If there are mandatory command line-based network monitoring tools every network administrator should a master in, netstat should be on the list. Netstat — which stands for network statistic — is a versatile tool every network administrator can use for monitoring the network they are handling. While this tool is tend to more popular in Linux and other Unix-like platforms, those who use Windows can also take advantage of this tool.
Nearly all Linux distributions have added netstat as the standard tool so you can just use it without installing it first. If your distro haven’t added the tool you can just install it. In Linux, netstat is a part of net-tools.
Netstat is a helpful and useful when it comes to network troubleshooting and performance measurement. You can use this tool for monitoring network connections both incoming and outgoing. It is one of the basic network service debugging tools, telling you what ports are open and whether any programs are listening on ports.
Just like other commands in Linux, you can get more info about netstat by reading its manual in terminal by typing man netstat. Or, you can also see the available parameters by typing netstat --help. This article will show you the top 10 examples use of netstat.
1. Displaying network interface transactions
# netstat -i
Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg enp3s0 1500 0 0 0 0 0 0 0 0 0 BMU lo 65536 0 1316 0 0 0 1316 0 0 0 LRU wlp2s0 1500 0 8950 0 0 0 9370 0 0 0 BMRU
2. Displaying kernel interface table
# netstat -ie
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:1360 errors:0 dropped:0 overruns:0 frame:0
TX packets:1360 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:118265 (118.2 KB) TX bytes:118265 (118.2 KB)
wlp2s0 Link encap:Ethernet HWaddr 48:d2:24:b0:20:f9
inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::3726:56d2:44f0:ade5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9041 errors:0 dropped:0 overruns:0 frame:0
TX packets:9472 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5795807 (5.7 MB) TX bytes:2201496 (2.2 MB)
3. Listing all the LISTENING ports of TCP and UDP connections
# netstat -a
Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:mysql *:* LISTEN tcp 0 0 aliko-X200CA:domain *:* LISTEN tcp 0 0 192.168.1.102:41480 ec2-52-42-35-202.:https ESTABLISHED tcp 0 0 192.168.1.102:40242 sc-in-f188.1e100.n:5228 ESTABLISHED tcp 0 0 192.168.1.102:41482 ec2-52-42-35-202.:https ESTABLISHED tcp6 0 0 [::]:http [::]:* LISTEN udp 0 0 aliko-X200CA:domain *:* udp 0 0 *:bootpc *:* udp 0 0 *:mdns *:* udp 0 0 *:mdns *:* udp 0 0 *:55564 *:* udp 0 0 *:57703 *:* udp 0 0 *:ipp *:* udp6 0 0 [::]:43015 [::]:* udp6 0 0 [::]:mdns [::]:* udp6 0 0 [::]:mdns [::]:* raw6 0 0 [::]:ipv6-icmp [::]:* 7 Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 23667 @/tmp/.ICE-unix/1621 unix 2 [ ] DGRAM 22989 /run/user/1001/systemd/notify unix 2 [ ACC ] STREAM LISTENING 22990 /run/user/1001/systemd/private unix 2 [ ACC ] SEQPACKET LISTENING 1530 /run/udev/control unix 2 [ ACC ] STREAM LISTENING 23001 /run/user/1001/keyring/control unix 2 [ ACC ] STREAM LISTENING 22237 /run/user/1001/keyring/pkcs11 unix 2 [ ACC ] STREAM LISTENING 22239 /run/user/1001/keyr
4. Listing all LISTENING connections
# netstat -l
Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost:mysql *:* LISTEN tcp 0 0 aliko-X200CA:domain *:* LISTEN tcp6 0 0 [::]:http [::]:* LISTEN udp 0 0 aliko-X200CA:domain *:* udp 0 0 *:bootpc *:* udp 0 0 *:mdns *:* udp 0 0 *:mdns *:* udp 0 0 *:55564 *:* udp 0 0 *:57703 *:* udp 0 0 *:ipp *:* udp6 0 0 [::]:43015 [::]:* udp6 0 0 [::]:mdns [::]:* udp6 0 0 [::]:mdns [::]:* raw6 0 0 [::]:ipv6-icmp [::]:* 7 Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 23667 @/tmp/.ICE-unix/1621 unix 2 [ ACC ] STREAM LISTENING 22990 /run/user/1001/systemd/private unix 2 [ ACC ] SEQPACKET LISTENING 1530 /run/udev/control unix 2 [ ACC ] STREAM LISTENING 23001 /run/user/1001/keyring/control unix 2 [ ACC ] STREAM LISTENING 22237 /run/user/1001/keyring/pkcs11 unix 2 [ ACC ] STREAM LISTENING 22239 /run/user/1001/keyring/ssh
5. Displaying statistics by protocol
# netstat -s
Ip:
11360 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
11359 incoming packets delivered
11745 requests sent out
124 outgoing packets dropped
Icmp:
293 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 293
302 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 302
IcmpMsg:
InType3: 293
OutType3: 302
6. Displaying kernel IP routing
# netstat -r
Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface default 192.168.1.1 0.0.0.0 UG 0 0 0 wlp2s0 link-local * 255.255.0.0 U 0 0 0 wlp2s0 192.168.1.0 * 255.255.255.0 U 0 0 0 wlp2s0
7. Displaying IPv4 and IPv6 information
# netstat -g
IPv6/IPv4 Group Memberships Interface RefCnt Group --------------- ------ --------------------- lo 1 all-systems.mcast.net enp3s0 1 all-systems.mcast.net wlp2s0 2 224.0.0.251 wlp2s0 1 all-systems.mcast.net lo 1 ip6-allnodes lo 1 ff01::1 enp3s0 1 ip6-allnodes enp3s0 1 ff01::1 wlp2s0 2 ff02::fb wlp2s0 1 ff02::1:fff0:ade5 wlp2s0 1 ip6-allnodes wlp2s0 1 ff01::1
8. Displaying service name with PID
# netstat -tp
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 192.168.1.102:35346 sin10s01-in-f14.1:https ESTABLISHED 2258/chrome tcp 0 0 192.168.1.102:40242 sc-in-f188.1e100.n:5228 ESTABLISHED 2258/chrome tcp 0 0 192.168.1.102:56224 jktd3khweb11v.clou:http ESTABLISHED 2258/chrome
9. Displaying RAW network statistics
# netstat --statistics --raw
Ip:
11973 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
11972 incoming packets delivered
12412 requests sent out
124 outgoing packets dropped
Icmp:
293 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
destination unreachable: 293
302 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 302
10. Print netstat information continuously
# netstat -c
Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.1.102:56236 jktd3khweb11v.clou:http ESTABLISHED tcp 0 0 192.168.1.102:59698 192.0.73.2:https ESTABLISHED tcp 0 0 192.168.1.102:40242 sc-in-f188.1e100.n:5228 ESTABLISHED tcp 0 0 192.168.1.102:33964 45.e4.9bc0.ip4.sta:http ESTABLISHED udp 0 0 192.168.1.102:44048 sb-in-f157.1e100.:https ESTABLISHED Active UNIX domain sockets (w/o servers) Proto RefCnt Flags Type State I-Node Path unix 2 [ ] DGRAM 22989 /run/user/1001/systemd/notify unix 7 [ ] DGRAM 1532 /run/systemd/journal/socket unix 2 [ ] DGRAM 1629 /run/systemd/journal/syslog unix 19 [ ] DGRAM 1630 /run/systemd/journal/dev-log