Netstat command examples and usage

Sarath Pillai

Introduction to Netstat

Imagine a situation where you want to know the details of all network connections, whether incoming or outgoing.

Netstat is a utility which you will commonly find on Unix-based machines by default. It is very powerful if used effectively. Netstat reports connection statistics in more detail than any other tool, and it shows you the current live network activity.

Netstat can also be used to display the routing table on a Linux machine, which we normally get by running the "route" command.

Let's see what tricks and techniques we can use with netstat to show network statistics and information on a Linux machine.

1. Display routing table using netstat:

Normally we all use the route command to display a Linux machine's routing table. Let's see how we can use netstat to display the kernel routing table.

[root@myvm1 ~]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
                                                U         0 0          0 eth0
                                                UG        0 0          0 eth0
[root@myvm1 ~]#

In the above example we have used the "n" and "r" options. Here is what they mean:

r = the route listing.

n = avoids DNS lookups (only IP addresses are shown).

The first three columns are self-explanatory. The fourth column shows flags: "U" means the interface used to communicate with that network is up, and "G" means the route uses a gateway.

The fifth column shows the MSS. What is the MSS? This is where a little networking comes in. MSS stands for Maximum Segment Size. Normally we do not need to worry about the MSS value, because the kernel takes care of it by itself (based on the NIC and other networking factors). I will cover MSS in detail in another post, because we are discussing netstat here, not MSS!

The sixth column is also networking-related: it shows the window size. I will keep a separate post for window size.

Sorry to say, but the seventh column is also a networking column: irtt stands for initial round trip time. The one remaining column is the interface.

2. Check interface details with netstat

[root@myvm1 ~]# netstat -i
Kernel Interface table
eth0       1500   0   815837      0      0      0   514080      0      0      0 BMRU
lo        16436   0      548      0      0      0      548      0      0      0 LRU
[root@myvm1 ~]#

The output above shows the interface details from the netstat command.

The MTU and Met columns show the Maximum Transmission Unit and the metric (the MSS fits inside the MTU).

The RX and TX columns show the received and transmitted packets. Error-free packets are counted under RX-OK and TX-OK, and packets with errors under RX-ERR and TX-ERR.

By default, simply typing netstat will give you a lot of information you never asked for. The main job is to isolate what you require from that much information, and that is where real Linux skill lies.

3. See which TCP ports are open using netstat

To see which TCP ports are open on your machine, you can use the options below with netstat.

--tcp or -t for showing tcp connections.

--listening or -l will show all listening ports

--programs or -p will show the PID details of the program which opened that port

[root@myvm1 ~]# netstat --tcp --listening --programs -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0       *                   LISTEN      3889/rpc.statd
tcp        0      0      *                   LISTEN      4291/mysqld
tcp        0      0       *                   LISTEN      3859/portmap
tcp        0      0     *                   LISTEN      3178/cupsd
tcp        0      0      *                   LISTEN      4350/sendmail: acce
tcp        0      0 :::80                       :::*                        LISTEN      354/httpd
tcp        0      0 :::22                       :::*                        LISTEN      4152/sshd
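
A listener bound to a loopback address is reachable only from the machine itself, while one bound to all interfaces is reachable from the network, so the Local Address column is the first thing to check in this output. The following is an added example, not part of the original article: it classifies each listener and reports exposed ports that are not on an allowlist. The function names, the allowlist and the sample addresses are assumptions constructed for illustration.

```shell
# Added example: classify TCP listeners from
# `netstat --tcp --listening --programs -n` read on stdin.
# Prints "port scope program"; scope is "loopback" or "exposed".
audit_listeners() {
    awk '
        $1 !~ /^tcp/ || $6 != "LISTEN" { next }   # skip header lines
        {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)  # address without the port
            scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
            prog = $7; sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
            print port, scope, prog
        }
    ' | sort -n
}

# Prints exposed listeners whose port is not in the space-separated
# allowlist passed as $1 (the allowlist is a hypothetical local policy).
unexpected_listeners() {
    audit_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "exposed" && !($1 in ok) { print $1, $3 }
    '
}

# Constructed sample input; the local addresses are made up for this example.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      4291/mysqld
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3178/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      4350/sendmail: acce
tcp        0      0 :::80                       :::*                        LISTEN      354/httpd
tcp        0      0 :::22                       :::*                        LISTEN      4152/sshd
EOF
}

sample_listeners | unexpected_listeners "22 80"
```

On a live machine, pipe the real command into the function: `netstat --tcp --listening --programs -n | unexpected_listeners "22 80"`.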

4. See a summary of all protocols with netstat.

The -s option is useful when you want to see a summary for all protocols, such as TCP, UDP and ICMP.

An example of the -s output is shown below:

Note: not all of the -s output is shown here.

[root@myvm1 ~]# netstat -s
    781419 total packets received
    162 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    781257 incoming packets delivered
    512934 requests sent out
    1 dropped because of missing route
    50 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 10
        timeout in transit: 3
        echo requests: 13
        echo replies: 24
    53 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 11
        echo request: 29
        echo replies: 13
        InType0: 24
        InType3: 10
        InType8: 13
        InType11: 3
        OutType0: 13
        OutType3: 11
        OutType8: 29
    812 active connections openings
    12384 passive connection openings
    5 failed connection attempts
    81 connection resets received
    1 connections established
    761204 segments received
    509528 segments send out
    163 segments retransmited
    0 bad segments received.
    5 resets sent
    2885 packets received
    11 packets to unknown port received.
    0 packet receive errors
    3143 packets sent
    1 invalid SYN cookies received
    6812 TCP sockets finished time wait in fast timer
    4708 delayed acks sent
    1001 delayed acks further delayed because of locked socket
    Quick ack mode was activated 31 times
    7580 packets directly queued to recvmsg prequeue.
    297993 packets directly received from backlog
    7694595 packets directly received from prequeue
    509783 packets header predicted
    7728 packets header predicted and directly queued to user
    67857 acknowledgments not containing data received
    137274 predicted acknowledgments
    TCPDSACKUndo: 28
    76 congestion windows recovered after partial ack
    0 TCP data loss events
    42 retransmits in slow start
    113 other TCP timeouts
    22 DSACKs sent for old packets
    133 DSACKs received
    6 connections reset due to early user close
    10 connections aborted due to timeout
    InMcastPkts: 985
    OutMcastPkts: 609
    InBcastPkts: 17106
    OutBcastPkts: 6
[root@myvm1 ~]#

5. Monitor all traffic continuously with netstat.

You can monitor traffic and connections live by using the -c option with netstat. Combining -c with any of the previously mentioned commands can be very useful for getting network information.

6. See ifconfig-like information with netstat:

As we have seen before, the -i option gives interface statistics from netstat. Adding the -e option to -i makes the output more or less similar to the ifconfig output for an interface.

See the example output below:

[root@myvm1 ~]# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:0C:29:93:A0:52
          inet addr:  Bcast:  Mask:
          inet6 addr: fe80::20c:29ff:fe93:a052/64 Scope:Link
          RX packets:816092 errors:0 dropped:0 overruns:0 frame:0
          TX packets:514402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:472160755 (450.2 MiB)  TX bytes:223864906 (213.4 MiB)
          Interrupt:75 Base address:0x2024

lo        Link encap:Local Loopback
          inet addr:  Mask:
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:548 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100017 (97.6 KiB)  TX bytes:100017 (97.6 KiB)

[root@myvm1 ~]#

7. Find the number of connections made by each IP

Suppose you want to find the number of connections made by each IP address. You can use the command below to find that out; NR>2 skips netstat's two header lines so they are not counted as addresses.

netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
