Linux netstat Command Tutorial for Beginners (8 Examples)

If you are new to Linux command line, and are interested in learning networking stuff, there are many command line utilities that you should be aware of. One such tool is netstat. In this article, we will discuss this command using some easy to understand examples.

But before we do that, it's worth mentioning that all these examples have been tested on an Ubuntu 16.04 LTS machine.

Linux netstat command

The netstat command lets you print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. Following is its syntax:

netstat [OPTIONS]

Here's how the man page explains it:

       Netstat  prints  information about the Linux networking subsystem.  The
       type of information printed is controlled by  the  first  argument,  as
       follows:

   (none)
       By  default,  netstat  displays  a  list of open sockets.  If you don't
       specify any address families, then the active sockets of all configured
       address families will be printed.

   --route , -r
       Display  the kernel routing tables. See the description in route(8) for
       details.  netstat -r and route -e produce the same output.

   --groups , -g
       Display multicast group membership information for IPv4 and IPv6.

   --interfaces, -i
       Display a table of all network interfaces.

   --masquerade , -M
       Display a list of masqueraded connections.

   --statistics , -s
       Display summary statistics for each protocol.

Following are some Q&A-styled examples that should give you a good idea on how the netstat command works.

Q1. How to use netstat command?

Basic usage is fairly simple - just run the netstat command without any options.

netstat

For example, in my case, the following output was produced:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.1.7:59510       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED
tcp        0      1 192.168.1.7:51238       52.114.32.7:https       SYN_SENT   
tcp      390      0 192.168.1.7:60392       del03s09-in-f10.1:https ESTABLISHED
tcp        0      1 192.168.1.7:51240       52.114.32.7:https       SYN_SENT   
tcp        0      0 192.168.1.7:50196       del03s10-in-f10.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:41996       maa05s05-in-f4.1e:https TIME_WAIT  
tcp        0      0 192.168.1.7:56680       wa-in-f94.1e100.n:https ESTABLISHED
tcp        0      0 192.168.1.7:54578       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:51310       del03s10-in-f2.1e:https TIME_WAIT

So by default, the command displays a list of all open sockets.

Q2. How to make netstat show numerical addresses?

By default, the netstat command tries to determine symbolic host, port, or user names. This may slow down the tool. However, if you're fine with numerical values, you can make the tool output numeric values using the -n command line option.

netstat -n

For example in my case, the following output was produced:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.1.7:59510       149.154.171.22:443      ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:443         ESTABLISHED
tcp        0      0 192.168.1.7:51682       52.114.32.7:443         TIME_WAIT  
tcp        0      0 192.168.1.7:54884       172.217.161.14:443      TIME_WAIT  
tcp        0      0 192.168.1.7:35112       172.217.161.5:443       ESTABLISHED
tcp        0      0 192.168.2.97:45662      148.251.237.53:21       ESTABLISHED
tcp        0      0 192.168.1.7:50892       149.154.164.224:443     ESTABLISHED
tcp        0      0 192.168.1.7:58772       172.217.194.189:443     TIME_WAIT  
tcp        0      1 192.168.1.7:47728       144.76.158.93:443       SYN_SENT   
tcp        0      1 192.168.1.7:47730       144.76.158.93:443       SYN_SENT   
tcp        0      0 192.168.1.7:59548       149.154.171.22:443      ESTABLISHED
tcp        0      0 192.168.1.7:35818       169.55.74.50:443        ESTABLISHED
tcp        0      0 192.168.1.7:50888       149.154.164.224:443     ESTABLISHED
tcp        0      0 192.168.1.7:44156       152.195.11.6:443        ESTABLISHED
tcp        0      0 192.168.1.7:58478       52.229.174.94:443       ESTABLISHED
tcp       52      0 127.0.0.1:60342         127.0.1.1:139           ESTABLISHED
tcp        0      0 192.168.1.7:58820       172.217.161.3:443       ESTABLISHED
tcp        0      0 192.168.1.7:45588       52.175.17.224:443       TIME_WAIT  
tcp        0      0 192.168.1.7:50890       149.154.164.224:443     ESTABLISHED
tcp        0      0 192.168.1.7:58192       52.77.195.144:443       ESTABLISHED
tcp        0      0 192.168.1.7:54224       172.217.31.2:443        ESTABLISHED
tcp        0      0 127.0.1.1:139           127.0.0.1:60342         ESTABLISHED
tcp        0      0 192.168.1.7:34500       192.241.190.153:443     ESTABLISHED
tcp        0      0 192.168.1.7:54888       172.217.161.14:443      ESTABLISHED

So you can see only numeric values were produced in output (in Foreign Adress column) this time.

Q3. How to make netstat display only tcp connections?

