Dec 132014

Of the several command line tools available to Linux administrators, netstat ranks among the most useful.

Netstat displays network connections for Transmission Control Protocol (incoming and outgoing), routing tables, and several network interface and network protocol statistics.

Although some Linux administrators are known to grumble that ss is a newer, better and faster tool performing similar chores, netstat still rules with the majority of Linux systems administrators including yours truly.

Besides helping to resolve networking issues, the other reason netstat is a valuable tool for Linux systems administrators is because it can serve as a first line of defense in identifying potentially hostile visitors harboring malicious intentions.

Besides Linux, netstat can be used on BSD, Windows XP, Windows Vista, Windows 7 and Windows 8 operating systems.

Netstat – Key Commands

The various options available for netstat are far too numerous to be detailed in full here.

In this post, we’ll consider the most important netstat commands. These are commands no Linux administrator can do without.

Display All Connections
$ netstat -a

Above command lists all connections from different protocols like tcp, udp and unix sockets

List Only TCP connections
$ netstat -at
List Only UDP Connections
$ netstat -au
Show IP Address without Reverse DNS lookup
$ netstat -ant
List All Listening Conditions
$ netstat -l
List Only Listening TCP Ports
$ netstat -lt
List only listening UDP Ports
$ netstat -lu
Display Summary Statistics
$ netstat -s

The above command spits out a wealth of information including total packets received, incoming packets delivered, active TCP connections, failed TCP connection attempts etc.

You can spend the better part of a day analyzing the output. 😉

To print out statistics of only select protocols like TCP or UDP use the corresponding options like t and u along with the s option.

Display Statistics for TCP
$ netstat -st
Display Statistics for UDP
$ netstat -su
Displays Domain Name Where Possible for IP Address
$ netstat -F
Display Only IP address
$ netstat -n

Above command will display output without resolving host, port and user name.

Get Netstat Output Continuously
$ netstat -c

The -c option can be combined with other netstat options like -t (see below).

$ netstat -ct
Displays TCP Connections Continuously
$ netstat -tcp

Above command will output TCP connections along with PID continuously.

Display Process Identifier (PID)
$ netstat -p

Above command adds PID/program name to output.

The -p option can be combined with other options (see below).

Show Service Name with PID Number
$ netstat -tp

Displays TCP Connections without Domain Names
$ netstat --tcp --numeric
List Only Listening TCP Connections
$ netstat -tnl
List Only listening UDP Connections
$ netstat -unl
List Process name/PID and User ID
$ sudo netstat -nlpt
Show Listening Connections of TCP with Process Information and Extended Information
$ sudo netstat -ltpe
Show Kernel’s Network Routing Table
$ netstat -r
Display Kernel Routing Information
$ netstat -rn

Above command will not resolve host names.

Print Network Interfaces
netstat -ie
Display all Open connections to a Specific Port
$ netstat -anp | grep ":"

Insert port no (above) in place of colon :

Show Active/Established Connections
$ netstat -atnp | grep ESTA
Get Continuous List of Active Connections
$ watch -d -n0 "netstat -atnp | grep ESTA"
Check if a Service is Running
$ sudo netstat -aple | grep ntp

You can substitute http, smtp for ntp

Netstat – Security Commands

There are some netstat commands that are more geared toward security than others.

In an era when attacks from both individuals or government agencies are common, it’s important to be au courant with a bunch of security netstat commands.

These commands are useful in identifying malicious visitors.

Here are a bunch of security-oriented netstat commands. Some of them are useful in bringing small-scale DOS attacks under control.

Display IPs with High Number of Connections
$ netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
IP Addresses Connected to Port 80
$ netstat -tn 2>/dev/null | grep ':80 ' | awk '{print $5}' |sed -e 's/::ffff://' | cut -f1 -d: | sort | uniq -c | sort -rn | head
Display Number of Active Connections on Port 80
$ netstat -an |grep :80 |wc -l
Displays Foreign IP Addresses Only
$ netstat -antu | grep :80 | grep -v LISTEN | awk '{print $5}'
Display Active SYNC_REC

The below command will output how many active SYNC_REC are occurring and happening on the server. The number should be low (less than 5). If the number is in double digits, you may be suffering a DoS attack or being mail bombed.

$ netstat -n -p|grep SYN_REC | wc -l
List Unique IP Addresses Sending SYN_REC Connection

Like the above command, this command too lists all unique IP addresses of the node that are sending SYN_REC connection status

$ netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
Connections Per Remote IP
$ netstat -antu | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n


$ netstat -antu | awk '$5 ~ /[0-9]:/{split($5, a, ":"); ips[a[1]]++} END {for (ip in ips) print ips[ip], ip | "sort -k1 -nr"}'
Check Open Ports (both ipv4 and ipv6)
$ netstat -plntu
Check Open Ports (both ipv4 and ipv6)
$ netstat -plnt
Number of Open Connections per IP
$ netstat -an | grep 80 | wc -l
Active Internet Connections
$ netstat -pnut -w | column -t -s $'\t'

Netstat – Bottom Line

Mastering netstat should be among your top priorities if you intend to be at the forefront of understanding networking and the security aspects of administering a web server.

My hope is that the various commands I’ve outlined above has piqued your interest into learning and mastering this valuable command line tool.

Go ahead, try a few of the above netstat commands on your Linux system.

Sorry, the comment form is closed at this time.