10+ netstat command switches with example – Unix/Linux
The “netstat” is one of the powerful command/tool to find out the network statics of your server. The “netstat” tool is available in both Unix and Windows OS. The word “netstat” stands for “Network Statics”. The “netstat” print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.
Some useful switches of “netstat”
1, To display the kernel routing tables.
--route , -r
# netstat -r Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 169.254.0.0 * 255.255.0.0 U 0 0 0 venet0 default * 0.0.0.0 U 0 0 0 venet0
2, To display multicast group membership information for IPv4 and IPv6.
--groups , -g
# netstat -g IPv6/IPv4 Group Memberships Interface RefCnt Group --------------- ------ --------------------- lo 1 all-systems.mcast.net venet0 1 all-systems.mcast.net lo 1 ff02::1 venet0 1 ff02::1
3, To display a table of all network interfaces, or the specified iface).
--interface=iface , -i
# netstat -i Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg lo 16436 0 52255 0 0 0 52255 0 0 0 LRU venet0 1500 0 110363 0 0 0 109924 0 32 0 BOPRU venet0:0 1500 0 - no statistics available - BOPRU
4, To display summary statistics for each protocol.
--statistics , -s
# netstat -s Ip: 163067 total packets received 0 forwarded --- Icmp: 77 ICMP messages received 59 input ICMP message failed. ---
5, To view verbosely.
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.
--verbose , -v
6, To show numerical addresses instead of trying to determine symbolic host, port or user names.
--numeric , -n
# netstat -n Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 101.203.303.404:80 220.127.116.11:36376 TIME_WAIT tcp 0 0 101.203.303.404:80 18.104.22.168:36391 TIME_WAIT tcp 0 0 101.203.303.404:80 22.214.171.124:36351 TIME_WAIT
7, To show the PID and name of the program to which each socket belongs.
# netstat -p Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 hostname.org:ssh 202.303.404.505:4082 ESTABLISHED 20508/sshd tcp 0 0 hostname.org:ssh 202.303.404.505:neveroffline TIME_WAIT -
See the last section in the output (PID/Program name).
8, listening and non-listening sockets.
8.1, To show both listening and non-listening sockets.
8.2, Show only listening sockets. (These are omitted by default.)
9, Protocol-wise listening.
9.1, For “tcp”
9.2, For “udp”
10, To print the selected information every second continuously.
# netstat -c 5
Refresh the output in every 5 Seconds periodically.
11, To display additional information.
-bash-3.2# netstat -e Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State User Inode tcp 0 0 hostname.org:http hostname.c:37075 TIME_WAIT root 0 tcp 0 0 hostname.org:http hostname.c:37107 ESTABLISHED nobody 2104288293 tcp 0 248 hostname.org:ssh 126.96.36.1993:56421 ESTABLISHED root 2101210646
Use this option twice for maximum detail.
The “netstat” output description.
>> Proto : The protocol (tcp, udp, raw) used by the socket.
>> Recv-Q : The count of bytes not copied by the user program connected to this socket.
>> Send-Q : The count of bytes not acknowledged by the remote host.
>> Local Address : Address and port number of the local end of the socket. Unless the –numeric (-n) option is specified, the socket address is resolved to its
>> canonical host name (FQDN), and the port number is translated into the corresponding service name.
>> Foreign Address : Address and port number of the remote end of the socket. Analogous to “Local Address.”
>> State : The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:
>> ESTABLISHED : The socket has an established connection.
>> SYN_SENT : The socket is actively attempting to establish a connection.
>> SYN_RECV : A connection request has been received from the network.
>> FIN_WAIT1 : The socket is closed, and the connection is shutting down.
>> FIN_WAIT2 : Connection is closed, and the socket is waiting for a shutdown from the remote end.
>> TIME_WAIT : The socket is waiting after close to handle packets still in the network.
>> CLOSED : The socket is not being used.
>> CLOSE_WAIT : The remote end has shut down, waiting for the socket to close.
>> LAST_ACK : The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
>> LISTEN : The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the –listening (-l) or –all (-a) option.
>> CLOSING : Both sockets are shut down but we still don’t have all our data sent.
>> UNKNOWN : The state of the socket is unknown.
Important Files for “netstat” command:
The netstat command fetches details from the following file from your Unix server/machine.
>> /etc/services — The services translation file
>> /proc — Mount point for the proc file-system, which gives access to kernel status information via the following files.
>> /proc/net/dev — device information
>> /proc/net/raw — raw socket information
>> /proc/net/tcp — TCP socket information
>> /proc/net/udp — UDP socket information
>> /proc/net/igmp — IGMP multicast information
>> /proc/net/unix — Unix domain socket information
>> /proc/net/ipx — IPX socket information
>> /proc/net/ax25 — AX25 socket information
>> /proc/net/appletalk — DDP (appletalk) socket information
>> /proc/net/nr — NET/ROM socket information
>> /proc/net/route — IP routing information
>> /proc/net/ax25_route — AX25 routing information
>> /proc/net/ipx_route — IPX routing information
>> /proc/net/nr_nodes — NET/ROM nodelist
>> /proc/net/nr_neigh — NET/ROM neighbours
>> /proc/net/ip_masquerade — masqueraded connections
>> /proc/net/snmp — statistics
That’s it! 🙂