netstat, or network statistics, is a command-line tool for diagnosing network issues and gathering network statistics. The Netstat Command in Linux displays active connections and listening sockets for TCP, UDP, and UNIX domain sockets, lists associated ports, provides basic network interface statistics, and shows the kernel’s routing table. You can monitor connections, identify open ports, and troubleshoot network issues.
This article will show you how to install and use netstat for monitoring and diagnosing networks in Linux systems.
Install netstat in Linux
The netstat command is part of the net-tools package and is available by default in the package repository of popular Linux distributions. Install net-tools to use the netstat command on your Linux system.
To install the net-tools package:
On Debian/Ubuntu distributions, use:
console$ sudo apt install net-tools -y
On RHEL distributions, use:
console$ sudo dnf install net-tools -y
On Arch Linux, use:
console$ sudo pacman -Sy net-tools
On SUSE Linux, use:
console$ sudo zypper install net-tools -y
On Alpine Linux, use:
console$ sudo apk add net-tools
Verify the netstat installation.
$ netstat --version
Output:
net-tools 2.10
... netstat Command Syntax
The command uses the following syntax:
netstat [OPTIONS]The options modify the command's behavior. Without specifying any, the netstat command displays a list of open sockets.
netstat Command Output Anatomy
Execute the netstat command to view all the active connections on your system.
$ netstat
Output:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 hostname:49922 example.com:https ESTABLISHED
tcp 0 0 hostname:44568 cdn-1-0-0-127:https ESTABLISHED
...
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 7931 /run/user/1050/bus
unix 3 [ ] STREAM CONNECTED 7835 /run/dbus/system_bus_socketThe output has two sections:
- The Active Internet Connections shows TCP and UDP based connections between your localhost
hostnameand remote hosts such asexample.com. - The Active UNIX domain sockets show local Unix Sockets that are open.
Below is the explanation for each column from the above output:
- Proto: The active network protocol, can be a
tcp,udp, orunixsocket. - Recv-Q (Receive Queue): Displays bytes of data received by the kernel but not read by the application.
- Send-Q (Send Queue): Display bytes of data queued by the application to send that have not yet been acknowledged by the target.
- Local Address: Display the system hostname, IP address, and port.
- Foreign Address: Display the reverse lookup of the remote host.
- State: The state of the connection, and
ESTABLISHEDdenotes established connections. - RefCnt (Reference Count): Displays how many users or connections are connected to the socket.
- Flags: Display flags related to UNIX sockets.
- Type: Display the socket type, such as
STREAM,DGRAM,SEQPACKET, andRAW. - I-Node: Display the inode number associated with the
unixsocket. - Path: Display the path of the filesystem associated with the
unixsocket.
The netstat command without any options shows only the non-listening sockets.
netstat Options
The most commonly used options are:
--listeningor-l: Displays listening sockets.--allor-a: Displays both the established and non-established connections.--tcpor-t: Displays sockets that use TCP protocol.--udpor-u: Displays sockets that use UDP protocol.--numericor-n: Displays the port number instead of port name and IP address instead of DNS or hostname.--programor-p: Displays an additionalPID/Program namecolumn in the output and shows the program/process associated with that socket. You need to use sudo with this flag to see systemwide processes.
The following sub-sections cover various use cases of these and other flags, some in combination with others.
netstatdoes not list the listening sockets without the-lor-aoption.- The
-pflag shows the process owned by the current user. To see all processes (including non-owned ones), use sudo with the netstat command.
Display Open Connections With Process IDs (PIDs)
Execute netstat with the -p or --program option to display open connections with their associated PID (Process ID) or program name.
$ sudo netstat -p
Output:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 hostname:55604 2.0.0.127.in-a:https ESTABLISHED 2320/firefox
tcp 0 0 hostname:40128 3.0.0.127.i:https ESTABLISHED 33638/app --st
...
...
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 12358 750/pipewire /run/user/1050/pipewire-0
unix 3 [ ] STREAM CONNECTED 31580 3898/speech-dispatc /run/user/1050/speech-dispatcher/speechd.sockThe PID/Program name column shows the PID and program name associated with your connection.
View Open Ports in Linux Using Netstat
Execute the netstat with the -ltup option to view your system's open ports for TCP and UDP protocols.
$ sudo netstat -ltup
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:mshvlm 0.0.0.0:* LISTEN 763/mpd
udp 0 0 0.0.0.0:35069 0.0.0.0:* 1451/firefoxDisplay the Routing Table in Linux Using Netstat
Use the -r or --route option with the netstat command to display the kernel routing table and check the default gateway on your system.
