How to Use the Command 'netstat' (with Examples)
The netstat command is a powerful utility in Unix-like operating systems that displays network-related information such as open connections, routing tables, interface statistics, masquerade connections, and multicast memberships. This tool is indispensable for network administrators and engineers who wish to monitor the operational state of a network and troubleshoot connectivity issues. While it is often replaced by the ss command in many modern systems, netstat remains popular due to its robust set of features.
Use Case 1: List All Ports
Code:
netstat --all
Motivation:
By listing all ports, users can gain a comprehensive view of both listening and non-listening sockets on the system. This includes all protocols, enabling the monitoring of ongoing network activities. This is particularly helpful in identifying unauthorized or anomalous services running on the system.
Explanation:
--all: Shows both listening and non-listening sockets. Without this flag, netstat lists only connected (non-listening) sockets.
Example Output:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:54171 localhost:54172 ESTABLISHED
tcp 0 0 localhost:54172 localhost:54171 ESTABLISHED
udp 0 0 0.0.0.0:68 0.0.0.0:*
Use Case 2: List All Listening Ports
Code:
netstat --listening
Motivation:
Listing all listening ports is vital to manage and secure a system by showing which ports are ready to accept connections. This allows administrators to verify that only expected services are running and identify any potentially unauthorized services.
Explanation:
--listening: Shows only listening sockets, i.e., sockets that are waiting for a connection.
Example Output:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
udp 0 0 0.0.0.0:bootpc 0.0.0.0:*
Use Case 3: List Listening TCP Ports
Code:
netstat --listening --tcp
Motivation:
Monitoring TCP ports is crucial for maintaining secure and efficient communications. By focusing on TCP, network operators can ensure proper functioning of key services like HTTP, HTTPS, and SSH, which are essential for the administration and access of services.
Explanation:
--listening: Restricts the output to listening sockets. With --tcp alone, netstat shows only connected TCP sockets, not listening ones.
--tcp: Limits the output to the TCP protocol.
Example Output:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:https *:* LISTEN
Use Case 4: Display PID and Program Names
Code:
netstat --program
Motivation:
Attaching PIDs and program names to connections allows users to identify the processes responsible for each connection. This is invaluable in performance troubleshooting and security audits to ensure that only permitted applications maintain network connections.
Explanation:
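--program: Displays the PID and name of the program to which each socket belongs. Run netstat as root to see the owners of sockets that belong to other users' processes; otherwise the column shows - for them.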
Example Output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 1001/sshd
tcp 0 0 *:http *:* LISTEN 2168/apache2
Use Case 5: List Information Continuously
Code:
netstat --continuous
Motivation:
Continuous monitoring is critical during live debugging and performance testing, allowing real-time observation of network state changes. This can help identify transient issues that might be missed in a single snapshot.
Explanation:
--continuous: Prints the selected information again every second until interrupted.
Example Output:
... (repeats) ...
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:58123 localhost:39972 TIME_WAIT
tcp 0 0 192.168.1.5:53015 ec2-54-93-12-34:https ESTABLISHED
Use Case 6: List Routes and Do Not Resolve IP Addresses to Hostnames
Code:
netstat --route --numeric
Motivation:
For an accurate and fast overview of the routing table without DNS resolution delays, this command lists all routes in numeric form. This is especially useful when dealing with busy networks or when analyzing routing paths to troubleshoot traffic flow issues.
Explanation:
--route: Outputs the kernel routing table.
--numeric: Displays numerical addresses instead of trying to determine symbolic host, port, or user names.
Example Output:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
Use Case 7: List Listening TCP and UDP Ports (+ User and Process If You’re Root)
Code:
netstat --listening --program --numeric --tcp --udp --extend
Motivation:
This comprehensive command is used to fully enumerate active listening ports across TCP and UDP protocols, complete with user and process information. Such detailed output is essential for complex diagnostic tasks where full visibility into the network stack is required.
Explanation:
--listening: Shows only listening sockets.
--program: Includes PID and program names.
--numeric: Displays addresses, ports, and users as numbers.
--tcp: Includes TCP ports.
--udp: Includes UDP ports.
--extend: Displays additional information for each socket, here the User and Inode columns.
Example Output:
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 *:http *:* LISTEN www-data 2315 2168/apache2
udp 0 0 192.168.1.10:4500 0.0.0.0:* root 73412 1396/pluto
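To turn the Use Case 7 command into the check that Use Cases 2 and 7 describe (only expected services are listening), its output can be compared with an allowlist. The script below is an added example, not part of the original article; the function names, the proto/port=program allowlist format, and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: compare listening sockets against an allowlist.
# Real use (as root, so PID/Program name is populated):
#   netstat --listening --program --numeric --tcp --udp --extend |
#       audit_listeners "tcp/22=sshd udp/68=dhclient"

# audit_listeners ALLOWLIST
#   ALLOWLIST is a space-separated list of proto/port=program entries
#   (a format invented for this example). Reads netstat output on stdin.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, tok, " ")
        for (i = 1; i <= n; i++) { split(tok[i], kv, "="); want[kv[1]] = kv[2] }
    }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)       # fold tcp6/udp6 into tcp/udp
        port = $4;  sub(/.*:/, "", port)       # keep text after the last colon
        # UDP rows have no State column, so locate PID/Program by its shape.
        prog = "-"
        for (i = 6; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) {
                prog = $i; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog); break
            }
        key = proto "/" port
        if (!(key in want))         print "UNEXPECTED " key " " prog " " $4
        else if (prog == "-")       print "UNKNOWN " key " " $4
        else if (prog != want[key]) print "MISMATCH " key " " prog " want=" want[key]
    }'
}

# Constructed sample output (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address State  User Inode PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*       LISTEN 0    21540 1001/sshd
tcp        0      0 0.0.0.0:80        0.0.0.0:*       LISTEN 0    2315  2168/apache2
tcp        0      0 0.0.0.0:8000      0.0.0.0:*       LISTEN 1000 88121 9313/python3
tcp6       0      0 :::22             :::*            LISTEN 0    21542 1001/sshd
udp        0      0 192.168.1.10:4500 0.0.0.0:*              0    73412 1396/pluto
udp        0      0 0.0.0.0:68        0.0.0.0:*              0    19877 -
EOF
}

sample_netstat | audit_listeners "tcp/22=sshd tcp/80=nginx udp/4500=pluto udp/68=dhclient"
```

An UNKNOWN row means the socket is on the allowlist but netstat could not name its owner, which is what happens when the command is not run as root.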
Conclusion:
The netstat command is an extremely versatile utility that presents users with detailed insights into network status and performance. Whether for routine system administration or thorough debugging, the different options and parameters of netstat enable effective and efficient network monitoring and diagnostics. By studying these examples, users can understand how to apply netstat to glean critical insights into system and network performance.