Linux Netstat Command - How To Use Netstat For Linux Network Management

What is Netstat?

• Active network connections: See what your computer is connecting to
• Routing tables: View the paths your computer uses to send information
• Network interfaces: Get details on your network devices and their activity

With netstat, you can get a clear picture of your network status and find any issues.

Basic Syntax

netstat [options]

You can combine different options to get the specific information you need. Some common examples:

• netstat -a: Shows all active connections
• netstat -r: Displays the routing table
• netstat -i: Lists network interface statistics

The options let you adjust netstat's output to focus on the details that matter for your troubleshooting or analysis.

Listing All Active Connections

netstat -a

This command shows both listening and established connections, giving an overview of your network activity. The output includes details like the protocol (TCP or UDP), local and foreign addresses, and the current state of each connection.

For example:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:mysql         0.0.0.0:*               LISTEN     
tcp        0      0 192.168.1.100:ssh       192.168.1.50:1234       ESTABLISHED
udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                          

Here, we can see a listening MySQL server, an established SSH connection, and a UDP connection for DHCP (bootpc).

Listing TCP and UDP Connections

netstat -at

And for UDP connections:

netstat -au

This is useful when you're troubleshooting issues related to a specific protocol or service. For instance, if you're having problems with a web server, you might use netstat -at to check its TCP connections.

Showing Listening Ports

netstat -l

You can also combine this with the -t or -u options to filter for TCP or UDP ports:

netstat -lt netstat -lu

This is a quick way to see which services are running on your system and which ports they're using. For example:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN     
tcp6       0      0 [::]:https              [::]:*                  LISTEN

Here, we can see that the system is running an HTTP server on port 80 (http) and an HTTPS server on port 443 (https), both listening for IPv4 and IPv6 connections.

By using these netstat commands to show active connections and listening ports, you can get a clear picture of your Linux system's network services and find any potential issues or security risks.

Showing Interface Statistics

netstat -i

This command shows a list of all network interfaces on your system, along with important metrics for each one. The output includes:

• Interface name (e.g., eth0, lo)
• MTU (Maximum Transmission Unit) size
• Number of packets received (RX) and sent (TX)
• Number of receive (RX) and transmit (TX) errors
• Number of received (RX) and sent (TX) packets dropped

For example:

Kernel Interface table
Iface   MTU RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500  1234      0      0 0         5678      0      0      0 BMRU
lo    65536   100      0      0 0          100      0      0      0 LRU

Here, we can see statistics for the eth0 (Ethernet) and lo (loopback) interfaces. The RX columns show the number of packets received, received with errors, dropped, and overruns. The TX columns show the same information for sent packets.

Monitoring these statistics can help you find performance issues or errors on specific interfaces. For instance, a high number of RX-ERR or TX-ERR might show a physical problem with a network cable or port.

Showing Kernel Routing Table

netstat -r

This command shows each route as a line with several fields:

• Destination: The destination network or host
• Gateway: The gateway (router) used to reach the destination
• Genmask: The netmask for the destination network
• Flags: Flags showing route features (e.g., U for up, G for gateway)
• MSS: The default maximum segment size for TCP connections over this route
• Window: The default TCP window size
• irtt: The initial round trip time (irtt) for the route

For example:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Here, we can see two routes. The first is the default route, which sends all traffic to the gateway at 192.168.1.1. The second is a route for the local 192.168.1.0/24 network, which is directly connected to the eth0 interface.

By looking at the routing table, you can understand how your system directs network traffic and troubleshoot connectivity issues. For instance, if packets aren't reaching a specific destination, you might check the routing table to see if there's a valid route for that destination.

netstat's interface statistics and routing table displays are powerful tools for monitoring your Linux system's network performance and connectivity. By keeping an eye on these metrics, you can find and fix network problems before they affect your users or applications.

Monitoring Network Activity Continuously

For example, running:

netstat -c

This command will show the network information and update it every second. This is useful for finding sudden changes in network behavior, such as a spike in connections or a sudden drop in throughput. By monitoring the output over time, you can find trends and anomalies that might indicate a developing problem.

