10+ netstat command switches with example – Unix/Linux

The “netstat” is one of the powerful command/tool to find out the network statics of your server. The “netstat” tool is available in both Unix and Windows OS. The word “netstat” stands for “Network Statics”. The “netstat” print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Some useful switches of “netstat”

1, To display the kernel routing tables.

--route , -r

Example:

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
169.254.0.0     *               255.255.0.0     U         0 0          0 venet0
default         *               0.0.0.0         U         0 0          0 venet0

2, To display multicast group membership information for IPv4 and IPv6.

--groups , -g

Example:

# netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
venet0          1      all-systems.mcast.net
lo              1      ff02::1
venet0          1      ff02::1

3, To display a table of all network interfaces, or the specified iface).

--interface=iface , -i

Example:

# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo        16436   0    52255      0      0      0    52255      0      0      0 LRU
venet0     1500   0   110363      0      0      0   109924      0     32      0 BOPRU
venet0:0   1500   0      - no statistics available -                            BOPRU

4, To display summary statistics for each protocol.

--statistics , -s

Example:

# netstat -s
Ip:
    163067 total packets received
    0 forwarded
    ---
Icmp:
    77 ICMP messages received
    59 input ICMP message failed.
    ---

5, To view verbosely.
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.

 --verbose , -v

6, To show numerical addresses instead of trying to determine symbolic host, port or user names.

--numeric , -n

Example:

# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 101.203.303.404:80          5.5.5.5:36376               TIME_WAIT
tcp        0      0 101.203.303.404:80          5.5.5.5:36391               TIME_WAIT
tcp        0      0 101.203.303.404:80          5.5.5.5:36351               TIME_WAIT

7, To show the PID and name of the program to which each socket belongs.

-p, --program

Example:

# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address               State         PID/Program name
tcp        0      0 hostname.org:ssh            202.303.404.505:4082          ESTABLISHED   20508/sshd
tcp        0      0 hostname.org:ssh            202.303.404.505:neveroffline  TIME_WAIT     -

See the last section in the output (PID/Program name).

8, listening and non-listening sockets.
8.1, To show both listening and non-listening sockets.

-a, --all

8.2, Show only listening sockets. (These are omitted by default.)

-l, --listening

9, Protocol-wise listening.
9.1, For “tcp”

-t

9.2, For “udp”

-u

10, To print the selected information every second continuously.

-c, --continuous

Example:

# netstat -c 5

Refresh the output in every 5 Seconds periodically.

11, To display additional information.

-e, --extend

Example:

-bash-3.2# netstat -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode
tcp        0      0 hostname.org:http           hostname.c:37075            TIME_WAIT   root       0
tcp        0      0 hostname.org:http           hostname.c:37107            ESTABLISHED nobody     2104288293
tcp        0    248 hostname.org:ssh            111.111.222.333:56421       ESTABLISHED root       2101210646

Use this option twice for maximum detail.

The “netstat” output description.

>> Proto : The protocol (tcp, udp, raw) used by the socket.
>> Recv-Q : The count of bytes not copied by the user program connected to this socket.
>> Send-Q : The count of bytes not acknowledged by the remote host.
>> Local Address : Address and port number of the local end of the socket. Unless the –numeric (-n) option is specified, the socket address is resolved to its
>> canonical host name (FQDN), and the port number is translated into the corresponding service name.
>> Foreign Address : Address and port number of the remote end of the socket. Analogous to “Local Address.”
>> State : The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:
>> ESTABLISHED : The socket has an established connection.
>> SYN_SENT : The socket is actively attempting to establish a connection.
>> SYN_RECV : A connection request has been received from the network.
>> FIN_WAIT1 : The socket is closed, and the connection is shutting down.
>> FIN_WAIT2 : Connection is closed, and the socket is waiting for a shutdown from the remote end.
>> TIME_WAIT : The socket is waiting after close to handle packets still in the network.
>> CLOSED : The socket is not being used.
>> CLOSE_WAIT : The remote end has shut down, waiting for the socket to close.
>> LAST_ACK : The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
>> LISTEN : The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the –listening (-l) or –all (-a) option.
>> CLOSING : Both sockets are shut down but we still don’t have all our data sent.
>> UNKNOWN : The state of the socket is unknown.

Important Files for “netstat” command:
The netstat command fetches details from the following file from your Unix server/machine.

>> /etc/services — The services translation file
>> /proc — Mount point for the proc file-system, which gives access to kernel status information via the following files.
>> /proc/net/dev — device information
>> /proc/net/raw — raw socket information
>> /proc/net/tcp — TCP socket information
>> /proc/net/udp — UDP socket information
>> /proc/net/igmp — IGMP multicast information
>> /proc/net/unix — Unix domain socket information
>> /proc/net/ipx — IPX socket information
>> /proc/net/ax25 — AX25 socket information
>> /proc/net/appletalk — DDP (appletalk) socket information
>> /proc/net/nr — NET/ROM socket information
>> /proc/net/route — IP routing information
>> /proc/net/ax25_route — AX25 routing information
>> /proc/net/ipx_route — IPX routing information
>> /proc/net/nr_nodes — NET/ROM nodelist
>> /proc/net/nr_neigh — NET/ROM neighbours
>> /proc/net/ip_masquerade — masqueraded connections
>> /proc/net/snmp — statistics

That’s it! 🙂

Netstat related:

Other commands:
groupdel, groupmems, groupmod, useradd , usermod , chgrp, chown, ls, head, tail, top, ps, find, crontab, ftp commandstar, rpm, Rkhunter , Rsync, grep

Post navigation

Arunlal A

Senior System Developer at Zeta. Linux lover. Traveller. Let's connect! Whether you're a seasoned DevOps pro or just starting your journey, I'm always eager to engage with like-minded individuals. Follow my blog for regular updates, connect on social media, and let's embark on this DevOps adventure together! Happy coding and deploying!

Leave a Reply

Your email address will not be published. Required fields are marked *