netstat command in Linux | Linux netstat command

In this blog, we will learn about the netstat command, which is commonly used for networking tasks. Networking is one of the important tasks in Linux, so let us see what we can achieve with the help of the netstat command. Let's get started.

Introduction

The netstat command is a network utility tool available in Linux and other operating systems. It is used to display various network-related information, such as active network connections, listening ports, routing tables, and network interface statistics.

Linux command “netstat” stands for Network Statistics. It provides data on various interface characteristics, such as open sockets, routing tables, and connection details.

Additionally, it can display every socket connection, including TCP and UDP connections. Along with the sockets that are already connected, it also shows the sockets that are waiting for a connection (listening). For network and system administrators, it is a useful tool.

Use of netstat command

The command "netstat" can be helpful for various network-related tasks, such as:

Checking active connections:

You can use netstat to view the currently established network connections on your system. This can be useful for troubleshooting network issues or identifying unauthorized connections.

Monitoring listening ports:

netstat allows you to see which ports on your system are open and actively listening for incoming connections. This is helpful for understanding which services or applications are running and accessible from the network.

Examining network statistics:

Using the -s option, netstat can provide detailed network statistics for various protocols, such as TCP, UDP, ICMP, and IP. It can show information like the number of packets transmitted and received, errors, retransmissions, and more.

Analyzing routing tables:

The -r option displays the kernel routing table, which shows how network traffic is directed between different networks and gateways. This can be useful for diagnosing routing problems or understanding the network topology.

It’s worth noting that while netstat has been widely used in the past, it has been deprecated in many Linux distributions. The ss command (socket statistics) is often recommended as a replacement due to its improved performance and functionality. However, netstat is still available on many systems and can be used effectively for basic network monitoring and troubleshooting tasks.

Installation of netstat tool

In Linux, netstat is not a built-in tool, so we first have to install the net-tools package with this command.

$ sudo apt install net-tools

All Options for netstat Command

Some options you need to remember:

a) -t: Shows TCP connections.

b) -u: Shows UDP connections.

c) -n: Shows IP addresses and port numbers in numerical format instead of resolving them to hostnames and service names.

d) -a: Displays all active connections and listening ports. This option shows both TCP and UDP connections.

e) -p: Shows the process ID and program name associated with each connection.

Example:

$ netstat -putan | grep 192.168.0.105

tcp        0      0 192.168.0.105:55998     142.250.192.74:443      ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:58004     50.16.8.31:443          ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:50610     172.217.167.163:443     ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:34284     172.217.27.206:443      ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:58862     172.217.194.188:5228    ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:47798     142.250.183.130:443     ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:52584     45.115.185.136:443      ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:59212     142.251.42.10:443       ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:56666     3.217.133.181:443       ESTABLISHED 5616/chrome --type= 
tcp        0      0 192.168.0.105:34098     172.67.207.105:443      ESTABLISHED 5616/chrome --type= 
tcp        0      1 192.168.0.105:36062     142.250.199.164:443     LAST_ACK    -                   

B) To see all the Listening Ports:

The -l option shows all the listening ports. The output is divided into two parts:

a) Active Internet connections: These are the network (TCP and UDP) sockets, used for connections at the Internet level, outside the server.

b) Active UNIX domain sockets: These are the local sockets, used for connections at the server level, between processes inside the server.

$ netstat -l

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:7070            0.0.0.0:*               LISTEN     
tcp        0      0 localhost:27017         0.0.0.0:*               LISTEN     
tcp        0      0 localhost:6379          0.0.0.0:*               LISTEN     
               7          
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     57570    /run/user/1000/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     57575    /run/user/1000/bus
unix  2      [ ACC ]     STREAM     LISTENING     57576    /run/user/1000/gnupg/S.dirmngr
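Whether a listener is reachable from the network depends on its local address: 0.0.0.0 or :: means every interface, while 127.0.0.1 or ::1 means loopback only. The following is an added example, not part of the original article, that classifies listeners from numeric (-n) netstat output; the function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): bind scope of each listening socket.

# classify_listeners: read `netstat -tuln` (or -tuan) output on stdin and print
# "SCOPE PROTO ADDRESS PORT" per listener. SCOPE is EXPOSED (all interfaces),
# LOCAL (loopback only) or BOUND (one specific non-loopback address).
# Requires -n: resolved names such as localhost:mysql cannot be classified.
classify_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 != "LISTEN"      { next }  # TCP: keep listeners only
    $1 ~ /^udp6?$/ && $6 == "ESTABLISHED" { next }  # UDP has no LISTEN state
    $1 ~ /^(tcp|udp)6?$/ {
        la = $4
        i = match(la, /:[^:]*$/)          # last colon, so ::1:631 splits correctly
        addr = substr(la, 1, i - 1); port = substr(la, i + 1)
        gsub(/^\[|\]$/, "", addr)         # strip brackets if present: [::]
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "EXPOSED"
        else if (addr ~ /^127\./ || addr == "::1")            scope = "LOCAL"
        else                                                  scope = "BOUND"
        print scope, $1, addr, port
    }'
}

# Constructed sample, modelled on the listeners shown above but in numeric form.
sample_netstat() { cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7070            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.105:55998     192.0.2.10:443          ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
EOF
}

# Report for the sample; on a live host run: netstat -tuln | classify_listeners
sample_netstat | classify_listeners | sort
```

Every EXPOSED row is a service that should either be intended for network access and covered by a firewall rule, or be rebound to loopback.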

C) To see the IPv6 Address Connection

$ netstat -a6 | more

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN     
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 ip6-localhost:6379      [::]:*                  LISTEN     
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN     
udp6       0      0 [::]:34015              [::]:*                             
udp6       0      0 [::]:mdns               [::]:*                             
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7          

D) To see the routing table

It is used to display the kernel routing table which includes destination, gateway, genmask, and interface.

$ netstat -ar | more

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 wlo1
link-local      0.0.0.0         255.255.0.0     U         0 0          0 wlo1
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlo1

E) To see all the network interfaces

The -i option displays the kernel interface table, which lists all the network interfaces.

$ netstat -ai | more

Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
docker0   1500        0      0      0 0             0      0      0      0 BMU
eno1      1500        0      0      0 0             0      0      0      0 BMU
lo       65536     4130      0      0 0          4130      0      0      0 LRU
wlo1      1500   386033      0      0 0        188297      0      0      0 BMRU

F) To see all the statistics

The -s option shows summary statistics grouped by protocol (IP, ICMP, TCP, and so on).

$ netstat -s | more

Ip:
    Forwarding: 1
    358054 total packets received
    1 with invalid headers
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    352918 incoming packets delivered
    192633 requests sent out
    20 outgoing packets dropped
Icmp:
    358 ICMP messages received
    39 input ICMP message failed
    ICMP input histogram:
        destination unreachable: 355
        timeout in transit: 3
    225 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 225
IcmpMsg:
        InType3: 355
        InType11: 3
        OutType3: 225
Tcp:
    1451 active connection openings
    0 passive connection openings
    73 failed connection attempts
    92 connection resets received
    14 connections established
    256349 segments received
    132592 segments sent out
    1328 segments retransmitted
    82 bad segments received
    567 resets sent

Disadvantage

While the netstat command can be useful for network analysis and troubleshooting, it also has a few disadvantages:

Limited functionality:

It provides basic network information, but it lacks some advanced features and filtering options. For more detailed and specific network analysis, other tools like tcpdump or wireshark may be more appropriate.

Deprecation:

It has been deprecated in many Linux distributions, meaning it may not receive further updates or improvements. Newer tools like ss (socket statistics) are recommended as replacements, as they offer better performance and more features.

Lack of real-time monitoring:

It provides a snapshot of the network connections at the time it is executed. It doesn’t offer real-time monitoring capabilities, so you can’t see dynamic changes in network activity or track connections as they are established or terminated.

Incomplete process information:

While netstat can display the process ID (PID) and program name associated with a network connection using the -p option, it may not always provide comprehensive process information. This is because some connections may be owned by system processes or kernel threads, which may not be easily identifiable by their program name alone.

Limited support for IPv6:

Although netstat can display IPv6 connections, it may not provide the same level of detail and support as it does for IPv4 connections. Some options or information may not be available or may not be as well-documented for IPv6.

Output complexity:

The output of netstat can be quite verbose and may require further parsing or filtering to extract specific information. This can make it challenging to quickly analyze the output, especially in situations where a large number of connections or processes are involved.

Considering these limitations, it’s recommended to explore alternative tools like ss, tcpdump, nmap, or specialized network monitoring software for more comprehensive network analysis and monitoring needs.
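Because netstat only gives a snapshot and its output needs parsing, one workable approach on hosts where it is the available tool is to save two snapshots and compare them. The following is an added example, not part of the original article; the function names, addresses (documentation ranges) and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): diff two netstat snapshots.
export LC_ALL=C   # sort and comm must agree on collation

# conn_keys: reduce `netstat -putan` output on stdin to "remote:port pid/program",
# one line per established TCP peer. The local ephemeral port is ignored on
# purpose, so a reconnect to the same peer is not reported as new.
conn_keys() {
    awk '$1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
        owner = ($7 == "" ? "-" : $7)  # field 7 is PID/Program; argv residue follows it
        print $5, owner
    }' | sort -u
}

# new_connections BEFORE AFTER: print keys present only in the AFTER snapshot file.
new_connections() {
    b=$(mktemp) a=$(mktemp)
    conn_keys < "$1" > "$b"; conn_keys < "$2" > "$a"
    comm -13 "$b" "$a"
    rm -f "$b" "$a"
}

# Constructed sample snapshots (documentation address ranges, invented PIDs).
snapshot_before() { cat <<'EOF'
tcp        0      0 192.168.0.105:55998     192.0.2.10:443          ESTABLISHED 5616/chrome --type=
tcp        0      0 192.168.0.105:58004     198.51.100.20:443       ESTABLISHED 5616/chrome --type=
tcp        0      0 0.0.0.0:7070            0.0.0.0:*               LISTEN      812/java
EOF
}
snapshot_after() { cat <<'EOF'
tcp        0      0 192.168.0.105:41022     192.0.2.10:443          ESTABLISHED 5616/chrome --type=
tcp        0      0 192.168.0.105:58004     198.51.100.20:443       ESTABLISHED 5616/chrome --type=
tcp        0      0 192.168.0.105:39914     203.0.113.7:8443        ESTABLISHED 7301/python3
tcp        0      1 192.168.0.105:36062     198.51.100.20:443       LAST_ACK    -
EOF
}

demo() {
    f1=$(mktemp) f2=$(mktemp)
    snapshot_before > "$f1"; snapshot_after > "$f2"
    new_connections "$f1" "$f2"
    rm -f "$f1" "$f2"
}
demo   # live host: netstat -putan > before.txt, wait, netstat -putan > after.txt
```

Run netstat with sudo when taking the snapshots; without it the PID/Program column shows "-" for sockets owned by other users.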

By Vivek Maurya

Write blogs related to Ethical hacking, Computer networks, Linux, Penetration testing and Web3 Security.
