Netstat

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

It is mostly used to list the network (socket) connections on a system: TCP and UDP sockets as well as Unix domain sockets.

In addition to that, it can also list listening sockets that are waiting for incoming connections. This makes it a very useful tool.

Here are some useful examples:

1. List out all connections

   -a, --all
       Show both listening and non-listening (for TCP this means established connections) sockets.

$ netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 *:ssh                       *:*                         LISTEN      
tcp        0      0 localhost:ipp               *:*                         LISTEN      
tcp        0      0 localhost:smtp              *:*                         LISTEN      
tcp        0      0 *:49433                     *:*                         LISTEN      
tcp        0      0 *:ideafarm-door             *:*                         LISTEN      
tcp        0      0 *:sunrpc                    *:*                         LISTEN      
tcp        0      0 localhost:commplex-main     localhost:54289             ESTABLISHED
tcp        1      0 fibrevillage.com:37834      a142-231-1-167.deploy.:http CLOSE_WAIT  
tcp        1      0 test.fibrevillage.com:48777      a142-231-1-174.deploy.:http CLOSE_WAIT  
...

The above command shows all connections from different protocols like tcp, udp and unix sockets.


2. List only TCP or UDP connections

To list only TCP connections, use the t option.

-t|--tcp TCP connection

$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 *:vce                       *:*                         LISTEN      
tcp        0      0 *:gmond                     *:*                         LISTEN      
tcp        0      0 *:mysql                     *:*                         LISTEN      
tcp        0      0 p1.fibrevillage.com:58010   p2.fibrevillage.com:vce     ESTABLISHED
tcp        0      0 p1.fibrevillage.com:vce       p2.fibrevillage.com:58011   ESTABLISHED
tcp        0      0 p1.fibrevillage.com:57979   p1.fibrevillage.com:vce     ESTABLISHED
.....

Similarly, to list only UDP connections, use the u option.

-u|--udp UDP connection

$ netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 *:34660                 *:*                                
udp        0      0 *:38709                     *:*                                     
udp        0      0 *:40120                     *:*                                     
udp        0      0 p1.fibrevillage.com:56385  p2.fibrefillage.com:gmond ESTABLISHED
udp        0      0 *:gmond                     *:*         

The above output shows both IPv4 and IPv6 connections.

3. Display kernel routing information

The kernel routing information can be printed with the r option; the n option prevents hostname resolution.

-r|--route Display the kernel routing table

-n|--numeric Show numerical addresses, ports, and user IDs instead of resolving them to host, service, and user names.

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.12.1.0      0.0.0.0         255.255.255.0   U         0 0          0 bond0
0.0.0.0         10.12.1.252    0.0.0.0         UG        0 0          0 bond0

You may notice that it is the same output as given by the route command.

4. Print network interfaces

The netstat command can also print out information about the network interfaces.

-i|--interface Display a table of all network interfaces, or the specified iface

# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
bond0      9000   0 2535585725      0     84      0 5989786978      0      0      0 BMmRU
eth0       9000   0 1252627259      0     36      0 3040357831      0      0      0 BMsRU
eth1       9000   0 1282958466      0     48      0 2949429147      0      0      0 BMsRU
lo        65536   0    40924      0      0      0    40924      0      0      0 LRU

The example above shows two Ethernet interfaces bonded into one interface, bond0, in compact output.

If you prefer detailed output like that of ifconfig, try -ie.

5. List out only listening connections

Use the l option to view only listening ports.

-l|--listening  Show only listening sockets

$ netstat -tnl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:51926               0.0.0.0:*                   LISTEN      
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:2880                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:1094                0.0.0.0:*                   LISTEN      

In the example above, we see the listening TCP ports.

6. Get process name/pid

You will often want to know the name and PID of the process (program) that has opened a given port or connection.

-p|--program Show the PID and name of the program to which each socket belongs

# netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address   State       PID/Program name   
tcp        0      0 0.0.0.0:22          0.0.0.0:*         LISTEN      1909/sshd           
tcp        0      0 0.0.0.0:51926       0.0.0.0:*         LISTEN      1831/rpc.statd      
tcp        0      0 127.0.0.1:25        0.0.0.0:*         LISTEN      1957/sendmail       
tcp        0      0 0.0.0.0:2880        0.0.0.0:*         LISTEN      5895/java           
tcp        0      0 0.0.0.0:1094        0.0.0.0:*         LISTEN      24607/xrootd        
tcp        0      0 0.0.0.0:8649        0.0.0.0:*         LISTEN      1934/gmond          
tcp        0      0 0.0.0.0:41711       0.0.0.0:*         LISTEN      25398/cmsd          
tcp        0      0 0.0.0.0:111         0.0.0.0:*         LISTEN      1811/rpcbind   

Note: netstat must be run with root privileges to use the -p option.
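
A practical use of this output is to check which listeners are reachable from other hosts and whether each one is expected. The script below is an added example, not part of the original page: it parses `netstat -nlpt` output, skips loopback-only listeners, and reports every port/program pair that is not on an allowlist. The allowlist contents and the two tcp6 sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit `netstat -nlpt` output for non-loopback listeners
# that are not on an expected-services allowlist.

# Allowlist of "port/program" pairs (assumed baseline for this host).
ALLOWED="22/sshd 111/rpcbind 8649/gmond"

# Sample input: lines from the output shown above, plus two constructed
# tcp6 lines (IPv6 loopback, and a socket with no visible process info).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:22          0.0.0.0:*         LISTEN      1909/sshd
tcp        0      0 0.0.0.0:51926       0.0.0.0:*         LISTEN      1831/rpc.statd
tcp        0      0 127.0.0.1:25        0.0.0.0:*         LISTEN      1957/sendmail
tcp        0      0 0.0.0.0:2880        0.0.0.0:*         LISTEN      5895/java
tcp        0      0 0.0.0.0:8649        0.0.0.0:*         LISTEN      1934/gmond
tcp        0      0 0.0.0.0:111         0.0.0.0:*         LISTEN      1811/rpcbind
tcp6       0      0 ::1:631             :::*              LISTEN      2001/cupsd
tcp6       0      0 :::8080             :::*              LISTEN      -
EOF
}

# Reads `netstat -nlpt` output on stdin and prints "port program pid bind_addr"
# for each listener that is not loopback-only and not in the allowlist.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)             # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "::1") next  # loopback only, not exposed
        pid = "-"; prog = "unknown"                 # "-" when the owner is not visible
        if (index($7, "/")) {
            pid  = substr($7, 1, index($7, "/") - 1)
            prog = substr($7, index($7, "/") + 1)
        }
        if (!((port "/" prog) in ok)) print port, prog, pid, addr
    }' | LC_ALL=C sort -n
}

# Run against the embedded sample; on a live host use (as root):
#   netstat -nlpt | audit_listeners
sample_netstat | audit_listeners
```

A listener reported as "unknown" means netstat could not see the owning process, which is itself worth following up by re-running as root.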

7. Get process name/pid and user id

How to know which user started the daemon?

-e|--extend display additional information

Use the e option along with the p option to get the username.

# netstat -ltpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State    User    Inode      PID/Program name   
tcp        0      0 *:ssh          *:*             LISTEN   root    10959      1909/sshd           
tcp        0      0 *:51926         *:*             LISTEN   rpcuser 10765      1831/rpc.statd      
tcp        0      0 localhost:smtp  *:*             LISTEN   root    11134      1957/sendmail       
tcp        0      0 *:synapse       *:*             LISTEN   root    366443     5895/java           
tcp        0      0 *:rootd         *:*             LISTEN   xrootd  7779859    24607/xrootd        
tcp        0      0 *:gmond         *:*             LISTEN   ganglia 11070      1934/gmond          
tcp        0      0 *:41711         *:*             LISTEN   xrootd  7780191    25398/cmsd          
tcp        0      0 *:sunrpc        *:*            LISTEN   root    10679      1811/rpcbind        

The above example lists listening TCP connections with process information and extended information. The extended information contains the username and inode of the process.

If you prefer to get the UID instead of the username, use the n option with the e option.

8. Disable reverse dns lookup for faster output

By default, the socket address is resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name. In other words, netstat performs a reverse hostname lookup for each address. If you do not need the host names, use the -n option.

# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:2880                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:1094                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:8649                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:41711               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      
tcp        0      0 10.12.1.134:1094           134.79.245.57:40142         ESTABLISHED
tcp        0      0 10.12.1.134:1094           192.170.226.7:2360          ESTABLISHED
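
Numeric output is also the easiest form to summarise when triaging a host. The script below is an added example, not part of the original page: it counts sockets per TCP state and counts non-listening sockets per remote address and local port from `netstat -ant` output. The sample lines using 192.0.2.10, 2001:db8:: and remote port 2361 are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise `netstat -ant` output by TCP state and by remote peer.

# Sample input: lines from the output above plus constructed lines
# (the 192.0.2.10, 2001:db8:: and :2361 entries are constructed).
sample_ant() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:1094                0.0.0.0:*                   LISTEN
tcp        0      0 10.12.1.134:1094            134.79.245.57:40142         ESTABLISHED
tcp        0      0 10.12.1.134:1094            192.170.226.7:2360          ESTABLISHED
tcp        0      0 10.12.1.134:1094            192.170.226.7:2361          ESTABLISHED
tcp        0      0 10.12.1.134:22              192.0.2.10:50122            SYN_RECV
tcp        0      0 10.12.1.134:22              192.0.2.10:50123            SYN_RECV
tcp6       0      0 2001:db8::1:22              2001:db8::99:41000          TIME_WAIT
EOF
}

# Prints "count state" for every TCP socket, highest count first.
count_states() {
    awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) print c[s], s }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Prints "count remote_addr local_port state" for non-listening sockets,
# highest count first. Works for IPv4 and IPv6 address forms.
count_peers() {
    awk '$1 ~ /^tcp/ && $6 != "LISTEN" {
        lport = $4; sub(/.*:/, "", lport)       # local port: after the last colon
        raddr = $5; sub(/:[^:]*$/, "", raddr)   # remote address: drop trailing :port
        c[raddr " " lport " " $6]++
    } END { for (k in c) print c[k], k }' |
        LC_ALL=C sort -k1,1nr -k2,2
}

# Run against the embedded sample; on a live host use:
#   netstat -ant | count_states ; netstat -ant | count_peers
sample_ant | count_states
sample_ant | count_peers
```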

9. Print statistics

The netstat command can also print network statistics, such as the total number of packets received and transmitted, by protocol type.

-s|--statistics display summary statistics for each protocol

# netstat -s
Ip:
    2413106341 total packets received
    0 forwarded
    0 incoming packets discarded
    2413101270 incoming packets delivered
    2782483825 requests sent out
    1 outgoing packets dropped
Icmp:
    1552 ICMP messages received
    355 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 979
        echo requests: 573
    879 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 306
        echo replies: 573
IcmpMsg:
        InType3: 979
        InType8: 573
        OutType0: 573
        OutType3: 306
Tcp:
    63392 active connections openings
    32706 passive connection openings
    25146 failed connection attempts
    7587 connection resets received
    195 connections established
    2410324014 segments received
    2761970327 segments send out
    17488327 segments retransmited
    262 bad segments received.
    74943 resets sent
Udp:
    2775651 packets received
    17 packets to unknown port received.
    0 packet receive errors
    3024292 packets sent
UdpLite:
TcpExt:
    58 invalid SYN cookies received
    528 packets pruned from receive queue because of socket buffer overrun
    48313 TCP sockets finished time wait in fast timer
    26277 packets rejects in established connections because of timestamp
    9444821 delayed acks sent
    84232 delayed acks further delayed because of locked socket
    Quick ack mode was activated 343882 times
    692 packets directly queued to recvmsg prequeue.
    152981929 packets directly received from backlog
    26576 packets directly received from prequeue
    1084447085 packets header predicted
    37067 packets header predicted and directly queued to user
    67239247 acknowledgments not containing data received
    1290743211 predicted acknowledgments
    32980 times recovered from packet loss due to fast retransmit
    1346298 times recovered from packet loss due to SACK data
    Detected reordering 106 times using FACK
    Detected reordering 4742 times using SACK
    Detected reordering 4486 times using time stamp
    1288 congestion windows fully recovered
    51007 congestion windows partially recovered using Hoe heuristic
    TCPDSACKUndo: 9813
    667084 congestion windows recovered after partial ack
    4175095 TCP data loss events
    TCPLostRetransmit: 353976
    470 timeouts after reno fast retransmit
    2021 timeouts after SACK recovery
    7851 timeouts in loss state
    15589417 fast retransmits
    66691 forward retransmits
    949203 retransmits in slow start
    816520 other TCP timeouts
    TCPRenoRecoveryFail: 31875
    11330 sack retransmits failed
    55014 packets collapsed in receive queue due to low socket buffer
    439318 DSACKs sent for old packets
    7317 DSACKs sent for out of order packets
    659543 DSACKs received
    20 DSACKs for out of order packets received
    168 connections reset due to unexpected data
    7209 connections reset due to early user close
    50 connections aborted due to timeout
    TCPDSACKIgnoredOld: 86
    TCPDSACKIgnoredNoUndo: 70282
    TCPSpuriousRTOs: 5172
    TCPSackShifted: 11973207
    TCPSackMerged: 42547340
    TCPSackShiftFallback: 4582208
    TCPChallengeACK: 283
    TCPSYNChallenge: 262
    TCPFromZeroWindowAdv: 112
    TCPToZeroWindowAdv: 112
    TCPWantZeroWindowAdv: 26268
IpExt:
    InBcastPkts: 100
    InOctets: 10180843647545
    OutOctets: 10231807686278
    InBcastOctets: 43649

Adding the 't' option prints only TCP statistics, 'u' prints only UDP statistics, and so on.

10. Get netstat instant output

Want continuously updated output, like the 'top' command? Try the 'c' option.

-c|--continuous [delay] Display the selected information continuously, every second by default

# netstat -ctnlp 10
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address      State       PID/Program name   
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      1909/sshd           
tcp        0      0 0.0.0.0:51926     0.0.0.0:*         LISTEN      1831/rpc.statd      
tcp        0      0 127.0.0.1:25      0.0.0.0:*         LISTEN      1957/sendmail       
tcp        0      0 0.0.0.0:2880      0.0.0.0:*         LISTEN      5895/java           
tcp        0      0 0.0.0.0:1094      0.0.0.0:*         LISTEN      24607/xrootd        
tcp        0      0 0.0.0.0:8649      0.0.0.0:*         LISTEN      1934/gmond          
tcp        0      0 0.0.0.0:41711     0.0.0.0:*         LISTEN      25398/cmsd          
tcp        0      0 0.0.0.0:111       0.0.0.0:*         LISTEN      1811/rpcbind        

This example displays the listening ports with program name and PID, refreshed every 10 seconds.