Netstat is a command-line tool that lets you view network connections, routing tables and other network-related information on a Linux system. In this post we will go over the steps to install netstat on Linux and explore some of its most commonly used commands and their use cases.
Install it if not present
Netstat is typically included in a default Linux installation, so you may already have it on your system. However, newer releases of some distributions no longer ship it, because netstat is deprecated and has been replaced by the ss command. If you still want to install netstat, you can do so with the following command on Ubuntu or Debian:
$ sudo apt-get install net-tools -y
Or on Red Hat or CentOS:
$ sudo yum install net-tools -y
Use netstat to track the current TCP and UDP connections
To check the current TCP and UDP listening ports on the host, you can run the following command:
$ netstat -tuln
Interpreting the results:
- Proto: The protocol of the socket (tcp, udp, tcp6, udp6, ...).
- Recv-Q: For established connections, the number of bytes not yet copied by the user program connected to this socket. For listening sockets, since kernel 2.6.18 this column holds the current SYN backlog.
- Send-Q: For established connections, the number of bytes not yet acknowledged by the remote host. For listening sockets, since kernel 2.6.18 this column holds the maximum size of the SYN backlog.
- Local Address: The local IP address and port the socket is bound to. 0.0.0.0 means all IPv4 addresses (:: for IPv6), and any address starting with 127. is localhost, so a listener bound to 0.0.0.0 or :: is reachable from every interface, while one bound to 127.0.0.1 is only reachable from the host itself.
- Foreign Address: The IP address and port of the remote host.
- State: The status of the TCP connection. Only applicable to TCP, because UDP is stateless.
Let’s explain more about the options used:
- -t: Show only TCP connections. --tcp has the same effect.
- -u: Show only UDP connections. Equivalent to --udp.
- -l: Show only listening sockets. Equivalent to --listening.
- -n: Show numeric hosts and ports instead of resolving names (e.g. 22 instead of ssh), which also avoids slow DNS lookups.
Then, if you want to filter the results for a particular port or IP, you just need to pipe the output to a grep command:
$ netstat -tuln | grep :53
Get the process associated to the connection
An interesting use of netstat is to find the process on the host behind each connection by using the -p option. You will need sudo privileges to see the owning process of sockets that belong to other users:
$ sudo netstat -tulnp
Let's say that we want to learn more about the docker-proxy process with PID 7154. We then use that PID to get additional details from the ps command:
$ ps -ef | grep <PID>
After running the above command, we have discovered the command line associated with PID 7154, when it was started and its parent PID (3112).
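The two checks described above (which listeners are bound to every interface, and which PID/program owns a given port) can be scripted rather than read off by eye. The following is an added example and not code from the original post: it parses the output format of `sudo netstat -tulnp` with awk. The netstat output embedded in it is constructed sample data so that it runs offline; the ports, PIDs and program names in it are assumptions, not values from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the output of
# `sudo netstat -tulnp`, flag listeners bound to every interface (0.0.0.0 / ::)
# and map a port back to the PID/program that owns it.
# The netstat output below is CONSTRUCTED sample data so the script runs offline;
# the ports, PIDs and program names are assumptions, not taken from a real host.

sample_netstat_tulnp() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      7154/docker-proxy
udp        0      0 127.0.0.53:53           0.0.0.0:*                           655/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
EOF
}

# exposed_listeners: reads netstat -tulnp output on stdin and prints one line
# "proto port pid program" for every socket that is reachable from any interface.
# The "Local Address" column is $4; the port is the text after its last colon.
# The PID/Program column is the last field ($NF), so UDP rows, which have no
# State column, are handled the same way as TCP rows.
exposed_listeners() {
  awk 'NR > 2 {
    addr = $4; port = $4
    sub(/:[^:]*$/, "", addr)   # strip ":port" -> bind address (":::80" -> "::")
    sub(/^.*:/, "", port)      # keep only the port number
    split($NF, pp, "/")        # "PID/Program" -> pp[1]=PID, pp[2]=program ("-" if unknown)
    if (addr == "0.0.0.0" || addr == "::")
      printf "%s %s %s %s\n", $1, port, pp[1], pp[2]
  }'
}

# owner_of_port PORT: reads netstat -tulnp output on stdin and prints "pid program"
# for the first listener on that port, i.e. the PID you would then hand to ps.
owner_of_port() {
  awk -v want="$1" 'NR > 2 {
    port = $4; sub(/^.*:/, "", port)
    if (port == want) { split($NF, pp, "/"); print pp[1], pp[2]; exit }
  }'
}

# Offline demonstration on the constructed sample. On a live host replace
# sample_netstat_tulnp with `sudo netstat -tulnp`.
echo "Listeners reachable from any interface:"
sample_netstat_tulnp | exposed_listeners
echo "Owner of port 80: $(sample_netstat_tulnp | owner_of_port 80)"
```

On a real host you would run `sudo netstat -tulnp | exposed_listeners` and then `ps -o pid,ppid,lstart,cmd -p <PID>` on any PID you do not recognise; the point of `exposed_listeners` is that it separates services bound to localhost (mysqld, systemd-resolved in the sample) from the ones that are actually reachable from the network.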
The following can be run to gather further information, but it is outside of the scope of this post:
Check the traffic metrics with netstat
To analyse the traffic metrics on your host you can use the option -s or --statistics:
$ netstat -s
Below you'll find an example of the output from the previous command. It lets you discover whether your host is being flooded through any of the supported protocols. For instance, if "ICMP messages received" is abnormally high, or grows abnormally fast between two runs, that could mean the host is being flooded by ping.
fse@fse2:~$ netstat -s
Ip:
Forwarding: 1
110646 total packets received
6 with invalid addresses
0 forwarded
0 incoming packets discarded
110631 incoming packets delivered
64830 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed
ICMP input histogram:
66 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 66
IcmpMsg:
OutType3: 66
Tcp:
124 active connection openings
7 passive connection openings
0 failed connection attempts
0 connection resets received
1 connections established
109420 segments received
63588 segments sent out
1 segments retransmitted
0 bad segments received
4 resets sent
Udp:
1021 packets received
170 packets to unknown port received
0 packet receive errors
1217 packets sent
0 receive buffer errors
0 send buffer errors
UdpLite:
TcpExt:
80 TCP sockets finished time wait in fast timer
1 packetes rejected in established connections because of timestamp
139 delayed acks sent
1 delayed acks further delayed because of locked socket
Quick ack mode was activated 19 times
73186 packet headers predicted
586 acknowledgments not containing data payload received
5230 predicted acknowledgments
Detected reordering 66 times using SACK
TCPLossProbes: 1
TCPLossProbeRecovery: 1
TCPDSACKOldSent: 19
TCPDSACKOfoSent: 19
TCPDSACKRecv: 23
2 connections reset due to unexpected data
TCPDSACKIgnoredNoUndo: 23
TCPSackShiftFallback: 66
TCPRcvCoalesce: 78033
TCPOFOQueue: 24782
TCPOFOMerge: 18
TCPOrigDataSent: 6522
TCPHystartTrainDetect: 1
TCPHystartTrainCwnd: 16
IpExt:
InOctets: 891741786
OutOctets: 4832546
InNoECTPkts: 110877
Sctp:
0 Current Associations
0 Active Associations
0 Passive Associations
0 Number of Aborteds
0 Number of Graceful Terminations
0 Number of Out of Blue packets
0 Number of Packets with invalid Checksum
0 Number of control chunks sent
0 Number of ordered chunks sent
0 Number of Unordered chunks sent
0 Number of control chunks received
0 Number of ordered chunks received
0 Number of Unordered chunks received
0 Number of messages fragmented
0 Number of messages reassembled
0 Number of SCTP packets sent
0 Number of SCTP packets received
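Because the counters above are cumulative since boot, a single snapshot cannot tell you whether a number is "abnormally high"; what matters is how fast it grows. The following is an added example, not code from the original post: it takes two `netstat -s` snapshots a known number of seconds apart and turns the difference in a counter into a per-second rate. Both snapshots are constructed sample text (the first mirrors the counters shown above, the second assumes 10 seconds have passed during a ping flood), and the 1000 messages/s threshold is an assumption for illustration, not a recommendation.

```shell
#!/bin/sh
# Added example, not part of the original post: take two `netstat -s` snapshots
# a known number of seconds apart and turn the difference in a counter into a
# per-second rate, which is what you need to call a value "abnormally high".
# Both snapshots below are CONSTRUCTED sample text (the first mirrors the counters
# from the post, the second assumes 10 s have passed during a ping flood);
# the interval and the 1000/s threshold are assumptions, not recommendations.

snapshot_before() {
  cat <<'EOF'
Ip:
    110646 total packets received
Icmp:
    0 ICMP messages received
    0 input ICMP message failed
    66 ICMP messages sent
Tcp:
    124 active connection openings
    0 failed connection attempts
Udp:
    1021 packets received
EOF
}

snapshot_after() {
  cat <<'EOF'
Ip:
    161052 total packets received
Icmp:
    48231 ICMP messages received
    0 input ICMP message failed
    48297 ICMP messages sent
Tcp:
    125 active connection openings
    0 failed connection attempts
Udp:
    1041 packets received
EOF
}

# counter_value NAME: reads netstat -s output on stdin and prints the number in
# front of the line whose text (after the number) is exactly NAME.
# Exact matching matters: "packets received" must not match "total packets received".
counter_value() {
  awk -v name="$1" '{
    label = $0
    sub(/^[ \t]*[0-9]+[ \t]+/, "", label)
    if (label == name) { print $1; exit }
  }'
}

# counter_rate NAME SECONDS BEFORE_CMD AFTER_CMD: integer change per second.
# BEFORE_CMD and AFTER_CMD are commands that print a netstat -s snapshot.
counter_rate() {
  before=$("$3" | counter_value "$1")
  after=$("$4" | counter_value "$1")
  if [ -z "$before" ] || [ -z "$after" ]; then
    echo "counter '$1' not found in snapshot" >&2
    return 1
  fi
  echo $(( (after - before) / $2 ))
}

# flood_verdict NAME SECONDS THRESHOLD BEFORE_CMD AFTER_CMD: prints "ALERT ..."
# if the counter grows faster than THRESHOLD per second, "ok ..." otherwise.
flood_verdict() {
  rate=$(counter_rate "$1" "$2" "$4" "$5") || return 1
  if [ "$rate" -gt "$3" ]; then
    echo "ALERT $1 rate=$rate/s"
  else
    echo "ok $1 rate=$rate/s"
  fi
}

# Offline demonstration on the constructed snapshots.
flood_verdict "ICMP messages received" 10 1000 snapshot_before snapshot_after
flood_verdict "packets received" 10 1000 snapshot_before snapshot_after
```

On a live host, capture `netstat -s > /tmp/before`, wait the chosen interval, capture `netstat -s > /tmp/after`, and pass two small functions such as `before() { cat /tmp/before; }` and `after() { cat /tmp/after; }` in place of the sample snapshot functions; the same `counter_value` lookup works for any line of the `netstat -s` output, for example "failed connection attempts" under Tcp or "packets to unknown port received" under Udp.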
Other useful netstat options
The netstat command can show the routing table of the host, like the route command, with the -r option:
$ netstat -r
Get the statistics from all interfaces with -i:
$ netstat -i
And run continuously with the -c option until you interrupt it with Ctrl+C:
$ netstat -tulnc
To wrap up
In conclusion, netstat is a powerful command-line tool that lets you view all kinds of network-related information on a Linux system. It can be used to troubleshoot network issues, monitor network traffic, and more. Nevertheless, if you have a chance to try and get familiar with the ss command, that would be another great tool to add to your toolbox.