10 Netstat command examples on Unix / Linux
The Netstat command displays various network data such as network connections, routing table, interface statistics, masked connections, multicast space, etc.
In this article, let’s take a look at 10 practical command examples NetStat on Unix.
1. List of all ports (both listening and non-listening ports)
List all ports using Netstat -a command
# netstat -a | more Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:30037 *:* LISTEN udp 0 0 *:bootpc *:* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 6135 /tmp/.X11-unix/X0 unix 2 [ ACC ] STREAM LISTENING 5140 /var/run/acpid.socket
List all TCP ports using netstat -at
# netstat -at Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 localhost:webcache 0.0.0.0:* LISTEN tcp 0 0 andreyex.ru:domain 0.0.0.0:* LISTEN tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
Listing all UDP ports with netstat -au
# netstat -au Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 andreyex.ru:49419 google-public-dn:domain ESTABLISHED udp 0 0 andreyex.ru:39293 google-public-dn:domain ESTABLISHED udp 0 0 andreyex.ru:50053 google-public-dn:domain ESTABLISHED
2. List of sockets that are listening
List only listening ports with netstat -l
# netstat -l Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 localhost:webcache 0.0.0.0:* LISTEN tcp 0 0 andreyex.ru:domain 0.0.0.0:* LISTEN tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
List only listening TCP ports with netstat -lt
# netstat -lt Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN tcp 0 0 localhost:webcache 0.0.0.0:* LISTEN tcp 0 0 andreyex.ru:domain 0.0.0.0:* LISTEN tcp 0 0 localhost:domain 0.0.0.0:* LISTEN
List only listening UDP ports using netstat -lu
# netstat -lu Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State udp 0 0 andreyex.ru:domain 0.0.0.0:* udp 0 0 localhost:domain 0.0.0.0:* udp 0 0 andreyex.ru:ntp 0.0.0.0:*
List only listening UNIX ports with netstat -lx
# netstat -lx Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 19693 tmp/core.adm.internal unix 2 [ ACC ] SEQPACKET LISTENING 8723 /run/udev/control unix 2 [ ACC ] STREAM LISTENING 12566 /var/run/dbus/system_bus_socket unix 2 [ ACC ] STREAM LISTENING 16948 /var/run/fail2ban/fail2ban.sock unix 2 [ ACC ] STREAM LISTENING 19702 tmp/core.sock
3. Show statistics for each protocol
Show statistics for all ports using netstat -s
# netstat -s
Ip:
190566 total packets received
0 forwarded
0 incoming packets discarded
189618 incoming packets delivered
170462 requests sent out
16 dropped because of missing route
Icmp:
74 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 22
echo requests: 52
.....Show statistics for TCP (or) UDP ports using netstat -st (or) -su
# netstat -st # netstat -su
4. PIDs and program names in netstat output using netstat -p command
The netstat -p option can be combined with any other netstat option. This will add “PID / Program Name” to the netstat output. This is very useful when debugging to determine which program is running on a specific port.
# netstat -pt Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 localhost:56642 localhost:46846 TIME_WAIT - tcp 0 0 localhost:56642 localhost:46748 TIME_WAIT -
5. Do not allow host, port and username in netstat output
If you don’t want to display the hostname, port, or user, use netstat with the -n option. It will display in numbers, and not allow hostname, portname, username.
This also speeds up the logout as netstat does not perform any lookups.
# netstat -an
If you don’t want one of these three items (port or host or user), use the following commands.
# netsat -a --numeric-ports # netsat -a --numeric-hosts # netsat -a --numeric-users
6. Continuous printing of netstat information
netstat will print information continuously every few seconds.
# netstat -c Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:37840 localhost:webcache ESTABLISHED tcp 0 0 andreyex.ru:vlsi-lm 213.132.93.178:24080 ESTABLISHED tcp 0 0 localhost:56642 localhost:47258 TIME_WAIT tcp 0 0 localhost:56642 localhost:47150 TIME_WAIT ^C
Exit printing: Ctrl + C.
7. Find numbers supporting the address of families in your system
netstat --verbose
In the end, you will have something like this.
netstat: no support for `AF IPX' on this system. netstat: no support for `AF AX25' on this system. netstat: no support for `AF X25' on this system. netstat: no support for `AF NETROM' on this system.
8. Displaying kernel routing information using netstat -r
# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default gw.msk.ispsyste 0.0.0.0 UG 0 0 0 eth0 213.159.208.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
Note: Use netstat -rn to display routes numerically without hostname resolution.
9. Find out on which port the program is running
# netstat -ap | grep ssh (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) tcp 0 0 0.0.0.0:28456 0.0.0.0:* LISTEN 779/sshd tcp 0 0 andreyex.ru:28456 213.132.93.178:13430 ESTABLISHED 2893/sshd: andreyex tcp 0 0 andreyex.ru:28456 213.132.93.178:13106 ESTABLISHED 2393/sshd: andreyex tcp6 0 0 [::]:28456 [::]:* LISTEN 779/sshd
Find out which process is using a specific port:
# netstat -an | grep ':80'
10. Show list of network interfaces
# netstat -i Kernel Interface table Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1555 2765202 0 0 0 86602 0 0 0 BMRU lo 65536 93149 0 0 0 93149 0 0 0 LRU
Displaying extended information about interfaces (similar to ifconfig) using netstat -ie:
# netstat -ie
Kernel Interface table
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1550
inet 213.159.209.228 netmask 255.255.254.0 broadcast 213.159.209.255
inet6 fe80::5054:ff:fe80:19a4 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:80:19:a4 txqueuelen 1000 (Ethernet)
RX packets 2772322 bytes 189451708 (180.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 86767 bytes 137897931 (131.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0