
netstat
, or network statistics, is a command-line tool for diagnosing network issues and gathering network statistics. It displays active connections and listening sockets for TCP, UDP, and UNIX domain sockets, lists associated ports, provides basic network interface statistics, and shows the kernel’s routing table. You can monitor connections, identify open ports, and troubleshoot network issues.
This article will show you how to install and use netstat
for monitoring and diagnosing networks in Linux systems.
Install netstat
The netstat
command is part of the net-tools
package and is available by default in the package repository of popular Linux distributions. Install net-tools
to use the netstat
command on your Linux system.
To install the net-tools
package:
On Debian/Ubuntu distributions, use:
console$ sudo apt install net-tools -y
On RHEL distributions, use:
console$ sudo dnf install net-tools -y
On Arch Linux, use:
console$ sudo pacman -Sy net-tools
On SUSE Linux, use:
console$ sudo zypper install net-tools -y
On Alpine Linux, use:
console$ sudo apk add net-tools
Verify the netstat
installation.
$ netstat --version
Output:
net-tools 2.10
...
netstat
Command Syntax
The command uses the following syntax:
netstat [OPTIONS]
The options modify the command's behavior. Without specifying any, the netstat command displays a list of open sockets.
netstat
Command Output Anatomy
Execute the netstat
command to view all the active connections on your system.
$ netstat
Output:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 hostname:49922 example.com:https ESTABLISHED
tcp 0 0 hostname:44568 cdn-1-0-0-127:https ESTABLISHED
...
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 7931 /run/user/1050/bus
unix 3 [ ] STREAM CONNECTED 7835 /run/dbus/system_bus_socket
The output has two sections:
- The Active Internet Connections shows TCP and UDP based connections between your localhost
hostname
and remote hosts such asexample.com
. - The Active UNIX domain sockets show local Unix Sockets that are open.
Below is the explanation for each column from the above output:
- Proto: The active network protocol, can be a
tcp
,udp
, orunix
socket. - Recv-Q (Receive Queue): Displays bytes of data received by the kernel but not read by the application.
- Send-Q (Send Queue): Display bytes of data queued by the application to send that have not yet been acknowledged by the target.
- Local Address: Display the system hostname, IP address, and port.
- Foreign Address: Display the reverse lookup of the remote host.
- State: The state of the connection, and
ESTABLISHED
denotes established connections. - RefCnt (Reference Count): Displays how many users or connections are connected to the socket.
- Flags: Display flags related to UNIX sockets.
- Type: Display the socket type, such as
STREAM
,DGRAM
,SEQPACKET
, andRAW
. - I-Node: Display the inode number associated with the
unix
socket. - Path: Display the path of the filesystem associated with the
unix
socket.
The netstat
command without any options shows only the non-listening sockets.
netstat
Options
The most commonly used options are:
--listening
or-l
: Displays listening sockets.--all
or-a
: Displays both the established and non-established connections.--tcp
or-t
: Displays sockets that use TCP protocol.--udp
or-u
: Displays sockets that use UDP protocol.--numeric
or-n
: Displays the port number instead of port name and IP address instead of DNS or hostname.--program
or-p
: Displays an additionalPID/Program name
column in the output and shows the program/process associated with that socket. You need to use sudo with this flag to see systemwide processes.
The following sub-sections cover various use cases of these and other flags, some in combination with others.
netstat
does not list the listening sockets without the-l
or-a
option.- The
-p
flag shows the process owned by the current user. To see all processes (including non-owned ones), use sudo with the netstat command.
Display Open Connections With Process IDs (PIDs)
Execute netstat
with the -p
or --program
option to display open connections with their associated PID (Process ID) or program name.
$ sudo netstat -p
Output:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 hostname:55604 2.0.0.127.in-a:https ESTABLISHED 2320/firefox
tcp 0 0 hostname:40128 3.0.0.127.i:https ESTABLISHED 33638/app --st
...
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 12358 750/pipewire /run/user/1050/pipewire-0
unix 3 [ ] STREAM CONNECTED 31580 3898/speech-dispatc /run/user/1050/speech-dispatcher/speechd.sock
The PID/Program name
column shows the PID and program name associated with your connection.
View Open Ports in Linux Using Netstat
Execute the netstat
with the -ltup
option to view your system's open ports for TCP and UDP protocols.
$ sudo netstat -ltup
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:mshvlm 0.0.0.0:* LISTEN 763/mpd
udp 0 0 0.0.0.0:35069 0.0.0.0:* 1451/firefox
Display the Routing Table in Linux Using Netstat
Use the -r
or --route
option with the netstat
command to display the kernel routing table and check the default gateway on your system.
