Netstat - Network Statistics and Connections
Netstat (network statistics) is a command-line tool that displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. It's available on Windows, Linux, macOS, and other Unix-like systems, though with some platform-specific differences.
Basic Usage
Display All Connections
bash
# Show all connections and listening ports
netstat -a
# Show all connections with numeric addresses
netstat -an
# Show all connections with process information (Linux; on macOS -p takes a protocol name, so use lsof -i there)
netstat -anp
# Show all connections with process information (Windows)
netstat -ano
Show Listening Ports Only
bash
# Show only listening ports
netstat -l # Linux
netstat -an | findstr LISTENING # Windows
# Show listening ports with numeric addresses
netstat -ln # Linux
# Show listening ports with process info
netstat -lnp # Linux
netstat -ano | findstr LISTENING # Windows
Protocol-Specific Options
TCP Connections
bash
# Show TCP connections only
netstat -t # Linux
netstat -p tcp # Windows
# Show TCP listening ports
netstat -lt # Linux
netstat -an -p tcp | findstr LISTENING # Windows
# Show TCP connections with numeric addresses
netstat -tn # Linux
netstat -an -p tcp # Windows
# Show TCP connections with process info
netstat -tnp # Linux
netstat -ano -p tcp # Windows
UDP Connections
bash
# Show UDP connections only
netstat -u # Linux
netstat -p udp # Windows
# Show UDP listening ports
netstat -lu # Linux
netstat -an -p udp # Windows
# Show UDP connections with numeric addresses
netstat -un # Linux
netstat -an -p udp # Windows
# Show UDP connections with process info
netstat -unp # Linux
netstat -ano -p udp # Windows
Common Option Combinations
Most Useful Commands
bash
# All connections, numeric, with processes
netstat -anp # Linux
netstat -ano # Windows
# TCP listening ports with processes
netstat -tlnp # Linux
netstat -ano -p tcp | findstr LISTENING # Windows
# UDP listening ports with processes
netstat -ulnp # Linux
netstat -ano -p udp # Windows
# All listening ports (TCP and UDP)
netstat -tuln # Linux
netstat -an | findstr LISTENING # Windows
Platform-Specific Options
Linux/macOS Specific
bash
# Show process names and PIDs (Linux only)
netstat -p
# Show extended information
netstat -e
# Continuous monitoring (refresh every second)
netstat -c
# Continuous monitoring with custom interval
netstat -c 5
# Show multicast group memberships
netstat -g
# Show masquerading connections (Linux only)
netstat -M
# Show raw sockets
netstat -w
# Show UNIX domain sockets
netstat -x
Windows Specific
cmd
# Show executable involved in creating connection
netstat -b
# Show process ID (PID) for each connection
netstat -o
# Show fully qualified domain names
netstat -f
# Show Ethernet statistics
netstat -e
# Show per-protocol statistics
netstat -s
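# Show connections for specific protocol (TCP, UDP, TCPv6 or UDPv6)
netstat -p tcp
netstat -p udp
# IP, IPv6, ICMP and ICMPv6 are only accepted together with -s (statistics)
netstat -s -p ip
netstat -s -p ipv6
netstat -s -p icmp
netstat -s -p icmpv6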
# Combine options
netstat -ab # Show processes and executables
netstat -aon # Show all with numeric addresses and PIDs
Routing and Interface Information
Routing Table
bash
# Display routing table
netstat -r # All platforms
netstat -rn # Numeric addresses
# Windows specific routing
netstat -r -p ip
netstat -r -p ipv6
# Linux address-family filters (macOS uses -f inet / -f inet6 instead of -A)
netstat -rn -A inet # IPv4 only
netstat -rn -A inet6 # IPv6 only
Interface Statistics
bash
# Show interface statistics
netstat -i # Linux/macOS
netstat -e # Windows
# Show interface statistics continuously
netstat -ic # Linux
# Detailed interface information
netstat -ie # Linux
Filtering and Searching
Port-Specific Searches
bash
# Find connections on specific ports
netstat -an | grep :80 # Linux/macOS
netstat -an | findstr :80 # Windows
netstat -an | grep :443 # HTTPS
netstat -an | grep :22 # SSH
netstat -an | grep :21 # FTP
netstat -an | grep :25 # SMTP
netstat -an | grep :53 # DNS
netstat -an | grep :3306 # MySQL
netstat -an | grep :5432 # PostgreSQL
Connection State Filtering
bash
# Filter by connection state
netstat -an | grep LISTEN # Listening ports
netstat -an | grep ESTABLISHED # Active connections
netstat -an | grep TIME_WAIT # Closing connections
netstat -an | grep CLOSE_WAIT # Waiting to close
netstat -an | grep FIN_WAIT # Finishing connections
netstat -an | grep SYN_SENT # Outgoing connections
netstat -an | grep SYN_RECV # Incoming connections
# Windows equivalents
netstat -an | findstr LISTENING
netstat -an | findstr ESTABLISHED
netstat -an | findstr TIME_WAIT
Process-Specific Searches
bash
# Find connections by process name (Linux)
netstat -anp | grep nginx
netstat -anp | grep apache
netstat -anp | grep mysql
netstat -anp | grep ssh
# Find connections by PID (Windows)
netstat -ano | findstr 1234
# Find process using specific port
netstat -anp | grep :80 # Linux
netstat -ano | findstr :80 # Windows
Statistics and Monitoring
Protocol Statistics
bash
# Show statistics for all protocols
netstat -s
# Show statistics for specific protocol
netstat -s -p tcp # Windows
netstat -s -p udp # Windows
netstat -s -p ip # Windows
# Linux protocol statistics
netstat -s | grep -A 10 "Tcp:"
netstat -s | grep -A 10 "Udp:"
netstat -s | grep -A 10 "Ip:"
Continuous Monitoring
bash
# Monitor connections continuously
netstat -c # Linux (1 second intervals)
netstat -c 5 # Linux (5 second intervals)
# Windows continuous monitoring (using loops)
# PowerShell
while ($true) { netstat -an; Start-Sleep 5; Clear-Host }
# Command Prompt
for /l %i in (1,0,2) do (netstat -an & timeout /t 5 & cls)
Modern Alternatives
SS Command (Linux)
bash
# SS is the modern replacement for netstat on Linux
ss -tuln # TCP and UDP listening ports
ss -tulpn # Include process information
ss -an # All connections, numeric
ss -l # Listening ports only
ss -t # TCP only
ss -u # UDP only
ss -p # Show processes
ss -n # Numeric addresses
# Filter by state
ss -t state listening
ss -t state established
ss -t state time-wait
# Filter by port
ss -tuln sport :80
ss -tuln dport :443
ss -tuln 'sport >= :1024' # source ports 1024-65535
# Show socket memory usage
ss -m
# Show detailed socket information
ss -i
LSOF Command (Linux/macOS)
bash
# List open files and network connections
lsof -i # All network connections
lsof -i TCP # TCP connections only
lsof -i UDP # UDP connections only
lsof -i :80 # Connections on port 80
lsof -i :443 # Connections on port 443
# Show listening ports
lsof -i -sTCP:LISTEN
lsof -i -sUDP:LISTEN
# Show connections by process (-a ANDs the selections; lsof ORs them by default)
lsof -a -i -c nginx
lsof -a -i -c apache
lsof -a -i -c mysql
# Show connections by user
lsof -a -i -u www-data
lsof -a -i -u mysql
# Show IPv4 only
lsof -i 4
# Show IPv6 only
lsof -i 6
Practical Examples
Security Monitoring
bash
# Check for suspicious connections
netstat -an | grep ESTABLISHED | grep -v "127.0.0.1\|::1"
# Monitor for connections to unusual ports
netstat -an | grep -E ":(1234|4444|5555|6666|7777|8888|9999)"
# Check for processes listening on all interfaces (match the local address column only)
netstat -tulnp | awk '$4 ~ /^(0\.0\.0\.0|::):/'
# Find connections from specific IP ranges
netstat -an | grep -E "[[:space:]]192\.168\."
netstat -an | grep -E "[[:space:]]10\."
netstat -an | grep -E "[[:space:]]172\."
Web Server Monitoring
bash
# Monitor HTTP connections
netstat -an | grep :80 | wc -l
# Monitor HTTPS connections
netstat -an | grep :443 | wc -l
# Check connection states for web server
netstat -an | grep ":80\|:443" | awk '{print $6}' | sort | uniq -c
# Find top connecting IPs
netstat -an | grep ":80\|:443" | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Database Monitoring
bash
# Monitor MySQL connections
netstat -an | grep :3306
# Monitor PostgreSQL connections
netstat -an | grep :5432
# Monitor Redis connections
netstat -an | grep :6379
# Monitor MongoDB connections
netstat -an | grep :27017
System Performance Analysis
bash
# Count total connections
netstat -an | wc -l
# Count TCP connections by state (skip the two header lines)
netstat -ant | awk 'NR>2 {print $6}' | sort | uniq -c
# Count listening services
netstat -ln | wc -l
# Monitor connection growth
watch "netstat -an | wc -l"
Troubleshooting Common Issues
Port Already in Use
bash
# Find what's using a specific port
netstat -anp | grep :8080 # Linux
netstat -ano | findstr :8080 # Windows
# Kill the process listening on a specific port (Linux)
sudo kill $(sudo netstat -tlnp | awk '$4 ~ /:8080$/ {split($7, p, "/"); print p[1]}' | sort -u)
# Windows - find and kill process
netstat -ano | findstr :8080
taskkill /PID <PID> /F
Connection Issues
bash
# Check if service is listening
netstat -an | grep :22 # SSH
netstat -an | grep :80 # HTTP
netstat -an | grep :443 # HTTPS
# Check connection states
netstat -an | grep ESTABLISHED | wc -l
netstat -an | grep TIME_WAIT | wc -l
netstat -an | grep CLOSE_WAIT | wc -l
Network Interface Problems
bash
# Check interface statistics
netstat -i
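# Look for errors: print each interface counter (RX/TX errors and drops) that is non-zero
netstat -i | awk 'NR==2 {for (i=1; i<=NF; i++) if ($i ~ /^(RX|TX)-(ERR|DRP)$/) col[i]=$i; next} NR>2 {for (i in col) if ($i+0 > 0) print $1, col[i] "=" $i}'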
# Monitor interface continuously
watch "netstat -i"
Scripting and Automation
Bash Monitoring Script
bash
#!/bin/bash
# Network monitoring script
LOG_FILE="/var/log/network-monitor.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$DATE] Network Status Check" >> "$LOG_FILE"
# Count TCP connections by state (NR>2 skips the two header lines)
echo "Connection States:" >> "$LOG_FILE"
netstat -ant | awk 'NR>2 {print $6}' | sort | uniq -c >> "$LOG_FILE"
# Listening ports (the port is the text after the last colon, so IPv6 addresses work too)
echo "Listening Ports:" >> "$LOG_FILE"
netstat -tln | awk '$6 == "LISTEN" {n = split($4, a, ":"); print a[n]}' | sort -nu >> "$LOG_FILE"
# Connection count (TCP and UDP sockets, header lines excluded)
CONN_COUNT=$(netstat -antu | awk 'NR>2' | wc -l)
echo "Total Connections: $CONN_COUNT" >> "$LOG_FILE"
echo "---" >> "$LOG_FILE"
PowerShell Monitoring Script
powershell
# Network monitoring script for Windows
$LogFile = "C:\logs\network-monitor.log"
$Date = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
Add-Content $LogFile "[$Date] Network Status Check"
# Count TCP connections by state (Trim() removes the leading spaces, so index 3 is the State column)
$States = netstat -an | Where-Object { $_ -match '^\s*TCP' } | ForEach-Object { ($_.Trim() -split '\s+')[3] } | Group-Object | Sort-Object Count -Descending
Add-Content $LogFile "Connection States:"
$States | ForEach-Object { Add-Content $LogFile "$($_.Count) $($_.Name)" }
# Listening ports (after Trim(), index 1 is the Local Address column)
$Listening = netstat -an | Where-Object { $_ -match "LISTENING" } | ForEach-Object { ($_.Trim() -split '\s+')[1] }
Add-Content $LogFile "Listening Ports:"
$Listening | ForEach-Object { Add-Content $LogFile $_ }
Add-Content $LogFile "---"
Performance Considerations
Large Systems
bash
# For systems with many connections, use filters
netstat -an | head -100 # First 100 lines
netstat -an | tail -100 # Last 100 lines
# Use ss instead of netstat on Linux (faster)
ss -tuln # Much faster than netstat
# Limit output to specific protocols
netstat -tn # TCP only
netstat -un # UDP only
Memory Usage
bash
# Measure how long netstat takes to run (time reports run time, not memory)
time netstat -an > /dev/null
# Use more efficient alternatives
time ss -an > /dev/null # Linux
time lsof -i > /dev/null # macOS/Linux
Best Practices
Security
- Regularly monitor for unexpected listening services
- Check for connections to unusual ports or IPs
- Monitor for processes running with elevated privileges
- Use numeric output to avoid DNS lookups that might be logged
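One way to act on the first two points in the list above, as an added example that is not part of the original page: a shell function that reads Linux `netstat -tulnp` output and reports every listener whose protocol/port is not on an allowlist, noting whether it is bound to all interfaces. The function names, the allowlist format and the sample output are constructed for illustration.

```sh
#!/bin/sh
# Added example: report listening sockets that are not on an allowlist.
# stdin: output of `netstat -tulnp` (Linux net-tools format).
# $1:    space-separated allowlist of proto/port pairs, e.g. "tcp/22 udp/68".
unexpected_listeners() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {                      # socket rows only, skips headers
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next # UDP rows have no State column
        pidcol = ($1 ~ /^tcp/) ? 7 : 6          # PID/Program is "-" without root
        proto = $1; sub(/6$/, "", proto)        # treat tcp6/udp6 as tcp/udp
        port = $4; sub(/.*:/, "", port)         # text after the last colon
        host = substr($4, 1, length($4) - length(port) - 1)
        key = proto "/" port
        if (key in ok) next
        if (host == "0.0.0.0" || host == "::") scope = "wildcard"
        else if (host ~ /^127\./ || host == "::1") scope = "loopback"
        else scope = "specific"
        print key, host, scope, $pidcol
    }' | sort -u
}

# Constructed sample output, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      701/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      933/postgres
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2210/nc
tcp6       0      0 :::443                  :::*                    LISTEN      880/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           812/dhclient
udp6       0      0 :::5353                 :::*                                640/avahi-daemon
EOF
}

# Demo on the sample: everything not in the allowlist is printed.
sample_netstat | unexpected_listeners "tcp/22 tcp/443 udp/68"
```

On a live host, pipe `sudo netstat -tulnp` into `unexpected_listeners` with the allowlist for that machine; an empty result means every listener is accounted for.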
Performance
- Use ss instead of netstat on modern Linux systems
- Filter output to reduce processing time
- Use appropriate intervals for continuous monitoring
- Consider using specialized monitoring tools for production systems
Troubleshooting
- Always check both listening ports and active connections
- Correlate netstat output with system logs
- Use process information to identify applications
- Monitor connection states to identify issues
Cross-Platform Compatibility
- Test scripts on target platforms
- Use appropriate command syntax for each OS
- Consider using wrapper functions for portability
- Document platform-specific behaviors
Netstat remains one of the most important tools for network troubleshooting and monitoring. While newer tools like ss and lsof provide additional features, netstat's ubiquity across platforms makes it an essential skill for system administrators and developers.