Mastering the Netstat Command in Linux: A Comprehensive Guide

The netstat command in Linux is a powerful tool for monitoring network connections and diagnosing network issues effectively.

Understanding the Netstat Command

Netstat, short for network statistics, is a command-line tool available on Linux, Windows, and macOS. It provides real-time insights into active TCP and UDP connections, listening ports, routing tables, and network interfaces. While modern Linux distributions have moved towards ss (socket statistics) for faster performance and more detailed output, netstat remains useful for troubleshooting network problems and performing security analysis.

Netstat Command Syntax

The basic syntax of the netstat command is:

netstat [options]

Running netstat without options will display a list of active network connections and socket statistics. The first section of the output shows active connections with six columns:

  • Proto – displays the protocol used (TCP or UDP).
  • Recv-Q – shows the number of bytes received that are waiting to be processed.
  • Send-Q – indicates the number of bytes in the send queue waiting for transmission.
  • Local Address – displays the IP address and port number of the machine.
  • Foreign Address – shows the remote system’s IP address and port number connected to the machine.
  • State – indicates the connection status, such as LISTEN, ESTABLISHED, or TIME_WAIT.

Meanwhile, you’ll see UNIX domain statistics in the second section, which include:

  • Proto – specifies the protocol in use.
  • RefCnt – shows the reference count of the socket.
  • Flags – displays the socket flags, such as ACC (accept) or W (writeable).
  • Type – indicates the socket type, such as STREAM, DGRAM, or SEQPACKET.
  • State – shows the current state of the socket.
  • I-Node – represents the inode number associated with the socket.
  • Path – displays the file system path for the socket, if applicable.

Netstat Command Options

Like most Linux commands, netstat provides several options to customize its output. Here are some of the most commonly used options:

  • -a – display all active connections and listening ports.
  • -t – show TCP connections.
  • -u – show UDP connections.
  • -n – display numerical addresses instead of resolving hostnames.
  • -l – show only listening sockets.
  • -p – show the PID and name of the program to which each socket belongs.

You can also combine multiple options to filter specific details. For instance, to list all listening TCP and UDP sockets with numerical addresses and associated processes, type:

netstat -tunlp
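
As an added example (not part of the original guide), the function below reads netstat -tunlp output and marks every listener that is reachable beyond loopback and is not on an allow-list you supply. The names audit_listeners and sample_listeners, the allow-list format (proto/port) and the sample rows are assumptions made for illustration; the sample output is constructed, not captured from a real host.

```sh
#!/bin/sh
# Constructed sample of `netstat -tunlp` output (illustrative only).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1044/postgres
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1190/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      950/nginx
udp        0      0 127.0.0.53:53           0.0.0.0:*                           640/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
EOF
}

# Usage: netstat -tunlp | audit_listeners "tcp/22 tcp/80 udp/68"
# Prints one line per listener: verdict, proto, local address, scope, program.
audit_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        proto = $1; sub(/6$/, "", proto)
        # TCP rows carry a State column; UDP rows do not, so the
        # PID/Program field is $7 for TCP and $6 for UDP.
        if (proto == "tcp") { if ($6 != "LISTEN") next; prog = $7 } else prog = $6
        # The port follows the last colon, which also handles IPv6 (":::80").
        port = $4; sub(/.*:/, "", port)
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host == "0.0.0.0" || host == "::") scope = "all-interfaces"
        else if (host ~ /^127\./ || host == "::1") scope = "loopback"
        else scope = "specific"
        key = proto "/" port
        verdict = (scope == "loopback" || (key in ok)) ? "ok" : "REVIEW"
        printf "%-6s %-4s %-22s %-15s %s\n", verdict, $1, $4, scope, prog
    }'
}

# Demonstration on the constructed sample; on a live host, pipe in
# the real command output instead (run as root so -p can show every PID).
sample_listeners | audit_listeners "tcp/22 tcp/80 udp/68"
```

Lines marked REVIEW are listeners bound to a non-loopback address on a port you did not expect; the Redis row in the sample is the only one flagged.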

Netstat Command Examples

Unlike other networking tools such as telnet, which require manual installation on Linux, netstat comes preinstalled on many distributions, so you can start executing commands immediately in the terminal.

View All Active Connections

The netstat -a command displays all active network connections, including listening and non-listening sockets. It helps diagnose network activity, open ports, and potential security risks by identifying unexpected connections. Run the following command:

netstat -a

If a connection’s state is ESTABLISHED, it means an active two-way communication exists between your machine and a remote system. If it’s LISTEN, the port is open and waiting for incoming connections.

Check TCP Connections

If you want to view only active Transmission Control Protocol (TCP) connections, use netstat with the -a and -t options. This lets you quickly identify issues affecting TCP-based services such as web servers, SSH, and database connections.

netstat -at

If you notice many ESTABLISHED connections, it may indicate a high load on a specific service or an ongoing attack. Meanwhile, multiple TIME_WAIT or CLOSE_WAIT states show that the server struggles to close connections properly, which can lead to resource exhaustion.
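
To turn that reading into numbers, the following added example (not from the original guide) counts sockets per TCP state and lists remote addresses holding many ESTABLISHED connections to one local port. It expects numeric output (netstat -ant); the function names tcp_states and busy_peers, the threshold and the sample rows are assumptions, and the sample uses documentation-range addresses.

```sh
#!/bin/sh
# Constructed sample of `netstat -ant` output (illustrative only).
sample_tcp() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51515      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51516      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:40022       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:40100       TIME_WAIT
tcp        1      0 192.0.2.10:8080         203.0.113.9:40101       CLOSE_WAIT
tcp        1      0 192.0.2.10:8080         203.0.113.9:40102       CLOSE_WAIT
EOF
}

# Count sockets per TCP state, busiest state first.
# Usage: netstat -ant | tcp_states
tcp_states() {
    awk '$1 ~ /^tcp6?$/ { c[$6]++ } END { for (s in c) print c[s], s }' |
        sort -k1,1nr -k2,2
}

# Count ESTABLISHED connections per remote address (port stripped) to one
# local port and print the peers at or above a threshold.
# Usage: netstat -ant | busy_peers LOCAL_PORT THRESHOLD
busy_peers() {
    awk -v port="$1" -v min="$2" '
    $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
        lp = $4; sub(/.*:/, "", lp)          # local port after the last colon
        if (lp != port) next
        peer = $5; sub(/:[^:]*$/, "", peer)  # drop the remote port only
        n[peer]++
    }
    END { for (p in n) if (n[p] >= min) print n[p], p }' |
        sort -k1,1nr -k2,2
}

# Demonstration on the constructed sample.
sample_tcp | tcp_states
sample_tcp | busy_peers 443 3
```

A state table dominated by one peer's ESTABLISHED connections, or a CLOSE_WAIT count that keeps growing between runs, tells you which service and which remote address to look at next.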

List All UDP Connections

Monitoring User Datagram Protocol (UDP) connections helps identify packet loss, high latency, or unexpected traffic. To filter the output and display only UDP-based network activities, including both open and connected UDP ports, use this command:

netstat -au

Since UDP is a connectionless protocol, the output doesn’t include values in the State column, unlike in the previous example that shows active TCP connections.

TCP establishes a connection before transmitting data for reliable and error-free communication, which is ideal for web browsing, file transfers, and email. In contrast, UDP sends packets without requiring a handshake, making it faster but less reliable, which suits low-latency applications like DNS lookups and VoIP.

Show Numerical Addresses

By default, netstat resolves IP addresses into human-readable hostnames, which can slow down command execution on networks with numerous connections. To disable hostname resolution and display numerical IP addresses, add the -n option:

netstat -n

When executed, netstat displays connections in numerical form, such as 192.168.1.100:443 instead of example.tld:443. This is useful when analyzing local and foreign addresses in active connections, as it provides a faster and clearer view of network activity.

Display Listening Ports

You can identify which services are actively listening for incoming connections on all open ports by executing:

netstat -l

The output displays only sockets in the LISTEN state, meaning they are actively waiting for incoming connections. For more filtered results, combine the -l option with -t for TCP or -u for UDP-only connections:

netstat -lt  # Show only listening TCP ports
netstat -lu  # Show only listening UDP ports

Analyze Routing Tables

The netstat -r command examines how your system routes network traffic.

netstat -r

It provides details such as destination networks, gateways, and interface information. Here’s what each column in the output represents:

  • Destination – the target network or IP address.
  • Gateway – the next hop for reaching the destination.
  • Genmask – the subnet mask defining the network range.
  • Flags – indicators such as UG (Up, Gateway) or U (Up, direct route).
  • MSS – the maximum segment size (MSS) for TCP connections on the route.
  • Window – the maximum TCP window size for the route.
  • irtt – the initial round-trip time (RTT) for TCP connections, measured in milliseconds.
  • Iface – the network interface handling the route.

Identify Protocol Statistics

Using netstat with the -s option, you can find detailed statistics for different network protocols, including TCP, UDP, ICMP, and IP. This is beneficial for identifying packet loss, transmission errors, and dropped connections.

netstat -s

The output organizes statistics by protocol. For instance, TCP stats include values for active connections, retransmissions, and dropped packets, while UDP stats show details on datagrams received, sent, or discarded.

Pro tip: When troubleshooting network issues with netstat -s, look for:

  • High retransmissions – indicates network congestion or unstable connections.
  • Packet loss in UDP – suggests network interference or insufficient bandwidth.
  • ICMP errors – signals routing issues or firewall restrictions.

Conclusion

Mastering the netstat command in Linux can significantly enhance your ability to monitor and troubleshoot network activity on your system. By understanding its syntax, options, and practical applications, you can efficiently diagnose issues, analyze network performance, and improve security. Whether you’re a beginner or intermediate user, incorporating netstat into your toolkit will undoubtedly make network management more accessible and effective.

Netstat Command FAQ

What does the netstat command do?

The netstat command provides real-time insights into network connections, including active TCP and UDP connections, listening ports, routing tables, and protocol statistics.

How do I use the netstat command?

To use netstat, open your terminal and enter the command with desired options. For example, netstat -a to view all active connections or netstat -t for TCP connections only.

How is netstat different from the ss command?

The ss command is a modern replacement for netstat. It offers faster performance and more detailed output, but netstat remains widely used for its simplicity and familiarity.
