Netstat command examples and usage
Introduction to Netstat
Imagine a situation where you want to know details about all network connections, be they incoming or outgoing.
Netstat is a utility that you will commonly find on Unix-based machines by default. It is very powerful if used effectively. Netstat shows connection statistics in more detail than any other tool, and it shows the current live network activity.
Netstat can also be used to display the routing table on a Linux machine, which we normally get by running the "route" command.
Let's see what tricks and techniques we can use with netstat to show network statistics and information on a Linux machine.
1. Display the routing table using netstat:
Normally we all use the route command to display our Linux machine's routing table. Let's see how we can use netstat to display the kernel routing table.
[root@myvm1 ~]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.159.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.159.2   0.0.0.0         UG        0 0          0 eth0
[root@myvm1 ~]#
In the above example we have used the "n" and "r" options. I will explain what they are.
r = shows the route listing.
n = avoids DNS lookups (only IP addresses are shown).
The first three columns are self-explanatory. The fourth column (Flags) shows whether the interface used to communicate with that network is up, marked by "U"; "G" means that the route uses a gateway.
The fifth column shows the MSS. Now what is MSS? Here a little bit of networking comes into play. MSS stands for Maximum Segment Size. Normally we do not need to worry about the MSS value because the kernel takes care of it by itself (based on the NIC and other networking factors). I will cover MSS in detail in another post, because we are discussing netstat here, not MSS!
The sixth column is also a networking-based column; it shows the window size. I will keep a separate post for window size.
Sorry to say it, but the seventh column is also a networking column! irtt stands for initial round trip time. The one remaining column is the interface.
2. Check interface details with netstat
[root@myvm1 ~]# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0   815837      0      0      0   514080      0      0      0 BMRU
lo        16436   0      548      0      0      0      548      0      0      0 LRU
[root@myvm1 ~]#
The output above shows the interface details through the netstat command.
The MTU and Met columns show the Maximum Transmission Unit (the MSS is contained inside the MTU) and the metric.
The RX and TX columns show the received and transmitted packets. Error-free packets are counted under RX-OK and TX-OK, and packets with errors under RX-ERR and TX-ERR.
By default, simply typing netstat will give you a lot of information you never asked for. The main job is to isolate what you require from all that information, and that is where real Linux skill lies.
3. See which TCP ports are open using netstat
To see which TCP ports are open on your machine, you can use the options below with netstat.
--tcp or -t shows TCP connections.
--listening or -l shows all listening ports.
--programs or -p shows the PID and name of the program that opened the port.
[root@myvm1 ~]# netstat --tcp --listening --programs -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:679                 0.0.0.0:*                   LISTEN      3889/rpc.statd
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      4291/mysqld
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      3859/portmap
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      3178/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      4350/sendmail: acce
tcp        0      0 :::80                       :::*                        LISTEN      354/httpd
tcp        0      0 :::22                       :::*                        LISTEN      4152/sshd
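As an added example (not part of the original article), the listener list above can be split into sockets bound only to loopback and sockets bound to an address other hosts can reach, which is usually the first thing to review on a server. The function names are hypothetical and the embedded sample is the output shown above.

```shell
#!/bin/sh
# Sample input: the listener rows from the netstat output shown above.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:679     0.0.0.0:*       LISTEN 3889/rpc.statd
tcp   0      0      0.0.0.0:3306    0.0.0.0:*       LISTEN 4291/mysqld
tcp   0      0      0.0.0.0:111     0.0.0.0:*       LISTEN 3859/portmap
tcp   0      0      127.0.0.1:631   0.0.0.0:*       LISTEN 3178/cupsd
tcp   0      0      127.0.0.1:25    0.0.0.0:*       LISTEN 4350/sendmail: acce
tcp   0      0      :::80           :::*            LISTEN 354/httpd
tcp   0      0      :::22           :::*            LISTEN 4152/sshd
EOF
}

# classify_listeners (hypothetical helper): reads netstat output on stdin and
# prints "<scope> <port> <program>" per LISTEN socket, sorted by scope, port.
classify_listeners() {
    awk '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        port = addr; sub(/^.*:/, "", port)       # text after the last colon
        host = addr; sub(/:[^:]*$/, "", host)    # text before the last colon
        split($7, p, "/")                        # PID/Program name column
        prog = p[2]; sub(/:$/, "", prog)
        if (prog == "") prog = "unknown"         # column is "-" without root
        # 127.0.0.0/8 and ::1 are loopback; anything else counts as exposed
        scope = (host ~ /^127\./ || host == "::1") ? "local" : "exposed"
        print scope, port, prog
    }' | sort -k1,1 -k2,2n
}

# exposed_ports (hypothetical helper): comma-separated ports that are bound
# to a non-loopback address.
exposed_ports() {
    classify_listeners |
        awk '$1 == "exposed" { printf "%s%s", sep, $2; sep = "," } END { print "" }'
}

sample_listeners | classify_listeners
```

On a live machine, pipe `netstat --tcp --listening --programs -n` into `classify_listeners` instead of the sample.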
4. See a summary of all protocols with netstat
The -s option is interesting when you want to see a summary for every protocol (TCP, UDP, ICMP and so on) with netstat.
An example of the -s output is shown below:
Note: not all of the -s output is shown here.
[root@myvm1 ~]# netstat -s
Ip:
    781419 total packets received
    162 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    781257 incoming packets delivered
    512934 requests sent out
    1 dropped because of missing route
Icmp:
    50 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 10
        timeout in transit: 3
        echo requests: 13
        echo replies: 24
    53 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 11
        echo request: 29
        echo replies: 13
IcmpMsg:
        InType0: 24
        InType3: 10
        InType8: 13
        InType11: 3
        OutType0: 13
        OutType3: 11
        OutType8: 29
Tcp:
    812 active connections openings
    12384 passive connection openings
    5 failed connection attempts
    81 connection resets received
    1 connections established
    761204 segments received
    509528 segments send out
    163 segments retransmited
    0 bad segments received.
    5 resets sent
Udp:
    2885 packets received
    11 packets to unknown port received.
    0 packet receive errors
    3143 packets sent
TcpExt:
    1 invalid SYN cookies received
    6812 TCP sockets finished time wait in fast timer
    4708 delayed acks sent
    1001 delayed acks further delayed because of locked socket
    Quick ack mode was activated 31 times
    7580 packets directly queued to recvmsg prequeue.
    297993 packets directly received from backlog
    7694595 packets directly received from prequeue
    509783 packets header predicted
    7728 packets header predicted and directly queued to user
    67857 acknowledgments not containing data received
    137274 predicted acknowledgments
    TCPDSACKUndo: 28
    76 congestion windows recovered after partial ack
    0 TCP data loss events
    42 retransmits in slow start
    113 other TCP timeouts
    22 DSACKs sent for old packets
    133 DSACKs received
    6 connections reset due to early user close
    10 connections aborted due to timeout
IpExt:
    InMcastPkts: 985
    OutMcastPkts: 609
    InBcastPkts: 17106
    OutBcastPkts: 6
[root@myvm1 ~]#
5. Monitor all traffic continuously and live with netstat
You can monitor traffic and connections actively by using the -c option with netstat. Combining -c with any of the previously mentioned commands can be very useful for getting network information.
6. See ifconfig-like information with netstat
As we have seen before, the -i option gives us interface statistics from netstat. Adding the -e option to -i extends the output so that it looks more or less like the ifconfig output for an interface.
See the example output below:
[root@myvm1 ~]# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:0C:29:93:A0:52
          inet addr:192.168.159.128  Bcast:192.168.159.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe93:a052/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:816092 errors:0 dropped:0 overruns:0 frame:0
          TX packets:514402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:472160755 (450.2 MiB)  TX bytes:223864906 (213.4 MiB)
          Interrupt:75 Base address:0x2024

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:548 errors:0 dropped:0 overruns:0 frame:0
          TX packets:548 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:100017 (97.6 KiB)  TX bytes:100017 (97.6 KiB)

[root@myvm1 ~]#
7. Find the number of connections made by each IP
Suppose you want to find the number of connections made by each IP address. You can use the command below to find that out.
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
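The one-liner above splits each peer address at its first colon, so IPv6 peers are not counted correctly. The following added example (not part of the original article) strips only the port, folds IPv4-mapped addresses into their IPv4 form, and lists peers above a connection threshold. The function names are hypothetical and the sample input is constructed from documentation address ranges.

```shell
#!/bin/sh
# Constructed sample of `netstat -ntu` output (documentation address ranges),
# not captured traffic.
sample_connections() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address       State
tcp   0      0      192.168.159.128:22     192.0.2.10:51234      ESTABLISHED
tcp   0      0      192.168.159.128:80     198.51.100.7:40112    ESTABLISHED
tcp   0      0      192.168.159.128:80     198.51.100.7:40113    TIME_WAIT
tcp   0      0      192.168.159.128:80     198.51.100.7:40114    SYN_RECV
tcp   0      0      ::ffff:192.168.159.128:80 ::ffff:198.51.100.7:40115 ESTABLISHED
tcp   0      0      2001:db8::1:80         2001:db8::beef:50000  ESTABLISHED
udp   0      0      192.168.159.128:123    192.0.2.53:123        ESTABLISHED
EOF
}

# count_by_remote (hypothetical helper): stdin is netstat -ntu output, stdout
# is "<count> <address>" with the highest count first.
count_by_remote() {
    awk '
    $1 ~ /^(tcp|udp)/ {                  # skips both header lines
        ip = $5
        sub(/:[^:]*$/, "", ip)           # drop the port after the last colon
        sub(/^::ffff:/, "", ip)          # fold IPv4-mapped IPv6 into IPv4
        n[ip]++
    }
    END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# over_threshold LIMIT (hypothetical helper): peers holding more than LIMIT
# connections, one address per line.
over_threshold() {
    count_by_remote | awk -v limit="$1" '$1 > limit { print $2 }'
}

sample_connections | count_by_remote
```

On a live machine, run `netstat -ntu | over_threshold 100` with a limit that suits the normal load of the server.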