BestHub
Sign in
Operations 12 min read

Master Netstat: Decode Connections, Sockets & Routing with Practical Commands

This guide explains the netstat command’s purpose, interprets its output sections for active Internet connections and UNIX domain sockets, details common options such as -a, -t, -u, -l, -p, and provides numerous practical examples for listing ports, monitoring traffic, displaying routing tables, and identifying processes.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
Master Netstat: Decode Connections, Sockets & Routing with Practical Commands

Introduction

The netstat command displays various network‑related information, such as network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

Understanding the Output

Running netstat produces two main sections:

Active Internet connections – active TCP/UDP connections. Columns Recv‑Q and Send‑Q show the receive and send queues; they are normally zero.

Active UNIX domain sockets – local inter‑process sockets. Columns include protocol, reference count, flags, type, state, and the path used by the socket.

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp   0      2    210.34.6.89:telnet    210.34.6.96:2873       ESTABLISHED
tcp   296    0    210.34.6.89:1165     210.34.6.84:netbios-ssn ESTABLISHED
... (additional lines omitted for brevity)

Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type    State      I-Node Path
unix  1      [ ]   STREAM  CONNECTED  16178   @000000dd
unix  9      [ ]   DGRAM   5292      /dev/log

Common Parameters

-a

– show all sockets, including listening ones. -t – display only TCP sockets. -u – display only UDP sockets. -n – show numerical addresses instead of resolving names. -l – list only listening sockets. -p – show PID/program name for each socket (requires root). -r – display the kernel routing table. -c – continuously display information every second. -s – display per‑protocol statistics.

Practical Command Examples

1. List all ports (listening and non‑listening)

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp   0      0     localhost:30037    *:*                LISTEN
udp   0      0     *:bootpc          *:*
... (additional lines omitted)

2. List only listening sockets

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp   0      0     localhost:ipp     *:*                LISTEN
udp   0      0     *:49119           *:*                LISTEN

3. Show protocol statistics

# netstat -s
Ip:
 11150 total packets received
 1 with invalid addresses
 ...
Tcp:
 582 active connections openings
 2 failed connection attempts
 ...
Udp:
 1183 packets received
 4 packets to unknown port received

4. Show PID/program name

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        State       PID/Program name
tcp   1      0     ramesh-laptop.loc:47212 192.168.185.75:www   CLOSE_WAIT  2109/firefox

5. Hide hostnames, ports or usernames

Use -n to display numeric values only, which also speeds up output.

# netstat -an

6. Continuous output

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State
tcp   0      0     ramesh-laptop.loc:36130 101-101-181-225.ama:www ESTABLISHED
... (updates every second)

7. Show unsupported address families

# netstat --verbose
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.

8. Display routing information

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window irtt Iface
192.168.1.0     *               255.255.255.0   U       0   0      0    eth2
default         192.168.1.1     0.0.0.0         UG      0   0      0    eth2

9. Find which program uses a specific port

# netstat -ap | grep ssh
tcp   1      0   dev-db:ssh   101.174.100.22:39213   CLOSE_WAIT  -

10. List network interfaces

# netstat -i
Kernel Interface table
Iface   MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500 0   0      0      0      0      0      0      0      0      BMU

11. IP and TCP analysis examples

Identify the top IPs connecting to a service:

wss8848@ubuntu:~$ netstat -nat | grep "192.168.1.15:22" | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -20

Count TCP states:

wss8848@ubuntu:~$ netstat -nat | awk '{print $6}' | sort | uniq -c
143 ESTABLISHED
36 LISTEN
113 TIME_WAIT
...

These examples illustrate how netstat can be used for troubleshooting, performance monitoring, and security auditing.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LinuxSocketNetwork Monitoringcommand-linenetstat
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment