20 netstat command examples in Linux [Cheat Sheet]

Introduction to netstat command

netstat (network statistics) is a command-line utility in the Linux system to display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. netstat prints information about the Linux networking subsystem.

The output of the netstat command shows the information on active internet connections and active UNIX domain sockets.

Advertisement

The columns of the active internet connections contain the following information.

Proto: The protocol used by the socket: TCP, UDP, raw.

Recv-Q: The number of bytes that are not copied by the user program connected to this socket.

Send-Q: The number of bytes that are not acknowledged by the remote host.

Local Address: It is the address and port number of the local end of the socket.

Foreign Address: It is the address and port number of the remote end of the socket.

Advertisement

State: The state of the socket.

  • ESTABLISHED: The socket has an established connection.
  • SYN_SENT: The socket is actively attempting to establish a connection.
  • SYN_RECV: A connection request has been received from the network.
  • FIN_WAIT1: The socket is closed, and the connection is shutting down.
  • FIN_WAIT2: A connection is closed, and the socket is waiting for a shutdown from the remote end.
  • TIME_WAIT: The socket is waiting after close to handle packets still in the network.
  • CLOSED: The socket is not being used.
  • CLOSE_WAIT: The remote end has shut down, waiting for the socket to close.
  • LAST_ACK: The remote end has shut down, and the socket is closed. (Waiting for acknowledgement)
  • LISTEN: The socket is listening for incoming connections. Such sockets are not shown in the output unless you use the option --listening (-l) or --all (-a).
  • CLOSING: Both sockets are shut down, but still all data has not been sent.
  • UNKNOWN: The state of the socket is unknown.

User: The username or the user id (UID) of the owner of the socket.

PID/Program name: The process id (PID) and process name of the process that owns the socket.

Timer: It contains information about networking timers.

 

We can see the following column headers in the active UNIX domain sockets.

Proto: The protocol used by the socket: UNIX.

RefCnt: The reference count (i.e. attached processes via this socket).

Flags: It displays the flags: SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). ACC is used on unconnected sockets if their corresponding processes are waiting for a connection request.

Advertisement

Type: It contains the different types of socket access.

  • SOCK_DGRAM: It is used in Datagram (connectionless) mode.
  • SOCK_STREAM: It is a stream (connection) socket.
  • SOCK_RAW: The socket is used as a raw socket.
  • SOCK_RDM: It serves reliably delivered messages.
  • SOCK_SEQPACKET: It is a sequential packet socket.
  • SOCK_PACKET: Raw interface access socket.

State: The state of the socket.

  • FREE: The socket is not allocated.
  • LISTENING: The socket is listening for a connection request. Such sockets are not displayed in the output without -l or -a option.
  • CONNECTING: The socket is establishing a connection.
  • CONNECTED: The socket is connected.
  • DISCONNECTING: The socket is disconnecting.
  • (empty): The socket is not connected to another one.

I-Node: The inode of the socket.

PATH: The pathname to which the corresponding processes are attached to the socket.

 

Different examples to use netstat command

In this tutorial, we will go through different practical examples of netstat commands to print network connections.

 

Syntax of netstat command

The general syntax of the netstat command is:

$ netstat [options]

We will explore the different OPTIONS which we can use with netstat command in the next section.

 

1. netstat command to display all connections

By default, netstat shows only connected connections/sockets. To view all of them in the output, you can use -a or -all option.

$ netstat -a

OR

$ netstat --all

Sample Output:

netstat command to display all connections

 

2. netstat command to list all TCP ports connections

-t or --tcp option displays the TCP connections. To display the list of all TCP ports connections, you can run the following command.

$ netstat -at

OR

$ netstat -a --tcp

Sample Output:

netstat command to list all tcp connections

 

3. netstat command to list all UDP ports connections

-u or --udp option displays the list of UDP connections. You can run the following command to print the list of all UDP ports connections.

$ netstat -au

OR

$ netstat -a --udp

Sample Output:

netstat command to display all udp connections

 

4. netstat command to display only listening connections

You can use -l option to get the list of only listening connections.

$ netstat -l

Sample Output:

netstat command to display only listening connections

 

5. Display routing table with netstat command

The following command displays the Kernel routing tables.

$ netstat -r

OR

$ netstat --route

Sample Output:

netstat command to display routing tables

 

6. Display available network interfaces with netstat command

To view the list of all network interfaces, you can execute the command below.

$ netstat -i

OR

$ netstat --interfaces

Sample Output:

netstat command to display network interfaces

 

7. netstat command to display multicast group membership

You can view the multicast group membership information for IPv4 and IPv6 with the execution of the following command.

