NETSTAT - Examples
Common Netstat Commands
Display All Network Connections
To display all network connections, including listening ports and established connections:
netstat -a
This command shows all sockets (TCP, UDP, etc.), including listening and non-listening ones.
Show Listening Ports
To display only the listening ports:
netstat -l
This command shows only the ports that are actively listening for incoming connections.
Show Network Statistics
To display network statistics, including interface usage and packet statistics:
netstat -s
This provides information about the network interfaces and protocol usage on the system.
Display Routing Table
To view the system's routing table:
netstat -r
This command displays the routing table that shows how packets are routed in the network.
Display Network Interfaces
To display network interface statistics:
netstat -i
This command shows statistics for each network interface on the system, including packet counts, errors, and collisions.
Differences Between Linux and BSD
On Linux and BSD systems, `netstat` is used similarly but may differ in syntax or options. In BSD-based systems (including FreeBSD, OpenBSD, and NetBSD), `netstat` may include additional or slightly different options.
BSD-Specific Options
In BSD-based systems, the `-n` option is used to display IP addresses and port numbers in numerical format without resolving them to hostnames or service names. For example:
netstat -an
This command skips DNS resolution of IP addresses and service-name lookup of port numbers.
Linux-Specific Options
In Linux, `netstat` is often used with options like `-t` (TCP), `-u` (UDP), and `-p` (process) to filter the output. An example of this on Linux:
netstat -tuln
This shows all listening TCP and UDP ports in numeric form, without resolving hostnames or service names.
Security Concepts
Network Monitoring for Intrusions
Using `netstat` can help identify suspicious network connections and detect possible unauthorized access to the system.
Look for unexpected listening ports or foreign IP addresses:
netstat -tuln
If an unfamiliar service or port is listening on the system, investigate further.
Preventing Unauthorized Access
One of the first steps to securing a system is to monitor the open ports and active connections. Disabling unused services can help reduce the attack surface.
Identify listening ports:
netstat -l
Once you identify services listening on unnecessary ports, disable them in the system configuration files or firewall settings.
Detecting Malicious Processes
Use `netstat` in combination with process information to identify suspicious processes associated with network connections. For example, on Linux, use the `-p` option to show the PID associated with a connection:
netstat -tulpn
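This command shows the PID of each process, allowing you to identify which service or process is holding a particular port. Run it as root to see the owners of sockets that belong to other users; without sufficient privileges the PID column shows `-` for those sockets.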
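The checks described under Network Monitoring for Intrusions and Detecting Malicious Processes can be scripted as a baseline comparison. The following is an added example, not part of the original page: it reads `netstat -tulpn` output and prints listeners that are not in an expected set. The names `ALLOWED`, `unexpected_listeners` and `sample_netstat`, the baseline ports, and the sample rows are all constructed for illustration.

```shell
#!/bin/sh
# Added example: list listening sockets that are not in a port baseline.
# Input on stdin: output of `netstat -tulpn` (Linux net-tools column layout).

# Hypothetical baseline of expected listeners, as proto/port pairs.
ALLOWED="${ALLOWED:-tcp/22 tcp/443 udp/123}"

unexpected_listeners() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {                 # socket rows only, headers skipped
        proto = $1; sub(/6$/, "", proto)   # fold tcp6/udp6 into tcp/udp
        if (proto == "tcp") {              # TCP rows have a State column
            if ($6 != "LISTEN") next
            owner = $7
        } else owner = $6                  # UDP listeners: State is blank
        port = $4; sub(/^.*:/, "", port)   # text after the last colon
        addr = $4; sub(/:[^:]*$/, "", addr)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        key = proto "/" port
        if (!(key in ok)) printf "%s %s %s %s\n", key, addr, scope, owner
    }'
}

# Constructed sample output, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      933/postgres
tcp6       0      0 :::443                  :::*                    LISTEN      1210/nginx
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2871/nc
udp        0      0 0.0.0.0:123             0.0.0.0:*                           655/chronyd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
EOF
}

# Prints three rows: tcp/5432 (loopback), tcp/4444 and udp/5353 (exposed).
sample_netstat | unexpected_listeners
# Live use; root is needed to see owners of other users' sockets:
#   sudo netstat -tulpn | unexpected_listeners
```

Each output row gives the protocol and port, the bound address, whether the socket is reachable only over loopback, and the owning PID/program. An owner of `-` means the process could not be identified at the current privilege level.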
Firewall and Netstat
Using a firewall in conjunction with `netstat` helps in ensuring that only authorized services are accessible to external networks. Once a firewall is configured, `netstat` can be used to verify which ports are open and which services are running.
Example:
netstat -an | grep 'LISTEN'
This helps in confirming that the firewall is correctly blocking or allowing the right ports.
Troubleshooting
No Output or Blank Response
If `netstat` produces no output or a blank response, there may not be any active connections or network interfaces. Confirm that the network interfaces are up and the system has active network traffic.
Check the status of interfaces:
ifconfig -a
This shows all interfaces, including those that are down. If the interface is up, try checking the system logs for any network-related issues.
Command Fails with "Command Not Found"
On some Linux distributions, `netstat` may not be installed by default. In such cases, install the `net-tools` package that includes `netstat`:
For Debian-based systems:
sudo apt-get install net-tools
Or on Red Hat-based systems:
sudo yum install net-tools
Inconsistent Output or Missing Data
In some cases, `netstat` might show inconsistent or incomplete data, especially on systems that use modern tools like `ss` (socket stat). If you're facing issues with missing or inaccurate data, consider switching to `ss` for a more detailed view of socket statistics.
For example, use `ss` to show all open sockets:
ss -tuln
This command offers more advanced features and is considered faster and more reliable than `netstat` on modern Linux systems.
Network Connection Issues
If you're troubleshooting network connectivity issues, check for processes that may be binding to incorrect or closed ports. You can use `netstat` to identify such issues and resolve them by reconfiguring the application or service.
Example:
netstat -tuln
If a service is not listening on the expected port, verify the service's configuration and restart it.
