How to use netstat command for managing LINUX networks

Netstat is a powerful tool for viewing network connection information on a machine. It is available on all Unix-like operating systems and on Windows. Its output includes the listening and active ports and the protocols they use. Established connections also list the IP address (potentially an attacker's) that the machine is connected to. This helps you quickly identify suspicious network behavior on the machine and points you to the files and connections that may require additional investigation.

Use netstat with the -a option

[root@linuxhelp Desktop]# netstat -a 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 192.168.122.1:domain    0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
.
.
.
unix  3      [ ]         STREAM     CONNECTED     19246    /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     34014    @/tmp/dbus-TDsKbs1z9u
unix  3      [ ]         STREAM     CONNECTED     32577    @/tmp/.X11-unix/X0


It displays all TCP, UDP and UNIX sockets, both listening and connected.

To display all TCP ports

[root@linuxhelp Desktop]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 192.168.122.1:domain    0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp        0      1 server.linuxhelp1:40492 192.168.5.190:http      SYN_SENT   
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     

To display all UDP ports

[root@linuxhelp Desktop]# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:48021           0.0.0.0:*                          
udp        0      0 192.168.122.1:domain    0.0.0.0:*                          
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                          
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                          
udp        0      0 0.0.0.0:syslog          0.0.0.0:*                          
udp        0      0 0.0.0.0:49691           0.0.0.0:*                          
udp6       0      0 [::]:syslog             [::]:*

To list all the listening ports of your machine

[root@linuxhelp Desktop]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 192.168.122.1:domain    0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
.
.
.
unix  2      [ ACC ]     STREAM     LISTENING     17904    /var/run/NetworkManager/private
unix  2      [ ACC ]     STREAM     LISTENING     33779    /run/user/0/at-spi2-socket-3513
unix  2      [ ACC ]     STREAM     LISTENING     12276    /run/systemd/private

To list all TCP listening ports

[root@linuxhelp Desktop]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      0 192.168.122.1:domain    0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN     
tcp        0      0 localhost:ipp           0.0.0.0:*               LISTEN     
tcp        0      0 localhost:smtp          0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 localhost:smtp          [::]:*                  LISTEN     

To list all UDP listening ports

[root@linuxhelp Desktop]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:48021           0.0.0.0:*                          
udp        0      0 192.168.122.1:domain    0.0.0.0:*                          
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                          
udp        0      0 0.0.0.0:mdns            0.0.0.0:*                          
udp        0      0 0.0.0.0:syslog          0.0.0.0:*                          
udp        0      0 0.0.0.0:49691           0.0.0.0:*                          
udp6       0      0 [::]:syslog             [::]:*      

To list all listening UNIX domain sockets

[root@linuxhelp Desktop]# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     32958    @/tmp/dbus-v3TGU96W
unix  2      [ ACC ]     STREAM     LISTENING     31330    @/tmp/.ICE-unix/3199
unix  2      [ ACC ]     STREAM     LISTENING     33796    /run/user/0/at-spi2-socket-3559
unix  2      [ ACC ]     STREAM     LISTENING     12299    /run/lvm/lvmetad.socket
.
.
.
unix  2      [ ACC ]     STREAM     LISTENING     33779    /run/user/0/at-spi2-socket-3513
unix  2      [ ACC ]     STREAM     LISTENING     12276    /run/systemd/private

To display statistics for each protocol

[root@linuxhelp Desktop]# netstat -s
Ip:
    12204 total packets received
    0 forwarded
    0 incoming packets discarded
    10842 incoming packets delivered
    13218 requests sent out
    8 dropped because of missing route
.
.
.
IpExt:
InMcastPkts: 176
OutMcastPkts: 28
InBcastPkts: 1092
InOctets: 844353
OutOctets: 797829
InMcastOctets: 27282
OutMcastOctets: 4926
InBcastOctets: 101409
InNoECTPkts: 12204

To display the process name with PID for TCP listening ports

[root@linuxhelp Desktop]# netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1318/haproxy
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2566/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1301/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1302/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2265/master         
tcp6       0      0 :::22                   :::*                    LISTEN      1301/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1302/cupsd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2265/master         

To display the process name with PID for UDP listening ports

[root@linuxhelp Desktop]# netstat -nlpu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:48021           0.0.0.0:*                           1308/haproxy
udp        0      0 192.168.122.1:53        0.0.0.0:*                           2566/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2566/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           699/avahi-daemon: r 
udp        0      0 0.0.0.0:514             0.0.0.0:*                           700/rsyslogd
udp        0      0 0.0.0.0:49691           0.0.0.0:*                           699/avahi-daemon: r 
udp6       0      0 :::514                  :::*                                700/rsyslogd
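
The two listings above are what you compare against a baseline when reviewing a host. The following is an added example, not part of the original tutorial: it reads `netstat -nlptu` output and reports listeners that are reachable from the network and not expected. The function names and the allowlist are assumptions, and the sample rows are constructed from the output shown above.

```shell
#!/bin/sh
# Added example: list listeners that are reachable from the network and
# are not in an expected baseline.
#   stdin: output of `netstat -nlpt`, `netstat -nlpu` or `netstat -nlptu`
#   $1:    space-separated proto/port pairs that are expected ("tcp/22 tcp/80")
#   out:   proto/port  bind-address  pid/program   (one line per finding)
exposed_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }            # skip banner and header lines
    {
        proto = $1; sub(/6$/, "", proto)   # tcp6 -> tcp, udp6 -> udp
        if (proto == "tcp") {
            if ($6 != "LISTEN") next
            owner = $7
        } else {
            owner = $6                     # UDP rows have an empty State column
        }
        # The port follows the last colon, which also covers :::22 and ::1:631.
        n = split($4, part, ":")
        port = part[n]
        host = substr($4, 1, length($4) - length(port) - 1)
        if (host ~ /^127\./ || host == "::1") next   # loopback only
        if ((proto "/" port) in ok) next             # expected service
        sub(/:$/, "", owner)               # "699/avahi-daemon:" -> "699/avahi-daemon"
        print proto "/" port, host, owner
    }'
}

# Constructed sample, taken from the -nlpt and -nlpu listings above.
sample_listeners() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1318/haproxy
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2566/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1301/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1302/cupsd
tcp6       0      0 :::22                   :::*                    LISTEN      1301/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1302/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           699/avahi-daemon: r
udp        0      0 0.0.0.0:514             0.0.0.0:*                           700/rsyslogd
udp6       0      0 :::514                  :::*                                700/rsyslogd
EOF
}

# The allowlist here is an assumed baseline for this host.
sample_listeners | exposed_listeners "tcp/22 tcp/80 udp/5353"
```

On a live host, run `netstat -nlptu | exposed_listeners "tcp/22 tcp/80"` as root so that the PID/Program name column is filled in for every socket.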

To display the kernel ip routing information

[root@linuxhelp Desktop]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.5.1     0.0.0.0         UG        0 0          0 eno16777736
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eno16777736
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0

To display packet statistics for each network interface

[root@linuxhelp Desktop]# netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eno16777  1500     5673      0      0 0         10316      0      0      0 BMRU
lo       65536    10041      0      0 0         10041      0      0      0 LRU
virbr0    1500        0      0      0 0             0      0      0      0 BMU

To display the extended kernel interface table

[root@linuxhelp Desktop]# netstat -ie
Kernel Interface table
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 00:0c:29:1b:17:36  txqueuelen 1000  (Ethernet)
        RX packets 259  bytes 16518 (16.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 0  (Local Loopback)
        RX packets 2  bytes 140 (140.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2  bytes 140 (140.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The output is similar to that of the ifconfig command.

To view the IPv4 and IPv6 multicast group memberships

[root@linuxhelp Desktop]# netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eno1677773      1      224.0.0.251
eno1677773      1      all-systems.mcast.net
virbr0          1      224.0.0.251
virbr0          1      all-systems.mcast.net
lo              1      ff02::1

To print the netstat information continuously

[root@linuxhelp Desktop]# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    12379    /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    12229    @/org/freedesktop/systemd1/notify
unix  5      [ ]         DGRAM                    7578     /run/systemd/journal/socket
unix  27     [ ]         DGRAM                    7580     /dev/log
unix  3      [ ]         STREAM     CONNECTED     27291    
.
.
.

It keeps running continuously. To cancel this operation, press Ctrl + C.

To view the unconfigured address families using the verbose option

[root@linuxhelp Desktop]# netstat --verbose
netstat: no support for `AF IPX'  on this system.
netstat: no support for `AF AX25'  on this system.
netstat: no support for `AF X25'  on this system.
netstat: no support for `AF NETROM'  on this system.

To check specific listening ports

[root@linuxhelp Desktop]# netstat -ap | grep ssh
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      1301/sshd
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      1301/sshd


Here it shows all the ssh listening ports. You can check any listening port by using this command.

To display the raw network statistics

[root@linuxhelp Desktop]# netstat --statistics --raw
Ip:
    16124 total packets received
    0 forwarded
    0 incoming packets discarded
    14330 incoming packets delivered
    17429 requests sent out
    8 dropped because of missing route
.
.
.
OutMcastOctets: 4926
InBcastOctets: 138207
InNoECTPkts: 16124


To print the listening port information repeatedly at a fixed interval (here, every 3 seconds)

[root@linuxhelp Desktop]# netstat -ac 3 | grep http
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      1 server.linuxhelp1:59364 192.168.5.64:http       SYN_SENT   
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      1 server.linuxhelp1:59368 192.168.5.64:http       SYN_SENT   
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp        0      1 server.linuxhelp1:46140 192.168.5.190:http      SYN_SENT   
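
The watch above keeps showing outbound connections that stay in SYN_SENT. The following is an added example, not part of the original tutorial: it groups `netstat -ant` rows by state and remote address so that peers which never answer stand out. The function names are assumptions, and the sample rows (including the local address 192.168.5.10) are constructed.

```shell
#!/bin/sh
# Added example: summarise remote peers by TCP state.
#   stdin: output of `netstat -ant` (numeric, so peers are IP addresses)
#   out:   count  state  remote-address, busiest first
peer_summary() {
    awk '
    $1 !~ /^tcp/ || $6 == "LISTEN" { next }   # keep only connection rows
    {
        n = split($5, part, ":")              # remote port follows the last colon
        peer = substr($5, 1, length($5) - length(part[n]) - 1)
        seen[$6 " " peer]++
    }
    END { for (k in seen) print seen[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# half_open_peers MIN: peers with at least MIN connections still in SYN_SENT,
# meaning the SYN has not been answered yet.
half_open_peers() {
    peer_summary | awk -v min="$1" '$2 == "SYN_SENT" && $1 >= min { print $3 }'
}

# Constructed sample in `netstat -ant` format; 192.168.5.10 is an assumed local address.
sample_connections() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      1 192.168.5.10:59364      192.168.5.64:80         SYN_SENT
tcp        0      1 192.168.5.10:59368      192.168.5.64:80         SYN_SENT
tcp        0      1 192.168.5.10:46140      192.168.5.190:80        SYN_SENT
tcp        0      0 192.168.5.10:22         192.168.5.20:51514      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
}

sample_connections | peer_summary
```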

To display the listening ports along with the owning process, PID and user name

[root@linuxhelp Desktop]# netstat -ltpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      root       20089      1318/haproxy
tcp        0      0 192.168.122.1:domain    0.0.0.0:*               LISTEN      root       22521      2566/dnsmasq
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      root       205

To print information from the route cache

[root@linuxhelp Desktop]# netstat -C
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    12308    /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    7605     /run/systemd/notify
unix  5      [ ]         DGRAM                    7626     /run/systemd/journal/socket
unix  22     [ ]         DGRAM                    7628     /dev/log
unix  3      [ ]         STREAM     CONNECTED     33938    /var/run/dbus/system_bus_socket
.
.
.
unix  3      [ ]         STREAM     CONNECTED     34014    @/tmp/dbus-TDsKbs1z9u
unix  3      [ ]         STREAM     CONNECTED     32577    @/tmp/.X11-unix/X0

To display the SELinux security context of the sockets

[root@linuxhelp Desktop]# netstat -Z
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Security Context                                 
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Security Context                                  Path
unix  2      [ ]         DGRAM                    12308    1/systemd            system_u:system_r:init_t:s0                        /run/systemd/shutdownd
unix  2      [ ]         DGRAM                    7605     1/systemd            system_u:system_r:init_t:s0                        /run/systemd/notify
unix  5      [ ]         DGRAM                    7626     1/systemd            system_u:system_r:init_t:s0                        /run/systemd/journal/socket
unix  22     [ ]         DGRAM                    7628     1/systemd            system_u:system_r:init_t:s0                        /dev/log
unix  3      [ ]         STREAM     CONNECTED     33938    668/dbus-daemon      system_u:system_r:system_dbusd_t:s0-s0:c0.c1023    /var/run/dbus/system_bus_socket
.
.
.
stem_r:syslogd_t:s0                     /run/systemd/journal/stdout
unix  3      [ ]         STREAM     CONNECTED     34014    3207/dbus-daemon     u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023   @/tmp/dbus-TDsKbs1z9u
unix  3      [ ]         STREAM     CONNECTED     32577    2512/Xorg            system_u:system_r:xserver_t:s0-s0:c0.c1023         @/tmp/.X11-unix/X0
FAQ
Q
What is the netstat command used for?
A
Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections.
Q
What is the best way to go about finding all ports?
A
Try to use: netstat -tlnpl
This command will indicate the port number and process ID (PID)/program name as well.
Q
Is there any other command which is like netstat?
A
Try "ss", which also provides the same result as netstat.
Q
When I try the netstat command, it shows "command not found". Why?
A
Install net-tools, and then try it.
Q
How to install net tools?
A
You can install net tools using a command.
For Ubuntu/Debian:
# sudo apt-get install net-tools
For CentOS/Red Hat:
# yum install net-tools