How to use the netstat command in Linux


The term “netstat” stands for Network Statistics. In layman’s terms, the netstat command displays the current network connections, networking protocol statistics, and a variety of other networking information, such as the routing table and interfaces.

If we enter netstat in the terminal without any background knowledge of computer networking, the system throws a wide range of networking jargon at us. It is up to the user to extract the important information and filter out the rest.

In this article, we will answer some of the queries related to computer networking using the netstat command.

Identify Active Network Connections Using the Netstat Command

To display all the active network connections in Linux, we use

netstat -a

Output:

[Screenshot: netstat -a output]

The standard output contains six columns:

  • Proto (Protocol) – The type of protocol used for the network connection, like TCP, UDP, etc.
  • Recv-Q (Receiving Queue) – The amount of data (in bytes) in the waiting queue for the socket.
  • Send-Q (Sending Queue) – The amount of data (in bytes) in the sending queue for the socket.
  • Addresses – Each address contains the name of the host followed by ‘:’ and a port number.
    • Local Address – The address of the computer on which the netstat command is running.
    • Foreign Address – The address of the computer at the other end of the connection.
  • State – The state of each network connection.

To understand this better, suppose we open a website www.lookip.net. On running the command:

netstat -a | grep lookip.net

We will get the following output:

[Screenshot: Search lookip.net using the netstat command]

As is quite clear, we extracted all the network connections in progress with a particular foreign address. In the command, ‘|’ passes the output of one command to the next, whereas grep is a searching tool in Linux.

Note: This technique does not work for every website, since the foreign address netstat shows for a connection does not always match the site's URL.

To further experiment with the data provided by the netstat command, we can write commands focusing on protocols, addresses, or states:

Display all established connections

netstat -a | grep ESTABLISHED

Display all TCP connections in listening state

netstat -a | grep tcp | grep LISTEN

Instead of building custom commands like these, we can use the built-in options netstat provides for fetching specific information.

Filtering based on Protocols

For TCP-specific queries, the -t option is used. To display only the TCP connections:

netstat -at

Note: To apply multiple filters in a single netstat command, the option letters are combined after a single dash.

For UDP-specific queries, the -u option is used. To display all the sockets using UDP:

netstat -au

State-based option:

To display all listening sockets:

netstat -l

Identify the programs using network connections using Netstat

To fetch the programs and their process IDs, we use:

netstat -p

For TCP specific programs:

netstat -pt

Output:

[Screenshot: Programs following TCP]

As we can see, Chrome is accessing the internet with process ID 16648. This information can be used to kill or stop any program that is accessing a network without the user's knowledge.

Note: Some program information may be hidden if the current user is not the root user. To become the root user in Linux, run sudo su and enter the password.


Using the Netstat Command to List IP Addresses of Each Network Connection

For fetching all the data related to IP addresses and ports numerically, we use:

netstat -n

We can display addresses numerically for programs following TCP by:

netstat -ptn

Output:

[Screenshot: Programs following TCP (numeric)]

The difference is clear: we can now see the IP address as well as the port number for each connection.
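As an added example (not part of the original article), the shell function below combines the options covered so far, -t, -l, -n and -p, and reduces the result to the TCP listeners that other hosts can reach, together with the owning program. The sample output and the function names sample_netstat and exposed_listeners are constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from other hosts,
# parsed from `netstat -tlnp` output (-t TCP, -l listening, -n numeric, -p program).

# Constructed sample of `netstat -tlnp` output, so the example runs offline.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      912/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1044/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      2210/nginx
tcp6       0      0 ::1:631                 :::*                    LISTEN      912/cupsd
EOF
}

# Reads netstat output from stdin (or files given as arguments) and prints
#   <port> <pid> <program> <local address>
# for every TCP socket in LISTEN state that is not bound to loopback only.
exposed_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        port = addr; sub(/.*:/, "", port)       # text after the last ":"
        host = addr; sub(/:[^:]*$/, "", host)   # text before the last ":"
        if (host ~ /^127\./ || host == "::1") next   # loopback only
        pid = "?"; prog = "unknown"             # "-" means netstat hid the owner
        if ($7 != "-" && $7 != "") {
            split($7, p, "/"); pid = p[1]; prog = p[2]
        }
        print port, pid, prog, addr
    }' "$@" | sort -n
}

# Demo on the sample; on a real host: sudo netstat -tlnp | exposed_listeners
sample_netstat | exposed_listeners
```

A line with "?" in the PID column is a socket whose owner netstat did not show to the current user; rerunning as root fills it in.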


What are the statistics for each protocol?

To access the summary statistics for each type of protocol using the netstat command, we run:

netstat -s

Output:

[Screenshot: Statistics for each protocol]

Using the Netstat Command to Display the Routing Table

Any device on a network needs to decide where to route its data packets. The routing table contains the information used to make these decisions. To display the contents of the routing table in numeric form, we use the following command option:

netstat -rn

Output:

[Screenshot: Contents of routing table]

The kernel routing table consists of the following columns:

  • Destination – The address of the destination computer.
  • Gateway – The intermediate gateway address.
  • Genmask – The netmask, which is used to specify the available hosts in a network.
  • Flags – Specify the kind of routing.
  • MSS – Default Maximum Segment Size
  • Window – Default Window Size
  • irtt (Initial Round Trip Time) – Total time to send a signal and receive its acknowledgment.
  • Iface (Interface) – The interface through which the packets will be routed.

Note: A column with a zero value means that the default size is being used.


List out the active network interfaces

To access any information from the internet, there has to be some link between the system and the network. That point of interconnection is provided by a network interface. We run the command:

netstat -i

Output:

[Screenshot: Network interfaces]

The kernel interface table comprises:

  • Iface (Interface) – The kind of interface
  • MTU – Maximum Transmission Unit
  • RX – Received packets
  • TX – Transmitted packets
  • OK – Error-free packets
  • ERR – Packets with some error
  • DRP – Dropped packets
  • OVR – Packets lost due to overflow
  • Flg – Flags defining interface configuration

The netstat command offers far more than can be summed up in just one article. We can always refer to the man pages in Linux with:

man netstat

and to learn more about netstat options, we can ask for help in the terminal with:

netstat -h
