Back to Commands

netstat

networkingLinux/Unix
The netstat command is one of the most frequently used commands in Linux/Unix-like operating systems. netstat Display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
See ExamplesView Syntax

Quick Reference

Command Name:

netstat

Category:

networking

Platform:

Linux/Unix

Basic Usage:

netstat [options] [arguments]

Common Use Cases

    Syntax

    netstat [options]

    Options

    Option Description
    -a, --all Show all sockets (default: connected)
    -A, --protocol=FAMILY Show sockets of specified protocol family (e.g., inet, unix)
    -c, --continuous Continuous listing
    -C, --cache Show routing cache instead of FIB
    -e, --extend Show detailed information
    -F, --fib Show Forwarding Information Base (default)
    -g, --groups Show multicast group memberships
    -i, --interfaces Show network interfaces
    -l, --listening Show only listening sockets
    -M, --masquerade Show masqueraded connections
    -n, --numeric Don't resolve names
    -N, --symbolic Resolve hardware names
    -o, --timers Show timers
    -p, --programs Show PID/Program name for sockets
    -r, --route Show routing table
    -s, --statistics Show networking statistics (like SNMP)
    -t, --tcp Show only TCP sockets
    -u, --udp Show only UDP sockets
    -v, --verbose Be verbose
    -V, --version Display version information and exit
    -w, --raw Show only RAW sockets
    -x, --unix Show only Unix domain sockets
    -Z, --context Show SELinux security context for sockets

    Output Symbols in Netstat:

    Symbol Meaning
    Proto Protocol (TCP, UDP, etc.)
    Recv-Q Data received by the application but not yet read
    Send-Q Data sent by the application but not yet acknowledged by the remote host
    Local Address Local address and port number
    Foreign Address Remote address and port number
    State The state of the socket (ESTABLISHED, LISTEN, etc.)
    PID/Program name Process ID and name of the program using the socket

    Common Socket States:

    State Description
    ESTABLISHED The socket has an established connection
    SYN_SENT The socket is actively attempting to establish a connection
    SYN_RECV A connection request has been received from the network
    FIN_WAIT1 The socket is closed, and the connection is shutting down
    FIN_WAIT2 Connection is closed, and the socket is waiting for a shutdown from the remote end
    TIME_WAIT The socket is waiting after close to handle packets still in the network
    CLOSE The socket is not being used
    CLOSE_WAIT The remote end has shut down, waiting for the socket to close
    LAST_ACK The remote end has shut down, and the socket is closed. Waiting for acknowledgement
    LISTEN The socket is listening for incoming connections
    CLOSING Both sockets are shut down but we still don't have all our data sent
    UNKNOWN The state of the socket is unknown

    Examples

    How to Use These Examples

    The examples below show common ways to use the netstat command. Try them in your terminal to see the results. You can copy any example by clicking on the code block.

    # Basic Examples Basic
    netstat
    Display a list of open sockets.
    netstat -a
    Show all sockets (including listening sockets).
    # Advanced Examples Advanced
    netstat -tulpn Display TCP and UDP connections with numerical addresses and the PID/program name. netstat -r Display the kernel routing tables. netstat -ie Display interface statistics (similar to ifconfig). netstat -s Show statistics for each protocol. netstat -c Continuously display network information. netstat -at Show only TCP connections. netstat -au Show only UDP connections. netstat -l Show only listening sockets. netstat -o Display timer information. netstat -n Show numerical addresses instead of trying to resolve hostnames. netstat -p Show the PID and name of the program to which each socket belongs. netstat -anp | grep :80 Find which process is using port 80. netstat -anp | grep ESTABLISHED Show all established connections with PID/program name.

    Try It Yourself

    Practice makes perfect! The best way to learn is by trying these examples on your own system with real files.

    Understanding Syntax

    Pay attention to the syntax coloring: commands, options, and file paths are highlighted differently.

    Notes

    The netstat (network statistics) command is a versatile networking tool used for monitoring network connections, interface statistics, routing tables, and more. It provides system administrators and network engineers with a comprehensive view of network-related information on a system, making it invaluable for troubleshooting connectivity issues, monitoring network traffic, and understanding how applications interact with the network. Key features of the netstat command: 1. Connection Monitoring: netstat displays active TCP connections, allowing users to see which applications are communicating over the network, what remote addresses they're connecting to, and the state of those connections. 2. Port Usage: It shows which ports are in use and which processes are using them, helping identify applications that might be conflicting for the same port or potentially malicious software listening on unexpected ports. 3. Routing Information: With the -r option, netstat displays the kernel routing table, showing how network traffic is directed between different networks and interfaces. 4. Interface Statistics: The -i option provides statistics for network interfaces, including packet counts, errors, and drops, which can help diagnose hardware or driver issues. 5. Protocol Statistics: Using the -s option, netstat shows detailed statistics for each protocol (TCP, UDP, ICMP, etc.), useful for analyzing network performance and identifying anomalies. 6. Multicast Group Information: The -g option displays multicast group membership information, important for troubleshooting multicast applications. 7. Process Information: With the -p option (requiring root privileges), netstat can show which processes are associated with specific network connections, making it easier to identify what applications are generating network traffic. Common use cases for netstat include: - Troubleshooting connectivity issues by examining active connections and their states - Identifying applications that are using specific network ports - Monitoring network traffic patterns - Checking for unexpected or unauthorized network connections - Verifying proper routing configuration - Diagnosing network interface problems - Analyzing protocol-specific issues - Security auditing to identify potentially suspicious network activity While netstat remains available on most Linux distributions, it's worth noting that it's considered somewhat outdated and is being gradually replaced by newer tools like ss (Socket Statistics) from the iproute2 package, which offers similar functionality with improved performance and more features. Many system administrators still use netstat due to familiarity and its presence on virtually all Unix-like systems. The netstat command requires different levels of privileges depending on the options used. Basic connection information is available to all users, but viewing process information (-p) or certain types of socket information may require root privileges. The output format of netstat can be customized with various options to show only the information needed for a specific task, such as focusing on TCP connections (-t), listening sockets (-l), or displaying numerical addresses instead of hostnames (-n) for faster output.

    Related Commands

    These commands are frequently used alongside netstat or serve similar purposes:

    ss
    ip
    ifconfig
    route
    lsof
    tcpdump
    nmap
    iptables
    Explore All Commands

    Use Cases

    Learn By Doing

    The best way to learn Linux commands is by practicing. Try out these examples in your terminal to build muscle memory and understand how the netstat command works in different scenarios.

    See ExamplesTry Lab Exercises
    $ netstat
    View All Commands