The `netstat` Command in Linux: A Comprehensive Guide
The `netstat` command, short for "network statistics," is a versatile tool used for network troubleshooting and performance measurement. It provides statistics about protocols in use and current TCP/IP network connections.
Basics of the `netstat` Command:
`netstat` allows users to view active network connections, ports on which the system is listening, Ethernet statistics, the IP routing table, and much more.
General Syntax:
netstat [OPTIONS]
Using the `netstat` Command
Building upon our understanding of the `netstat` command, let's analyze the output of several key commands and understand their significance.
Using the `netstat` Command: Detailed Outputs
Display All Active Connections
Command:
netstat -a
Sample Output:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 server.example.com:ssh client.example.com:40149 ESTABLISHED
udp 0 0 *:bootpc *:*
Explanation:
Proto: The protocol being used (TCP or UDP).
Recv-Q & Send-Q: Data queue sizes. Normally this should be 0. If not, there might be issues.
Local Address: The IP and port on the server.
Foreign Address: The client IP and port.
State: For TCP, this can be ESTABLISHED, LISTEN, CLOSE_WAIT, etc. For UDP, which is connectionless, this is often blank.
View All Listening Ports
Command:
netstat -l
Sample Output:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
udp 0 0 *:bootpc *:*
Explanation:
- This output only shows sockets that are in the LISTEN state, indicating they are waiting for incoming connections.
Display Network Statistics
Command:
netstat -s
Sample Output (trimmed for brevity):
Ip:
12345 total packets received
0 forwarded
0 incoming packets discarded
Tcp:
23456 active connections openings
56778 passive connection openings
...
Explanation:
- This output provides statistics on packets and connections for each protocol (TCP, UDP, ICMP, etc.). It helps in diagnosing network issues or understanding network usage.
Show Numeric Addresses
Command:
netstat -n
Sample Output:
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.5:22 192.168.1.7:5890 ESTABLISHED
Explanation:
- Here, instead of displaying domain names, the actual IP addresses are shown, making the output more readable for scripts or quick diagnostics.
Display the Routing Table
Command:
netstat -r
Sample Output:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.1.0 * 255.255.255.0 U 0 0 0 eth0
default 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
Explanation:
Destination: The destination network or host.
Gateway: The next hop or gateway through which the packet will be sent.
Genmask: The netmask for the destination.
Flags: Various flags:
- `U` (route is up)
- `G` (use gateway)
- `H` (only a single host, not a network)
Iface: The network interface to use.
Routing Tables Explained
A routing table is a set of rules that determine where data packets will be directed over a network. Entries in the table contain destination address information and the next hop information, which tells the system how to move the packets toward their ultimate destination.
In the context of a home or business network, the routing table often points to a single gateway for all external addresses, while also directing local traffic to different segments of the network. On larger networks, and especially on routers, the routing table can be complex, containing rules to direct traffic based on a combination of destination, source, and type of service.
Key `netstat` Options
Option | Shorthand | Description |
---|---|---|
--all | -a | Show both listening and non-listening sockets. |
--listening | -l | Show listening sockets. |
--tcp | -t | Show TCP connections. |
--udp | -u | Show UDP connections. |
--numeric | -n | Show numerical addresses instead of resolving hostnames. |
--route | -r | Display the routing table. |
--statistics | -s | Show statistics by protocol. |
--verbose | -v | Provide additional details. |
--help | -h | Display help information. |
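
An added example (not from the original article) that puts the `-t`, `-u`, `-l` and `-n` options together: it parses `netstat -tuln` output and labels each listening socket by whether it is bound to all interfaces, loopback only, or one specific address. The sample rows are constructed, and the function names `sample_netstat`, `classify_listeners` and `exposed_listeners` are hypothetical.

```shell
#!/bin/sh
# Added example: classify listening sockets from `netstat -tuln` output by bind scope.

# Constructed sample in the column layout shown on this page (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:8080        0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Reads netstat -tuln text on stdin; prints "scope proto port address" per socket.
classify_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      # TCP rows must be in LISTEN; UDP rows have no State column.
      if ($1 ~ /^tcp/ && $NF != "LISTEN") next
      laddr = $4
      port = laddr; sub(/.*:/, "", port)   # text after the last colon
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "ALL"
      else if (addr ~ /^127\./ || addr == "::1") scope = "LOOPBACK"
      else scope = "SPECIFIC"
      print scope, $1, port, addr
    }'
}

# Only the sockets reachable on every interface, the ones to review first.
exposed_listeners() {
  classify_listeners | awk '$1 == "ALL" { print $2 "/" $3 }'
}

# On a live host: netstat -tuln | exposed_listeners
sample_netstat | classify_listeners
```

Taking the port as the text after the last colon is what lets the same parser handle IPv6 rows such as `:::80` and `::1:631`.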
Conclusion
The `netstat` command provides invaluable insights into the network activity and statistics on a Linux system. While it's a versatile tool, many modern distributions are moving towards the `ss` command from the `iproute2` suite as a replacement for `netstat`. Regardless, understanding the output and options of `netstat` will help diagnose and analyze network behaviors effectively. As always, the `man` command (`man netstat`) offers a comprehensive look into its usage and options.