How to use netstat command for managing LINUX networks
To use netstat command for managing LINUX networks
Netstat is an extremely powerful tool which is used to view the network connection information on a machine. Netstat is available on all Unix-like OS and on Windows OS. It includes information such as listening/active ports and which protocols they are using. Established connections will also list the IP address (potentially an attacker' s) that the machine is connected to. It helps you quickly identify any suspicious network behavior on the machine and help point you in the right direction to files and connections that may require additional investigation.
Use netstat with option a
[root@linuxhelp Desktop]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 192.168.122.1:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
.
.
.
unix 3 [ ] STREAM CONNECTED 19246 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 34014 @/tmp/dbus-TDsKbs1z9u
unix 3 [ ] STREAM CONNECTED 32577 @/tmp/.X11-unix/X0
It will display the TCP, UDP and all listening ports.
To Display all TCP port
[root@linuxhelp Desktop]# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 192.168.122.1:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 1 server.linuxhelp1:40492 192.168.5.190:http SYN_SENT
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
To Display all UDP port
[root@linuxhelp Desktop]# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:48021 0.0.0.0:*
udp 0 0 192.168.122.1:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:syslog 0.0.0.0:*
udp 0 0 0.0.0.0:49691 0.0.0.0:*
udp6 0 0 [::]:syslog [::]:*
To List all the listening ports of your machine
[root@linuxhelp Desktop]# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 192.168.122.1:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
.
.
.
unix 2 [ ACC ] STREAM LISTENING 17904 /var/run/NetworkManager/private
unix 2 [ ACC ] STREAM LISTENING 33779 /run/user/0/at-spi2-socket-3513
unix 2 [ ACC ] STREAM LISTENING 12276 /run/systemd/private
To list all TCP listening ports
[root@linuxhelp Desktop]# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 192.168.122.1:domain 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
To list all UDP listening ports
[root@linuxhelp Desktop]# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:48021 0.0.0.0:*
udp 0 0 192.168.122.1:domain 0.0.0.0:*
udp 0 0 0.0.0.0:bootps 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:syslog 0.0.0.0:*
udp 0 0 0.0.0.0:49691 0.0.0.0:*
udp6 0 0 [::]:syslog [::]:*
To list all UNIX ports
[root@linuxhelp Desktop]# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 32958 @/tmp/dbus-v3TGU96W
unix 2 [ ACC ] STREAM LISTENING 31330 @/tmp/.ICE-unix/3199
unix 2 [ ACC ] STREAM LISTENING 33796 /run/user/0/at-spi2-socket-3559
unix 2 [ ACC ] STREAM LISTENING 12299 /run/lvm/lvmetad.socket
.
.
.
unix 2 [ ACC ] STREAM LISTENING 33779 /run/user/0/at-spi2-socket-3513
unix 2 [ ACC ] STREAM LISTENING 12276 /run/systemd/private
To list the Listening protocols
[root@linuxhelp Desktop]# netstat -s
Ip:
12204 total packets received
0 forwarded
0 incoming packets discarded
10842 incoming packets delivered
13218 requests sent out
8 dropped because of missing route
.
.
.
IpExt:
InMcastPkts: 176
OutMcastPkts: 28
InBcastPkts: 1092
InOctets: 844353
OutOctets: 797829
InMcastOctets: 27282
OutMcastOctets: 4926
InBcastOctets: 101409
InNoECTPkts: 12204
To display the process name with PID for TCP listening ports
[root@linuxhelp Desktop]# netstat -nlpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1318/haproxy
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 2566/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1301/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1302/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2265/master
tcp6 0 0 :::22 :::* LISTEN 1301/sshd
tcp6 0 0 ::1:631 :::* LISTEN 1302/cupsd
tcp6 0 0 ::1:25 :::* LISTEN 2265/master
To display the process name with PID for UDP listening ports
[root@linuxhelp Desktop]# netstat -nlpu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:48021 0.0.0.0:* 1308/haproxy
udp 0 0 192.168.122.1:53 0.0.0.0:* 2566/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 2566/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 699/avahi-daemon: r
udp 0 0 0.0.0.0:514 0.0.0.0:* 700/rsyslogd
udp 0 0 0.0.0.0:49691 0.0.0.0:* 699/avahi-daemon: r
udp6 0 0 :::514 :::* 700/rsyslogd
To display the kernel ip routing information
[root@linuxhelp Desktop]# netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irttIface
default 192.168.5.1 0.0.0.0 UG 0 0 0 eno16777736
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eno16777736
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
To display the network interface transaction
[root@linuxhelp Desktop]# netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eno16777 1500 5673 0 0 0 10316 0 0 0 BMRU
lo 65536 10041 0 0 0 10041 0 0 0 LRU
virbr0 1500 0 0 0 0 0 0 0 0 BMU
To display the kernel interface table
[root@linuxhelp Desktop]# netstat -ie
Kernel Interface table
eno16777736: flags=4163< UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:1b:17:36 txqueuelen 1000 (Ethernet)
RX packets 259 bytes 16518 (16.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73< UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 0 (Local Loopback)
RX packets 2 bytes 140 (140.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2 bytes 140 (140.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The result will be similar to ifconfig command
To view the ipv4 and ipv6 information
[root@linuxhelp Desktop]# netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 all-systems.mcast.net
eno1677773 1 224.0.0.251
eno1677773 1 all-systems.mcast.net
virbr0 1 224.0.0.251
virbr0 1 all-systems.mcast.net
lo 1 ff02::1
To run the netstat information continuously
[root@linuxhelp Desktop]# netstat &ndash c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 12379 /run/systemd/shutdownd
unix 2 [ ] DGRAM 12229 @/org/freedesktop/systemd1/notify
unix 5 [ ] DGRAM 7578 /run/systemd/journal/socket
unix 27 [ ] DGRAM 7580 /dev/log
unix 3 [ ] STREAM CONNECTED 27291
.
