How to Use the Netstat Command in Linux

Updated on 08 May, 2025
How to Use the Netstat Command in Linux header image

netstat, or network statistics, is a command-line tool for diagnosing network issues and gathering network statistics. It displays active connections and listening sockets for TCP, UDP, and UNIX domain sockets, lists associated ports, provides basic network interface statistics, and shows the kernel’s routing table. You can monitor connections, identify open ports, and troubleshoot network issues.

This article will show you how to install and use netstat for monitoring and diagnosing networks in Linux systems.

Install netstat

The netstat command is part of the net-tools package and is available by default in the package repository of popular Linux distributions. Install net-tools to use the netstat command on your Linux system.

To install the net-tools package:

  • On Debian/Ubuntu distributions, use:

    console
    $ sudo apt install net-tools -y
    
  • On RHEL distributions, use:

    console
    $ sudo dnf install net-tools -y
    
  • On Arch Linux, use:

    console
    $ sudo pacman -Sy net-tools
    
  • On SUSE Linux, use:

    console
    $ sudo zypper install net-tools -y
    
  • On Alpine Linux, use:

    console
    $ sudo apk add net-tools
    

Verify the netstat installation.

console
$ netstat --version

Output:

net-tools 2.10
... 

netstat Command Syntax

The command uses the following syntax:

netstat [OPTIONS]

The options modify the command's behavior. Without specifying any, the netstat command displays a list of open sockets.

netstat Command Output Anatomy

Execute the netstat command to view all the active connections on your system.

console
$ netstat

Output:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address        State
tcp        0      0 hostname:49922          example.com:https      ESTABLISHED
tcp        0      0 hostname:44568          cdn-1-0-0-127:https    ESTABLISHED
...
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         STREAM     CONNECTED     7931     /run/user/1050/bus
unix  3      [ ]         STREAM     CONNECTED     7835     /run/dbus/system_bus_socket

The output has two sections:

  • The Active Internet Connections shows TCP and UDP based connections between your localhost hostname and remote hosts such as example.com.
  • The Active UNIX domain sockets show local Unix Sockets that are open.

Below is the explanation for each column from the above output:

  • Proto: The active network protocol, can be a tcp, udp, or unix socket.
  • Recv-Q (Receive Queue): Displays bytes of data received by the kernel but not read by the application.
  • Send-Q (Send Queue): Display bytes of data queued by the application to send that have not yet been acknowledged by the target.
  • Local Address: Display the system hostname, IP address, and port.
  • Foreign Address: Display the reverse lookup of the remote host.
  • State: The state of the connection, and ESTABLISHED denotes established connections.
  • RefCnt (Reference Count): Displays how many users or connections are connected to the socket.
  • Flags: Display flags related to UNIX sockets.
  • Type: Display the socket type, such as STREAM, DGRAM, SEQPACKET, and RAW.
  • I-Node: Display the inode number associated with the unix socket.
  • Path: Display the path of the filesystem associated with the unix socket.

The netstat command without any options shows only the non-listening sockets.

netstat Options

The most commonly used options are:

  • --listening or -l: Displays listening sockets.
  • --all or -a: Displays both the established and non-established connections.
  • --tcp or -t: Displays sockets that use TCP protocol.
  • --udp or -u: Displays sockets that use UDP protocol.
  • --numeric or -n: Displays the port number instead of port name and IP address instead of DNS or hostname.
  • --program or -p: Displays an additional PID/Program name column in the output and shows the program/process associated with that socket. You need to use sudo with this flag to see systemwide processes.

The following sub-sections cover various use cases of these and other flags, some in combination with others.

Note
  • netstat does not list the listening sockets without the -l or -a option.
  • The -p flag shows the process owned by the current user. To see all processes (including non-owned ones), use sudo with the netstat command.

Display Open Connections With Process IDs (PIDs)

Execute netstat with the -p or --program option to display open connections with their associated PID (Process ID) or program name.

console
$ sudo netstat -p

Output:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address      State       PID/Program name
tcp        0      0 hostname:55604          2.0.0.127.in-a:https ESTABLISHED 2320/firefox
tcp        0      0 hostname:40128          3.0.0.127.i:https    ESTABLISHED 33638/app --st
...
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     12358    750/pipewire         /run/user/1050/pipewire-0
unix  3      [ ]         STREAM     CONNECTED     31580    3898/speech-dispatc  /run/user/1050/speech-dispatcher/speechd.sock

The PID/Program name column shows the PID and program name associated with your connection.

View Open Ports in Linux Using Netstat

Execute the netstat with the -ltup option to view your system's open ports for TCP and UDP protocols.

console
$ sudo netstat -ltup

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:mshvlm        0.0.0.0:*               LISTEN      763/mpd
udp        0      0 0.0.0.0:35069           0.0.0.0:*                           1451/firefox

Display the Routing Table in Linux Using Netstat

Use the -r or --route option with the netstat command to display the kernel routing table and check the default gateway on your system.

console
$ netstat -r

Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 enp1s0
192.168.10.2.ch _gateway        255.255.255.255 UGH       0 0          0 enp1s0
192.168.10.1    0.0.0.0         255.255.254.0   U         0 0          0 enp1s0
_gateway        0.0.0.0         255.255.255.255 UH        0 0          0 enp1s0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlp4s0
...

