LinuxCommandLibrary

netstat

Display network connections, routing tables, interfaces

TLDR

List all ports

$ netstat [[-a|--all]]
copy

List all listening ports
$ netstat [[-l|--listening]]
copy

List listening TCP ports
$ netstat [[-t|--tcp]]
copy

Display PID and program names
$ netstat [[-p|--program]]
copy

List information continuously
$ netstat [[-c|--continuous]]
copy

List routes and do not resolve IP addresses to hostnames
$ netstat [[-rn|--route --numeric]]
copy

List listening TCP and UDP ports (+ user and process if you're root)
$ netstat [[-tulpne|--tcp --udp --listening --program --numeric --extend]]
copy

SYNOPSIS

netstat [options]

PARAMETERS

-a, --all
    Displays all sockets, including both listening and non-listening (established) connections.

-l, --listening
    Shows only listening sockets (i.e., servers waiting for connections).

-t, --tcp
    Displays only TCP (Transmission Control Protocol) connections.

-u, --udp
    Displays only UDP (User Datagram Protocol) connections.

-n, --numeric
    Shows numerical addresses and port numbers instead of resolving hostnames, service names, and user IDs. This speeds up output.

-p, --programs
    Displays the PID (Process ID) and name of the program owning the socket. Requires root privileges to see all processes.

-r, --route
    Shows the kernel IP routing table. This is equivalent to using the route -e command.

-i, --interfaces
    Displays a table of all network interfaces and their statistics, including bytes sent/received and error counts.

-s, --statistics
    Presents per-protocol statistics for various network protocols (e.g., IP, ICMP, TCP, UDP).

-c, --continuous
    Displays the selected information continuously, updating every one second until interrupted (Ctrl+C).

DESCRIPTION

The netstat (network statistics) command is a command-line utility used to display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. It provides a comprehensive overview of network activity on a Linux system.

Historically, netstat has been an essential tool for system administrators and network engineers for troubleshooting network connectivity issues, monitoring network performance, and identifying open ports or suspicious connections. It can show both active and passive sockets, including TCP, UDP, raw, and Unix domain sockets. Although widely used for decades, netstat is now considered deprecated in many modern Linux distributions. Its functionality has largely been superseded by tools from the iproute2 suite, primarily ss for socket information and ip for routing and interface details, which offer more robust features and better performance.

CAVEATS

The netstat command is part of the net-tools package, which has been largely superseded by the iproute2 suite in modern Linux distributions. While still present for backward compatibility, new development and features are focused on ss and ip. Users are encouraged to transition to these newer tools for more efficient and robust network management. Parsing netstat output in scripts can be fragile due to its text-based, human-readable format.

COMMON USE CASES

Here are some common ways to use netstat:
- To list all active TCP connections: netstat -atn
- To list all listening UDP ports with associated programs: netstat -ulpn
- To view the routing table: netstat -rn
- To monitor interface statistics continuously: netstat -ic

TCP SOCKET STATES

netstat output often includes TCP socket states, which are crucial for understanding connection lifecycles:
- LISTEN: The server is waiting for a connection request.
- ESTABLISHED: A connection is actively open and data is being exchanged.
- TIME_WAIT: The client has closed its end of the connection, but is waiting for the server to acknowledge.
- CLOSE_WAIT: The server has received a FIN from the client and is waiting for the application to close the socket.
- SYN_SENT: A connection request has been sent.
- SYN_RECV: A connection request has been received and a SYN-ACK has been sent.

HISTORY

The netstat utility has been a staple in Unix-like operating systems for decades, providing essential network diagnostic capabilities. It was historically bundled as part of the net-tools package. With the advent of IPv6 and the need for more efficient and scriptable network management tools, the iproute2 suite began to replace net-tools. Commands like ss and ip were developed to offer superior performance, better IPv6 support, and more machine-parseable output, leading to netstat's eventual deprecation in many contemporary Linux systems.

SEE ALSO

ss(8), ip(8), lsof(8), route(8)

Copied to clipboard