The netstat (network statistics) command in Linux is a network management tool used to display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. It is helpful for diagnosing network issues, monitoring active network connections, and understanding network traffic behavior.

Note that netstat has been deprecated in favor of the ss command on some newer Linux distributions, but it is still widely used.

Basic Syntax of netstat:

netstat [options]

• options: Various flags to control the type of information you want to display.

Commonly Used netstat Options

1. -a: Show all sockets (both listening and non-listening).

   • Displays all active connections and the listening ports.
   • Example:

     netstat -a
     

     Sample Output:

     Active Internet connections (w/o servers)
     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 *:http                  *:*                     LISTEN
     tcp        0      0 *:ssh                   *:*                     LISTEN
     tcp        0      0 192.168.1.2:8080        192.168.1.3:56789       ESTABLISHED
     

     • LISTEN: The socket is listening for incoming connections.
     • ESTABLISHED: The connection is active.

2. -t: Show TCP connections only.

   • Filters and displays only TCP connections.
   • Example:

     netstat -t
     

     Sample Output:

     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 192.168.1.2:22          192.168.1.3:1024        ESTABLISHED
     

3. -u: Show UDP connections only.

   • Filters and displays only UDP connections.
   • Example:

     netstat -u
     

     Sample Output:

     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     udp        0      0 192.168.1.2:53          *:*                     UNCONN
     udp        0      0 192.168.1.2:123         *:*                     UNCONN
     

4. -l: Show only listening sockets.

   • Displays only the sockets that are in a LISTEN state (waiting for incoming connections).
   • Example:

     netstat -l
     

     Sample Output:

     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 *:http                  *:*                     LISTEN
     tcp        0      0 *:ssh                   *:*                     LISTEN
     

5. -n: Show numerical addresses instead of resolving hostnames.

   • By default, netstat will resolve IP addresses to hostnames, but with -n, it will display raw IP addresses and port numbers.
   • Example:

     netstat -n
     

     Sample Output:

     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 192.168.1.2:22          192.168.1.3:1024        ESTABLISHED
     

6. -r: Display the routing table.

   • Shows the routing table, which contains information about how packets are routed within the network.
   • Example:

     netstat -r
     

     Sample Output:

     Kernel IP routing table
     Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
     0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
     192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
     

7. -i: Show network interface statistics.

   • Displays information about network interfaces, including the number of packets received, transmitted, and errors.
   • Example:

     netstat -i
     

     Sample Output:

     Kernel Interface table
     Iface  MTU   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
     eth0  1500  1000   0      0      0      1500   0      0      0      BMRU
     lo    65536 1000   0      0      0      1000   0      0      0      LRU
     

8. -p: Show PID and program name (if available).

   • This will display the Process ID (PID) and the name of the program associated with each connection.
   • Example:

     netstat -tup
     

     Sample Output:

     Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
     tcp        0      0 192.168.1.2:22          192.168.1.3:1024        ESTABLISHED 1234/sshd
     tcp        0      0 192.168.1.2:80          192.168.1.4:56789       LISTEN      5678/httpd
     

9. -a + -n: Display all connections with numerical addresses.

   • Example:

     netstat -an
     

     Sample Output:

     Proto Recv-Q Send-Q Local Address           Foreign Address         State
     tcp        0      0 192.168.1.2:22          192.168.1.3:1024        ESTABLISHED
     tcp        0      0 192.168.1.2:80          0.0.0.0:*               LISTEN
     

10. -s: Display network statistics by protocol.

    • This option displays the statistics for each network protocol (TCP, UDP, ICMP, etc.).
    • Example:

      netstat -s
      

      Sample Output:

      Icmp:
          12 ICMP messages received
          8 ICMP messages sent
          0 ICMP messages received with invalid headers
      Tcp:
          1234 active connections openings
          5678 passive connection openings
          34 failed connection attempts
      

Example Scenarios

1. Display all network connections and listening ports:

   netstat -a
   

2. Show all active TCP connections with program names:

   netstat -tup
   

3. View the routing table:

   netstat -r
   

4. Display network interface statistics:

   netstat -i
   

5. Show all connections with numeric IPs and ports:

   netstat -an
   

6. Check protocol-specific statistics (e.g., TCP):

   netstat -s
   

Summary of Common netstat Options:

Conclusion

The netstat command is a powerful tool for monitoring and troubleshooting network-related issues. It provides detailed information about network connections, interface statistics, routing, and more, making it a valuable utility for system administrators and anyone needing to troubleshoot network configurations.