$ netstat -g

OR

$ netstat --groups

Sample Output:

netstat command to display multicast group membership

 

8. Display network statistics using netstat command

The following command prints summary statistics for each protocol: TCP, UDP, ICMP, and IP.

$ netstat -s

OR

$ netstat --statistics

Sample Output:

netstat command to display statistics of protocol

 

9. Display interface table for specific interface with netstat command

You can display interface table for any specific interface using -I=<iface> or --interfaces=<iface> option as shown below:

$ netstat -I=<Iface>

OR

$ netstat --interfaces=<Iface>

Sample Output:

~]# netstat -I=eth0
Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0             9000  4580575      0      0 0       2428046      0      0      0 BMRU

 

10. Extend the information with netstat command

-e or --extend option displays the additional information in the output. You can use this option twice for maximum detail.

$ netstat -e

OR

$ netstat --extend

Sample Output:

netstat command to display additional information in the output

As we can see, the additional columns are shown when using -e option.

 

11. Display PID/Program name with netstat command

-p or --program option shows PID and name of the program for sockets.

$ netstat -p

OR

$ netstat --progress

Sample Output:

netstat command to show PID/program name

 

12. netstat command to print verbose output

You can use -v or --verbose option to print verbose or additional useful information. It also prints the information about unconfigured address families.

$ netstat -v

OR

$ netstat --verbose

Sample Output:

]# netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 fi-758-ncs20fp2-5:43986 gatekeeper-webhoo:https ESTABLISHED
tcp        0      0 fi-758-ncs20fp2-5:44442 fi-758-ncs20fp2-5-:2379 ESTABLISHED
tcp        0      0 localhost:36472         localhost:9250          TIME_WAIT  
tcp        0      0 localhost:37830         localhost:9250          TIME_WAIT  
tcp        0      0 localhost:37534         localhost:9250          TIME_WAIT  
tcp        0      0 fi-758-ncs:pcsync-https 192.100.8.63:38200      ESTABLISHED
tcp        0      0 fi-758-ncs:pcsync-https fi-758-ncs20fp2-5:47440 ESTABLISHED
tcp        0      0 fi-758-ncs20fp2-5:42104 fi-758-ncs20fp2-5-:2379 ESTABLISHED
tcp        0      0 localhost:37522         localhost:9250          TIME_WAIT  
tcp        0      0 fi-758-ncs:pcsync-https 192.100.8.63:31598      ESTABLISHED
tcp        0      0 localhost:65432         localhost:47750         TIME_WAIT  
tcp        0      0 fi-758-ncs20fp2-5:42106 fi-758-ncs20fp2-5-:2379 ESTABLISHED
tcp        0      0 localhost:37880         localhost:9250          TIME_WAIT  
tcp        0      0 localhost:65432         localhost:47242         TIME_WAIT  
tcp        0      0 localhost:38612         localhost:9250          TIME_WAIT  
tcp        0      0 fi-758-ncs20fp2-5:52960 fi-758-ncs20fp2-5-:9250 TIME_WAIT  
tcp        0      0 fi-758-ncs20fp2-5:34028 kubernetes.defaul:https ESTABLISHED

 

13. Print routing information from the route cache with netstat command

-C option prints the routing information from the route cache instead of FIB (Forwarding Information Base). The default is FIB.

$ netstat -C

OR

$ netstat --cache

Sample Output:

netstat command to print information from route cache

 

14. Show complete IP addresses with netstat command

By default, netstat truncate IP addresses. To view the full address, you can use the following command.

$ netstat -W

OR

$ netstat --wide

Sample Output:

netstat command to show full IP addresses

 

15. netstat command to display timers

-o or --timers option shows the information related to networking timers.

$ netstat -o

OR

$ netstat --timers

Sample Output:

netstat command to display timers

 

16. Display numeric values instead of names with netstat command

-n or --numeric option shows the numerical values instead of names for the symbolic host, port, and user.

$ netstat -n

OR

$ netstat --numeric

Sample Output:

netstat command to show numerical addresses

You can also use:

--numeric-hosts : To show numerical host addresses. It does not affect the port or user names. 
--numeric-ports : To show numerical port addresses. It does not affect the host or user names.
--numeric-users : To show numerical user IDs. It does not affect the host or port.

 

17. Display information continuously using netstat command

-c or --continuous option forces netstat to print the information every second continuously.

$ netstat -c

OR

$ netstat --continuous

Use the command in your terminal to see the output.

