In this tutorial, you will learn how to use netstat command in Linux. netstat, an acronym for network statistics is a Linux command line utility used to print information about the Linux networking subsystem. netstat can display all udp, tcp and unix socket connections in the system. It lists both connected and listening sockets which are ready for connection to take place. Normally, netstat command is used by system administrators for network troubleshooting on Linux. With netstat you will be able to accomplish the following tasks:
- Print network connections
- Masquerade connections
- Multicast memberships
- Obtain routing tables
- Get interface statistics
Nowadays, netstat command is still useful but it has become obsolete and it’s replaced by ss command used for displaying network socket related information on a Linux system.
How to Use netstat Command in Linux
If netstat command is not installed in your Linux system, you can install it by running the command below on Debian or Ubuntu;
apt install net-tools -y
yum install net-tools -y
Consult the specific Linux distro package manager on how to install netstat command.
- Display a list of open sockets
In CLI (terminal) type netstat command and you will obtain a list of open sockets. If you don’t specify any address families, then the active sockets of all configured address families will be printed.
netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:45430 localhost:2222 ESTABLISHED
tcp 0 0 localhost:2222 localhost:45430 ESTABLISHED
tcp 0 0 thehero:54354 104.21.21.42:https ESTABLISHED
tcp 0 0 thehero:46286 wq-in-f188.1e100.n:5228 ESTABLISHED
tcp 0 0 thehero:49568 1.80.190.35.bc.go:https ESTABLISHED
udp 0 0 thehero:bootpc _gateway:bootps ESTABLISHED
udp 0 0 thehero:49916 mba01s07-in-f3.1e10:443 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 5 [ ] DGRAM 1289 /run/systemd/notify
unix 2 [ ] DGRAM 46567 /run/user/1000/systemd/notify
unix 3 [ ] SEQPACKET CONNECTED 50008 @0000f
unix 3 [ ] SEQPACKET CONNECTED 50010 @000102. Display all active listening connections
To show only listening sockets, use netstat -l
netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp6 0 0 [::]:37641 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
udp 0 0 0.0.0.0:57311 0.0.0.0:*
udp 0 0 thehero:domain 0.0.0.0:*
udp 0 0 localhost:domain 0.0.0.0:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:42344 [::]:*
raw 0 0 0.0.0.0:icmp 0.0.0.0:* 7
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 27839 /run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 27841 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 27843 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 27845 /run/uuidd/request
unix 2 [ ACC ] SEQPACKET LISTENING 1333 /run/udev/control3. Display all TCP listening ports
To list all active listening TCP ports, use netstat -lt
netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:45361 0.0.0.0:* LISTEN
tcp 0 0 localhost:5939 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:44499 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37793 0.0.0.0:* LISTEN
tcp 0 0 localhost:33060 0.0.0.0:* LISTEN
tcp6 0 0 [::]:37641 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 ip6-localhost:ipp [::]:* LISTEN
4. Display all UDP listening ports
To list all active listening UDP ports, use netstat -lu
netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:57311 0.0.0.0:*
udp 0 0 thehero:domain 0.0.0.0:*
udp 0 0 localhost:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
udp 0 0 0.0.0.0:37306 0.0.0.0:*
udp 0 0 0.0.0.0:42990 0.0.0.0:*
udp 0 0 0.0.0.0:nfs 0.0.0.0:*
udp 0 0 0.0.0.0:35537 0.0.0.0:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:42344 [::]:* 5. Display all UNIX listening ports
To list all active listening UNIX ports, use netstat -lx
netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 27839 /run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 27841 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 27843 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 27845 /run/uuidd/request
unix 2 [ ACC ] SEQPACKET LISTENING 1333 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 27847 /run/libvirt/virtlockd-sock
unix 2 [ ACC ] STREAM LISTENING 27849 /run/libvirt/virtlockd-admin-sock
unix 2 [ ACC ] STREAM LISTENING 27851 /run/libvirt/virtlogd-sock
unix 2 [ ACC ] STREAM LISTENING 27853 /run/libvirt/virtlogd-admin-sock
unix 2 [ ACC ] STREAM LISTENING 27861 /run/libvirt/libvirt-admin-sock
unix 2 [ ACC ] STREAM LISTENING 27863 /run/libvirt/libvirt-sock-ro
unix 2 [ ACC ] STREAM LISTENING 46570 /run/user/1000/systemd/private
unix 2 [ ACC ] STREAM LISTENING 46581 /run/user/1000/bus
unix 2 [ ACC ] STREAM LISTENING 46582 /run/user/1000/gnupg/S.dirmngr
unix 2 [ ACC ] STREAM LISTENING 46583 /run/user/1000/gnupg/S.gpg-agent.browser
unix 2 [ ACC ] STREAM LISTENING 46584 /run/user/1000/gnupg/S.gpg-agent.extra
unix 2 [ ACC ] STREAM LISTENING 46585 /run/user/1000/gnupg/S.gpg-agent.ssh6. Display all listening and non-listening sockets
To show both listening and non listening TCP,UDP and UNIX sockets, use netstat -a
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:45361 0.0.0.0:* LISTEN
tcp 0 0 localhost:5939 0.0.0.0:* LISTEN
tcp 0 0 thehero:48964 mba01s07-in-f10.1:https ESTABLISHED
tcp 0 0 thehero:57532 185.64.189.112:https ESTABLISHED
tcp 0 0 localhost:45430 localhost:2222 ESTABLISHED
tcp 0 0 thehero:57044 104.21.21.42:https ESTABLISHED
tcp6 0 0 [::]:37641 [::]:* LISTEN
tcp6 0 0 [::]:sunrpc [::]:* LISTEN
tcp6 0 0 [::]:http [::]:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
udp 0 0 0.0.0.0:57311 0.0.0.0:*
udp 0 0 thehero:domain 0.0.0.0:*
udp 0 0 localhost:domain 0.0.0.0:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:42344 [::]:*
raw 0 0 0.0.0.0:icmp 0.0.0.0:* 7
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 27839 /run/libvirt/libvirt-sock
unix 2 [ ACC ] STREAM LISTENING 27841 /run/snapd.socket
unix 2 [ ACC ] STREAM LISTENING 27843 /run/snapd-snap.socket
unix 2 [ ACC ] STREAM LISTENING 27845 /run/uuidd/request
unix 2 [ ACC ] SEQPACKET LISTENING 1333 /run/udev/control
unix 5 [ ] DGRAM 1289 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 27847 /run/libvirt/virtlockd-sock7. Display all listening and non-listening TCP sockets
To show all listening and non listening TCP port connections, use netstat -at
netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:mysql 0.0.0.0:* LISTEN
tcp 0 0 localhost:2222 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:sunrpc 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:45361 0.0.0.0:* LISTEN
tcp 0 0 localhost:5939 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:nfs 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:37793 0.0.0.0:* LISTEN
tcp 0 0 localhost:33060 0.0.0.0:* LISTEN
tcp 0 0 thehero:36308 mba01s07-in-f3.1e:https TIME_WAIT
tcp 0 0 thehero:47206 172.67.196.98:https ESTABLISHED
tcp 130 0 thehero:49088 mba01s07-in-f10.1:https CLOSE_WAIT
tcp 0 0 thehero:41050 8.159.244.35.bc.g:https TIME_WAIT
tcp 0 0 thehero:37040 e2a.google.com:https ESTABLISHED
tcp 0 0 localhost:45430 localhost:2222 ESTABLISHED
tcp 0 0 thehero:59220 104.16.66.85:https ESTABLISHED
tcp 0 0 localhost:2222 localhost:45430 ESTABLISHED
tcp 0 0 thehero:34790 62.27.211.130.bc.:https TIME_WAIT
tcp 0 0 thehero:52334 1.80.190.35.bc.go:https TIME_WAIT
tcp 0 0 thehero:47674 99.201.186.35.bc.:https TIME_WAIT
tcp 0 0 thehero:60682 142.250.27.188:5228 ESTABLISHED8. Display all listening and non-listening UDP sockets
To show all listening and non listening UDP port connections, use netstat -au
netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:57311 0.0.0.0:*
udp 0 0 thehero:domain 0.0.0.0:*
udp 0 0 localhost:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 thehero:bootpc _gateway:bootps ESTABLISHED
udp 0 0 0.0.0.0:sunrpc 0.0.0.0:*
udp 0 0 0.0.0.0:37306 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 thehero:46051 104.21.21.42:443 ESTABLISHED
udp 0 0 224.0.0.251:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:nfs 0.0.0.0:*
udp 0 0 0.0.0.0:35537 0.0.0.0:*
udp6 0 0 [::]:sunrpc [::]:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:42344 [::]:*9. Display all listening and non-listening UNIX sockets
To show all listening and non listening UNIX port connections, use netstat -ax
netstat -ax
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 23241 /run/uuidd/request
unix 2 [ ACC ] STREAM LISTENING 23243 /run/libvirt/virtlockd-sock
unix 2 [ ACC ] STREAM LISTENING 23245 /run/libvirt/virtlockd-admin-sock
unix 2 [ ACC ] STREAM LISTENING 23247 /run/libvirt/virtlogd-sock
unix 2 [ ACC ] STREAM LISTENING 23249 /run/libvirt/virtlogd-admin-sock
unix 2 [ ACC ] STREAM LISTENING 23257 /run/libvirt/libvirt-admin-sock
unix 2 [ ACC ] SEQPACKET LISTENING 14866 /run/udev/control
unix 5 [ ] DGRAM 14822 /run/systemd/notify
unix 3 [ ] STREAM CONNECTED 109437
unix 3 [ ] SEQPACKET CONNECTED 49982
unix 3 [ ] STREAM CONNECTED 35923 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 28208 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 31165
unix 3 [ ] STREAM CONNECTED 110111
unix 3 [ ] STREAM CONNECTED 50115 10. Display the kernel routing tables
To display the kernel routing table, use netstat -r
netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 wlp2s0
link-local 0.0.0.0 255.255.0.0 U 0 0 0 virbr0
192.168.43.0 0.0.0.0 255.255.255.0 U 0 0 0 wlp2s0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr011. Display a table of all network interfaces
To show a table of all network interfaces with Maximum Transmission Unit (MTU) size, use netstat -i
netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
enp1s0 1500 0 0 0 0 0 0 0 0 BMU
lo 65536 5211 0 0 0 5211 0 0 0 LRU
virbr0 1500 0 0 0 0 0 0 0 0 BMU
wlp2s0 1500 18834 0 0 0 17991 0 0 0 BMRU12. Display Kernel Interface Table
netstat -i, when used with option -e it display additional information just like ifconfig command, use netstat -ie
netstat -ie
Kernel Interface table
enp1s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether dc:0e:a1:f3:05:c2 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5780 bytes 439891 (439.8 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5780 bytes 439891 (439.8 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
virbr0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.122.1 netmask 255.255.255.0 broadcast 192.168.122.255
ether 52:54:00:55:5a:f5 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.43.195 netmask 255.255.255.0 broadcast 192.168.43.255
inet6 fe80::65df:c8fe:b605:47f6 prefixlen 64 scopeid 0x20<link>
ether 74:e5:43:4a:3b:97 txqueuelen 1000 (Ethernet)
RX packets 22647 bytes 11081214 (11.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21897 bytes 5679196 (5.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 013. Display multicast group membership
To display information for IPv4 and IPv6, use netstat -g
netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 224.0.0.251
lo 1 all-systems.mcast.net
enp1s0 1 all-systems.mcast.net
wlp2s0 2 224.0.0.251
wlp2s0 1 all-systems.mcast.net
virbr0 1 224.0.0.251
virbr0 1 all-systems.mcast.net
virbr0 1 224.0.0.106
lo 1 ff02::fb
lo 1 ip6-allnodes
lo 1 ff01::1
enp1s0 1 ip6-allnodes
enp1s0 1 ff01::1
wlp2s0 1 ff02::1:ff05:47f6
wlp2s0 1 ff02::fb
wlp2s0 1 ip6-allnodes
wlp2s0 1 ff01::114. Print netstat information every second continuously
Use option -c to obtain netstat information in every second continuously, netstat -c
netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 thehero:45128 185.64.189.112:https ESTABLISHED
tcp 0 0 thehero:59684 mba01s07-in-f3.1e:https ESTABLISHED
tcp 0 0 thehero:52892 218.64.98.34.bc.g:https ESTABLISHED
tcp 0 0 thehero:54458 mba01s07-in-f10.1:https TIME_WAIT 15. Display summary statistics for each protocol
By default, the statistics displayed include TCP, UDP, IP and ICMP protocols. Use netstat -s
netstat -s
Ip:
Forwarding: 1
35807 total packets received
0 forwarded
0 incoming packets discarded
35740 incoming packets delivered
35383 requests sent out
20 outgoing packets dropped
3 dropped because of missing route
Icmp:
371 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
destination unreachable: 371
321 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 321
Tcp:
2732 active connection openings
0 passive connection openings
1763 failed connection attempts
304 connection resets received
6 connections established
19318 segments received
21918 segments sent out
282 segments retransmitted
31 bad segments received
2456 resets sent
Udp:
15941 packets received
321 packets to unknown port received
0 packet receive errors
13420 packets sent
0 receive buffer errors
0 send buffer errors
16. Display statistics by UDP protocol
To show statistics by UDP protocol only, use netstat -su
netstat -su
Udp:
18349 packets received
330 packets to unknown port received
0 packet receive errors
15313 packets sent
0 receive buffer errors
0 send buffer errors17. Display statistics by TCP protocol
To show statistics by TCP protocol only, use netstat -st
netstat -st
Tcp:
3312 active connection openings
0 passive connection openings
2214 failed connection attempts
339 connection resets received
5 connections established
22223 segments received
25251 segments sent out
344 segments retransmitted
33 bad segments received
2996 resets sent18. Display the PID and name of the program
To show the PID and name of the program to which each socket belongs, use netstat -p
netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 thehero:37700 ip23.67-202-110.s:https ESTABLISHED 3624/chrome --type=
tcp 0 0 thehero:56344 104.21.21.42:https TIME_WAIT -
tcp 0 0 thehero:52070 wb-in-f188.1e100.n:5228 ESTABLISHED 3624/chrome --type=
udp 0 0 thehero:55403 172.67.196.98:443 ESTABLISHED 3624/chrome --type=
udp 0 0 thehero:bootpc _gateway:bootps ESTABLISHED -
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 5 [ ] DGRAM 14822 - /run/systemd/notify
unix 2 [ ] DGRAM 42480 1813/systemd /run/user/1000/systemd/notify
unix 2 [ ] DGRAM 14850 - /run/systemd/journal/syslog
unix 18 [ ] DGRAM 14860 - /run/systemd/journal/dev-log
unix 9 [ ] DGRAM 14864 - /run/systemd/journal/socket
unix 2 [ ] DGRAM 31712 - /run/wpa_supplicant/wlp2s0
unix 3 [ ] SEQPACKET CONNECTED 49983 3214/chrome @0001119. Display unconfigured address families
To tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families, use netstat -v
netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 1 thehero:52190 5.113.199.20:https FIN_WAIT1
tcp 0 0 thehero:60312 5.98.18.50:https ESTABLISHED
tcp 0 0 thehero:57142 10.21.77.62:https ESTABLISHED
tcp 0 0 thehero:56462 mza01s07-in-f10.1:https ESTABLISHED
tcp 0 0 192.168.57.1:51514 osquery:ssh ESTABLISHED
tcp 0 93 thehero:43000 52.133.199.40:https FIN_WAIT1
tcp 0 1 thehero:35738 static.17.34.9.5.:https FIN_WAIT1
tcp 0 0 thehero:60436 52.134.74.217:https ESTABLISHED
tcp 0 0 thehero:34106 142.240.27.188:5228 ESTABLISHED
tcp 0 0 thehero:49206 52.113.215.7:https ESTABLISHED
tcp 0 1 thehero:40106 138.68.12.29:https SYN_SENT
...And that’s all about how to use netstat command in Linux/Unix system, refer netstat manual pages for more information.
man netstsat
or
info netstat
Other Tutorials
Reset Default Root Password on Request Tracker (RT)
Install Request Tracker (RT) on Ubuntu 20.04
Configure Nginx Reverse Proxy for Kibana
Install and Setup Wazuh Server with ELK Stack on Ubuntu 20.04
