≡ Menu

UNIX / Linux: 10 Netstat Command Examples

Netstat command displays various network related information such as network connections, routing tables, interface statistics, masquerade connections, multicast memberships etc.,

In this article, let us review 10 practical unix netstat command examples.

1. List All Ports (both listening and non listening ports)

List all ports using netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*                                

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

List all tcp ports using netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List all udp ports using netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

2. List Sockets which are in Listening State

List only listening ports using netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN
udp        0      0 *:49119                 *:*

List only listening TCP Ports using netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN

List only listening UDP Ports using netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:49119                 *:*
udp        0      0 *:mdns                  *:*

List only the listening UNIX Ports using netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6294     private/maildrop
unix  2      [ ACC ]     STREAM     LISTENING     6203     public/cleanup
unix  2      [ ACC ]     STREAM     LISTENING     6302     private/ifmail
unix  2      [ ACC ]     STREAM     LISTENING     6306     private/bsmtp

3. Show the statistics for each protocol

Show statistics for all ports using netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
Tcp:
    582 active connections openings
    2 failed connection attempts
    25 connection resets received
Udp:
    1183 packets received
    4 packets to unknown port received.
.....

Show statistics for TCP (or) UDP ports using netstat -st (or) -su

# netstat -st

# netstat -su

4. Display PID and program names in netstat output using netstat -p

netstat -p option can be combined with any other netstat option. This will add the “PID/Program Name” to the netstat output. This is very useful while debugging to identify which program is running on a particular port.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        1      0 ramesh-laptop.loc:47212 192.168.185.75:www        CLOSE_WAIT  2109/firefox
tcp        0      0 ramesh-laptop.loc:52750 lax:www ESTABLISHED 2109/firefox

5. Don’t resolve host, port and user name in netstat output

When you don’t want the name of the host, port or user to be displayed, use netstat -n option. This will display in numbers, instead of resolving the host name, port name, user name.

This also speeds up the output, as netstat is not performing any look-up.

# netstat -an

If you don’t want only any one of those three items ( ports, or hosts, or users ) to be resolved, use following commands.

# netsat -a --numeric-ports

# netsat -a --numeric-hosts

# netsat -a --numeric-users

6. Print netstat information continuously

netstat will print information continuously every few seconds.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:52564 101.11.169.230:www      CLOSING
tcp        0      0 ramesh-laptop.loc:43758 server-101-101-43-2:www ESTABLISHED
tcp        1      1 ramesh-laptop.loc:42367 101.101.34.101:www      CLOSING
^C

7. Find the non supportive Address families in your system

netstat --verbose

At the end, you will have something like this.

	netstat: no support for `AF IPX' on this system.
	netstat: no support for `AF AX25' on this system.
	netstat: no support for `AF X25' on this system.
	netstat: no support for `AF NETROM' on this system.

8. Display the kernel routing information using netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth2
link-local      *               255.255.0.0     U         0 0          0 eth2
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth2

Note: Use netstat -rn to display routes in numeric format without resolving for host-names.

9. Find out on which port a program is running

# netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        1      0 dev-db:ssh           101.174.100.22:39213        CLOSE_WAIT  -
tcp        1      0 dev-db:ssh           101.174.100.22:57643        CLOSE_WAIT  -

Find out which process is using a particular port:

# netstat -an | grep ':80'

10. Show the list of network interfaces

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
eth2       1500 0     26196      0      0 0         26883      6      0      0 BMRU
lo        16436 0         4      0      0 0             4      0      0      0 LRU

Display extended information on the interfaces (similar to ifconfig) using netstat -ie:

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:10:40:11:11:11
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:f6ae0000-f6b00000
Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • logoff March 29, 2010, 2:31 am

    my favourite netstat combination is sudo netstat -pnutl

    it needs sudo to see all the applications names, but it works without it, but shows less information

  • Athul March 29, 2010, 3:06 am

    Ramesh ,

    Good stuff . Thing I wanted to try out , but felt too lazy to read the man.

  • Commy April 6, 2010, 12:21 am

    Great stuff, so many things can be achieved by using netstat i.e ‘netstat -ie’ can be used in the place of ‘ifconfig ethX’ and ‘netstat -r’ in the place of ‘route -n’.

    Thanx Ramesh.

  • diptanu April 6, 2010, 1:25 am

    excellent article for network stuff specially the netsatat -pt and netstat -c..
    But would like to also know (if possible) the meaning of timer in netstat and how to interpret the same..In man page its showing (this needs to be written)
    Thanking you all again

  • hideaki May 6, 2010, 4:32 pm

    netstat is pretty archaic. You should be using /sbin/ss on Linux.

  • Prachi November 9, 2010, 11:33 pm

    what is the output of the following command:
    netstat -anp

  • Vimarsh January 17, 2011, 11:05 am

    netstat -l and netstat -p are not working on AIX. not sure about other flavors

  • Vimarsh January 17, 2011, 11:05 am

    $ netstat -p
    netstat: A flag requires a parameter: p
    usage: netstat [-Aan] [-f address_family] [core unix netinet addr]
    [-D]
    [-cCgimnrsPv] [-f address_family] [-p proto] [core unix netinet addr]
    [-n] [-I interface] [interval] [core unix netinet addr]
    $ uname
    AIX
    $ netstat -l
    netstat: Not a recognized flag: l
    usage: netstat [-Aan] [-f address_family] [core unix netinet addr]
    [-D]
    [-cCgimnrsPv] [-f address_family] [-p proto] [core unix netinet addr]
    [-n] [-I interface] [interval] [core unix netinet addr]
    $

  • Leon February 7, 2011, 3:02 pm

    i sometimes use the following command to see all active connections

    $netstat -atnp |grep ESTA

    or in realtime

    $watch -d -n0 “netstat -atnp |grep ESTA”

    cheers

  • Atul Khachanel May 5, 2011, 9:14 am

    Nice explanation on netstat 🙂

  • prathamesh June 14, 2011, 8:46 pm

    How you can add system time in netstat ? like system time .. netstat output..

  • vibhi June 29, 2011, 6:38 am

    explain netstat -plten

  • Dilip Bhapkar September 13, 2011, 8:37 am

    Overall Good site to brush Skill !! Well Gatering of information!!!

  • Abhijit January 3, 2012, 2:39 pm

    Awesome stuff !! Keep writing more Ramesh..

  • Adrian January 9, 2012, 9:20 am

    For a basic usage this is much better than reading the man page. Thank u very much!

  • Musab March 6, 2012, 10:07 am

    Dear Ramesh
    I cannot express my thanks and regards to you, what a beautiful work you are doing my friend.
    Don’t have any words to say
    Thanks a ton for helping us

  • mina April 22, 2012, 6:00 am

    that was great.thank u

  • venkata April 26, 2012, 3:13 pm

    Nice clarification on Netstat.

    Thanks

  • Mohamed April 30, 2012, 3:04 am

    Great stuff, thanks for sharing

    Thanks a lot

  • imtiyaj May 2, 2012, 4:51 am

    Thankx for perfect explanation

  • Vj May 2, 2012, 10:38 am

    Great stuff, pretty useful.
    I have one question, can someone please help?

    How do we find out the historic usage of a port.
    For example I want to know what all processes/pids connected to particular port in last 24 hours?

  • cven June 28, 2012, 4:40 am

    Pentastic , very much useful

  • Te July 1, 2012, 10:41 pm

    Below is the output of the netstat command with -n & -r options in which the destination field shows compacted address (127.1/16). I wanted to know that is there any way or options available to netstat command to display entire Destination IP (127.1.0.0/16) rather than (127.1/16) ?

    #netstat -r -n
    Destination Gateway Flags Refs Use Mtu Interface
    127.0.0.1 127.0.0.1 UH 110 296172 33212 lo0
    127.1/16 link#7 UC 2 0 – vlan10

    Plz Suggest….

  • Iranna G October 27, 2012, 1:43 am

    Very informative article. Thanks.

  • sri December 8, 2012, 2:20 pm

    I have output of netstat -nr as below
    161.129/28 161.131.208.1 UG 0 534925 en1 – –
    what does 161.129/28 mean ? Please clarify

  • kel December 30, 2012, 9:12 pm

    hi,guys,very good article,but could you plz explain the output of netstat
    for exapmle,the netstat -tunlp
    there have some port dont have pid and program name,so ,tell me why
    thanks~

  • vimal January 2, 2013, 10:21 am

    Awesome Unix stuff……Superb……

  • Sanjay K January 20, 2013, 11:14 pm

    What is the TIME_WAIT in netstat output ?

  • sai February 4, 2013, 11:26 pm

    Great article ty for your efforts in making such an understandable article..

  • steve March 22, 2013, 2:00 am

    this is great but misses a critical point… it is not enough to know the commands or visualize the output from those commands. Critical is to be able to interpret the meaning & impact of the intelligence

    Q: is there a tutorial on this?

  • VasudevanRao April 8, 2013, 11:44 pm

    Hi,

    Wonderful and awesome Linux-Unix examples.

    Vasu Rao

  • Mayur April 19, 2013, 6:09 am

    i have thousands of zipped tarfiles( ab.tar.gz, km.tar.gz,.. etc) in a directory named say dir1 .now i want to find all files (along with path) in zipped tar files in which a particular word say ‘mayur’ is existing.

    Which command we should use!!!

  • Ashish June 16, 2013, 6:15 pm

    @Mayur

    You can just zgrep mayur /path

  • Harish August 18, 2013, 10:50 pm

    Very good stuff…….Thank u..

  • duskoKoscica December 6, 2013, 6:22 am

    Interesting story, but in Windows some things could be hidden beyond the reach of this netstat thing.
    How is it with Linux things.

  • shanthan January 26, 2014, 9:28 am

    I use netstat to check if the pythonscript is completely stoped check the port is listening and getting traffic, i need to make sure traffic is zero before starting the script. if not it iwll not start properly.
    netatat -l | grep 1000 | wc -l
    1000 is port and wc -l counts the traffic.

  • Anonymous June 25, 2014, 3:33 am

    God Bless you Ramesh

  • Any July 3, 2014, 11:50 pm

    netstat -tunap|grep vsftpd

    or

    netstat -tunap|grep Port

  • Lalu July 30, 2015, 4:45 am

    Awesome Article about netstat.Thank you so much

  • Ricardo Altares May 19, 2016, 4:49 pm

    Great and helpful hints

  • Meena March 15, 2017, 7:30 am

    Hi all,
    How to check packet loss with in Linux box?

  • siva May 9, 2017, 8:57 am

    have a question here !!

    how to check the process id with the port number in linux and AIX?

    cat /proc/sys/kernel/threads-max what is the need of this file and if i change the value ,will it require reboot to reflect to process the jobs?

  • Madhavi ala July 28, 2017, 11:49 am

    Excellent tutorial for Netstat commands