 

18. Display Listening TCP and UDP connections

This is one of the most used commands by system administrators to check the list of listening TCP and UDP ports on any Linux server. We can combine following arguments for this purpose:

  • -n: Show numerical addresses instead of trying to determine symbolic host, port or user names.
  • -t: Show TCP connections
  • -u: Show UDP connections
  • -p: Show the PID and name of the program to which each socket belongs
  • -l: Show only listening sockets

Sample Output:

~]# netstat -ntlpu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:44899         0.0.0.0:*               LISTEN      9372/kubelet        
tcp        0      0 192.100.4.199:49155     0.0.0.0:*               LISTEN      4015/glusterfsd     
tcp        0      0 0.0.0.0:30086           0.0.0.0:*               LISTEN      17179/kube-proxy    
tcp        0      0 192.100.4.199:24007     0.0.0.0:*               LISTEN      3763/glusterd       
tcp        0      0 192.100.4.199:49154     0.0.0.0:*               LISTEN      3985/glusterfsd     
tcp        0      0 192.100.8.210:9250      0.0.0.0:*               LISTEN      1291/coredns        
tcp6       0      0 :::18080                :::*                    LISTEN      8476/nginx: worker  
tcp6       0      0 :::9090                 :::*                    LISTEN      8476/nginx: worker  
udp        0      0 0.0.0.0:30086           0.0.0.0:*                           17179/kube-proxy    
udp        0      0 192.100.8.210:53        0.0.0.0:*                           1291/coredns        
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1389/dhclient          
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1374/dhclient             
udp        0      0 0.0.0.0:714             0.0.0.0:*                           979/rpcbind         
udp6       0      0 :::111                  :::*                                979/rpcbind         
udp6       0      0 :::714                  :::*                                979/rpcbind

As you can see, the above command shows both IPv4 and IPv6 based connections. We can further filter it out, let's check the same in next example from our cheat sheet.

 

19. Display only IPv6 connections with netstat command

We can use -6 argument with netstat command to only display only tcp6 and udp6 based connections. We will combine -6 with our above set of arguments to display listening TCP6 and UDP6 connections:

~]# netstat -6tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp6       0      0 :::9091                 :::*                    LISTEN      10419/calico-node   
tcp6       0      0 :::10251                :::*                    LISTEN      11111/kube-schedule 
tcp6       0      0 :::8044                 :::*                    LISTEN      11224/k8s-scheduler 
tcp6       0      0 :::111                  :::*                    LISTEN      979/rpcbind         
tcp6       0      0 :::10258                :::*                    LISTEN      22093/openstack-clo 
tcp6       0      0 :::8082                 :::*                    LISTEN      8476/nginx: worker  
tcp6       0      0 :::10259                :::*                    LISTEN      11111/kube-schedule 
tcp6       0      0 :::8086                 :::*                    LISTEN      21965/bcmt-controll 
tcp6       0      0 :::22                   :::*                    LISTEN      3343/sshd           
tcp6       0      0 :::8090                 :::*                    LISTEN      18470/manager       
tcp6       0      0 :::18080                :::*                    LISTEN      8476/nginx: worker  
tcp6       0      0 :::9090                 :::*                    LISTEN      8476/nginx: worker  
udp6       0      0 :::111                  :::*                                979/rpcbind         
udp6       0      0 :::123                  :::*                                998/chronyd         
udp6       0      0 ::1:323                 :::*                                998/chronyd         
udp6       0      0 :::714                  :::*                                979/rpcbind

 

20. Display only IPv4 connections with netstat command

Similar to Ipv6, we can also force netstat to only print IPv4 connections using -4 argument. We will re-use our previous set of argument combining with -4 as shown below:

~]# netstat -4tulnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:44899         0.0.0.0:*               LISTEN      9372/kubelet        
tcp        0      0 192.100.4.199:49155     0.0.0.0:*               LISTEN      4015/glusterfsd     
tcp        0      0 0.0.0.0:30086           0.0.0.0:*               LISTEN      17179/kube-proxy    
tcp        0      0 192.100.4.199:24007     0.0.0.0:*               LISTEN      3763/glusterd       
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      17179/kube-proxy    
tcp        0      0 192.100.4.199:5001      0.0.0.0:*               LISTEN      1727/dockerd        
tcp        0      0 192.100.8.210:10250     0.0.0.0:*               LISTEN      9372/kubelet        
tcp        0      0 127.0.0.1:9250          0.0.0.0:*               LISTEN      1291/coredns        
udp        0      0 0.0.0.0:30086           0.0.0.0:*                           17179/kube-proxy     
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1357/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1383/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1365/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1356/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1353/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1374/dhclient       
udp        0      0 0.0.0.0:111             0.0.0.0:*                           979/rpcbind

 

Conclusion

Now, we have come to the end of the tutorial. We hope we have helped you to learn netstat command. netstat is a helpful tool to view the information of network connections. If you still have any confusion, please let us know in the comment section.

 

What's Next

30 nmap command examples in Linux [Cheat Sheet]

 

Further Reading

man page for netstat command

 

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment