Netstat: Linux network information

If you use Linux (especially on a server) it is important to be able to have plenty of information at the tips of your fingers. This includes all types of information. One of the first places to look for for information is /var/log, however that can be cumbersome and doesn’t always give you the specific networking information you need.

There is one tool that is ready to hand you much of the networking information you will need from your server. That tool? Netstat. The netstat tool prints out (on the command line) information about the Linux networking subsystem. With this tool you can get valuable information about: Open sockets, routing tables,  multicast group membership, network interfaces, masqueraded connections, and protocol statistics. Each type of information can also be narrowed with the help of options.

In this article you will learn how to be able to make use of the netstat tool, so you can have as much networking information as you need at your fingertips.

Basic structure

The basic netstat command looks like:


Where ARGUMENT is the type of address family you want information about and OPTIONS is the optional option(s) that will specify the type of information you get returned.

Now let’s break this command down into address families.

Open Sockets

This is the easiest way to use netstat. If you issue the command without any arguments you will get a list of all sockets that are currently listening on a system. The output would look something like:

Proto RefCnt Flags Type       State         I-Node   Path
unix  3      [ ]   STREAM     CONNECTED     205824   /tmp/.X11-unix/X0
unix  3      [ ]   STREAM     CONNECTED     205823
unix  3      [ ]   STREAM     CONNECTED     203856   /tmp/.X11-unix/X0
unix  3      [ ]   STREAM     CONNECTED     203855

As you can see, from the output above, the information isn’t terribly useful. We can make it much more useful with a few options. What we want to do is tell netstat to give us output for specific applications that are listening for tcp connections. To do this we issue the command:

netstat –tcp –listening –programs

The output for this command would look something like:

Proto Recv-Q Send-Q Local Address Foreign Address Stat    PID/Program
tcp   0      0      *:ssh         *:*             LISTEN  25469/sshd
tcp   0      0      *:httpd       *:*             LISTEN  26754/httpd
tcp   0      0      localhost:ipp *:*             LISTEN  -

Now you can actually see some useful information. In the above output you can see that both sshd and httpd are listening for incoming connections. The above is just a snippet of what the output can look like. What is very handy about this command is it will show you if there is a command or local address listening for incoming connections that shouldn’t be listening. If you find an application that shouldn’t be listening, kill it to be safe.

Netstat is able to quickly print your machines’ kernel routing table with the command:

netstat -r

The output of this command will look like:

Kernel IP routing table
Destination  Gateway     Genmask         Flags   MSS Window  irtt Iface  *    U       0 0         0    eth0
default         UG      0 0         0    eth0


This is one of the handier of the netstat tools. With this you can find out exactly the statics for each protocol. The basic command structure is:

netstat –statistics

which will give you far more information than you want. Say, you only want to see statistics on the TCP protocol. For this you can issue the command:

netstat -t –statistics

The output to the above command will include information such as:

4343 active connections openings
8 passive connection openings
5 failed connection attempts
178 connection resets received
6 connections established
59075 segments received
60033 segments send out
76 segments retransmited
0 bad segments received.
303 resets sent

Or you could get information on UDP as well with the command:

netstat -u –statistics

Which would give you similar output for the UDP protocol.

Get creative

What if you wanted to see all unique IP addresses connected to a server? You can do that with netstat (and the help of a few other tools) like so:

netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

The output of the above command would depend upon how much traffic your machine/server is getting. But it will include all unique IP addresses attempting to connect to your server.

What about checking to see if your server is under a DOS attack? You can do that with netstat like this:
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command will list out the IP addresses requesting the highest amount of connections to your server. If you see a number that is far higher than it should be, you most likely are under a Denial of Service attack.



This entry was posted in Linux How-To. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *