Understanding and troubleshooting with the netstat command

Table of Contents

The netstat command is a highly practical tool for network diagnostics, configurations, and other port-scanning activities. More specifically, system administrators use it for network troubleshooting and performance diagnostics.

The netstat command works on Microsoft Windows, Linux, Unix, FreeBSD, and more. Therefore, all the commands in this article will produce the same results irrespective of your operating system, unless otherwise stated for Linux.

The Linux operating system comes with a considerable number of built-in capabilities pre-installed. Depending on their level of expertise, users may not be fully aware of the capabilities of a particular command. This article provides the basics of netstat and how to troubleshoot network issues with it.

Functions

We will learn how the netstat command functions by seeing its commonly used applications. We will see how to generate routing information, network interface statistics, or run port-scanning operations with the command. It might be a good idea to take notes on the most frequently recurring options and what they do, because they will come in handy while working with other commands.

Displaying kernel routing table

Using the netstat command with the -r option lists the kernel routing information in the same way as with the route command. 

$ netstat -rn 
Kernel IP routing table 
Destination     Gateway         Genmask         Flags   MSS
Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0
0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0
0 eth0

Note that the additional -n option is used to disable hostname lookup. It configures the netstat command to display addresses as dot-separated quad IP numbers instead of host and network names in the form of symbols.

Displaying configured network interface statistics

The -i option configures the netstat command to display network interface statistics. By including the -a option, we’ll include all interfaces present on the kernel in the output, not just those currently configured. 

$ netstat -i
Kernel Interface table
Iface       MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0     31611      0      0 0         27503      0      0      0 BMRU
lo        65536 0      2913      0      0 0          2913      0      0      0 LRU

Simply put, the MTU field displays the current MTU, while the Met field displays the metric values of the interface. The other fields display additional information:

  • The -OK suffixed fields indicate successfully received (RX) or transferred (TX) packets.
  • The -ERR suffixed fields indicate connections with errors.
  • The -DRP suffixed fields indicate the amount of packets dropped.
  • The -OVR suffixed fields indicate the amount of packets lost due to overrun.

The netstat command supports the use of some options in listing active and passive sockets. These options include:

  • -t for active TCP socket connections
  • -u for active UDP socket connections
  • -w for active RAW socket connections
  • -x for active Unix socket connections

Adding the -a option will display sockets that are listening for connection. This output will be a list of all servers currently running on the Linux machine.

TCP/IP and port-scanning operations with netstat

Port scanning is the process of locating listening ports in a system.

A listening port is a free port that listens for incoming traffic from applications and processes. You can use a firewall to manage listening ports by opening or closing them. The open ports accept incoming packets from remote locations, while the closed ports are occupied by an application or a process.

Some common ports that are open by default:

Port number Description
20 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
25 Simple Mail Transfer Protocol (SMTP)
53 Domain Name System (DNS)
80 Hypertext Transfer Protocol (HTTP)
110 Post Office Protocol (POP3)
143 Internet Message Access Protocol (IMAP)
443 HTTP Secure (HTTPS)

Listening operations should be implemented on a frequent basis, as any port opened to outside connections is a possible point of entry into your system. If there’s anything unwanted listening for connections, make sure to remove the package by following the steps below:

  • Navigate to System Security | Firewalls in your system’s control panel.
  • Select New Rule.
  • For an inbound port, select Inbound Rules; for an outbound port, select Outbound Rules, then click Next.
  • Specify the protocol used by the port (TCP or UDP).
  • Click Specific Local Ports and enter the port number.
  • Click Next, followed by Block the Connection, and Next again.
  • Choose the applicable network location(s), click Next, then Finish.

A service can always be disabled, but it’s best to remove the underlying package so that it cannot be started by accident. Packages can always be reinstalled later.

Quick check

Let’s examine, for example, how to use the netstat -untlp command to address any currently connected and listening ports.

This command displays anything listening for incoming traffic and the port it is listening on. Breaking this command down, the first parameter, -t, identifies your request for information pertaining to TCP. Next, -u represents UDP; -l requests listening sockets; -p attempts to show the name of the program; and -n shows numeric values. Putting it all together, you get netstat -tulpn:

$ sudo netstat -untlp

The first column displays active and established connections in the following headers:

Header Description
Proto The connection protocol (TCP or UDP)
Recv-Q Queue of bytes received or ready to be received
Send-Q Queue of bytes ready to be sent
Local address The details of the address and the local connection port (an asterisk indicates that the port is open)
Foreign address The details of the address and the remote connection port (an asterisk indicates that the port is not yet established)
State The state of the socket showing whether the connection to the port is established or not, and if it’s an open or a closed port

How to list all ports

The -a command is used to list all ports. The output will be similar to this: 

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 enlightened:domain      *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 enlightened.local:54750 li240-5.members.li:http ESTABLISHED
tcp        0      0 enlightened.local:49980 del01s07-in-f14.1:https ESTABLISHED
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
udp        0      0 enlightened:domain      *:*
udp        0      0 *:bootpc                *:*
udp        0      0 enlightened.local:ntp   *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
udp        0      0 *:58570                 *:*
udp        0      0 *:mdns                  *:*
udp        0      0 *:49459                 *:*
udp6       0      0 fe80::216:36ff:fef8:ntp [::]:*
udp6       0      0 ip6-localhost:ntp       [::]:*
udp6       0      0 [::]:ntp                [::]:*
udp6       0      0 [::]:mdns               [::]:*
udp6       0      0 [::]:63811              [::]:*
udp6       0      0 [::]:54952              [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     12403    @/tmp/dbus-IDgfj3UGXX
unix  2      [ ACC ]     STREAM     LISTENING     40202    @/dbus-vfs-daemon/socket-6nUC6CCx

Here the LISTEN state signifies that sshd is listening for incoming IP packets on all network interfaces and IPs on TCP port 22. The ESTABLISHED state shows an active SSH connection, listing the system's local address and port as well as the Recv-Q and Send-Q columns.

