November 18

Linux: Netstat – Key Commands

The various options available for netstat are far too numerous to be detailed in full here.

In this post, we’ll consider the most important netstat commands. These are commands no Linux administrator can do without.

Display All Connections

$ netstat -a

The above command lists all connections across protocols: TCP, UDP and Unix domain sockets.

List Only TCP Connections

$ netstat -at

List Only UDP Connections

$ netstat -au

Show IP Address without Reverse DNS lookup

$ netstat -ant

List All Listening Sockets

$ netstat -l

List Only Listening TCP Ports

$ netstat -lt

List Only Listening UDP Ports

$ netstat -lu

Display Summary Statistics

$ netstat -s

The above command spits out a wealth of information including total packets received, incoming packets delivered, active TCP connections, failed TCP connection attempts etc.

You can spend the better part of a day analyzing the output.

To print statistics for only a single protocol such as TCP or UDP, combine the corresponding option (-t or -u) with -s.

Display Statistics for TCP

$ netstat -st

Display Statistics for UDP

$ netstat -su

Displays Domain Name Where Possible for IP Address

$ netstat -F

Display Only IP address

$ netstat -n

The above command displays output without resolving host names, port names or user names.

Get Netstat Output Continuously

$ netstat -c

The -c option can be combined with other netstat options like -t (see below).

$ netstat -ct

Displays TCP Connections Continuously

$ netstat -tcp

The above command outputs TCP connections along with their PID/program name continuously (-tcp is parsed as -t -c -p).

Display Process Identifier (PID)

$ netstat -p

The above command adds a PID/program name column to the output.

The -p option can be combined with other options (see below).

Show Service Name with PID Number

$ netstat -tp

Displays TCP Connections without Domain Names

$ netstat --tcp --numeric

List Only Listening TCP Connections

$ netstat -tnl

List Only Listening UDP Connections

$ netstat -unl

List Process Name/PID and User ID

$ sudo netstat -nlpt

Show Listening Connections of TCP with Process Information and Extended Information

$ sudo netstat -ltpe

Show Kernel’s Network Routing Table

$ netstat -r

Display Kernel Routing Information

$ netstat -rn

The above command does not resolve host names.

Print Network Interfaces

$ netstat -ie

Display all Open connections to a Specific Port

$ netstat -anp | grep ":"

Put the port number after the colon in the grep pattern above (for example ":80" for port 80).

Show Active/Established Connections

$ netstat -atnp | grep ESTA

Get Continuous List of Active Connections

$ watch -d -n0 "netstat -atnp | grep ESTA"

Check if a Service is Running

$ sudo netstat -aple | grep ntp

You can substitute http or smtp for ntp.

Netstat – Security Commands

There are some netstat commands that are more geared toward security than others.

In an era when attacks from both individuals and government agencies are common, it’s important to be au courant with a bunch of security-oriented netstat commands.

These commands are useful in identifying malicious visitors.

Here are a bunch of security-oriented netstat commands. Some of them are useful in bringing small-scale DoS attacks under control.

Display IPs with High Number of Connections

$ netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head

IP Addresses Connected to Port 80

$ netstat -tn 2>/dev/null | grep ':80 ' | awk '{print $5}' | sed -e 's/::ffff://' | cut -f1 -d: | sort | uniq -c | sort -rn | head

Display Number of Active Connections on Port 80

$ netstat -an |grep :80 |wc -l

Displays Foreign IP Addresses Only

$ netstat -antu | grep :80 | grep -v LISTEN | awk '{print $5}'

Display Active SYN_REC

The command below outputs how many connections are currently in the SYN_REC state on the server (netstat prints the state as SYN_RECV, which grep SYN_REC matches as a substring). The number should be low (less than 5). If the number is in double digits, you may be suffering a DoS attack or being mail bombed.

$ netstat -n -p|grep SYN_REC | wc -l

List Unique IP Addresses Sending SYN_REC Connection

Like the command above, this one lists the unique IP addresses of the nodes whose connections are in the SYN_REC state.

$ netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'

Connections Per Remote IP

$ netstat -antu | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n

or

$ netstat -antu | awk '$5 ~ /[0-9]:/{split($5, a, ":"); ips[a[1]]++} END {for (ip in ips) print ips[ip], ip | "sort -k1 -nr"}'
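As an added example (not the post's own commands), the script below reworks the SYN_REC checks and the connections-per-remote-IP count from above so that IPv6 and IPv4-mapped (::ffff:) peers are counted correctly, which the cut -d: -f1 approach mangles; it runs against a constructed netstat -antu sample rather than live sockets.

```shell
# Added example, not from the original post: the per-remote-IP count and the
# SYN_REC checks from above, made IPv6-aware. "cut -d: -f1" returns an empty
# or wrong key for "::ffff:1.2.3.4:443" and "2001:db8::1:443"; stripping the
# port from the right and the ::ffff: prefix from the left fixes that.

# Constructed sample in the layout of "netstat -antu" (not real traffic).
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             192.0.2.10:51234        ESTABLISHED
tcp        0      0 10.0.0.5:80             192.0.2.10:51235        ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:40001      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.7:40002      SYN_RECV
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.10:51236 ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::99:61000      SYN_RECV
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

# Print the peer address of every connected socket, one per line:
# skip header lines (no colon in field 5) and wildcard peers (":*").
peer_ip() {
  awk '$5 ~ /:/ && $5 !~ /:\*$/ {
         ip = $5
         sub(/:[0-9]+$/, "", ip)     # drop :port (everything after the last colon)
         sub(/^::ffff:/, "", ip)     # unwrap IPv4-mapped IPv6
         print ip
       }'
}

# Connections per remote IP as "count ip", busiest peer first.
conn_per_ip() {
  sample_netstat | peer_ip | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of half-open connections (the post's SYN_REC count).
syn_rec_count() {
  sample_netstat | grep -c SYN_REC
}

# Unique peers currently in SYN_RECV (the post's "who is sending SYN_REC").
syn_rec_ips() {
  sample_netstat | grep SYN_REC | peer_ip | sort -u
}

conn_per_ip; syn_rec_count; syn_rec_ips
```

To run it against live sockets, replace sample_netstat with netstat -antu in the three functions.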

Check Open Ports (both ipv4 and ipv6)

$ netstat -plntu

Check Open TCP Ports (both ipv4 and ipv6)

$ netstat -plnt

Number of Open Connections per IP

$ netstat -an | grep 80 | wc -l

Note that grep 80 matches any line containing the digits 80 (port 8080 or an address such as 10.80.0.1 included), not only port 80.

Active Internet Connections

$ netstat -pnut -w | column -t -s $'\t'

Posted November 18, 2021 by Timothy Conrad in category "Linux