In the above output, the following is the description of the columns:

  • Destination: Destination IP or hostname.
  • Gateway: The next stop on the path of the routing entry.
  • Genmask: The network mask of a route.
  • Flags: Display the flags for the route:
    • U: The route is UP.
    • H: The destination is a specific host.
    • G: The destination is a gateway.
  • MSS: Stands for "Maximum segment size", which is the maximum size of a payload that the socket receives.
  • Window: The TCP window size.
  • irtt: Stands for "initial round trip time". It measures the round trip time of packets for a connection.
  • Iface: The network interface of the route.

The following is the description of the last entry of the output:

  • The traffic to 0.0.0.0 gets routed through the gateway wlp4s0.
  • The default gateway is 192.168.1.1, which is reached via the interface wlp4s0.
  • The flag U means the route is UP, and G means the route is a gateway.

Display Network Interface Statistics

Execute netstat with the -i or --interface to display network interface statistics on your system.

console
$ netstat -i

Output:

Kernel Interface table
Iface             MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo              65536     6111      0      0 0          6111      0      0      0 LRU
wlp4s0           1500  1164542      0      0 0        822802      0     38      0 BMRU

From the above output, you can see the following:

  • The lo interface with the default MTU 65536 has received and transmitted 6111 packets. The lo is a loopback interface that is up and running.
  • The wlp4s0 interface with the default MTU 1500 has received packets 1164542 bytes, transmitted 822802 bytes, and dropped 38 bytes. The wlp4s0 is up and running with the broadcast set and multicast enabled.

The explanation of each column for the network interface statistics:

  • Iface: The network interface name.
  • MTU (Maximum Transmission Unit): The maximum size in bytes that can be transmitted over the interface.
  • RX-OK: Displays the count of successfully received packets.
  • RX-ERR (Receive Error): Displays the number of error packets received, which could indicate the error in physical connections, hardware problems, or network congestion.
  • RX-DRP (Receive Dropped): Displays the number of packets dropped by the interface.
  • RX-OVR (Receive Overrun): Displays the number of data packets which the interface could not handle.
  • TX-OK: Displays the size of successfully transmitted packets.
  • TX-ERR (Transmission Error): Displays the error transmitted packets, which could indicate the error in hardware failure and wrong packet formatting.
  • TX-DRP (Transmission Dropped): Displays the number of packets dropped by the transmit queue.
  • TX-OVR (Transmission Overrun): Similar to RX-OVR, but for transmitted data.
  • Flg (Flags): Displays the state and capabilities of the interface.
    • B: Indicates a set broadcast address.
    • L: Indicates a loopback interface.
    • M: indicates promiscuous mode.
    • R: Indicate a running interface.
    • U: Indicate that the interface is up or active.

View All Active Network Connections

Execute netstat with the -apn option to view all active connections on your system.

console
$ sudo netstat -apn

Expected output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6600          0.0.0.0:*               LISTEN      724/mpd
tcp        0      0 192.168.1.6:49928       172.6.0.4:443           ESTABLISHED 1148/firefox
...
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
unix  3      [ ]         STREAM     CONNECTED     13452    893/dbus-broker      /run/user/1050/at-spi/bus_0
unix  2      [ ACC ]     STREAM     LISTENING     10355    724/mpd              /home/ndlr/.config/mpd/socket

Below is the explanation for each option in the above command:

  • -a or --all: Display all listening and non-listening connections.
  • -p or --program: Display the PID (Process ID) and program name.
  • -n or --numeric: Display the output in the numeric format.

Display Active TCP Connections

Add the -t or --tcp option to show all active connections for the TCP protocol.

console
$ sudo netstat -aptn

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6600          0.0.0.0:*               LISTEN      724/mpd
tcp        0      0 192.168.1.6:49928       172.6.0.4:443           ESTABLISHED 1148/firefox

Display Active UDP Connections

Add the -u or --udp option to show all active connections for the UDP protocol.

console
$ sudo netstat -apun

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:47697           0.0.0.0:*                           1148/firefox
udp        0      0 192.168.1.6:68          192.168.1.1:67          ESTABLISHED 601/NetworkManager

Display Network Timer Data

The -o or --timer option displays the network timers. Use this option to diagnose network connection timeouts.

console
$ netstat -ano

Output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      off (0.00/0/0)
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         STREAM     CONNECTED     8613     /run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     8929     /run/dbus/system_bus_socket
...

Notice the Timer column that displays the timer data for the socket.

Display Listening Sockets

The -l or --listening option displays listening sockets. To check sockets for TCP and UDP protocols with the numerical address, use:

console
$ netstat -tuln

Output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.54:53           0.0.0.0:*               LISTEN        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
udp        0      0 127.0.0.54:53           0.0.0.0:*                          
udp        0      0 127.0.0.53:53           0.0.0.0:*                          

Conclusion

In this article, you learned how to use netstat for monitoring, diagnosing, and gathering network information and statistics. You can now use netstat to get insight into your network performance and issues. To learn more about netstat, execute the command man 8 netstat or visit Netstat documentation.

Comments

No comments yet.