$ netstat -r
Output:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 enp1s0
192.168.10.2.ch _gateway 255.255.255.255 UGH 0 0 0 enp1s0
192.168.10.1 0.0.0.0 255.255.254.0 U 0 0 0 enp1s0
_gateway 0.0.0.0 255.255.255.255 UH 0 0 0 enp1s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlp4s0
...
In the above output, the following is the description of the columns:
- Destination: Destination IP or hostname.
- Gateway: The next stop on the path of the routing entry.
- Genmask: The network mask of a route.
- Flags: Display the flags for the route:
- U: The route is UP.
- H: The destination is a specific host.
- G: The destination is a gateway.
- MSS: Stands for "Maximum segment size", which is the maximum size of a payload that the socket receives.
- Window: The TCP window size.
- irtt: Stands for "initial round trip time". It measures the round trip time of packets for a connection.
- Iface: The network interface of the route.
The following is the description of the last entry of the output:
- The traffic to
0.0.0.0
gets routed through the gatewaywlp4s0
. - The default gateway is 192.168.1.1, which is reached via the interface
wlp4s0
. - The flag
U
means the route is UP, andG
means the route is a gateway.
Display Network Interface Statistics
Execute netstat
with the -i
or --interface
to display network interface statistics on your system.
$ netstat -i
Output:
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 65536 6111 0 0 0 6111 0 0 0 LRU
wlp4s0 1500 1164542 0 0 0 822802 0 38 0 BMRU
From the above output, you can see the following:
- The
lo
interface with the default MTU65536
has received and transmitted6111
packets. Thelo
is a loopback interface that is up and running. - The
wlp4s0
interface with the default MTU1500
has received packets1164542
bytes, transmitted822802
bytes, and dropped38
bytes. Thewlp4s0
is up and running with the broadcast set and multicast enabled.
The explanation of each column for the network interface statistics:
- Iface: The network interface name.
- MTU (Maximum Transmission Unit): The maximum size in bytes that can be transmitted over the interface.
- RX-OK: Displays the count of successfully received packets.
- RX-ERR (Receive Error): Displays the number of error packets received, which could indicate the error in physical connections, hardware problems, or network congestion.
- RX-DRP (Receive Dropped): Displays the number of packets dropped by the interface.
- RX-OVR (Receive Overrun): Displays the number of data packets which the interface could not handle.
- TX-OK: Displays the size of successfully transmitted packets.
- TX-ERR (Transmission Error): Displays the error transmitted packets, which could indicate the error in hardware failure and wrong packet formatting.
- TX-DRP (Transmission Dropped): Displays the number of packets dropped by the transmit queue.
- TX-OVR (Transmission Overrun): Similar to RX-OVR, but for transmitted data.
- Flg (Flags): Displays the state and capabilities of the interface.
- B: Indicates a set broadcast address.
- L: Indicates a loopback interface.
- M: indicates promiscuous mode.
- R: Indicate a running interface.
- U: Indicate that the interface is up or active.
View All Active Network Connections
Execute netstat
with the -apn
option to view all active connections on your system.
$ sudo netstat -apn
Expected output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 724/mpd
tcp 0 0 192.168.1.6:49928 172.6.0.4:443 ESTABLISHED 1148/firefox
...
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 13452 893/dbus-broker /run/user/1050/at-spi/bus_0
unix 2 [ ACC ] STREAM LISTENING 10355 724/mpd /home/ndlr/.config/mpd/socket
Below is the explanation for each option in the above command:
-a
or--all
: Display all listening and non-listening connections.-p
or--program
: Display the PID (Process ID) and program name.-n
or--numeric
: Display the output in the numeric format.
Display Active TCP Connections
Add the -t
or --tcp
option to show all active connections for the TCP protocol.
$ sudo netstat -aptn
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 724/mpd
tcp 0 0 192.168.1.6:49928 172.6.0.4:443 ESTABLISHED 1148/firefox
Display Active UDP Connections
Add the -u
or --udp
option to show all active connections for the UDP protocol.
$ sudo netstat -apun
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:47697 0.0.0.0:* 1148/firefox
udp 0 0 192.168.1.6:68 192.168.1.1:67 ESTABLISHED 601/NetworkManager
Display Network Timer Data
The -o
or --timer
option displays the network timers. Use this option to diagnose network connection timeouts.
$ netstat -ano
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 8613 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 8929 /run/dbus/system_bus_socket
...
Notice the Timer
column that displays the timer data for the socket.
Display Listening Sockets
The -l
or --listening
option displays listening sockets. To check sockets for TCP and UDP protocols with the numerical address, use:
$ netstat -tuln
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.54:53 0.0.0.0:*
udp 0 0 127.0.0.53:53 0.0.0.0:*
Conclusion
In this article, you learned how to use netstat
for monitoring, diagnosing, and gathering network information and statistics. You can now use netstat
to get insight into your network performance and issues. To learn more about netstat
, execute the command man 8 netstat
or visit Netstat documentation.
No comments yet.