Netstat Command in Linux


In this article, you will learn all there is to the netstat command in Linux. We will be going through different topics like what netstat is, and learn about different terminologies like ports, processes, and protocols. We will also be looking into the syntax of the netstat command along with options used with the netstat command.

Also, we shall briefly look at the different files that are used by the netstat command and also understand the output messages and what they mean. In the very end, we will also be looking at some practical examples of the netstat command in the terminal. So buckle up and pay attention, because it is going to be a hell of a ride!

What is netstat in Linux?

Netstat is a command-line tool in Linux-based operating systems that gives you a lot of information about networks. The command gives you a treasure chest of useful information such as routing tables, network connections, interface statistics, multicast memberships and much more.

The netstat command is a basic network service debugging tool that is very helpful to system administrators as it tells you information like what ports are open and which programs are listening on ports.

Netstat stands for network statistics and can display all the socket connections like UDP and TCP. It also displays the sockets that are pending connections. The netstat utility is also available for Windows operating systems and Mac.

Understanding what happens behind the scenes

Before we proceed further, let us lay down some fundamentals by understanding what exactly happens behind the curtain.

Network sockets can be in 2 stages, either connected or waiting to be connected. These connections use networking protocols like UDP (User Datagram Protocol) or TCP (Transmission Control Protocol).

Connections use network ports and IP (internet protocol) addresses to create a connection successfully. Let us now take a closer look at what sockets are and how they function.

A socket is software used to handle one end of a network data connection. Apart from the 2 stages mentioned earlier, there are other states in which a socket can be such as the state when a socket is in the middle of connecting to a remote device.

A socket that listens is called the server, and the socket that requests the connection is the client. The netstat utility lets you see which sockets are connected, and which are listening.

Syntax of Linux netstat command

Before looking at the many options used with the netstat command, let us look at the syntax of the netstat command:

netstat <options>

Installing Linux netstat

The netstat tool does not come preinstalled in most distributions of Linux. To install it on Debian-based operating systems, type the following command in the terminal:

sudo apt install net-tools


Options used with Linux netstat command

In the syntax of the netstat command, we have seen that there is a field to enter the option. There are many available options which we can use to tinker with the way the output is printed. Let us look at the various available options of the netstat command.

1. -r

This option displays the kernel routing tables. This option can also be written as “--route”

2. -g

This option displays multicast group membership information for IPv4 and IPv6 addresses. You can also write this option as “--groups”

3. -i

This option displays a table of all the network interfaces. You can also write this option as “--interfaces”

4. -M

This option displays a list of masqueraded connections. You can also write this option as “--masquerade”

5. -s

This option displays summary statistics for each protocol. You can also write this option as “--statistics”

6. -v

This option makes the output verbose to give a better understanding of what happened. You can also write this option as “--verbose”

7. -W

This option does not truncate IP addresses; the output is made as wide as needed. You can also write this option as “--wide”

8. -n

This option shows numerical addresses instead of trying to determine symbolic host, port, or user names. You can also write this option as “--numeric”

9. --numeric-hosts

This option shows the numerical host addresses and does not affect the resolution of user names or ports.

10. --numeric-ports

This option shows the numerical port numbers and does not affect the resolution of user names or hosts.

11. --numeric-users

This option shows the numerical user IDs and does not affect the resolution of port names or hosts.

12. -o

This option includes information related to networking timers.

13. -c

This option prints the selected information every second continuously. You can also write this option as “--continuous”

14. -e

As the name suggests, this option displays additional information. You can also write this option as “--extend”

15. -p

This shows the name and PID of the program. You can also write this option as “--program”

16. -l

This option shows only the sockets that are listening. You can also write this option as “--listening”

17. -F

This option prints routing information from the FIB.

18. -C

This option prints routing information from the route cache.

19. -a

This option shows both the socket types – listening and non-listening. You can also write this option as “--all”

20. --help

This option displays the help menu.

Understanding the output of netstat command

Before we actually see some practical examples, we must also understand the different output messages netstat shows in the terminal for us to understand what is actually happening or happened.

Output regarding Internet connection

One kind of information netstat gives us through its output is information regarding active internet connections like UDP, raw, and TCP. Let us look at some of the output netstat displays regarding internet connections.

1. Proto

This output message shows the protocol used by the socket. It can be TCP, RAW or UDP.

2. Recv-Q

This output message shows the count of bytes not copied by the user program connected to this socket.

3. Send-Q

This output message shows the count of bytes not acknowledged by the remote host.

4. Local Address

This output message shows the address and port number of the local end of the socket.

5. Foreign Address

This output message shows the address and port number of the remote end of the socket.

6. User

This output message shows the username or UID of the owner of the socket.

7. PID/name of the process

This output message shows the process id (PID) and process name of the process that owns the socket separated by a slash.

8. State

This output message shows the state of the socket.

Output regarding the active UNIX domain sockets

Another kind of output that netstat prints is the information regarding the active UNIX domain sockets. Let us look at some categories of this message:

1. Proto

This output message displays the protocol used by the socket, usually UNIX.

2. RefCnt

This output message displays the reference count.

3. Flags

This output message displays the flags.

4. Type

This output message shows the type of socket access.

5. State

This output message shows the state of the sockets

6. PID/program name

This output message displays the PID and the name of the process separated by a slash

7. Path

This output message displays the path name under which the corresponding process attached to the socket.

8. Active IPX sockets

This output message displays the list of the active IPX sockets.

9. Active NET/ROM sockets

This output message displays the list of all the active NET/ROM sockets.

10. Active AX.25 sockets

This output message displays the list of the active AX.25 sockets.

Now that we have laid down the fundamentals, let us look at some practical examples of the netstat command in the terminal

Listing all ports of TCP and UDP connections

To list all ports, both listening and non-listening, of UDP and TCP connections, use the option “-a” as follows:

netstat -a


Listing TCP port connections

If you wish to list only the TCP (Transmission Control Protocol) port connections, use the option “-t” together with “-a” as follows:

netstat -at


Listing the connections that are listening

To list all the listening connections use the option “-l” as follows:

netstat -l


Listing the TCP listening ports

If you wish to list all the active TCP listening ports, you can pair the options “-l” and “-t” as follows:

netstat -lt


Listing the UDP listening ports

If you wish to list all the active UDP listening ports, you can pair the options “-l” and “-u” as follows:

netstat -lu


Listing the UNIX listening ports

If you wish to list all the active UNIX listening ports, you can pair the options “-l” and “-x” as follows:

netstat -lx


Showing statistics

If you want to show statistics by protocol on the terminal, use the option “-s” as follows:

netstat -s

By default, the command shows statistics for the protocols TCP, UDP, ICMP, and IP.

Showing statistics of the TCP protocol

To show statistics of the TCP protocol, combine the option “-s” with the option “-t” as follows:

netstat -st


Showing statistics of the UDP protocol

To show statistics of the UDP protocol, combine the option “-s” with the option “-u” as follows:

netstat -su


Showing PID and process name

If you want to show the service name along with their PID number, you can use the command as below:

netstat -tp


Promiscuous mode

To display the promiscuous mode, use the command:

netstat -ac


Displaying the IP routing of kernel

To display the kernel IP routing table, use the option “-r” as follows:

netstat -r


Displaying the transactions of network interfaces

To show the network interface transactions (both receiving and transferring), use the option “-i”.

Making the output verbose

To make the output verbose and get a better understanding of what is happening, use the option “-v” or “--verbose” along with the netstat command as follows:

netstat -v
netstat --verbose

Displaying information regarding IPv4 and IPv6 addresses

To show multicast group membership information for both IPv4 and IPv6 addresses, use the option “-g” as follows:

netstat -g


Showing the kernel interface table

To show the kernel interface table, combine the option “-i” and “-e” with the netstat command as follows:

netstat -ie


Finding programs that are listening

If you want to find a specific listening program, you can combine the netstat command with the grep, by piping both of them as follows:

netstat -ap | grep http

The above command lists all sockets together with the programs that own them and sends the list as input to the grep command, which keeps only the lines containing the phrase “http”.
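An added example (not part of the original article) that goes one step beyond the grep filter: it parses `netstat -tulnp` output and reports every listener bound to all interfaces (0.0.0.0 or ::) whose port is not on an allowlist. The function names, the allowlist and the sample output are constructed for illustration.

```shell
# Added example (not from the article). Reads `netstat -tulnp` output on stdin
# and prints listeners bound to all interfaces whose port is not allowlisted.
# Real use: sudo netstat -tulnp | unexpected_listeners "22 443"
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }            # skip headers and UNIX sockets
    {
        # UDP rows have an empty State column, so PID/Program shifts left by one.
        if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; first = 7 } else first = 6
        port = $4; sub(/.*:/, "", port)        # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host != "0.0.0.0" && host != "::" && host != "[::]") next
        if (port in ok) next
        owner = "-"                            # netstat prints "-" without sudo
        if (first <= NF) {
            owner = $first                     # program names may contain spaces
            for (i = first + 1; i <= NF; i++) owner = owner " " $i
        }
        print $1, port, owner
    }'
}

# Constructed sample output, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      812/postgres
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1377/python3
tcp6       0      0 :::80                   :::*                    LISTEN      905/nginx: master
udp        0      0 0.0.0.0:68              0.0.0.0:*                           511/dhclient
udp        0      0 127.0.0.53:53           0.0.0.0:*                           498/systemd-resolve
EOF
}

sample_netstat | unexpected_listeners "22 80"
```

Sockets bound to a loopback or other specific address are skipped, since only wildcard binds are reachable on every interface.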

Printing information continuously

To print information from netstat continuously, use the option “-c” as follows:

netstat -c


Printing raw network statistics

If you want to print raw network statistics, pass the first argument of netstat as “--statistics” and the second argument as “--raw” as follows:

netstat --statistics --raw


Listing UDP port connections

If you wish to list only the UDP (User Datagram Protocol) port connections, use the option “-u” together with “-a” as follows:

netstat -au

Displaying kernel routing information

To display the kernel routing information, pair the netstat command with the option “-r” as shown below:

netstat -r


Listing network interfaces

To list all the network interfaces, pair the netstat command along with the option “-i” as follows:

netstat -i


Disabling reverse DNS Lookup for faster output

By default, netstat finds the hostname for each IP address with a reverse DNS lookup, which slows down the output. If you do not need the hostnames, disable the reverse DNS lookup with the option “-n”.

Displaying the PID and UID

While checking network statistics, if you want to print the PID and UID, pair the netstat command with the option “-p”. You will have to use the option “-p” with sudo privileges, otherwise, it will not display the PID.


Files used by netstat

Now that we have covered pretty much everything, there is one little thing left to discuss – the files used by netstat. Let us look at the different files netstat uses.

1. /etc/services

This file is the services translation file.

2. /proc/net/dev

This file contains device information.

3. /proc/net/raw

This file contains raw socket information.

4. /proc/net/tcp

This file contains information about the TCP socket

5. /proc/net/udp

This file contains information about the UDP socket

6. /proc/net/igmp

This file contains information regarding IGMP multicast

7. /proc/net/unix

This file contains information about the UNIX domain socket

8. /proc/net/ipx

This file contains information about the IPX socket

9. /proc/net/ax25

This file contains information about the AX25 socket

10. /proc/net/ipx_route

This file contains information about IPX routing

11. /proc/net/nr_nodes

This file contains information about the NET/ROM nodelist

12. /proc/net/nr_neigh

This file contains information about the neighbors of NET/ROM

13. /proc/net/ip_masquera

This file contains information about the masqueraded connections
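An added example, not from the original article: because netstat builds its TCP table from /proc/net/tcp, the same rows can be decoded directly on a host where net-tools is not installed. It assumes a little-endian host and IPv4 only; the function names and the sample rows are constructed.

```shell
# Added example (not from the article): decode /proc/net/tcp rows by hand.
# Assumes a little-endian host (x86, most ARM), where the kernel prints the
# four IPv4 address bytes in reversed order. Ports are plain big-endian hex.
# Real use: decode_proc_tcp < /proc/net/tcp
hex_to_ipv4() {
    h=$1
    b1=${h%??????}; r=${h#??}     # peel off two hex digits at a time
    b2=${r%????};   r=${r#??}
    b3=${r%??};     b4=${r#??}
    echo "$((0x$b4)).$((0x$b3)).$((0x$b2)).$((0x$b1))"
}

tcp_state_name() {                # values of the "st" column
    case $1 in
        01) echo ESTABLISHED ;; 02) echo SYN_SENT ;;   03) echo SYN_RECV ;;
        04) echo FIN_WAIT1 ;;   05) echo FIN_WAIT2 ;;  06) echo TIME_WAIT ;;
        07) echo CLOSE ;;       08) echo CLOSE_WAIT ;; 09) echo LAST_ACK ;;
        0A) echo LISTEN ;;      0B) echo CLOSING ;;    *) echo "UNKNOWN($1)" ;;
    esac
}

decode_proc_tcp() {
    # Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    while read -r sl laddr raddr st _ _ _ uid _ inode _; do
        case $sl in *:) ;; *) continue ;; esac   # data rows start with "N:"
        l="$(hex_to_ipv4 "${laddr%:*}"):$((0x${laddr#*:}))"
        r="$(hex_to_ipv4 "${raddr%:*}"):$((0x${raddr#*:}))"
        echo "$l $r $(tcp_state_name "$st") uid=$uid inode=$inode"
    done
}

# Constructed sample rows in the /proc/net/tcp layout, not from a real host.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 100 0 0 10 0
   1: 0A0200C0:0016 076433C6:C3A6 01 00000000:00000000 02:000A1B2C 00000000     0        0 41210 4 0000000000000000 20 4 30 10 -1
EOF
}

sample_proc_net_tcp | decode_proc_tcp
```

The uid and inode columns are what the “-e” and “-p” options build on: the inode is matched against the socket links under /proc/<pid>/fd to find the owning process.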

Summary

As you have seen, the Linux netstat command is a really helpful tool (mostly for system admins) that displays various information about networks. You have now learned what netstat is, what sockets are and how they work, the syntax of the netstat command along with its options, and various practical examples of the netstat command.