Typing netstat should display a long list of information that's usually more than you want to go through at any given time.
The trick to keeping the information useful is knowing what you're looking for and how to tell netstat to only display that information.
For example, if you only want to see TCP connections, use netstat --tcp.
This shows a list of TCP connections to and from your machine. The following example shows connections to our machine on ports 993 (imaps), 143 (imap), 110 (pop3), 25 (smtp), and 22 (ssh).It also shows a connection from our machine to a remote machine on port 389 (ldap).
Note: To speed things up you can use the --numeric option to avoid having to do name resolution on addresses and display the IP only.
Code Listing 1: netstat --tcp
% netstat --tcp --numeric Active Internet connections (w/o servers) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 192.168.128.152:993 192.168.128.120:3853 ESTABLISHED tcp 0 0 192.168.128.152:143 192.168.128.194:3076 ESTABLISHED tcp 0 0 192.168.128.152:45771 192.168.128.34:389 TIME_WAIT tcp 0 0 192.168.128.152:110 192.168.33.123:3521 TIME_WAIT tcp 0 0 192.168.128.152:25 192.168.231.27:44221 TIME_WAIT tcp 0 256 192.168.128.152:22 192.168.128.78:47258 ESTABLISHED
If you want to see what (TCP) ports your machine is listening on, use netstat --tcp --listening.
Another useful flag to add to this is --programs which indicates which process is listening on the specified port.
The following example shows a machine listening on ports 80 (www), 443 (https), 22 (ssh), and 25 (smtp);
Code Listing 2: netstat --tcp --listening --programs
# sudo netstat --tcp --listening --programs Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 *:www *:* LISTEN 28826/apache2 tcp 0 0 *:ssh *:* LISTEN 26604/sshd tcp 0 0 *:smtp *:* LISTEN 6836/ tcp 0 0 *:https *:* LISTEN 28826/apache2
Note: Using --all displays both connections and listening ports.
The next example uses netstat --route to display the routing table. For most people, this will show one IP and and the gateway address but if you have more than one interface or have multiple IPs assigned to an interface, this command can help troubleshoot network routing problems.
Code Listing 3: netstat --route
% netstat --route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.168.1.1 0.0.0.0 UG 1 0 0 eth0
The last example of netstat uses the --statistics flag to display networking statistics. Using this flag by itself displays all IP, TCP, UDP, and ICMP connection statistics.
To just show some basic information. For example purposes, only the output from --raw is displayed here.
Combined with the uptime command, this can be used to get an overview of how much traffic your machine is handling on a daily basis.
Code Listing 4: netstat --statistics --route
% netstat --statistics --raw Ip: 620516640 total packets received 0 forwarded 0 incoming packets discarded 615716262 incoming packets delivered 699594782 requests sent out 5 fragments dropped after timeout 3463529 reassemblies required 636730 packets reassembled ok 5 packet reassembles failed 310797 fragments created // ICMP statistics truncated
Note: For verbosity, the long names for the various flags were given. Most can be abbreviated to avoid excessive typing (e.g. netstat -tn, netstat -tlp, netstat -r, and netstat -sw).
netstat [-a] [-n] [-v]
netstat [-g | -m | -p | -s | -f address_family ] [-n] [-P protocol]
netstat [ -i ] [ -I interface ] [ interval ]
netstat -r [-a] [-n] [-v ]
netstat -M [-n] [-s ]
netstat -D [ -I interface ]
|-a||Show the state of all sockets and all routing table entries; normally, sockets used by server processes are not shown and only interface, host, network, and default routes are shown.|
|-n||Show network addresses as numbers. netstat normally displays addresses as symbols. This option may be used with any of the display formats.|
|-v||Verbose. Show additional information for the sockets and the routing table.|
|-g||Show the multicast group memberships for all interfaces.|
|-m||Show the STREAMS statistics.|
|-p||Show the address resolution (ARP) tables.|
|-s||Show per-protocol statistics. When used with the -M option, show multicast routing statistics instead.|
|-i||Show the state of the interfaces that are used for TCP/IP traffic.|
|-r||Show the routing tables.|
|-M||Show the multicast routing tables. When used with the -s option, show multicast routing statistics instead.|
|-d||Show the state of all interfaces that are under Dynamic Host Configuration Protocol (DHCP) control.|
|-D||Show the status of DHCP configured interfaces.|
imit statistics or address control block reports to those of the specified address_family, which can be one of:
inet For the AF_INET address family
|-P protocol||Limit display of statistics or state of all sockets to those applicable to protocol.|
|- I interface||
Show the state of a particular interface. interface can be any valid interface such as ie0 or
Displays generic net statistics of the host you are currently connected to.
Shows all connections to the server including the source and destination ips and ports if you have proper permissions.
Displays routing table for all ips bound to the server.
Using netstat you can monitor every connection going in and out of your computer. This monitors all major protocols including tcp and udp, and every port. netstat is a standard Unix program, so it is likely installed.
netstat also displays unix connections are fairly useless. To display only tcp and udp connection.
- Execute: netstat -t -u
For displaying continuously
- Execute: netstat -t -u -c
tcp 0 0 10.0.0.9:57053 71-95-19-141.stat:16359 ESTABLISHED tcp 0 19109 10.0.0.9:49249 5ac33076.bb.sky.c:52782 ESTABLISHED tcp 0 0 10.0.0.9:53874 catv54039CF5.pool:16628 ESTABLISHED tcp 0 0 10.0.0.9:37182 host86-140-193-28.:6881 ESTABLISHED tcp 0 0 10.0.0.9:45563 61-224-49-29.dyna:48227 ESTABLISHED tcp 0 0 10.0.0.9:47665 220.127.116.11:43837 ESTABLISHED