can see in the output above, the “--extend” option shows us the user who owns the listening socket and its inode. The “--program” flag obviously shows the PID and binary name listening on it.
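A listener's bind address decides who can reach it: 0.0.0.0 or [::] accepts connections on every interface, while 127.0.0.1 or ::1 is reachable only from the host itself. The following added example (not part of the original tutorial) classifies each TCP listener in this output format by bind scope and keeps the owning user and program; the function names and the embedded sample, built from the listings above, are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify TCP listeners by bind scope from the output of
#   netstat -lt --numeric-hosts --numeric-ports -Wep
# Function names and the sample below are constructed for illustration.

# Constructed sample in the column layout shown in this tutorial.
sample_output() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address    Foreign Address State  User Inode    PID/Program name
tcp       0     0 127.0.0.1:5900   0.0.0.0:*       LISTEN qemu 11339171 1851/qemu-system-x
tcp       0     0 192.168.122.1:53 0.0.0.0:*       LISTEN root 95400    1713/dnsmasq
tcp       0     0 0.0.0.0:22       0.0.0.0:*       LISTEN root 11488145 16890/sshd
tcp       0     0 127.0.0.1:631    0.0.0.0:*       LISTEN root 11176209 2374/cupsd
tcp6      0     0 [::]:22          [::]:*          LISTEN root 11488147 16890/sshd
tcp6      0     0 ::1:631          [::]:*          LISTEN root 11176208 2374/cupsd
EOF
}

# Reads netstat output on stdin; prints "scope proto port user pid/program".
# Only TCP rows are parsed: UDP rows have an empty State column, which
# shifts the fields that follow it.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = match($4, /:[^:]*$/)          # last colon splits address and port
        addr = substr($4, 1, n - 1)
        port = substr($4, n + 1)
        gsub(/^\[|\]$/, "", addr)         # "[::]" and "::" are the same address
        if (addr == "0.0.0.0" || addr == "::")      scope = "wildcard"
        else if (addr ~ /^127\./ || addr == "::1")  scope = "loopback"
        else                                        scope = "specific"
        prog = ($9 == "" ? "-" : $9)      # "-" if the column is missing (no -p)
        print scope, $1, port, $7, prog
    }'
}

# Listeners reachable on every interface: the ones to check against the firewall.
wildcard_listeners() {
    classify_listeners | awk '$1 == "wildcard"'
}

sample_output | classify_listeners
# Live use (as root, so -p can show other users' processes):
#   netstat -lt --numeric-hosts --numeric-ports -Wep | wildcard_listeners
```

On the sample, only the two sshd sockets come out as wildcard; dnsmasq is bound to one specific address and the rest to loopback.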

All the netstat options we have seen so far give us a picture of the established connections and listening sockets.

How do we get statistics about the different interfaces and protocols?

# netstat -i
Kernel Interface table
Iface     MTU   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eno16780  1500   39888     0      0      0 20872      0      0      0 BMRU
lo        65536     10     0      0      0    10      0      0      0 LRU
virbr0    1500       0     0      0      0     7      0      0      0 BMU

The “-i” or “-I” flags show some statistics about the interfaces: MTU, packets successfully received, packets successfully sent, etc. If we want more verbose output, we can add the “-e” flag:

# netstat -ie
Kernel Interface table
eno16780032: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.0.190 netmask 255.255.255.0 broadcast 192.168.0.255
        ether 00:50:56:87:bd:92 txqueuelen 1000 (Ethernet)
        RX packets 40008 bytes 41510438 (39.5 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 20945 bytes 1933033 (1.8 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 0 (Local Loopback)
        RX packets 10 bytes 764 (764.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 10 bytes 764 (764.0 B)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
        inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
        ether 52:54:00:dd:40:33 txqueuelen 0 (Ethernet)
        RX packets 0 bytes 0 (0.0 B)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 7 bytes 1075 (1.0 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

If we want to get statistics on protocols we can use the “-s” or “--statistics” flags together with “-t” or “--tcp”, “-u” or “--udp”, “-U” or “--udplite” and “-w” or “--raw”.

# netstat -s
Ip:
    37029 total packets received
    0 forwarded
    0 incoming packets discarded
    32248 incoming packets delivered
    20264 requests sent out
    32 dropped because of missing route

Icmp:
    5 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 5
    2 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 2

IcmpMsg:
        InType3: 5
        OutType3: 2
Tcp:
    274 active connections openings
    3 passive connection openings
    0 failed connection attempts
    0 connection resets received
    2 connections established
    31130 segments received
    19157 segments send out
    15 segments retransmited
    2 bad segments received.
    106 resets sent

Udp:
    1111 packets received
    2 packets to unknown port received.
    0 packet receive errors
    1152 packets sent
    0 receive buffer errors
    0 send buffer errors
UdpLite:
TcpExt:
    12 TCP sockets finished time wait in fast timer
    427 delayed acks sent
    Quick ack mode was activated 17 times
    25346 packet headers predicted
    673 acknowledgments not containing data payload received
    1019 predicted acknowledgments
    4 congestion windows recovered without slow start after partial ack
    2 timeouts after SACK recovery
    8 other TCP timeouts
    TCPLossProbes: 20
    TCPLossProbeRecovery: 8
    17 DSACKs sent for old packets
    17 DSACKs received
    TCPDSACKIgnoredNoUndo: 8
    IPReversePathFilter: 1
    TCPRcvCoalesce: 219
    TCPOFOQueue: 50
    TCPChallengeACK: 2
    TCPSYNChallenge: 2
IpExt:
    InMcastPkts: 984
    OutMcastPkts: 34
    InBcastPkts: 3794
    InOctets: 40814383
    OutOctets: 1652326
    InMcastOctets: 96846
    OutMcastOctets: 5506
    InBcastOctets: 361719
[ output truncated ]

If you often need to monitor network statistics, I would recommend installing the ntop package. It gathers various statistics and presents them through a web front-end. Once installed, we should run ntop once as root to configure it, and then we can start & enable the ntop.service. The web interface should be accessible by default at:

http://hostname:3000

https://hostname:3001

The response time of netstat is sometimes a bit frustrating. If that is the case, we can use its intended replacement, ss, which uses very similar flags:

# ss            → list of tcp, udp, raw & unix connections not listening
# ss -tu46      → list of tcp & udp versions 4 & 6 connections not listening
# ss -wxt       → list of raw, unix & tcp socket connections
# ss -t4nl      → list of tcp IPv4 listening sockets in numeric format (not DNS)
# ss -at6rpi    → list of tcp IPv6 listening & non-listening sockets in DNS format with
                  process information and internal TCP details

 