.
.
It will be running continuously to cancel this operation, press ctrl + c.
To view the unconfigured address using verbose option
[root@linuxhelp Desktop]# netstat --verbose
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
To check specific listening ports
root@linuxhelp Desktop]#netstat -ap | grep ssh
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 1301/sshd
tcp6 0 0 [::]:ssh [::]:* LISTEN 1301/sshd
Here it shows all the ssh listening ports you can check any listening ports by using this command.
To display the Raw network statistics
[root@linuxhelp Desktop]# netstat --statistics --raw
Ip:
16124 total packets received
0 forwarded
0 incoming packets discarded
14330 incoming packets delivered
17429 requests sent out
8 dropped because of missing route
.
.
.
OutMcastOctets: 4926
InBcastOctets: 138207
InNoECTPkts: 16124
To print the listening port information with some time period
[root@linuxhelp Desktop]# netstat -ac 3 | grep http
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 1 server.linuxhelp1:59364 192.168.5.64:http SYN_SENT
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 1 server.linuxhelp1:59368 192.168.5.64:http SYN_SENT
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 1 server.linuxhelp1:46140 192.168.5.190:http SYN_SENT
To display the process of listening ports, PID and along with user name
[root@linuxhelp Desktop]# netstat -ltpe
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0 :http 0.0.0.0:* LISTEN root 20089 1318 /haproxy
tcp 0 0 192.168.122.1:domain 0.0.0.0:* LISTEN root 22521 2566 /dnsmasq
tcp 0 0 0.0.0.0 :ssh 0.0.0.0:* LISTEN root 205
To print the information from route cache
[root@linuxhelp Desktop]# netstat -C
3Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 12308 /run/systemd/shutdownd
unix 2 [ ] DGRAM 7605 /run/systemd/notify
unix 5 [ ] DGRAM 7626 /run/systemd/journal/socket
unix 22 [ ] DGRAM 7628 /dev/log
unix 3 [ ] STREAM CONNECTED 33938 /var/run/dbus/system_bus_socket
.
.
.
unix 3 [ ] STREAM CONNECTED 34014 @/tmp/dbus-TDsKbs1z9u
unix 3 [ ] STREAM CONNECTED 32577 @/tmp/.X11-unix/X0
To display selinux security context of the sockets
[root@linuxhelp Desktop]# netstat -Z
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Security Context
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Security Context Path
unix 2 [ ] DGRAM 12308 1/systemd system_u:system_r:init_t:s0 /run/systemd/shutdownd
unix 2 [ ] DGRAM 7605 1/systemd system_u:system_r:init_t:s0 /run/systemd/notify
unix 5 [ ] DGRAM 7626 1/systemd system_u:system_r:init_t:s0 /run/systemd/journal/socket
unix 22 [ ] DGRAM 7628 1/systemd system_u:system_r:init_t:s0 /dev/log
unix 3 [ ] STREAM CONNECTED 33938 668/dbus-daemon system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 /var/run/dbus/system_bus_socket
.
.
.
stem_r:syslogd_t:s0 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 34014 3207/dbus-daemon u:unconfined_r:unconfined_dbusd_t:s0-s0:c0.c1023 @/tmp/dbus-TDsKbs1z9u
unix 3 [ ] STREAM CONNECTED 32577 2512/Xorg system_u:system_r:xserver_t:s0-s0:c0.c1023 @/tmp/.X11-unix/X0
Tag :
Netstat
Q
What is netstat command used for?
A
Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections.
Q
What is the best way to go about finding all ports `
A
Try to use:
netstat -tlnpl
This command will indicate the port number and process ID(PID)/program name as well
Q
any other command which is like netstat?
A
try "ss" which is also provide same result as netstat
Q
while I try Netstat command , it shows command not found why?
A
install net-tools . And then try it
Q
how to install net tools
A
you can install net tools using a command
For ubuntu/debian
#sudo apt-get install net-tools
For centos/redhat
#yum install net-tools