Finding Processes Using Ports

For instance:

netstat -p

This command will show a list of active network connections, along with the PID and name of the program that owns each socket. If you see a port in use that you don't recognize, you can use the PID to investigate further with tools like ps and lsof.

This is especially useful for troubleshooting port conflicts. If two programs are trying to use the same port, netstat -p will show you which processes are involved. You can then take steps to reconfigure one of the programs to use a different port.

It's also a valuable security tool. By regularly checking for unfamiliar processes using network ports, you can find suspicious activity that might indicate a hacked or compromised system.

Combining Netstat with Grep

For example, to show only connections to a specific port (e.g., 80 for HTTP), you can use:

netstat -an | grep ':80'

This pipes the output of netstat -an (which shows all sockets, numeric output) to grep, which searches for lines containing :80. The result is a list of all connections involving port 80.

You can use a similar method to find connections to a specific IP address:

netstat -an | grep '192.168.1.100'

This is a powerful way to quickly find relevant information, especially when you're dealing with a busy system or a complex network issue. By combining netstat with grep, you can answer questions like:

• Is my web server accepting connections on port 80?
• Are there any connections to a suspicious IP address?
• Which clients are currently connected to my database server?

With these advanced netstat techniques - continuous monitoring, finding processes, and filtering output - you can take your network troubleshooting skills to the next level. Whether you're a system administrator managing a fleet of Linux servers or a power user trying to optimize your own system, netstat is an important tool to have in your kit.

Showing Network Traffic Statistics

To view these statistics, run:

netstat -s

This command will print a summary of the traffic statistics for TCP, UDP, ICMP, and other protocols. The statistics include information like:

• Segments sent and received
• Segments retransmitted
• Errors received
• Packets sent and received
• Packets dropped

For example, in the TCP section, you might see:

Tcp:
    1234 active connections openings
    5678 passive connection openings
    10 failed connection attempts
    123 connection resets received
    1 connections established
    1234567 segments received
    7654321 segments send out
    123 segments retransmited
    0 bad segments received.
    1234 resets sent

These statistics can help you find network performance issues. A high number of retransmitted segments might show network congestion or an unreliable network link. A large number of failed connection attempts could point to a problem with a service or a port scanner attack.

Similarly, the UDP and ICMP sections show statistics for those protocols. High levels of ICMP "destination unreachable" messages could mean routing problems or a DDoS attack.

By regularly checking these statistics, you can set a baseline for your system's normal network activity. Any large changes from this baseline can be an early warning sign of a developing problem.

Checking Network Bandwidth Usage

To see this information, run:

netstat -i

The output will look something like this:

Kernel Interface table
Iface   MTU RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 1234567   0      0 0      7654321    0      0      0 BMRU
lo    65536   1234   0      0 0         1234    0      0      0 LRU

The RX-OK and TX-OK columns show the total number of bytes received and transmitted by each interface. By checking these numbers over time, you can see which interfaces are handling the most traffic and whether any are approaching their capacity limits.

For instance, if you see that an interface's TX-OK value is consistently high and growing, it might mean that the interface is saturated and could benefit from a bandwidth upgrade.

You can also use this information to find bandwidth hogs - applications or users that are using a large portion of your network resources. By matching high bandwidth usage with other system activity, you can find the source of the traffic and take steps to manage it.

netstat's traffic statistics and bandwidth monitoring features are important for any Linux system administrator or network manager. By watching these metrics, you can make sure that your network is performing well and that you have the capacity to handle your workload. With netstat in your toolbox, you're well-equipped to analyze and troubleshoot Linux network traffic.

Monitoring Network Services on Linux Servers

netstat -tulpn

This command lists all TCP and UDP ports that are being listened on, along with the related processes. The output looks like this:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd       
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      5678/cupsd      
tcp6       0      0 :::80                   :::*                    LISTEN      9012/apache2

Each line shows a network service that is running on the server, along with:

• The protocol (TCP or UDP)
• The local address and port
• The foreign address and port (if any)
• The state of the socket (e.g., LISTEN, ESTABLISHED)
• The PID and name of the process that owns the socket

By running this command regularly, you can track which network services are running on your server. You can check that all the needed services are up (like SSH, HTTP, and databases) and that there are no unexpected services listening.

