PFSENSE - NETSTAT Command
Syntax
The basic syntax of the `netstat` command is:
netstat [options]
Where `[options]` can be any of the following flags, which modify the behavior of the command.
Common Options
- `-a` : Display all sockets (both listening and non-listening).
- `-n` : Show numerical addresses instead of resolving hostnames.
- `-r` : Show the routing table.
- `-i` : Display network interfaces and their statistics.
- `-s` : Display statistics by protocol (TCP, UDP, ICMP, etc.).
- `-p` : Show the PID and program name associated with each socket.
- `-t` : Display TCP connections only.
- `-u` : Display UDP connections only.
- `-l` : Show only listening sockets.
Display All Network Connections
To display all network connections (both listening and non-listening), use the `-a` option.
netstat -a
This command will show all active connections, including TCP and UDP connections, along with the listening sockets.
Display Network Connections with Numerical Addresses
To show the numerical addresses of network connections instead of hostnames, use the `-n` option, combined here with `-a`. This can be helpful for avoiding DNS resolution delays.
netstat -an
This command will show the connections using IP addresses instead of hostnames.
Show Routing Table
To display the routing table, use the `-r` option.
netstat -r
This will display the kernel routing table, showing how the system routes network traffic.
Display Interface Statistics
To view network interface statistics, use the `-i` option. This command will show the statistics for each interface.
netstat -i
The output includes information like the number of packets received and sent, errors, dropped packets, etc.
Display Protocol Statistics
Use the `-s` option to display statistics for each network protocol (e.g., TCP, UDP, ICMP, etc.).
netstat -s
This command will show protocol-specific statistics, including the number of packets received, sent, errors, and other related metrics.
Display Listening Sockets
To show only the listening sockets (ports that are waiting for incoming connections), use the `-l` option.
netstat -l
This will display all listening sockets, helping you identify which services are ready to accept connections.
Display TCP Connections
To filter and show only TCP connections, use the `-t` option.
netstat -t
This will show all active TCP connections, including both incoming and outgoing.
Display UDP Connections
To show only UDP connections, use the `-u` option.
netstat -u
This command will show all active UDP connections.
Display PID and Program Name
To display the PID (Process ID) and the associated program name with each socket, use the `-p` option.
netstat -p
This will show the process ID and the name of the program that owns each socket.
Combining Options
Multiple options can be combined to display more specific information. For example, to display all active connections with numerical addresses and associated PID/program name, use:
netstat -anp
This will show all connections with numerical addresses and the corresponding PID and program names.
Example: Show Listening TCP Ports
If you want to display all listening TCP ports, use:
netstat -lt
This will display only the TCP sockets that are in the listening state.
Example: Show Active UDP Connections with Program Info
To show active UDP connections along with the associated program names and PIDs:
netstat -up
This command will display active UDP connections and the processes associated with them.
Example: Show Routing Table with Interface Information
To display the routing table along with interface information, use:
netstat -ri
This command will show the routing table and interface statistics in a readable format.
Troubleshooting with netstat
Here are some practical troubleshooting scenarios where `netstat` can be useful:
- **Identifying open ports**: Use `netstat -an` to see which ports are open on your pfSense system.
- **Finding listening services**: Use `netstat -l` to determine which services are waiting for incoming connections.
- **Monitoring network performance**: Use `netstat -i` to check for packet errors, drops, and overall interface health.
- **Debugging connection issues**: Use `netstat -p` to find which processes are using specific network ports, helping to diagnose application-level issues.
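
The open-ports check above can be turned into a repeatable baseline comparison. The script below is an added example, not part of the original page: it parses `netstat -an` text and reports TCP listeners whose port is not on an allowlist. The function names, the allowlist and the sample output are constructed for illustration; the parser assumes numeric output (`-n`) and accepts both the BSD-style `addr.port` layout used by FreeBSD, which pfSense is built on, and the Linux-style `addr:port` layout.

```shell
#!/bin/sh
# listeners: read `netstat -an` text on stdin and print "proto bind_addr port"
# for every TCP socket in the LISTEN state.
listeners() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        la = $4
        # The port is whatever follows the last "." or ":" of the local address.
        if (match(la, /[.:][0-9]+$/) == 0) next
        print $1, substr(la, 1, RSTART - 1), substr(la, RSTART + 1)
    }' | sort -u
}

# unexpected_listeners: $1 is a space-separated allowlist of ports. Prints the
# listeners whose port is not on it. Loopback-only binds are skipped because
# they are not reachable from the network (a choice made for this example).
unexpected_listeners() {
    listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "127.0.0.1" || $2 == "::1" { next }
        !($3 in ok)'
}

# Constructed sample in FreeBSD `netstat -an` layout (not captured from a real host).
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.1.1.443        192.168.1.50.51234     ESTABLISHED
tcp4       0      0 *.443                  *.*                    LISTEN
tcp6       0      0 *.443                  *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
tcp4       0      0 192.168.1.1.8080       *.*                    LISTEN
udp4       0      0 *.53                   *.*'

# Allowlist for the sample: SSH and the HTTPS web interface.
sample_unexpected() { printf '%s\n' "$SAMPLE" | unexpected_listeners "22 443"; }

sample_unexpected
# Live use on the firewall: netstat -an | unexpected_listeners "22 443"
```

An empty result means every network-reachable TCP listener is on the allowlist; any line printed is a service to account for before it is left exposed.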
