netstat

What is netstat?

In computing, netstat (network statistics) is a command-line network utility that displays Transmission Control Protocol (TCP) connections (both incoming and outgoing), routing tables, and a number of statistics for network interfaces (a network interface card (NIC) or a software-defined network interface) and network protocols.

How to use netstat

##### syntax
netstat <OPTIONS>

##### examples with parameters
netstat -r # display the routing table; if this does not work, try "route -n"
netstat -i # display all network interfaces, e.g. ens33, lo
netstat -l # display all listening server sockets
netstat -a # display all sockets (default: connected)
netstat -c # continuous mode: keep re-printing the output, useful when you want constant updates on your connections

##### combinations that are very common
netstat -tul # tcp, udp and listening sockets
netstat -tuln # tcp, udp, listening sockets, with numeric addresses and ports instead of names (e.g. for http, 80 is shown and not http)
netstat -tulpn # -p adds the PID and program name that owns each listening socket, e.g. port = 80, program = apache2 (run as root to see processes owned by other users)

Netstat command explained

proto (protocol)

  • The transport layer protocol used, e.g. tcp or udp (OSI layer 4)

  • TCP stands for Transmission Control Protocol; it is used when a packet MUST arrive (e.g. http, https, mysql)

  • UDP stands for User Datagram Protocol; it is used when some data can be lost in transit without it mattering, for example when streaming a movie

Recv-Q/Send-Q

Proto     Recv-Q   Send-Q    Local Address      Foreign Address     State        PID/Program name
# Recv-Q
tcp       8216172  0         127.0.0.1:9503     127.0.0.1:47654     ESTABLISHED  34390/python
# Send-Q
tcp       0        4189632   127.0.0.1:47686    127.0.0.1:9503      ESTABLISHED  34379/python

Recv-Q

In the first sample row, process 34390 has a connection open between port 9503 on the local host and port 47654 on the local host, and 8216172 bytes of data have been received by the kernel on port 9503 but haven't yet been copied by the process.

Send-Q

In the second sample row, process 34379 has a connection open between port 47686 on the local host and port 9503 on the local host, and 4189632 bytes of data have been sent from port 47686 but not acknowledged yet (so they're still in the TCP window).

Local Address

The process is bound to <host>:<port>. For example, a process can be bound to 127.0.0.1:8381 (localhost on port 8381).

Foreign Address

The address and port number of the remote end of the connection (which IPs, on which ports, can connect to the service).

State

The state of the local socket. For UDP sockets, this is usually blank. See the state table, below.

PID/Program name

As the name says: the process ID and the name of the program that owns the socket.
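
The columns described above are enough to audit which services on a host are reachable from other machines. The following is an added example, not part of the original page: a POSIX shell function (the name exposed_listeners and the sample rows are constructed for illustration) that reads netstat -tulpn output and lists every listener whose Local Address is not loopback, taking into account that UDP rows have a blank State column.

```shell
#!/bin/sh
# Constructed sample of `netstat -tulpn` output (not captured from a real host).
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 127.0.0.1:3306   0.0.0.0:*        LISTEN  911/mysqld
tcp        0      0 0.0.0.0:80       0.0.0.0:*        LISTEN  1203/apache2
tcp        0      0 10.0.0.5:22      10.0.0.9:50312   ESTABLISHED 640/sshd
tcp6       0      0 :::22            :::*             LISTEN  640/sshd
tcp6       0      0 ::1:631          :::*             LISTEN  702/cupsd
udp        0      0 0.0.0.0:68       0.0.0.0:*                588/dhclient
udp        0      0 127.0.0.1:323    0.0.0.0:*                -'

# exposed_listeners (hypothetical helper): reads netstat output on stdin and
# prints "proto host port program" for each listener not bound to loopback.
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        is_udp = ($1 ~ /^udp/)
        # TCP listeners have State LISTEN. UDP rows leave State blank, so
        # the PID/Program name column moves from field 7 to field 6.
        if (!is_udp && $6 != "LISTEN") next
        if (is_udp && $6 ~ /^[A-Z]/) next     # connected UDP socket, has a State
        prog = is_udp ? $6 : $7
        if (prog == "") prog = "-"            # no -p given: column is absent
        host = $4; sub(/:[^:]*$/, "", host)   # drop ":port", keeps "::" for ":::22"
        port = $4; sub(/.*:/, "", port)       # text after the last colon
        if (host ~ /^127\./ || host == "::1") next   # loopback only: not exposed
        print $1, host, port, prog
    }'
}

# Prints the three exposed listeners in the sample: tcp/80, tcp6/22, udp/68.
printf '%s\n' "$SAMPLE" | exposed_listeners
```

On a live host, pipe the real output into the function: netstat -tulpn | exposed_listeners. Any line it prints is a service bound to a non-loopback address and should be one you expect to be there.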
