netstat
Display network connections, routing tables, interfaces
TLDR
List all ports
List all listening ports
List listening TCP ports
Display PID and program names
List information continuously
List routes and do not resolve IP addresses to hostnames
List listening TCP and UDP ports (+ user and process if you're root)
SYNOPSIS
netstat [options]
PARAMETERS
-a, --all
Displays all sockets, including both listening and non-listening (established) connections.
-l, --listening
Shows only listening sockets (i.e., servers waiting for connections).
-t, --tcp
Displays only TCP (Transmission Control Protocol) connections.
-u, --udp
Displays only UDP (User Datagram Protocol) connections.
-n, --numeric
Shows numerical addresses and port numbers instead of resolving hostnames, service names, and user IDs. This speeds up output.
-p, --programs
Displays the PID (Process ID) and name of the program owning the socket. Requires root privileges to see all processes.
-r, --route
Shows the kernel IP routing table. This is equivalent to using the route -e command.
-i, --interfaces
Displays a table of all network interfaces and their statistics, including bytes sent/received and error counts.
-s, --statistics
Presents per-protocol statistics for various network protocols (e.g., IP, ICMP, TCP, UDP).
-c, --continuous
Displays the selected information continuously, updating every one second until interrupted (Ctrl+C).
DESCRIPTION
The netstat (network statistics) command is a command-line utility used to display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. It provides a comprehensive overview of network activity on a Linux system.
Historically, netstat has been an essential tool for system administrators and network engineers for troubleshooting network connectivity issues, monitoring network performance, and identifying open ports or suspicious connections. It can show both active and passive sockets, including TCP, UDP, raw, and Unix domain sockets. Although widely used for decades, netstat is now considered deprecated in many modern Linux distributions. Its functionality has largely been superseded by tools from the iproute2 suite, primarily ss for socket information and ip for routing and interface details, which offer more robust features and better performance.
CAVEATS
The netstat command is part of the net-tools package, which has been largely superseded by the iproute2 suite in modern Linux distributions. While still present for backward compatibility, new development and features are focused on ss and ip. Users are encouraged to transition to these newer tools for more efficient and robust network management. Parsing netstat output in scripts can be fragile due to its text-based, human-readable format.
COMMON USE CASES
Here are some common ways to use netstat:
- To list all active TCP connections: netstat -atn
- To list all listening UDP ports with associated programs: netstat -ulpn
- To view the routing table: netstat -rn
- To monitor interface statistics continuously: netstat -ic
TCP SOCKET STATES
netstat output often includes TCP socket states, which are crucial for understanding connection lifecycles:
- LISTEN: The server is waiting for a connection request.
- ESTABLISHED: A connection is actively open and data is being exchanged.
- TIME_WAIT: The client has closed its end of the connection, but is waiting for the server to acknowledge.
- CLOSE_WAIT: The server has received a FIN from the client and is waiting for the application to close the socket.
- SYN_SENT: A connection request has been sent.
- SYN_RECV: A connection request has been received and a SYN-ACK has been sent.
HISTORY
The netstat utility has been a staple in Unix-like operating systems for decades, providing essential network diagnostic capabilities. It was historically bundled as part of the net-tools package. With the advent of IPv6 and the need for more efficient and scriptable network management tools, the iproute2 suite began to replace net-tools. Commands like ss and ip were developed to offer superior performance, better IPv6 support, and more machine-parseable output, leading to netstat's eventual deprecation in many contemporary Linux systems.