Netstat Introduction
Netstat is a command-line tool that lists all network socket connections on the system, including TCP, UDP, and UNIX sockets. It can also list sockets in the listening state (that is, waiting for incoming requests). If you want to confirm whether the web service on the system is up, you can check whether port 80 is open. These features make Netstat an essential tool for network and system administrators. In this tutorial, I'll show you a few examples of how to use Netstat to find network connection information and the ports that are open on the system.
The following is the brief description from the netstat man page:
netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
1. List all connections
The first command is the simplest one: list all current connections. Use the -a option.
    $ netstat -a
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 enlightened:domain      *:*                     LISTEN
    tcp        0      0 localhost:ipp           *:*                     LISTEN
    tcp        0      0 enlightened.local:54750 li240-5.members.li:http ESTABLISHED
    tcp        0      0 enlightened.local:49980 del01s07-in-f14.1:https ESTABLISHED
    tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN
    udp        0      0 enlightened:domain      *:*
    udp        0      0 *:bootpc                *:*
    udp        0      0 enlightened.local:ntp   *:*
    udp        0      0 localhost:ntp           *:*
    udp        0      0 *:ntp                   *:*
    udp        0      0 *:58570                 *:*
    udp        0      0 *:mdns                  *:*
    udp        0      0 *:49459                 *:*
    udp6       0      0 fe80::216:36ff:fef8:ntp [::]:*
    udp6       0      0 ip6-localhost:ntp       [::]:*
    udp6       0      0 [::]:ntp                [::]:*
    udp6       0      0 [::]:mdns               [::]:*
    udp6       0      0 [::]:63811              [::]:*
    udp6       0      0 [::]:54952              [::]:*
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  2      [ ACC ]     STREAM     LISTENING     12403    @/tmp/dbus-idgfj3ugxx
    unix  2      [ ACC ]     STREAM     LISTENING     40202    @/dbus-vfs-daemon/socket-6nuc6ccx
The preceding command lists all connections for all sockets under the TCP, UDP, and UNIX protocols. However, this information is not detailed enough, and administrators often need to look at the connections for a specific protocol or port.
2. List only connections for TCP or UDP protocols
Use the -t option to list the connections for the TCP protocol:
    $ netstat -at
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 enlightened:domain      *:*                     LISTEN
    tcp        0      0 localhost:ipp           *:*                     LISTEN
    tcp        0      0 enlightened.local:36310 del01s07-in-f24.1:https ESTABLISHED
    tcp        0      0 enlightened.local:45038 a96-17-181-10.depl:http ESTABLISHED
    tcp        0      0 enlightened.local:37892 Abts-north-static-:http ESTABLISHED
    .....
Use the -u option to list the connections for the UDP protocol:
    $ netstat -au
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp        0      0 *:34660                 *:*
    udp        0      0 enlightened:domain      *:*
    udp        0      0 *:bootpc                *:*
    udp        0      0 enlightened.local:ntp   *:*
    udp        0      0 localhost:ntp           *:*
    udp        0      0 *:ntp                   *:*
    udp6       0      0 fe80::216:36ff:fef8:ntp [::]:*
    udp6       0      0 ip6-localhost:ntp       [::]:*
    udp6       0      0 [::]:ntp                [::]:*
The output above shows both IPv4 and IPv6 connections.
3. Disable reverse Domain name resolution to speed up query
By default, Netstat tries to find the host name for each IP address with a reverse DNS lookup. This slows down the output. If the IP address is sufficient and you do not need to know the host name, use the -n option to disable name resolution.
    $ netstat -ant
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.2:49058       173.255.230.5:80        ESTABLISHED
    tcp        0      0 192.168.1.2:33324       173.194.36.117:443      ESTABLISHED
    tcp6       0      0 ::1:631                 :::*                    LISTEN
The above command lists all TCP connections without resolving names. Easy, isn't it? Very good.
4. List only listening connections
The background process of any network service opens a port and listens on it for incoming requests. Netstat can list these listening sockets just as it lists connected ones. Use the -l option to list the sockets that are listening.
    $ netstat -tnl
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
    tcp6       0      0 ::1:631                 :::*                    LISTEN
Now we can see the TCP ports and connections in the listening state. To see all listening ports, remove the -t option. If you only want to view UDP ports, use the -u option instead of the -t option.
Note: Do not use the -a option, otherwise netstat will list all connections, not just the listening ports.
5. Get the process name, process number, and user ID
When viewing port and connection information, it is very helpful for system administrators to be able to see the corresponding process names and process numbers. For example, Apache's httpd service opens port 80, and if you want to see whether the HTTP service has been started, or whether it was started by Apache or Nginx, you can look at the process name.
Use the -p option to view process information.
    ~$ sudo netstat -nlpt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      1144/dnsmasq
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      661/cupsd
    tcp6       0      0 ::1:631                 :::*                    LISTEN      661/cupsd
When using the -p option, netstat must be run as root; otherwise it cannot get the names of processes running as root, and many services, including HTTP and FTP, run with root privileges.
Seeing the owner of a process is even more useful than the process name and process number alone. Use the -ep option to view both the process name and the user name.
    $ sudo netstat -ltpe
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
    tcp        0      0 enlightened:domain      *:*                     LISTEN      root       11090       1144/dnsmasq
    tcp        0      0 localhost:ipp           *:*                     LISTEN      root       9755        661/cupsd
    tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN      root       9754        661/cupsd
The above lists the listening TCP sockets, displaying both process information and some additional information. The additional information includes the user name and the inode number. This command is useful for network management.
Note: If you use the -n and -e options together, the User column shows the numeric user ID, not the user name.
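An added example (not part of the original tutorial) that combines the -t, -n, -l, -p and -e options from sections 3 to 5 to show which listening services are bound to loopback only and which are reachable from the network. The function names and the sample lines are constructed for illustration; with -n the User column is a numeric UID, as noted above.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.
# Input: output of `netstat -tnlpe` (numeric addresses, numeric UID in the
# User column, PID/Program name last). Run as root to see every program name.

# Print "<scope> <port> <uid> <pid/program>" for each listening TCP socket.
# scope is "loopback" (127.x.x.x or ::1) or "exposed" (any other bind address,
# including the wildcards 0.0.0.0 and ::).
audit_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        addr = $4
        n = match(addr, /:[0-9]+$/)          # the port follows the last colon
        if (n == 0) next
        host = substr(addr, 1, n - 1)
        port = substr(addr, n + 1)
        scope = (host ~ /^127\./ || host == "::1") ? "loopback" : "exposed"
        print scope, port, $7, $9            # $9 is "-" if the process is unknown
    }'
}

# Keep only network-reachable listeners owned by UID 0: "<port> <pid/program>".
exposed_root_listeners() {
    audit_listeners | awk '$1 == "exposed" && $3 == 0 { print $2, $4 }'
}

# Constructed sample input (the 8080, 8443 and 22 lines are invented).
sample_listeners() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp        0      0 127.0.1.1:53       0.0.0.0:*  LISTEN  0     11090  1144/dnsmasq
tcp        0      0 127.0.0.1:631      0.0.0.0:*  LISTEN  0     9755   661/cupsd
tcp        0      0 0.0.0.0:8080       0.0.0.0:*  LISTEN  0     20001  2100/exampled
tcp        0      0 192.168.1.2:8443   0.0.0.0:*  LISTEN  1000  20002  2200/devserver
tcp6       0      0 ::1:631            :::*       LISTEN  0     9754   661/cupsd
tcp6       0      0 :::22              :::*       LISTEN  0     20003  2300/sshd
EOF
}

sample_listeners | exposed_root_listeners
# On a live system: sudo netstat -tnlpe | exposed_root_listeners
```

Listeners reported as exposed are the ones to compare against the firewall rules and the list of services the host is supposed to offer.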
6. Print statistical data
Netstat can print network statistics, including the number of packets handled per protocol.
The statistics for all network packets are listed below:
    $ netstat -s
    Ip:
        32797 total packets received
        0 forwarded
        0 incoming packets discarded
        32795 incoming packets delivered
        29115 requests sent out
        outgoing packets dropped
    Icmp:
        ICMP messages received
        0 input ICMP message failed.
        ICMP input histogram:
            destination unreachable: 125
        ICMP messages sent
        0 ICMP messages failed
        ICMP output histogram:
            destination unreachable: 125
    ... OUTPUT TRUNCATED ...
If you want to print only the statistics for the TCP or UDP protocol, just add the corresponding option (-t or -u). So easy.
7. Displaying kernel routing information
Use the -r option to print kernel routing information. The information printed is the same as the output of the route command. We can also use the -n option to disable name resolution.
    $ netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
8. Print network interfaces
Netstat can also print network interface information. The -i option is for this function.
    $ netstat -i
    Kernel Interface table
    Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0   1500   0   31611      0      0      0    27503      0      0      0 BMRU
    lo    65536   0    2913      0      0      0     2913      0      0      0 LRU
The above output is fairly raw. Use the -e option together with the -i option to get more user-friendly output.
    $ netstat -ie
    Kernel Interface table
    eth0      Link encap:Ethernet  HWaddr 00:16:36:f8:b2:64
              inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::216:36ff:fef8:b264/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:31682 errors:0 dropped:0 overruns:0 frame:0
              TX packets:27573 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:29637117 (29.6 MB)  TX bytes:4590583 (4.5 MB)
              Interrupt:18 Memory:da000000-da020000

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:2921 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2921 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:305297 (305.2 KB)  TX bytes:305297 (305.2 KB)
The above output information is the same as the ifconfig output.
9. Netstat continuous output
Use the -c option to make Netstat print its output continuously.
    $ netstat -ct
This command keeps printing TCP connection information.
10. Displaying multicast group information
The -g option prints multicast group information for IPv4 and IPv6.
    $ netstat -g
    IPv6/IPv4 Group Memberships
    Interface       RefCnt Group
    --------------- ------ ---------------------
    lo              1      all-systems.mcast.net
    eth0            1      224.0.0.251
    eth0            1      all-systems.mcast.net
    lo              1      ip6-allnodes
    lo              1      ff01::1
    eth0            1      ff02::fb
    eth0            1      ff02::1:fff8:b264
    eth0            1      ip6-allnodes
    eth0            1      ff01::1
    wlan0           1      ip6-allnodes
    wlan0           1      ff01::1
More usage
So far we have covered the basic usage of netstat. Now let's go geek together.
Print active connections
Active socket connections are shown with the state "ESTABLISHED", so we can use the grep command to pick out the active connections:
    $ netstat -atnp | grep ESTA
    (Not all processes could be identified, non-owned process info
     will not be shown, you would have to be root to see it all.)
    tcp        0      0 192.168.1.2:49156       173.255.230.5:80        ESTABLISHED 1691/chrome
    tcp        0      0 192.168.1.2:33324       173.194.36.117:443      ESTABLISHED 1691/chrome
To monitor the active connections continuously, use the watch command:
    $ watch -d -n0 "netstat -atnp | grep ESTA"
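The grep above matches the string ESTA anywhere in a line; the following added example (not part of the original tutorial) filters on the State column instead and counts connections per program and remote address. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.
# Input: output of `netstat -atnp`.

# Count ESTABLISHED TCP connections per (program, remote address) pair.
# Matching the State column exactly avoids hits on "ESTA" elsewhere in a line.
# Output: "<count> <pid/program> <remote address>", busiest pair first.
established_summary() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
        peer = $5
        sub(/:[0-9]+$/, "", peer)            # drop the remote port
        count[$7 " " peer]++
    }
    END { for (k in count) print count[k], k }' |
    LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample input, modelled on the output shown above.
sample_connections() {
    cat <<'EOF'
tcp        0      0 127.0.0.1:631       0.0.0.0:*           LISTEN      -
tcp        0      0 192.168.1.2:49156   173.255.230.5:80    ESTABLISHED 1691/chrome
tcp        0      0 192.168.1.2:49157   173.255.230.5:80    ESTABLISHED 1691/chrome
tcp        0      0 192.168.1.2:33324   173.194.36.117:443  ESTABLISHED 1691/chrome
tcp        0      0 192.168.1.2:40112   173.255.230.5:80    TIME_WAIT   -
EOF
}

sample_connections | established_summary
# On a live system: sudo netstat -atnp | established_summary
```

A program that suddenly holds many connections to one remote address, or a program name you do not recognise, is the kind of entry to look at first.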
Check whether a service is running
If you want to see whether the HTTP, SMTP or NTP service is running, use grep.
    $ sudo netstat -aple | grep ntp
    udp        0      0 enlightened.local:ntp   *:*                                 root       17430       1789/ntpd
    udp        0      0 localhost:ntp           *:*                                 root       17429       1789/ntpd
    udp        0      0 *:ntp                   *:*                                 root       17422       1789/ntpd
    udp6       0      0 fe80::216:36ff:fef8:ntp [::]:*                              root       17432       1789/ntpd
    udp6       0      0 ip6-localhost:ntp       [::]:*                              root       17431       1789/ntpd
    udp6       0      0 [::]:ntp                [::]:*                              root       17423       1789/ntpd
    unix  2      [ ]         DGRAM                    17418    1789/ntpd
From here you can see that the NTP service is running. Using the grep command you can view HTTP or SMTP or any other service you want to see.
Well, most of Netstat's features have now been introduced. If you want to learn about its more advanced features, read the manual (man netstat).