This is also an important security practice. By monitoring the listening ports, you can find any unauthorized services that might have been installed by an attacker or a rogue application. If you see any unfamiliar services or ports, you can use the PID to investigate the related process.

In addition, you can use netstat to troubleshoot service issues. If a service isn't responding, you can check netstat to make sure it's running and listening on the correct port. If it's listening but not responding, you might need to check the service logs or restart the service.

Overall, running netstat -tulpn should be a regular part of your Linux server management routine. It's a quick and easy way to monitor your network services, catch potential issues, and keep your servers secure. Combined with other tools like ps, lsof, and log monitoring, netstat is a key part of a complete server management strategy.

Using Netstat with Monitoring Systems

This lets you set up automatic checks and alerts for network problems. For example, you could create an alert that triggers when the number of established connections to a specific port goes above a limit, or when the number of UDP packets dropped by an interface increases.

By integrating netstat with your monitoring system, you can find and fix network issues before they impact users. Instead of manually running netstat when a problem is reported, your monitoring system can constantly check netstat metrics and alert you to possible issues.

This type of automatic monitoring is especially helpful for large or complex networks, where manual checking isn't practical. It's also useful for finding intermittent issues that might be missed by spot checks.

Scripting with Netstat for Automatic Monitoring

For more complex processing, you might use a scripting language like Python to work with and analyze the netstat data. For example, a Python script could:

1. Run netstat -i to get interface statistics
2. Parse the output to extract the bytes sent and received for each interface
3. Calculate the change in bytes over time to get bandwidth usage
4. Check the bandwidth usage against defined limits
5. Send an alert if any limits are exceeded

By scripting netstat, you can create custom monitoring solutions matched to your network's specific needs. You can define your own metrics, limits, and alert conditions, and have the script run on a schedule that works for your environment.

Scripting also enables more advanced data analysis. You could have a script that combines netstat data over time and generates reports on long-term network usage trends. Or you could compare netstat data with other system metrics to find the root causes of performance issues.

Whether you use simple shell scripts or more advanced Python programs, scripting is a powerful way to automate netstat monitoring and get more value from the netstat data.

In conclusion, netstat is not just a one-time troubleshooting tool but a valuable data source for ongoing network monitoring. By integrating netstat with monitoring systems and using scripts to automate data collection and analysis, you can actively manage your network's health and performance. With a little setup, netstat can be the heart of a strong network monitoring solution.

Identifying Suspicious Network Activity

This output can help you find unusual or unauthorized connections that could mean a security breach or malware infection. Here's what to look for:

• Unfamiliar local or foreign addresses: Connections to or from IP addresses that you don't know could be a sign of unauthorized access.
• Unexpected ports: Connections on unusual ports, especially high-numbered ports, might indicate malware activity or a backdoor.
• Unknown processes: Connections linked with unfamiliar processes could mean that an attacker has installed unauthorized software.

For example, if you see a connection like this:

tcp   0   0 192.168.1.100:22 192.168.1.50:12345 ESTABLISHED 1234/sshd  

This shows an SSH connection from 192.168.1.50 to your system (192.168.1.100) on port 22. If you don't expect SSH access from that IP, it could be an unauthorized login attempt.

Similarly, a line like this:

tcp   0   0 192.168.1.100:31337 1.2.3.4:80 ESTABLISHED 5678/mystery_process

This could be very suspicious. It shows an outgoing connection from your system to an unfamiliar IP on port 31337, which is often used by trojans and backdoors. The unfamiliar process name adds to the concern.

By regularly checking netstat -anp, you can find these kinds of red flags early. This allows you to investigate further with tools like lsof, ps, and log analysis to determine if there's a real security issue.

It's a good idea to run this check regularly and anytime you see signs of a possible breach, like high CPU usage or suspicious log entries. By using netstat to find and respond to security issues quickly, you can reduce the damage and keep your Linux system safe.