Listing all active listening ports

Use the netstat command and the -l option to listen only to active ports, with the following output:

$ netstat -l
Active Internet connections (only servers)
Proto  Recv-Q Send-Q   Local Address         Foreign Address
State
tcp         0      0

You can also list the ports that are being listened to. This works for root users on a Linux machine:

$sudo netstat -plnt

Listing specific ports

TCP and UDP ports perform different functions. TCP provides an orderly and error-checked stream of packets, while UDP provides a faster stream of packets at the expense of error checking. The netstat command supports options to list both ports separate from one another.

TCP ports

Adding the -at option to the netstat command will display all TCP ports. Note that excluding the -a option will display only active ports:

$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address State
tcp        0      0 enlightened:domain      *:* LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 enlightened.local:36310 del01s07-in-f24.1:https ESTABLISHED
tcp        0      0 enlightened.local:45038 a96-17-181-10.depl:http ESTABLISHED
tcp        0      0 enlightened.local:37892 ABTS-North-Static-:http ESTABLISHED
.....

UDP ports

Likewise, the -au options added to the netstat command will list all UDP ports. Forgoing the -a option will display only active ports: 

$ netstat -au
AActive Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:34660                 *:*
udp        0      0 enlightened:domain      *:*
udp        0      0 *:bootpc                *:*
udp        0      0 enlightened.local:ntp   *:*
udp        0      0 localhost:ntp           *:*
udp        0      0 *:ntp                   *:*
udp6       0      0 fe80::216:36ff:fef8:ntp [::]:*
udp6       0      0 ip6-localhost:ntp       [::]:*
udp6       0      0 [::]:ntp                [::]:*

Troubleshooting with netstat

Troubleshooting with netstat involves identifying, diagnosing, and solving network problems by adding options to the command. In addition to the -untlp option above, you can use the grep option for troubleshooting issues.

Using netstat + grep

To see what process is occupying a specific port, you can use the grep option.

# netstat -an | grep ':80'

This is helpful, for example, when you’re trying to run a web server on a particular port and discover it’s already in use.

If you discover that an unknown service is connected to a port, take immediate action by copying and pasting the details into a search engine to identify the service.

Listing raw network statistics only

Network statistics are displayed using the -s option with the netstat command:

$ netstat -s
Ip:
 30525 total packets received
 0 forwarded
 0 incoming packets discarded
  20375 incoming packets delivered
 16250 requests sent out
 40 outgoing packets dropped
Icmp:
 325 ICMP messages received
 0 input ICMP message failed.
 ICMP input histogram:
 destination unreachable: 125
 325 ICMP messages sent
 0 ICMP messages failed
 ICMP output histogram:
 destination unreachable: 125
 ... OUTPUT TRUNCATED …

Advanced uses of the netstat command

We have seen how netstat can be used for troubleshooting and displaying statistics. The netstat command can also be applied in two advanced use cases.

Monitoring logins in an SSH Server

Let’s say you’re running a public server such as an SSH web server. The SSH server will open a port in the server system for users to access and log in.

The default port for sshd is TCP port 22. With the netstat command, you can monitor all open ports, using the options together with the command, as shown below: 

$ sudo netstat -untap | sed '2p;/ssh/!d'
Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  1296/sshd: /usr/sbi
tcp6       0      0 :::22          :::*             LISTEN  1296/sshd: /usr/sbi

The IP address and port number are combined to tell your Linux machine where to send SSH packets.

Monitoring a web browsing session

The netstat command can also be used to monitor your internet browsing session: 

$ netstat -punta
Proto  Local Address         Foreign Address    State        PID/Program name
[...]
tcp    192.168.43.234:50586  72.21.91.66:443    ESTABLISHED  2798/firefox
tcp    192.168.43.234:38262  52.36.174.147:443  ESTABLISHED  6481/chrome
tcp    192.168.43.234:53232  99.86.33.45:443    ESTABLISHED  2798/firefox
[...]

Your computer may secretly listen or connect to an unknown website. An excellent way to detect this is to monitor connections with the netstat command:

$ netstat -abf 5 > activity.txt

The -a option lists all connections and listening ports; -b displays all applications making the connections; while -f shows the complete DNS name of every listed connection, for ease of identifying the connection source. The > symbol pushes the results to an activity.txt file.

Conclusion

While the netstat command is a powerful system administrator tool, you don’t have to be a sysadmin to make use of it. As we have seen, netstat is useful in many scenarios, even if our goal is just securing day-to-day browsing activities.

But netstat should not be limited to the commands discussed here alone—options and flags can significantly expand the scope of what is possible with the netstat command.

Was this article helpful?
Monitor your Linux environment

Check the health and availability of your Linux servers for optimal performance with Site24x7's Linux monitoring tool.

Related Articles

Resolve process network usage issues

Understanding network usage in processes is the key to learning and fixing potential problems related to it. Learn more about Linux network issues, the key metrics to be tracked, the tools to be used, and common solutions.

How to troubleshoot high I/O wait time in Linux

Is high I/O wait time affecting system performance? Find out how to easily identify and fix performance issues.

Understanding and troubleshooting page faults and memory swapping

Paging and memory swapping are two common memory management techniques for the allocation and deallocation of memory. Learn pertinent issues with page faults and memory swaps as commonly occurring exceptions.

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 "Learn" portal. Get paid for your writing.

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 “Learn” portal. Get paid for your writing.

Apply Now
Write For Us