The term “netstat” stands for Network Statistics. In layman’s terms, netstat command displays the current network connections, networking protocol statistics, and a variety of other interfaces.
If we enter netstat in the terminal, without any background knowledge of computer networking, the system throws a wide range of networking jargon at us. It is the responsibility of the programmer to extract important information while flushing out the rest.
In this article, we will answer some of the queries related to computer networking using the netstat command.
Identify Active Network Connections Using the Netstat Command
To display all the active network connections in Linux, we use
netstat -a
Output:
The standard output contains six columns:
- Proto (Protocol) – The type of protocol used for the network connection, like TCP, UDP, etc.
- Recv-Q (Receiving Queue) – The amount of data (in bytes) in the waiting queue for the socket.
- Send-Q (Sending Queue) – The amount of data (in bytes) in the sending queue for the socket.
- Addresses – Each address contains the name of the host followed by ‘:’ and a port number
- Local Address – The address of the computer in which
netstatcommand is running. - Foreign Address – The address of the computer which is on the other end of the network.
- Local Address – The address of the computer in which
- State – The state of each network connection.
To understand this better, suppose we open a website www.lookip.net. On running the command:
netstat -a | grep lookip.net
We will get the following output:
As it quite clear that, we extracted all the network connections in progress with a particular foreign address. In the command, ‘|‘ is used to pass the output of one sub-command to another, whereas grep is a searching tool in Linux.
Note: This technique cannot be applied for all kinds of websites since not every website has a foreign address matching the URL.
To further experiment with the data provided by the netstat command, we can write commands focusing on protocols, addresses, or states:
Display all established connections
netstat -a | grep ESTABLISHED
Display all TCP connections in listening state
netstat -a | grep tcp | grep LISTEN
Instead of creating custom commands, Linux provides some in-built options for fetching specific information.
Filtering based on Protocols
For TCP specific queries, -t option is used. To display only the TCP connections:
netstat -at
Note: To apply multiple filters in a single netstat command, the options are appended.
For UDP specific queries, -u option is used. To display all the sockets following UDP :
netstat -au
State-based option:
To display all listening sockets:
netstat -l
Identify the programs using network connections using Netstat
To fetch the programs and their process IDs, we use:
netstat -p
For TCP specific programs:
netstat -pt
Output :
As we can notice, Chrome is accessing the internet with the process id as 16648. This information can be used to kill or stop any program accessing some network without the knowledge of the user.
Note: It may happen that some program information might be hidden if the current user is not the root user. To become a root user in Linux, the command sudo su and entering the password can help. For further information, refer to this.
Using the Netstat Command to List IP Addresses of Each Network Connection
For fetching all the data related to IP addresses and ports numerically, we use:
netstat -n
We can display addresses numerically for programs following TCP by:
netstat -ptn
Output:
The difference is very vivid as we can see the IP addresses as well as port numbers for each connection.
What are the statistics for each protocol?
To access the summary statistics for each type of protocol using the netstat command, we run:
netstat -s
Output:
Using the Netstat Command to Display the Routing Table
Any device on a network needs to decide where to route the data packets. The routing table contains information to make these decisions. To acquire the contents of the routing table in numerics, we use the following command option:
netstat -rn
Output:
The kernel routing table consists of the following columns:
- Destination – The address of the destination computer.
- Gateway – The intermediate gateway address.
- Genmask – The netmask which used to specify available hosts in a network.
- Flags – Specifies which kind of routing.
- MSS – Default Maximum Segment Size
- Window – Default Window Size
- irtt (Initial Round Trip Time) – Total time to send a signal and receive its acknowledgment.
- Iface (Interface) – The interface through which the packets will be routed.
Note: The columns having zero value means that the default size is being used.
List out the active network interfaces
To access any information from the internet, there has to be some link between the system and the network. That point of interconnection is provided by a network interface. We run the command:
netstat -i
Output:
The kernel interface table comprises of:
- Iface (Interface) – The kind of interface
- MTU – Maximum Transmission Unit
- RX – Received packets
- TX – Transmitted packets
- OK – Error-free packets
- ERR – Packets with some error
- DRP – Dropped packets
- OVR – Packets lost due to overflow
- Flg – Flags defining interface configuration
The command netstat features a wide range of knowledge which makes it impossible, to sum up in just one article. We can always refer man pages in Linux by:
man netstat
and to learn more about netstat options we can ask help in terminal by:
netstat -h
Great Explanation. Nicely written article. Good job.
learned alot