Diagnose and Analyze Network Connections with Netstat command

Photo by NASA on Unsplash

Diagnose and Analyze Network Connections with Netstat command

The netstat command (part of net-tools) is a versatile networking tool used for diagnosing and analyzing network connections on Unix-like operating systems, including Linux, macOS, and others. It provides various details about the TCP network connections, interfaces, routing tables, and network protocol statistics. Netstat is invaluable for network administrators, DevOps engineers, and anyone needing to troubleshoot network issues or monitor network activity.

Netstat Command Output

The output of the netstat command can vary significantly based on the options used when running it. In this example you can see the output from the netstat -tan for displaying active TCP connections in numerical form:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0    *               LISTEN     
tcp        0      0     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN

Here's what each column represents:

  • Proto: The protocol used by the connection, such as TCP or UDP. In this example, 'tcp' indicates TCP connections and 'tcp6' indicates TCP connections over IPv6.

  • Recv-Q: The receive queue size. This shows the amount of data, in bytes, that has been received from the network and is waiting to be read by the process.

  • Send-Q: The send queue size. This shows the amount of data, in bytes, that has been sent to the network but has not yet been acknowledged by the receiver.

  • Local Address: The address and port number of the local side of the connection. An address of or :: means the system is listening on all interfaces for incoming connections. A specific IP address indicates a connection associated with a specific interface. The port number follows the IP address, separated by a colon.

  • Foreign Address: The address and port number of the remote side of the connection. An address of* or :::* in the context of a listening socket means the socket is waiting for a connection from any remote address and port. For established connections, this shows the remote system's IP address and port number.

  • State: The state of the connection. Common states include:

    • LISTEN: The socket is listening for incoming connections.

    • ESTABLISHED: The connection has been established, and communication is possible.

    • CLOSE_WAIT: The remote end has shut down, waiting for the socket to close.

    • TIME_WAIT: The connection is waiting after close to ensure that any delayed packet is received and processed.

This example shows a system with a listening SSH service on port 22 for both IPv4 ( and an established connection from a remote IP ( to the SSH service. Additionally, it shows a listening web server service on port 80 over IPv6 (:::80).

Understanding the netstat command output is essential for diagnosing network connectivity issues, monitoring which services are exposed and actively communicating, and ensuring that no unexpected services are running.

Most Useful Options for Netstat:

  • -a (All): Shows all active and listening sockets.

  • -t (TCP): Display TCP connections.

  • -u (UDP): Display UDP connections.

  • -n (Numeric): Shows addresses and ports in numerical form, avoiding the need for name resolution and thus speeding up the output.

  • -l (Listening): Lists all sockets that are listening for incoming connections. This can help identify services running on your system.

  • -p (Program): Shows the PID and the name of the program to which each socket belongs. This is particularly useful for identifying which application is using a particular port or connection.

  • -r (Routing): Displays the routing table. This is useful for troubleshooting routing problems or understanding how traffic is flowing through a network.

  • -s (Statistics): Displays network protocol statistics, like the number of packets and errors for TCP, UDP, and other protocols. This can be useful for diagnosing network performance issues.

While netstat is a powerful tool, it's important to note that its availability and updates have varied across different Unix-like systems. Some systems have deprecated netstat in favor of newer tools like ss and ip for Linux, which provide similar or enhanced functionality. However, netstat remains widely used and relevant for many network-related tasks.

Common Use Cases for Netstat

  1. Monitoring Incoming and Outgoing Connections: Netstat allows you to view all active connections to and from your system. This can help identify unexpected connections or troubleshoot connectivity issues.

     netstat -ant
  2. Checking Open Ports: It's crucial for security and system administration to know which ports are open and listening for connections. Netstat can list all listening ports, helping in configuring firewalls or detecting potential security breaches.

     netstat --tulpn
  3. Troubleshooting Network Issues: By displaying the status of each network connection, netstat can help diagnose network connectivity problems, such as why a connection is dropping or not being established. For example, by using the combination of netstat and grep commands you can filter the output for specific ports or programs:

     netstat -tan | grep :443
  4. Viewing Routing Tables: Netstat can display the IP routing table, which is useful for understanding how traffic is being routed on a network or troubleshooting routing issues.

     netstat -nr

    Example output from the command:

     Kernel IP routing table
     Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface         UG      0   0        0    wlan0   U       0   0        0    wlan0
    • Destination: This is the network destination of the route. The destination could be a specific IP address, a network IP address, or for the default route.

    • Gateway: The gateway column shows the next hop address that packets should take to reach the destination. If this field is, it means there's no next hop and the destination is directly connected to the network on the listed interface.

    • Genmask: This is the netmask for the destination network, which, combined with the destination, defines which IP addresses are encompassed by this route. A netmask of typically indicates a default route.

    • Flags: These are indicators of various route attributes:

      • U (up): The route is active.

      • G (gateway): The route is to a gateway (the destination requires passing through a router).

      • H (host): The route is to a host; the destination is a single host.

      • D (dynamic): The route was dynamically created by a daemon or a routing process.

      • M (modified): The route was modified by a daemon or a routing process.

    • MSS: The Maximum Segment Size is a TCP concept and is not directly relevant to the IP routing table. For routes, this column is usually zero.

    • Window: This is another TCP-related concept, indicating the size of the receive window. It's not relevant for routing and is typically zero in this context.

    • irtt: Initial Round Trip Time. Like MSS and Window, it's primarily related to TCP and is usually zero for routes.

    • Iface: This indicates the network interface (e.g., eth0, wlan0, etc.) used for this route. If the destination is directly connected to the network, packets will be sent through this interface.

  5. Monitoring Network Interface Statistics: Netstat provides information on network interfaces, including the amount of data transmitted and received, which can be useful for performance monitoring and troubleshooting.

     netstat -i


  1. HackerSploit YouTube: Netstat Commands - Network Administration Tutorial

  2. Wikipedia: Netstat

  3. Deprecated Linux networking commands and their replacements

  4. RedHat Blog: Linux networking 13 uses for netstat

  5. Microsoft: netstat