$ netstat -r
Output:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 enp1s0
192.168.10.2.ch _gateway 255.255.255.255 UGH 0 0 0 enp1s0
192.168.10.1 0.0.0.0 255.255.254.0 U 0 0 0 enp1s0
_gateway 0.0.0.0 255.255.255.255 UH 0 0 0 enp1s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlp4s0
...In the above output, the following is the description of the columns:
- Destination: Destination IP or hostname.
- Gateway: The next stop on the path of the routing entry.
- Genmask: The network mask of a route.
- Flags: Display the flags for the route:
- U: The route is UP.
- H: The destination is a specific host.
- G: The destination is a gateway.
- MSS: Stands for "Maximum segment size", which is the maximum size of a payload that the socket receives.
- Window: The TCP window size.
- irtt: Stands for "initial round trip time". It measures the round trip time of packets for a connection.
- Iface: The network interface of the route.
The following is the description of the last entry of the output:
- The traffic to
0.0.0.0gets routed through the gatewaywlp4s0. - The default gateway is 192.168.1.1, which is reached via the interface
wlp4s0. - The flag
Umeans the route is UP, andGmeans the route is a gateway.
Display Network Interface Statistics
Execute netstat with the -i or --interface to display network interface statistics on your system.
$ netstat -i
Output:
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 65536 6111 0 0 0 6111 0 0 0 LRU
wlp4s0 1500 1164542 0 0 0 822802 0 38 0 BMRUFrom the above output, you can see the following:
- The
lointerface with the default MTU65536has received and transmitted6111packets. Thelois a loopback interface that is up and running. - The
wlp4s0interface with the default MTU1500has received packets1164542bytes, transmitted822802bytes, and dropped38bytes. Thewlp4s0is up and running with the broadcast set and multicast enabled.
The explanation of each column for the network interface statistics:
- Iface: The network interface name.
- MTU (Maximum Transmission Unit): The maximum size in bytes that can be transmitted over the interface.
- RX-OK: Displays the count of successfully received packets.
- RX-ERR (Receive Error): Displays the number of error packets received, which could indicate the error in physical connections, hardware problems, or network congestion.
- RX-DRP (Receive Dropped): Displays the number of packets dropped by the interface.
- RX-OVR (Receive Overrun): Displays the number of data packets which the interface could not handle.
- TX-OK: Displays the size of successfully transmitted packets.
- TX-ERR (Transmission Error): Displays the error transmitted packets, which could indicate the error in hardware failure and wrong packet formatting.
- TX-DRP (Transmission Dropped): Displays the number of packets dropped by the transmit queue.
- TX-OVR (Transmission Overrun): Similar to RX-OVR, but for transmitted data.
- Flg (Flags): Displays the state and capabilities of the interface.
- B: Indicates a set broadcast address.
- L: Indicates a loopback interface.
- M: indicates promiscuous mode.
- R: Indicate a running interface.
- U: Indicate that the interface is up or active.
View All Active Network Connections
Execute netstat with the -apn option to view all active connections on your system.
$ sudo netstat -apn
Expected output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 724/mpd
tcp 0 0 192.168.1.6:49928 172.6.0.4:443 ESTABLISHED 1148/firefox
...
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 13452 893/dbus-broker /run/user/1050/at-spi/bus_0
unix 2 [ ACC ] STREAM LISTENING 10355 724/mpd /home/ndlr/.config/mpd/socketBelow is the explanation for each option in the above command:
-aor--all: Display all listening and non-listening connections.-por--program: Display the PID (Process ID) and program name.-nor--numeric: Display the output in the numeric format.
Display Active TCP Connections
Add the -t or --tcp option to show all active connections for the TCP protocol.
$ sudo netstat -aptn
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 724/mpd
tcp 0 0 192.168.1.6:49928 172.6.0.4:443 ESTABLISHED 1148/firefoxDisplay Active UDP Connections
Add the -u or --udp option to show all active connections for the UDP protocol.
$ sudo netstat -apun
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:47697 0.0.0.0:* 1148/firefox
udp 0 0 192.168.1.6:68 192.168.1.1:67 ESTABLISHED 601/NetworkManagerDisplay Network Timer Data
The -o or --timer option displays the network timers. Use this option to diagnose network connection timeouts.
$ netstat -ano
Output:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
...
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 8613 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 8929 /run/dbus/system_bus_socket
...Notice the Timer column that displays the timer data for the socket.
Display Listening Sockets
The -l or --listening option displays listening sockets. To check sockets for TCP and UDP protocols with the numerical address, use:
$ netstat -tuln
Output:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.54:53 0.0.0.0:*
udp 0 0 127.0.0.53:53 0.0.0.0:* Conclusion
In this article, you learned how to use the netstat command in Linux for monitoring, diagnosing, and gathering network information and statistics. You can now use netstat to gain insight into your network performance and troubleshoot issues. To learn more about netstat, execute the command man 8 netstat or visit Netstat documentation.