How to use netstat on linux

In this tutorial, I will take you through the steps to install and use the netstat command in Linux. It is used to print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Install and Use Netstat Command

Before you use the netstat command, you need to make sure it is installed on your system. Below are the steps to install the net-tools package on RedHat/CentOS/Ubuntu, along with examples of how to use the netstat command during troubleshooting.

Install net-tools

To install the netstat tool on your system, install the net-tools package using the command given below for your distribution.

Installation on CentOS/RedHat

Use the yum install net-tools command to install it on CentOS/RedHat.

Installation on Ubuntu

Use the apt-get install net-tools command to install it on Ubuntu.

Netstat Examples

Check the version

If you want to check the version of the netstat installed, you can use -V switch.

Check TCP Connection

If you want to check all active TCP connections, you can use the -ant switch.

Check UDP Connections

If you want to check all active UDP connections, you can use the -anu switch.

Check Running Services and its Ports

If you want to check all the currently running services along with their process IDs and port numbers, you can use the command below.

Check Routing Table

If you want to check the current routing table information, you need to use -nr switch with netstat command.

Check Network Interface Stats

If you want to check your overall stats of all the network interfaces, use -ai switch with netstat command.

The netstat command displays current TCP/IP network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. The ss command dumps socket statistics and shows information similar to netstat.

A number of command-line options and arguments exist, but netstat by itself displays a list of open sockets. Sockets are the interface between the user process and the network protocol stacks in the kernel. The protocol modules are grouped into protocol families such as AF_INET, AF_IPX, and AF_PACKET, and socket types such as SOCK_STREAM or SOCK_DGRAM. If you do not specify any address families, the active sockets of all configured address families are printed.

Examples of using the netstat command

Several options exist with the netstat command. Some of the most commonly used options are listed below:

Options Description
-A Specify the address family.
-r Display the route table.
-i Display network interface information.
-s Display summary statistics for each protocol.
-g Display multicast group membership information.
-n Display IP addresses instead of the resolved names.
-c Print information every second continuously.
-e Display extended information.

1. Specifying address family

To specify the address families (low-level protocols) for which connections are to be shown, use the -A option followed by a comma-separated list of address family keywords. Possible address family keywords are inet, inet6, unix, ipx, ax25, netrom, and ddp. Example:

2. Display the kernel routing table

Use the -r or --route option to display the kernel routing table.

3. Display kernel interface table for a specific interface

Display a table of all network interfaces, or of the specified interface, using the options -i (for all interfaces) or -I=[ifname] (for a specific interface). Examples of both options are displayed below.

4. Display summary statistics for each protocol

You can display a summary of statistics for each protocol using the option -s or --statistics.

5. Display ports listening for input

To display all ports that have a process currently listening for input, use the option -l or --listening as shown below.

6. Display multicast group membership information

The -g or --groups option displays multicast group membership information for IPv4 and IPv6. The example for the option follows below.

Some more options to use with netstat

The table below lists some more options that can be used with the netstat command to gather more information about the network.

Option Description
-n or --numeric Display IP addresses instead of the resolved names.
-c or --continuous Print information every second continuously.
-e or --extend Display additional information. Use this option twice for maximum detail.
-p or --program Show the PID and name of the program to which each socket belongs.

Any invalid option or argument displays a help screen listing usage and a brief description of available options.

How to use netstat on linux

The term “netstat” stands for Network Statistics. In layman’s terms, netstat command displays the current network connections, networking protocol statistics, and a variety of other interfaces.

If we enter netstat in the terminal, without any background knowledge of computer networking, the system throws a wide range of networking jargon at us. It is the responsibility of the programmer to extract important information while flushing out the rest.

In this article, we will answer some of the queries related to computer networking using the netstat command.

Identify Active Network Connections Using the Netstat Command

To display all the active network connections in Linux, we use

Output:

The standard output contains six columns:

  • Proto (Protocol) – The type of protocol used for the network connection, like TCP, UDP, etc.
  • Recv-Q (Receiving Queue) – The amount of data (in bytes) in the waiting queue for the socket.
  • Send-Q (Sending Queue) – The amount of data (in bytes) in the sending queue for the socket.
  • Addresses – Each address contains the name of the host followed by ‘:’ and a port number
    • Local Address – The address of the computer in which netstat command is running.
    • Foreign Address – The address of the computer which is on the other end of the network.
  • State – The state of each network connection.

To understand this better, suppose we open a website www.lookip.net. On running the command:

We will get the following output:

As is quite clear, we extracted all the network connections in progress with a particular foreign address. In the command, ‘ | ‘ is used to pass the output of one sub-command to another, whereas grep is a searching tool in Linux.

Note: This technique cannot be applied for all kinds of websites since not every website has a foreign address matching the URL.

To further experiment with the data provided by the netstat command, we can write commands focusing on protocols, addresses, or states:

Display all established connections

Display all TCP connections in listening state

Instead of creating custom commands, Linux provides some in-built options for fetching specific information.

Filtering based on Protocols

For TCP specific queries, -t option is used. To display only the TCP connections:

Note: To apply multiple filters in a single netstat command, the options are appended.

For UDP specific queries, -u option is used. To display all the sockets following UDP :

State-based option:

To display all listening sockets:

Identify the programs using network connections using Netstat

To fetch the programs and their process IDs, we use:

For TCP specific programs:

Output :

Programs following TCP

As we can notice, Chrome is accessing the internet with the process id as 16648. This information can be used to kill or stop any program accessing some network without the knowledge of the user.

Note: Some program information may be hidden if the current user is not the root user. To become the root user in Linux, run sudo su and enter the password.

Using the Netstat Command to List IP Addresses of Each Network Connection

For fetching all the data related to IP addresses and ports numerically, we use:

We can display addresses numerically for programs following TCP by:

Output:

The difference is very vivid as we can see the IP addresses as well as port numbers for each connection.

What are the statistics for each protocol?

To access the summary statistics for each type of protocol using the netstat command, we run:

Output:

Using the Netstat Command to Display the Routing Table

Any device on a network needs to decide where to route the data packets. The routing table contains information to make these decisions. To acquire the contents of the routing table in numerics, we use the following command option:

Output:

The kernel routing table consists of the following columns:

  • Destination – The address of the destination computer.
  • Gateway – The intermediate gateway address.
  • Genmask – The netmask which is used to specify available hosts in a network.
  • Flags – Specifies which kind of routing.
  • MSS – Default Maximum Segment Size
  • Window – Default Window Size
  • irtt(Initial Round Trip Time) – Total time to send a signal and receive its acknowledgment.
  • Iface(Interface) – The interface through which the packets will be routed.

Note: A zero value in a column means that the default size is being used.

List out the active network interfaces

To access any information from the internet, there has to be some link between the system and the network. That point of interconnection is provided by a network interface. We run the command:

Output:

The kernel interface table comprises:

  • Iface (Interface) – The kind of interface
  • MTU – Maximum Transmission Unit
  • RX – Received packets
  • TX – Transmitted packets
  • OK – Error-free packets
  • ERR – Packets with some error
  • DRP – Dropped packets
  • OVR – Packets lost due to overflow
  • Flg – Flags defining interface configuration

The netstat command has a range of features too wide to sum up in just one article. We can always refer to the man pages in Linux by:

and to learn more about netstat options we can ask help in terminal by:

Netstat is a command-line tool for monitoring network packets and network interfaces. It is a very useful tool that a system administrator can use to monitor network performance and to locate and solve related problems.

This article explains how to use the netstat command on a Linux system.

Example usage of the netstat command

The syntax of netstat command is :

1. Display routing information

This information can be retrieved using the -r option along with this command:

So we see that kernel routing table information was displayed using the -r option. The flag “U” indicates that this entry is up while the flag “G” indicates that this entry is not a direct entry i.e. the destination indicated in this route entry is not on the same network. A list of flags is given below :

  • A Receive all multicast at this interface.
  • B OK broadcast.
  • D Debugging ON.
  • M Promiscuous Mode.
  • O No ARP at this interface.
  • P P2P connection at this interface.
  • R Interface is running.
  • U Interface is up.
  • G Not a direct entry.

2. List Sockets which are in Listening State

List only listening ports using -l option:

List only listening TCP Ports using -lt option:

List only listening UDP Ports using -lu option:

3. Display multicast group membership information

This information is displayed for both IPv4 and IPv6 and can be retrieved using -g option with this command.

4. Display summary statistics for each protocol

This is very handy information that netstat command provides. This information can be retrieved by using -s option with this command.

Display statistics tcp protocol

Display statistics udp protocol

5. Display information related to all network interfaces

This is made possible using the -i option along with this command.

Showing Network Interface Transactions

So we see that all the network information related to individual interfaces was displayed in the output. The RX and TX columns are described as follows :

  • RX-OK : Correct packets received on this interface.
  • RX-ERR : Incorrect packets received on this interface
  • RX-DRP : Packets that were dropped at this interface.
  • RX-OVR : Packets that this interface was unable to receive.

The TX columns are defined similarly and describe the transmitted packets.

6. Display the PID of the program using socket

The PID of the program using a particular socket can be produced in the output using the option -p with this command.

That’s it. For more information about netstat command see netstat man page.

Netstat is a command-line utility that can be used to list all the network (socket) connections on a system, along with routing tables, interface records, masquerade connections, multicast memberships, etc. This article covers the top 10 netstat command examples on Linux.

Listening and non-listening sockets

To show listening and non-listening sockets, use the following command –

The sample output should be like this –

PID and name of the program

To show the PID and name of the program to which each socket belongs, use the following command –

The sample output should be like this –

TCP Ports Information

To get the TCP ports information, use the following command –

The sample output should be like this –

UDP Ports information

To get the UDP ports information, use the following command –

The sample output should be like this –

List of linux ports

To get the list of linux ports, use the following command –

The sample output should be like this –

Display Routing table

To display routing table, use the following command –

The sample output should be like this –

Display networking stats

To display networking statistics, use the following command –

The sample output should be like this –

Unsupported Address Families

To find the unsupported address families, use the following command –

The sample output should be like this –

Network information

To display other/more information about network, use the following command –

Netstat help

To get the help of netstat, use the following command –

The sample output should be like this –

In the above article, we have learnt about – Top 10 Netstat command examples on Linux. In our next articles, we will come up with more Linux based tricks and tips. Keep reading!

How to use Netstat?

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. Netstat is a useful tool for checking your network configuration and activity.

Just typing netstat should display a long list of information that’s usually more than you want to go through at any given time. The trick to keeping the information useful is knowing what you’re looking for and how to tell netstat to only display that information.

For example, if you only want to see TCP connections, use netstat --tcp. This shows a list of TCP connections to and from your machine. The following example shows connections to our machine on ports 993 (imaps), 143 (imap), 110 (pop3), 25 (smtp), and 22 (ssh). It also shows a connection from our machine to a remote machine on port 389 (ldap).

Note: To speed things up you can use the --numeric option to avoid having to do name resolution on addresses and display the IP only.

% netstat --tcp --numeric

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.128.152:993 192.168.128.120:3853 ESTABLISHED
tcp 0 0 192.168.128.152:143 192.168.128.194:3076 ESTABLISHED
tcp 0 0 192.168.128.152:45771 192.168.128.34:389 TIME_WAIT
tcp 0 0 192.168.128.152:110 192.168.33.123:3521 TIME_WAIT
tcp 0 0 192.168.128.152:25 192.168.231.27:44221 TIME_WAIT
tcp 0 256 192.168.128.152:22 192.168.128.78:47258 ESTABLISHED

If you want to see what (TCP) ports your machine is listening on, use netstat --tcp --listening. Another useful flag to add to this is --programs, which indicates which process is listening on the specified port. The following example shows a machine listening on ports 80 (www), 443 (https), 22 (ssh), and 25 (smtp):

2: netstat --tcp --listening --programs

# sudo netstat --tcp --listening --programs

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:www *:* LISTEN 28826/apache2
tcp 0 0 *:ssh *:* LISTEN 26604/sshd
tcp 0 0 *:smtp *:* LISTEN 6836/
tcp 0 0 *:https *:* LISTEN 28826/apache2

Note: Using --all displays both connections and listening ports.
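
One way to review the listening-socket output described above for exposure, as an added example that is not part of the original article: it classifies each TCP listener by bind address and marks sockets whose owning program is not shown. The sample input is constructed and uses numeric addresses (as with --numeric); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify listeners from `netstat --tcp --listening --programs --numeric` text.

# Constructed sample input (not captured from a real host).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      28826/apache2
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      6836/
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      26604/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      28826/apache2
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
EOF
}

# Reads netstat text on stdin and prints: SCOPE PORT OWNER
#   ALL-INTERFACES  bound to a wildcard address, reachable on every interface
#   LOOPBACK        bound to 127.x.x.x or ::1
#   SPECIFIC        bound to one non-loopback address
audit_listeners() {
  awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      port = $4; sub(/^.*:/, "", port)       # text after the last colon
      host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
      if (host == "0.0.0.0" || host == "::" || host == "*" || host == "[::]")
        scope = "ALL-INTERFACES"
      else if (host ~ /^127\./ || host == "::1")
        scope = "LOOPBACK"
      else
        scope = "SPECIFIC"
      owner = $7
      if (owner == "" || owner == "-")
        owner = "unknown"                    # typical when netstat is not run as root
      else if (owner ~ /\/$/)
        owner = owner "unnamed"              # PID shown but program name empty
      print scope, port, owner
    }'
}

sample_listeners | audit_listeners
```

Listeners reported as ALL-INTERFACES are the ones to compare against the firewall policy; an owner of unknown means the command should be re-run with sudo before drawing conclusions.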

The next example uses netstat --route to display the routing table. For most people, this will show one IP and the gateway address but if you have more than one interface or have multiple IPs assigned to an interface, this command can help troubleshoot network routing problems.

3: netstat --route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 1 0 0 eth0

The last example of netstat uses the --statistics flag to display networking statistics. Using this flag by itself displays all IP, TCP, UDP, and ICMP connection statistics. To show just some basic information for example purposes, only the output from --raw is displayed here. Combined with the uptime command, this can be used to get an overview of how much traffic your machine is handling on a daily basis.

4: netstat --statistics --raw

% netstat --statistics --raw

Ip:
620516640 total packets received
0 forwarded
0 incoming packets discarded
615716262 incoming packets delivered
699594782 requests sent out
5 fragments dropped after timeout
3463529 reassemblies required
636730 packets reassembled ok
5 packet reassembles failed
310797 fragments created
// ICMP statistics truncated

Note: For verbosity, the long names for the various flags were given. Most can be abbreviated to avoid excessive typing (e.g. netstat -tn, netstat -tlp, netstat -r, and netstat -sw).

While netstat is a common utility, hopefully this has demonstrated some different ways to make use of the command. For more information see man 8 netstat.

In this guide we’ll take a look at the functions of the Netstat Command within Linux and how it can be used to effectively monitor your network services. Before you can use Netstat properly though, you need to understand what it is and how it works.

What is Netstat?

Netstat is a tool in Linux which can be used to monitor and report information on network services. Netstat is actually a series of commands designed to report statistics on various aspects of your network, including which processes are using which ports.

Using the Netstat Command

Typically, Netstat displays all the ports in use by all processes, however, by adding the grep command, you can limit those results to only a specific designated port.

For example, if you wish to see which service is running on port 80, you just need to execute the following command:

netstat -ant | grep 80

Next, if you want to check the number of connections on port 80, you can use the command:

netstat -an | grep :80 | wc -l

Lastly, if you only want to see which ports your server is listening on, enter the following:

netstat -ant | grep LISTEN

And there you have it!
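
The difference between the substring matches above and an exact port match, as an added example that is not from the original guide: grep 80 also hits port 8080, addresses ending in .80 and ports such as 45180, so the awk filter below compares the local port field itself. The sample lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: exact local-port matching on `netstat -ant` text.

# Constructed sample input (not captured from a real host).
sample_conns() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         192.168.1.20:51514      ESTABLISHED
tcp        0      0 192.168.1.10:80         192.168.1.21:51800      TIME_WAIT
tcp        0      0 192.168.1.10:22         192.168.1.80:40222      ESTABLISHED
tcp        0      0 192.168.1.10:45180      192.168.1.30:443        ESTABLISHED
EOF
}

# Print only sockets whose LOCAL port is exactly $1.
port_lines() {
  awk -v p="$1" '
    $1 ~ /^(tcp|udp)/ {
      lp = $4; sub(/^.*:/, "", lp)   # keep the text after the last colon
      if (lp == p) print
    }'
}

# Count connections (everything except the LISTEN socket) on local port $1.
count_connections() {
  port_lines "$1" | awk '$6 != "LISTEN" { n++ } END { print n + 0 }'
}

echo "grep 80 matches:        $(sample_conns | grep -c 80)"
echo "grep :80 matches:       $(sample_conns | grep -c ':80')"
echo "exact local port 80:    $(sample_conns | port_lines 80 | wc -l | tr -d ' ')"
echo "connections on port 80: $(count_connections 80 <<EOF
$(sample_conns)
EOF
)"
```

On a live host, replace sample_conns with netstat -ant; add -p under sudo if the owning program is needed as well.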

Linux: How to kill a TCP connection using netstat?

You cannot kill a TCP connection using the netstat utility. netstat is used for:

  • Display network connections
  • Routing tables
  • Interface statistics
  • Masquerade connections
  • Multicast memberships
  • And much more

However, Linux supports two other commands or utilities that can be used to kill a TCP connection.

tcpkill command

Use tcpkill command to kill specified in-progress TCP connections. It is useful for libnids-based applications which require a full TCP 3-whs for TCB creation.

Syntax:

Examples:

tcpkill -i eth0 port 21

(b) Kill all packets arriving at or departing from host 192.168.1.2 (host12.nixcraft.com)

tcpkill host 192.168.1.2

tcpkill host host12.nixcraft.com

(c) To kill all IP packets between 192.168.1.2 and any host except 192.168.1.111, type the following:

tcpkill ip host 192.168.1.2 and not 192.168.1.111

Since tcpkill expressions are based upon tcpdump command’s filter expression, it is recommended that you read options with expression and examples.

cutter command

Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over Linux based firewall. It works on Linux router only. We have already covered examples of cutter here.

TCP (Transmission Control Protocol) is a standard that defines how network conversation between two systems is established and maintained to facilitate an exchange of data between applications. Internet Protocol (IP) defines how systems send packets of data to each other.

The TCP States in Linux

Below is a list of TCP connection states that can be viewed using netstat or ss command on Linux.

For the difference in usage between the ss and netstat commands, check the netstat vs ss usage guide on Linux. Use the command below to check the TCP states of all applications on your Linux server; it will give you the number of processes in each state.

To understand the options used in the command, read the netstat vs ss usage guide on Linux. You can also get the list of processes in a particular state by piping the output to grep. For example, to get processes in the CLOSE_WAIT state, use:

# netstat -apn | grep CLOSE_WAIT

You can further filter this output to get the process ID of the processes in the CLOSE_WAIT state.

If you want to limit the output to the top 10 processes with the CLOSE_WAIT TCP connection state, use head.

This shows that the Process with ID 8166 has 3856 CLOSE_WAIT connection states.

If you’re running short of TCP connections or doing troubleshooting, you may need to identify this process with a large number of CLOSE_WAIT connection states. It could mean that the application doesn’t close connections as expected.

I made a simple bash script which uses the command netstat to identify count for TCP connection states and the processes with many states in CLOSE_WAIT .

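
One way to get the per-state counts and the processes holding the most CLOSE_WAIT sockets described above, as an added example; it is not the author's script, which is not reproduced on this page. The input is constructed netstat -apn style text: PID 8166 is taken from the text, while the program names and addresses are made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarise TCP states and CLOSE_WAIT owners from `netstat -apn` text.

# Constructed sample input (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
tcp        0      0 10.0.0.5:8080           10.0.0.9:40112          CLOSE_WAIT  8166/java
tcp        1      0 10.0.0.5:8080           10.0.0.9:40113          CLOSE_WAIT  8166/java
tcp        1      0 10.0.0.5:8080           10.0.0.9:40114          CLOSE_WAIT  8166/java
tcp        0      0 10.0.0.5:22             10.0.0.7:51000          ESTABLISHED 912/sshd
tcp        0      0 10.0.0.5:5432           10.0.0.8:33000          CLOSE_WAIT  2201/postgres
tcp        0      0 10.0.0.5:443            10.0.0.6:60000          TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           650/dhclient
Active UNIX domain sockets (servers and established)
unix  2      [ ACC ]     STREAM     LISTENING     12345    1/init              /run/x.sock
EOF
}

# Print "COUNT STATE" for every TCP state, highest count first.
# Only tcp/tcp6 rows are used: UDP rows have no State column and
# UNIX-socket rows use a different layout.
state_counts() {
  awk '$1 ~ /^tcp/ { c[$6]++ } END { for (s in c) print c[s], s }' |
    sort -k1,1nr -k2,2
}

# Print "COUNT PID/PROGRAM" for sockets in CLOSE_WAIT, top $1 owners (default 10).
close_wait_by_pid() {
  awk '$1 ~ /^tcp/ && $6 == "CLOSE_WAIT" { c[$7]++ }
       END { for (p in c) print c[p], p }' |
    sort -k1,1nr -k2,2 | head -n "${1:-10}"
}

echo "TCP connection states:"
sample_netstat | state_counts
echo "Top CLOSE_WAIT owners:"
sample_netstat | close_wait_by_pid 10
```

A process that keeps a large and growing CLOSE_WAIT count is not closing sockets after the peer has closed its end; run the functions against sudo netstat -apn so the PID/Program column is populated.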