How to use netstat command in Linux

Where necessary, you may need to have access to a VPS server so you can follow how to implement the steps in this article. You can get a cheaper VPS Server from Contabo with 4vCPU cores, 8GM RAM, and 32TB Bandwidth for less than $5.50 per month. Get this deal here now

UPDATED: 8 months ago | Elijah Were

$5.50 Monthly

4 vCPU Cores | 8GB RAM

$15.50 Monthly

6 vCPU Cores | 16GB RAM

$17.50 Monthly

8 vCPU Cores | 24GB RAM

In Ubuntu, the netstat command is used to display network-related information such as open ports, active connections, routing tables, and more.

Display all listening ports

Listening ports are ports on a computer or server that are actively waiting for incoming network connections. These ports are in a “listening” state, indicating that the system is ready to accept connections from remote devices or applications. Each network service or application running on a system may use a specific port to communicate, and when a service is set up to accept incoming connections, it binds to a particular port.

For example, a web server typically listens on port 80 (HTTP) or 443 (HTTPS). When someone accesses a website hosted on that server, their connection is established through the server’s listening port.

To identify listening ports on a system, you can use the netstat command in Linux.

netstat -tuln

If a server is running various services such as HTTP, FTP, RTMP, and SSH, and you run the above command, the output might look something like the following (assuming default or commonly used port numbers):

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:1935            0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN

In this example:

0.0.0.0:80 is the HTTP server listening on port 80.
0.0.0.0:21 is the FTP server listening on port 21.

0.0.0.0:1935 is the RTMP server listening on port 1935.
0.0.0.0:22 is the SSH server listening on port 22.

This output shows the local address and port for each service, with “LISTEN” indicating that these ports are actively waiting for incoming connections. The “0.0.0.0” in the “Local Address” column means that the service is listening on all available network interfaces. The exact output may vary based on the specific configuration of your server and the port numbers assigned to each service.

Show all established connections

Established connections refer to active and established network connections between two devices or applications. In the context of networking, when a connection is established, it means that a communication channel has been successfully set up, and data can be exchanged between the two entities.

You can use the netstat command to view established connections. Here’s an example of using netstat to display established TCP connections:

netstat -tan | grep ESTABLISHED

This command filters the output to only show established connections (ESTABLISHED state). The -t option indicates TCP, the -a option shows all sockets (both listening and non-listening), and the -n option displays numerical addresses.

Example output:

tcp        0      0 192.168.1.2:22         203.0.113.5:12345      ESTABLISHED
tcp        0      0 192.168.1.2:443        104.16.131.229:https   ESTABLISHED
tcp        0      0 192.168.1.2:5678       198.51.100.1:ssh       ESTABLISHED

In this output:

The first line shows an established connection on port 22 (SSH) between your local address 192.168.1.2 and the remote address 203.0.113.5 on port 12345.
The second line indicates an established connection on port 443 (HTTPS) with a remote server at 104.16.131.229.

The third line represents an established connection on port 5678 (custom port) with another remote server at 198.51.100.1.

This output provides information about the local and remote addresses, ports, and the state of the connection (which is ESTABLISHED in this case). The exact details may vary based on your system’s current network connections.

Display all network interfaces

To display all network interfaces and their associated information using the netstat command, you can use the following command:

netstat -ie

Here, the options used are:

-i: Displays information about the network interfaces.

-e: Provides additional information, including statistics.

The output will include details such as interface names, MAC addresses, IP addresses, MTU (Maximum Transmission Unit), and more for each network interface.

Example output:

Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:1a:2b:3c:4d:5e
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21a:2bff:fe3c:4d5e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12345 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9876543 (9.8 MB)  TX bytes:8765432 (8.7 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:9876 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9876 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:12345678 (12.3 MB)  TX bytes:12345678 (12.3 MB)

In this example, eth0 and lo are the network interfaces. The output provides information about their hardware addresses (HWaddr), IP addresses (inet addr), IPv6 addresses (inet6 addr), status (UP for active), and various statistics for incoming and outgoing packets.

Show the kernel routing table

The kernel routing table, often referred to simply as the routing table, is a data structure maintained by the operating system’s kernel that contains information about the routes to various destinations in a computer network. This information is used by the operating system to determine the next hop for outgoing network packets.

The routing table is crucial for routers and networked devices to make decisions about where to send data packets based on their destination IP addresses. Each entry in the routing table includes information such as the destination network, the gateway (next hop), the network interface, and other attributes.

In Linux, you can view the kernel routing table using the netstat command. Here’s an example using the netstat command:

netstat -rn

Here is the sample output you might get when you run the above command:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

In this example:

The first line (0.0.0.0) represents the default route (UG flags) with the gateway (192.168.1.1) and the network interface (eth0).

The second line (192.168.1.0) indicates a route to the local network (192.168.1.0/24) with the network mask (255.255.255.0) and the network interface (eth0).

This output provides information about the destination, gateway, network mask, flags, and network interface for each route in the kernel routing table. The netstat -rn command may display additional routes depending on the system’s configuration and network setup.

Netstat command options

Here’s a comprehensive table summarizing various netstat command options:

Option	Description	Example Usage
`-a`	Display all sockets (both listening and non-listening)	`netstat -a`
`-c`	Continuous display (updating every second)	`netstat -c`
`-e`	Display additional information	`netstat -e`
`-g`	Display multicast group memberships	`netstat -g`
`-i`	Display network interfaces and their statistics	`netstat -i`
`-l`	Display listening ports	`netstat -l`
`-n`	Display numerical addresses (don’t resolve hostnames)	`netstat -n`
`-p`	Display process information	`netstat -p`
`-r`	Display kernel routing table	`netstat -r`
`-s`	Display statistics for each protocol	`netstat -s`
`-t`	Display TCP ports	`netstat -t`
`-u`	Display UDP ports	`netstat -u`
`-w`	Raw format, showing a wider range of information	`netstat -w`
`--numeric-ports`	Show numerical port numbers	`netstat --numeric-ports`
`--numeric-hosts`	Show numerical host addresses	`netstat --numeric-hosts`
`--programs`	Show program names	`netstat --programs`
`--verbose`	Verbose output with additional information	`netstat --verbose`

These options allow you to customize the netstat command according to your specific needs, whether you’re interested in network interfaces, routing tables, listening ports, established connections, or detailed statistics. Keep in mind that netstat is deprecated, and it’s recommended to use alternatives like ss or ip for more up-to-date and feature-rich information.

Hire us to handle what you want

Hire us through our Fiverr Profile and leave all the complicated & technical stuff to us. Here are some of the things we can do for you:

Website migration, troubleshooting, and maintenance.
Server & application deployment, scaling, troubleshooting, and maintenance
Deployment of Kubernetes, Docker, Cloudron, Ant Media, Apache, Nginx, OpenVPN, cPanel, WHMCS, WordPress, and more
Everything you need on AWS, IBM Cloud, GCP, Azure, Oracle Cloud, Alibaba Cloud, Linode, Contabo, DigitalOcean, Ionos, Vultr, GoDaddy, HostGator, Namecheap, DreamHost, and more.

We will design, configure, deploy, or troubleshoot anything you want. Starting from $10, we will get your job done in the shortest time possible. Your payment is safe with Fiverr as we will only be paid once your project is completed.