Introduction
netstat (network statistics) is a command-line network tool from the net-tools package, used to troubleshoot and configure the network. netstat is cross-platform: it is available on Linux, Unix-like operating systems, and Windows. It is one of the most basic Unix/Linux network service debugging tools, powerful and very useful for Linux network administrators and system administrators when solving network-related problems such as number of connections, traffic, speed, status of each port, IP … It can also be considered a monitoring tool, helping to monitor network connections (both incoming and outgoing) by providing information such as the routing table or some network interface statistics.
In this article, we will learn together how to use netstat on Linux operating systems!
Note
Currently, the iproute2 toolkit has replaced net-tools as the default in new Linux distributions such as RHEL7, CentOS 7, … Along with that, the new ss tool is used instead of netstat, with the advantages of being simpler and faster than the traditional netstat tool. The functions and usage of the ss command are generally similar to netstat.
Netstat command options
The netstat command comes with many optional flags. For information on command usage and options, use netstat -h or netstat --help
```
thanhthu ~ netstat -h
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }

        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections

        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing

        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
        -Z, --context            display SELinux security context for sockets

  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
```
There are a lot of options. Some of the most commonly used ones to pay attention to are:
- -a : Displays all sockets, both listening and non-listening
- -l : Displays only the sockets that are listening
- -t : Show only TCP connections
- -u : Show only UDP connections
- -n : Show numeric addresses (no name resolution)
- -p : Show the PID and program name for each socket
- -r : Show the routing table
- -s : Show network statistics, grouped by protocol
- -i : Show a list of network interfaces
Next, I will show you a few specific examples of using the netstat command!
Commonly used netstat command examples
1. List all the ports
netstat -a
```
thanhthu ~ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32182           0.0.0.0:*               LISTEN
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN
tcp        0      0 localhost:40131         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32196           0.0.0.0:*               LISTEN
tcp        0      0 localhost:10248         0.0.0.0:*               LISTEN
tcp        0      0 localhost:10249         0.0.0.0:*               LISTEN
tcp        0      0 localhost:35947         0.0.0.0:*               LISTEN
tcp        0      0 localhost:sge-qmaster   0.0.0.0:*               LISTEN
tcp        0      0 localhost:10256         0.0.0.0:*               LISTEN
tcp        0      0 i121035-lt:45024        1.80.190.35.bc.go:https ESTABLISHED
tcp        0      0 i121035-lt:59730        th-in-f100.1e100.:https ESTABLISHED
tcp        0      0 localhost:sge-qmaster   localhost:48358         ESTABLISHED
tcp        0      0 i121035-lt:50182        server-54-192-23-:https ESTABLISHED
tcp        0      0 localhost:48312         localhost:sge-qmaster   ESTABLISHED
tcp        0      0 localhost:59498         localhost:6443          ESTABLISHED
tcp        0      0 localhost:sge-qmaster   localhost:48360         ESTABLISHED
tcp        0      0 localhost:59672         localhost:6443          ESTABLISHED
tcp        0      0 i121035-lt:44486        ti-in-f94.1e100.n:https ESTABLISHED
tcp        0      0 localhost:59688         localhost:6443          ESTABLISHED
tcp        0      0 localhost:59634         localhost:6443          ESTABLISHED
tcp        0      0 localhost:sge-qmaster   localhost:48300         ESTABLISHED
tcp        0      0 i121035-lt:43512        10.42.0.36:5000         TIME_WAIT
```
This is a catch-all listing: it includes a lot of information, covering all ports (both TCP and UDP) and both listening and non-listening sockets. Because it includes so much, in practice we combine it with other options to filter out specific groups of information, as in the commands below.
- netstat -at : only TCP ports
- netstat -au : only UDP ports
- netstat -l : This option has a narrower scope than -a, listing only ports that are in the listening state. It is usually combined with -t or -u to filter for TCP or UDP connections.
Check the process
Using netstat's -p option will show us the program name and process ID (PID) of each socket. For example, we use the command netstat -ltupn. This command shows all TCP and UDP ports that are listening, along with their program name and PID. Here I often use the -n option to display addresses and port numbers as numbers instead of resolved names.
```
thanhthu ~ netstat -pltun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      664/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1271/sshd
tcp        0      0 0.0.0.0:32182           0.0.0.0:*               LISTEN      2945/k3s
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      27507/cupsd
tcp        0      0 127.0.0.1:40131         0.0.0.0:*               LISTEN      2945/k3s
tcp        0      0 0.0.0.0:32196           0.0.0.0:*               LISTEN      2945/k3s
tcp        0      0 127.0.0.1:10248         0.0.0.0:*               LISTEN      2945/k3s
tcp        0      0 127.0.0.1:10249         0.0.0.0:*               LISTEN      2945/k3s
tcp        0      0 127.0.0.1:35947         0.0.0.0:*               LISTEN      966/containerd
tcp        0      0 127.0.0.1:6444          0.0.0.0:*               LISTEN      2945/k3s
tcp        0      0 127.0.0.1:10256         0.0.0.0:*               LISTEN      2945/k3s
tcp6       0      0 :::22                   :::*                    LISTEN      1271/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      27507/cupsd
tcp6       0      0 :::10250                :::*                    LISTEN      2945/k3s
tcp6       0      0 :::3306                 :::*                    LISTEN      3678/docker-proxy
tcp6       0      0 :::10251                :::*                    LISTEN      2945/k3s
tcp6       0      0 :::6443                 :::*                    LISTEN      2945/k3s
tcp6       0      0 :::10252                :::*                    LISTEN      2945/k3s
udp        0      0 127.0.0.53:53           0.0.0.0:*                           664/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           30433/dhclient
udp        0      0 0.0.0.0:8472            0.0.0.0:*                           -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           27508/cups-browsed
udp        0      0 0.0.0.0:43286           0.0.0.0:*                           816/avahi-daemon: r
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           25223/chrome
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           25223/chrome
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           25329/chrome --type
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           25329/chrome --type
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           816/avahi-daemon: r
udp6       0      0 :::43431                :::*                                816/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                816/avahi-daemon: r
```
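Added example (not part of the original article): in the listing above, the Local Address column shows whether a service is bound to every interface (0.0.0.0 or ::) or only to loopback, which is the first thing to check when reviewing what a host exposes. The script below groups the rows by that scope. The function names classify_listeners and sample_listing are made up for this example, and the sample rows are copied from the output above.

```shell
#!/bin/sh
# Added example: classify listening sockets from `netstat -pltun` by bind scope.

# Rows copied from the netstat -pltun listing above, embedded so this runs offline.
sample_listing() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      664/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1271/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      27507/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1271/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      27507/cupsd
tcp6       0      0 :::3306                 :::*                    LISTEN      3678/docker-proxy
udp        0      0 0.0.0.0:8472            0.0.0.0:*                           -
udp        0      0 224.0.0.251:5353        0.0.0.0:*                           25223/chrome
EOF
}

# Reads netstat output on stdin; prints: scope proto port pid/program
classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next    # ignore established TCP rows
        # UDP rows have no State column, so the program column shifts left by one.
        pcol = ($1 ~ /^tcp/) ? 7 : 6
        prog = (NF >= pcol) ? $pcol : "-"          # first word only; "-" if unknown
        # Split host from port at the LAST colon so IPv6 (":::22") parses correctly.
        match($4, /:[^:]*$/)
        host = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)
        if (host == "0.0.0.0" || host == "::")      scope = "ALL-INTERFACES"
        else if (host ~ /^127\./ || host == "::1")  scope = "loopback"
        else                                        scope = "specific"
        printf "%-14s %-5s %-6s %s\n", scope, $1, port, prog
    }' | sort
}

# On a live host (root is needed to see every PID): netstat -pltun | classify_listeners
sample_listing | classify_listeners
```

A "-" in the program column, as on the udp 8472 row, means netstat could not attribute the socket to a process visible to the current user.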
Display network statistics
To display network statistics, we use the netstat -s command. We can also filter the information by TCP connections, UDP …
```
thanhthu ~ netstat -s
Ip:
    Forwarding: 1
    882951 total packets received
    1 with invalid addresses
    129399 forwarded
    0 incoming packets discarded
    752132 incoming packets delivered
    851013 requests sent out
    280 dropped because of missing route
    2 reassemblies required
    1 packets reassembled ok
Icmp:
    115 ICMP messages received
    30 input ICMP message failed
    ICMP input histogram:
        destination unreachable: 110
        echo requests: 2
        echo replies: 3
    353 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 348
        echo requests: 3
        echo replies: 2
IcmpMsg:
        InType0: 3
        InType3: 110
        InType8: 2
        OutType0: 2
.....................
```
Show routing table
To see the kernel's IP routing table, use the netstat -r command:
```
thanhthu ~ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 enp1s0
10.42.0.0       0.0.0.0         255.255.255.0   U         0 0          0 cni0
link-local      0.0.0.0         255.255.0.0     U         0 0          0 enp1s0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-0eadd6bb4887
172.19.0.0      0.0.0.0         255.255.0.0     U         0 0          0 br-d21d6936f375
192.168.19.0    0.0.0.0         255.255.255.0   U         0 0          0 enp1s0
```
Display network interfaces
To display the network interfaces of the kernel we use the command netstat -i
```
thanhthu ~ netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
br-0eadd  1500        1      0      0 0           629      0      0      0 BMRU
br-d21d6  1500        0      0      0 0             0      0      0      0 BMU
cni0      1450   360459      0      0 0        370384      0      0      0 BMRU
docker0   1500        0      0      0 0             0      0      0      0 BMU
enp1s0    1500   521818      0    647 0        229844      0      0      0 BMRU
flannel.  1450        0      0      0 0             0      0    625      0 BMRU
lo       65536   435776      0      0 0        435776      0      0      0 LRU
veth8509  1450    93651      0      0 0         47643      0      0      0 BMRU
veth0698  1450    15316      0      0 0         15264      0      0      0 BMRU
```
Netstat in conjunction with other Linux commands
Apart from combining its own options, netstat becomes even more useful when combined with other Linux commands through the shell's pipe mechanism. For example:
- When you want to test a specific port, such as port 22:
```
netstat -lntp | grep ':22'
```
```
thanhthu ~ netstat -lntp | grep ':22'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1271/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1271/sshd
```
- Display the number of connections per IP to the server
```
netstat -apn | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
```
```
thanhthu ~ netstat -apn | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
      1 10.0.1.9
      1 10.0.4.115
      1 10.42.0.33
      1 1.54.241.81
      1 74.125.23.189
      1 91.108.56.150
      2 10.42.0.39
      2 10.43.69.202
      2 13.230.76.0
      2 162.247.242.21
      2 192.168.19.60
      2 74.125.204.94
      3 10.42.0.35
      3 104.21.92.71
      3 13.225.89.117
      4 10.42.0.28
      4 10.42.0.29
      4 172.67.188.158
      6 10.42.0.26
      6 10.42.0.40
      9 
     12 10.42.0.42
     13 10.42.0.30
     25 0.0.0.0
    136 127.0.0.1
```
Where:
- netstat -apn : Displays all connections with their program name and PID, with IP addresses and ports in numeric form, without name resolution.
- grep -E 'tcp|udp' : Filter for TCP and UDP connections (-E is needed so that | means "or")
- awk '{print $5}' : Print only column 5, which is the IP:PORT column
- cut -d: -f1 : Split each row into columns at the ":" character, then take column 1 (the IP without the port)
- sort : sort the result
- uniq -c : group identical IPs, with a first column showing how many times each IP occurs
- sort -n : sort the results numerically, from low to high
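Added example (not part of the original article): the pipeline above cuts at the first colon, so an IPv6 address such as :::* becomes an empty string, and it also counts the 0.0.0.0 wildcard of listening sockets as if it were a peer. This variant matches on the Proto column, strips the port at the last colon and skips wildcard peers. The names count_peers and sample_connections are hypothetical, and the sample rows are constructed from documentation address ranges.

```shell
#!/bin/sh
# Added example: count connections per remote address, IPv4 and IPv6 alike.

# Constructed sample of `netstat -apn` rows (addresses from documentation ranges).
sample_connections() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1271/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 4101/sshd
tcp        0      0 192.0.2.10:22           198.51.100.7:51520      ESTABLISHED 4188/sshd
tcp        0      0 192.0.2.10:443          203.0.113.9:40022       TIME_WAIT   -
tcp6       0      0 :::22                   :::*                    LISTEN      1271/sshd
tcp6       0      0 2001:db8::10:443        2001:db8::beef:50000    ESTABLISHED 900/nginx
tcp6       0      0 2001:db8::10:443        2001:db8::beef:50002    ESTABLISHED 900/nginx
tcp6       0      0 2001:db8::10:443        2001:db8::beef:50004    ESTABLISHED 900/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           30433/dhclient
unix  2      [ ACC ]     STREAM     LISTENING     21345    1/init    /run/tcp-helper.sock
EOF
}

# Reads netstat output on stdin; prints "count address", busiest peer first.
count_peers() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {             # match the Proto column, not any text on the line
        peer = $5
        if (peer ~ /:\*$/) next        # wildcard peer: a listener, not a connection
        sub(/:[^:]*$/, "", peer)       # drop the port after the LAST colon only
        count[peer]++
    }
    END { for (p in count) printf "%d %s\n", count[p], p }' | sort -k1,1nr -k2,2
}

# On a live host: netstat -apn | count_peers
sample_connections | count_peers
```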
Conclusion
In this article, I have introduced the basic functions and usage of netstat. Hopefully, it has given you a better understanding of netstat – a classic method to troubleshoot network problems on Unix/Linux operating systems.
Thank you for reading my post :3