This you can do using the -t command line option.

netstat -t

For example, in my case, the following output was produced:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.1.7:44236       152.195.11.6:https      ESTABLISHED
tcp        0      0 192.168.1.7:59510       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED
tcp        0      0 192.168.1.7:42706       maa05s05-in-f4.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:51984       del03s10-in-f2.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:51786       52.114.32.7:https       ESTABLISHED
tcp        0      0 192.168.1.7:52294       xx-fbcdn-shv-01-m:https ESTABLISHED
tcp        0      0 192.168.1.7:54372       del03s01-in-f2.1e:https ESTABLISHED
tcp        0      1 192.168.1.7:47788       hyperserver.semse:https SYN_SENT   
tcp        0      0 192.168.1.7:52298       xx-fbcdn-shv-01-m:https ESTABLISHED
tcp        0      0 192.168.1.7:51840       149.154.164.224:https   TIME_WAIT  
tcp        0      0 192.168.1.7:35258       del03s10-in-f1.1e:https ESTABLISHED
tcp        0      0 192.168.2.97:45662      blog.gsmarena.com:ftp   ESTABLISHED
tcp        0      0 192.168.1.7:50728       del03s10-in-f10.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:56468       del03s09-in-f3.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:50892       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:45670       52.175.17.224:https     ESTABLISHED
tcp        0      0 192.168.1.7:55180       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      1 192.168.1.7:47790       hyperserver.semse:https SYN_SENT   
tcp        0      0 192.168.1.7:59548       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:35818       32.4a.37a9.ip4.st:https ESTABLISHED
tcp        0      0 192.168.1.7:50888       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:33360       del03s10-in-f13.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:52332       207.46.140.70:https     ESTABLISHED
tcp        0      0 192.168.1.7:58478       52.229.174.94:https     ESTABLISHED
tcp        0      0 192.168.1.7:54374       del03s01-in-f2.1e:https TIME_WAIT  
tcp        0      0 192.168.1.7:50216       104.24.1.68:https       TIME_WAIT  
tcp       52      0 localhost:60342         ansh:netbios-ssn        ESTABLISHED
tcp        0      0 192.168.1.7:50890       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:55200       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:54224       del03s01-in-f2.1e:https ESTABLISHED
tcp        0      0 ansh:netbios-ssn        localhost:60342         ESTABLISHED
tcp        0      0 192.168.1.7:55212       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      1 192.168.1.7:47800       hyperserver.semse:https SYN_SENT   
tcp        0      0 192.168.1.7:45668       52.175.17.224:https     ESTABLISHED
tcp        0      0 192.168.1.7:58878       del03s10-in-f3.1e:https TIME_WAIT  
tcp        0      0 192.168.1.7:34500       do-11.lastpass.co:https ESTABLISHED
tcp        0      0 192.168.1.7:41844       a23-35-40-198.dep:https ESTABLISHED

Q4. How to make netstat display only udp connections

This you can do using the -u command line option.

netstat -u

Q5. How to make netstat show only listening sockets?

This is possible by using the -l command line option.

netstat -l

For example, the following output was produced in my case:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 ansh:domain             *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 *:microsoft-ds          *:*                     LISTEN     
tcp        0      0 *:netbios-ssn           *:*                     LISTEN     
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN     
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN     
...
...
...

Q6. How to make netstat show name and PID of programs?

In case you want netstat to show name of process IDs of processes to which each socket belongs, use the -p command line option.

netstat -p

For example:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:36732       13.76.170.95:https      ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52050       149.154.164.224:https   ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:55974       del03s10-in-f14.1:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52074       149.154.164.224:https   ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:60590       mails11.telegram.:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52254       149.154.164.224:https   ESTABLISHED 3247/firefox    
tcp        0      0 192.168.2.97:45662      blog.gsmarena.com:ftp   ESTABLISHED 3160/filezilla  
tcp        0      0 192.168.1.7:35818       32.4a.37a9.ip4.st:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52528       52.114.32.7:https       ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:55950       del03s10-in-f14.1:https ESTABLISHED 3247/firefox    
tcp       68      0 localhost:60342         ansh:netbios-ssn        ESTABLISHED 2625/gvfsd-smb-brow
tcp        0      0 192.168.1.7:44974       152.195.11.6:https      ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:36730       13.76.170.95:https      ESTABLISHED 3247/firefox    
tcp        0      0 ansh:netbios-ssn        localhost:60342         ESTABLISHED -               
tcp        0      0 192.168.1.7:52732       del03s10-in-f2.1e:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:60314       52.229.174.94:https     ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:53072       207.46.140.70:https     ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:34500       do-11.lastpass.co:https ESTABLISHED 3247/firefox

See the last column for PID/program name info.

Q7. How to make netstat print network statistics?

This can be done using the -s command line option.

netstat -s

In this case, the tool produces information like total packets received, discarded, delivered, and much more. Following is an example output when the -s command line option was used.

Ip:
    592215 total packets received
    41 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    580699 incoming packets delivered
    539118 requests sent out
    627 outgoing packets dropped
    482 dropped because of missing route
    2 fragments failed
Icmp:
    2337 ICMP messages received
    6 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 2337
    3917 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 3917
IcmpMsg:
        InType3: 2337
        OutType3: 3917
Tcp:
    10943 active connections openings
    127 passive connection openings
    38 failed connection attempts
    467 connection resets received
    34 connections established
    443643 segments received
    414589 segments send out
    6929 segments retransmited
    428 bad segments received.
    11713 resets sent

...
...
...

Q8. How to make netstat display kernel routing table?

This can be done using the -r command line option.

netstat -r

Following is the output produced in my case:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlx18a6f713679b
link-local      *               255.255.0.0     U         0 0          0 wlx18a6f713679b
192.168.1.0     *               255.255.255.0   U         0 0          0 wlx18a6f713679b

Note that netstat -r and route -e produce the same output.

Conclusion

So as you would have understood by now, the netstat command is a very important tool. It provides a lot of features - we've just scratched the surface here. Once you are done practicing what all we've discussed in this tutorial, head to the tool's man page for more info.

Share this page:

3 Comment(s)