linux poison RSS
linux poison Email

How to use Netstat?

Netstat (network statistics) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface statistics. Netstat is a useful tool for checking your network configuration and activity.

just typing netstat should display a long list of information that's usually more than you want to go through at any given time. The trick to keeping the information useful is knowing what you're looking for and how to tell netstat to only display that information.

For example, if you only want to see TCP connections, use netstat --tcp. This shows a list of TCP connections to and from your machine. The following example shows connections to our machine on ports 993 (imaps), 143 (imap), 110 (pop3), 25 (smtp), and 22 (ssh).It also shows a connection from our machine to a remote machine on port 389 (ldap).

Note: To speed things up you can use the --numeric option to avoid having to do name resolution on addresses and display the IP only.

1: netstat --tcp

% netstat --tcp --numeric
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 TIME_WAIT
tcp 0 0 TIME_WAIT
tcp 0 0 TIME_WAIT
If you want to see what (TCP) ports your machine is listening on, use netstat --tcp --listening. Another useful flag to add to this is --programs which indicates which process is listening on the specified port. The following example shows a machine listening on ports 80 (www), 443 (https), 22 (ssh), and 25 (smtp);

2: netstat --tcp --listening --programs

# sudo netstat --tcp --listening --programs
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:www *:* LISTEN 28826/apache2
tcp 0 0 *:ssh *:* LISTEN 26604/sshd
tcp 0 0 *:smtp *:* LISTEN 6836/
tcp 0 0 *:https *:* LISTEN 28826/apache2
Note: Using --all displays both connections and listening ports.

The next example uses netstat --route to display the routing table. For most people, this will show one IP and and the gateway address but if you have more than one interface or have multiple IPs assigned to an interface, this command can help troubleshoot network routing problems.

3: netstat --route

% netstat --route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface U 0 0 0 eth0 UG 1 0 0 eth0
The last example of netstat uses the --statistics flag to display networking statistics. Using this flag by itself displays all IP, TCP, UDP, and ICMP connection statistics. To just show some basic information. For example purposes, only the output from --raw is displayed here. Combined with the uptime command, this can be used to get an overview of how much traffic your machine is handling on a daily basis.

4: netstat --statistics --route

% netstat --statistics --raw
620516640 total packets received
0 forwarded
0 incoming packets discarded
615716262 incoming packets delivered
699594782 requests sent out
5 fragments dropped after timeout
3463529 reassemblies required
636730 packets reassembled ok
5 packet reassembles failed
310797 fragments created
// ICMP statistics truncated

Note: For verbosity, the long names for the various flags were given. Most can be abbreviated to avoid excessive typing (e.g. netstat -tn, netstat -tlp, netstat -r, and netstat -sw).

While netstat is a common utility, hopefully this has demonstrated some different ways to make use of the command. For more information see man 8 netstat.


Post a Comment

Related Posts with Thumbnails