netstat is a very useful utility that some system administrators use every day, while others resort to it only for troubleshooting. Either way, understanding this utility and being able to use it is very useful.
The command has a total of 10 parameters, of which probably the most frequently used is -a, which displays all connections and ports in use. However, even without any parameters, netstat displays quite useful information.
Now consider the useful parameters of the netstat utility.
Full domain name: With the -f parameter, netstat displays the fully qualified domain names of the connected remote hosts. Names are resolved by any available means. In the figure below you can see an example of this action:
Which process is using the open port: With the combination of parameters -a -n -o you can track which process is using an open port. From the output of the command, we learn the process ID (PID), with which we can find the desired process in Task Manager.
You can use another useful parameter for a friendlier display of information: the -b parameter shows the name of each process; however, it requires administrator rights.
Routing table display: With the -r parameter you can see the current routing table.
I most often use exactly these 4 parameters for diagnosing Windows problems. How else do you use netstat, and why?
The NETSTAT command is designed to obtain information about the state of network connections and the TCP and UDP ports being listened on by this computer, as well as to display statistics on network interfaces and protocols.
Command line format:
NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [interval]
Command line options:
-a - Display all connections and listening ports.
-b - Display the executable involved in creating each connection or listening port. Some well-known executables host multiple independent components; in that case the sequence of components involved in creating the connection or listening port is displayed. The name of the executable is then at the bottom in brackets, above it is the component it called, and so on until TCP/IP is reached. Note that this option can take a long time and requires sufficient permissions.
-e - Display Ethernet statistics. Can be used in conjunction with the -s option.
-f - Display the fully qualified domain name (FQDN) for external addresses.
-n - Display addresses and port numbers in numerical format.
-o - Display the process ID (PID) that owns each connection.
-p protocol - Display connections for the protocol specified by this option. Valid values are TCP, UDP, TCPv6, or UDPv6. When used with the -s option to display protocol statistics, valid values are IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r - Display the contents of the route table.
-s - Display protocol statistics. By default, statistics are displayed for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6 protocols. The -p option allows you to specify a subset of the output.
-t - Display the offload state of the current connection, i.e. whether processing is transferred from the processor to the network adapter when transferring data ("offload").
-v - Detailed information output, if possible.
interval - Re-display the statistics after the specified interval in seconds. To stop the output, press CTRL+C. If the parameter is not specified, information about the current configuration is displayed once.
In practice, it is convenient to use netstat.exe in a pipeline with the paging command (more), redirection of standard output to a file (>), and text search in the output (find).
netstat -a | more - display all connections in page-by-page mode.
netstat -a -n | more - the same as in the previous example, but with port numbers and IP addresses displayed in numerical format. Unlike the previous example, netstat with the -n parameter works much faster.
netstat -a -f | more - the same as in the previous example, but with the full DNS names of the hosts participating in the connection.
netstat -a > C:\netstatall.txt - display all connections and write the results to the file C:\netstatall.txt.
netstat -a | find /I "LISTENING" - display all connections with the LISTENING status, i.e. a list of network interfaces and ports waiting for incoming connections ("listening" ports). The /I switch of the find command makes the text search case-insensitive.
netstat -a | find /I "listening" > C:\listening.txt - display all connections with the LISTENING status and write the results to the file C:\listening.txt.
Example of displayed information:
Active Connections
Name - the name of the protocol.
Local address - the local IP address involved in the connection or associated with the service waiting for incoming connections (listening port). If 0.0.0.0 is displayed as the address, it means "any address", i.e. any IP address existing on this computer can be used in the connection. The address 127.0.0.1 is the loopback interface, used as an IP facility for communication between processes without actual transmission of data.
External address - the external IP address involved in creating the connection.
State - the connection state. The LISTENING state indicates that the line shows information about a network service waiting for incoming connections, over the corresponding protocol, on the address and port displayed in the Local address column. The ESTABLISHED state indicates an active connection. For TCP connections, the State column can show the current stage of the TCP session, determined by processing the flag values in the TCP header (SYN, ACK, FIN ...). Possible states:
CLOSE_WAIT - waiting for the connection to close.
CLOSED - the connection is closed.
ESTABLISHED - the connection is established.
LISTENING - waiting for a connection (listening port).
TIME_WAIT - response time exceeded.
The name of the program module associated with a connection is displayed if the -b parameter is given on the command line when you run netstat.exe.
netstat -a -b - get a list of all network connections and related programs.
TCP 192.168.0.3:3389 89.22.52.11:5779 ESTABLISHED
CryptSvc
This example displays information about a connection that the software components CryptSvc and svchost.exe took part in creating.
netstat -ab - command line parameters can be combined. The parameter -ab is equivalent to -a -b.
netstat -e - get statistics for exchange over Ethernet. Displays the total number of bytes received and sent for all Ethernet network adapters.
Interface Statistics
netstat -e -v - in addition to summary statistics, information about data exchange through individual network interfaces is displayed.
netstat -e -s - in addition to Ethernet statistics, statistics for the IP, ICMP, TCP, and UDP protocols are displayed.
Interface Statistics
IPv4 statistics
Packets Received = 10877781
Received Header Errors = 0
Received Address Errors = 27307
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 448
Received Packets Delivered = 11384479
Output Requests = 11919871
Routing Discards = 0
Discarded Output Packets = 1517
Output Packet No Route = 6
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 5918
Datagrams Failing Fragmentation = 0
Fragments Created = 11836
IPv6 statistics
Packets Received = 0
Received Header Errors = 0
Received Address Errors = 0
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 391
Output Requests = 921
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 14
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0
ICMPv4 statistics
ICMPv6 Statistics
TCP statistics for IPv4
TCP statistics for IPv6
UDP statistics for IPv4
UDP statistics for IPv6
netstat -s -p icmp - get statistics for the ICMP protocol only.
Example of displayed statistics:
ICMPv4 statistics
For cyclic polling of the state of network connections, run the program with an interval, in seconds, at which the statistics are re-displayed.
netstat -e 3 - display Ethernet statistics at an interval of 3 seconds.
netstat -f 10 - display network connection statistics every 10 seconds using full DNS hostnames.
netstat -n 5 | find /i "Established" - display statistics on established connections every 5 seconds.
The netstat command, included in the standard set of UNIX network tools, displays various network-related information such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
In this article, we will look at ten practical examples of using the netstat command on Linux.
List all ports: netstat -a
# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
udp6       0      0 fe80::20c:29ff:fe68:ntp [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     20492    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     23323    /var/run/php5-fpm.sock
List all TCP ports: netstat -at
# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN
List all UDP ports: netstat -au
# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 localhost:domain        *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 fe80::20c:29ff:fe68:ntp [::]:*
List all listening ports: netstat -l
# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 192.168.128.134:ntp     *:*
List TCP listening ports: netstat -lt
# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
List listening UDP ports: netstat -lu
# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:ntp                [::]:*
List UNIX sockets listening: netstat -lx
# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     3141     /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     20492    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     23323    /var/run/php5-fpm.sock
Show statistics of all ports: netstat -s
# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    13791 ICMP messages received
    12 input ICMP message failed.
Tcp:
    15020 active connections openings
    97955 passive connection openings
    135 failed connection attempts
Udp:
    2841 packets received
    180 packets to unknown port received.
.....
Show statistics of TCP ports only: netstat -st
# netstat -st
Show statistics of UDP ports only: netstat -su
# netstat -su
The netstat -p option adds "PID/Program name" to the netstat output and can be combined with any other set of options. This is very useful when debugging, to determine which program is running on a particular port.
# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55723 ESTABLISHED 9486/nginx: worker
tcp        0      0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55757 ESTABLISHED 9486/nginx: worker
When you don't need host names, port names, or user names resolved, use the netstat -n option to display values in numeric format. The command shows the IP address instead of the host name, the port number instead of the port name, and the UID instead of the user name.
This will also speed up the output, as netstat won't do unnecessary lookups.
# netstat -an
To display numerical values for only some of these items, use the following commands:
# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users
The netstat -c option displays information continuously, in the style of top, refreshing the screen every few seconds.
# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 org-ru-putty.vm.udf:www 182.131.74.202:59933    FIN_WAIT2
tcp        0      0 org-ru-putty.vm.udf:www 182.131.74.202:63761    FIN_WAIT2
tcp        0      0 org-ru-putty.vm.udf:www 92-181-66-102-irk.:4585 ESTABLISHED
^C
The netstat --verbose option shows detailed output and, at the very end, lists the unsupported address families.
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
Show kernel routing table: netstat -r
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.128.2   0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.255.0   U         0 0          0 eth0
Note: Use netstat -rn to view the routes in numeric format without resolving hostnames.
Find out which port is occupied by a certain program:
# netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 *:ssh                   *:*                     LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -
Find out which process is using a particular port:
# netstat -anp | grep ":80"
Show list of network interfaces: netstat -i
# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500   0 1911037      0      0      0 1382056      0      0      0 BMRU
lo    16436   0       0      0      0      0       0      0      0      0 LRU
Show extended information about interfaces (similar to ifconfig): netstat -ie
# netstat -ie
Kernel Interface table
eth0  Link encap:Ethernet  HWaddr 00:0c:29:68:4c:a4
      inet addr:192.168.128.134  Bcast:192.168.128.255  Mask:255.255.255.0
      inet6 addr: fe80::20c:29ff:fe68:4ca4/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:24278 errors:0 dropped:0 overruns:0 frame:0
      TX packets:11275 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:33203025 (33.2 MB)  TX bytes:665822 (665.8 KB)
      Interrupt:19 Base address:0x2000
Let's summarize the above and combine the keys into one useful command which will show:
Note: Not all processes can be identified by the last key; processes owned by other users will not be shown. You must have root permissions to see everything.
# netstat -lnptux
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9614/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      601/sshd
udp        0      0 8.8.4.4:123             0.0.0.0:*                           574/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           574/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           574/ntpd
Cnt Flags Type State I-Node PID/Program name Path
unix 2 [ ACC ] STREAM LISTENING 4233 826 160413 7301/php-fpm.conf /var/run/php5-fpm.sock
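A listing like the one above is the usual starting point for checking what a host exposes. As an added example (not part of the original article), the script below reduces `netstat -lnptu` output to the sockets bound to all interfaces and compares them with an allow-list. The function names, the allow-list format (one "proto/port" per line) and the sample rows are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit listening sockets in `netstat -lnptu` output.
# SAMPLE is constructed input in the format shown above; PIDs and names are made up.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9614/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      601/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp6       0      0 :::8080                 :::*                    LISTEN      4410/java
udp        0      0 127.0.0.1:123           0.0.0.0:*                           574/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           574/ntpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -'

# Read netstat output on stdin and print "proto/port program" for every socket
# bound to a wildcard address (0.0.0.0, :: or *), i.e. reachable on all interfaces.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)          # text after the last colon
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host != "0.0.0.0" && host != "::" && host != "*") next
        prog = "unknown"                           # "-" is shown when not run as root
        for (i = 6; i <= NF; i++)                  # udp rows have no State column
            if ($i ~ /^[0-9]+\//) { prog = $i; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog); break }
        proto = $1; sub(/6$/, "", proto)           # report tcp6/udp6 as tcp/udp
        print proto "/" port " " prog
    }' | LC_ALL=C sort -u
}

# Same input on stdin; print only the exposed listeners whose "proto/port"
# is not listed in the allow-list file given as $1.
unexpected_listeners() {
    exposed_listeners | awk -v allow="$1" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    !($1 in ok)'
}

# Demo on the constructed sample; on a live host: netstat -lnptu | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

A listener reported as "unknown" means netstat could not see the owning process, which is the root-permission caveat from the note above.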
January 2013, website