Netstat

The basics
More advanced
What does the output mean

***UPDATE netstat (net-tools) has been superseded by the ss command from iproute2; the main flags (-t, -u, -l, -n, -p, -a) carry over, so "ss -tulpn" does what "netstat -tulpn" did UPDATE***


The basics

netstat -t -u # show TCP (-t) and UDP (-u) sockets; without -a or -l only connected (non-listening) sockets are listed

netstat -t -u -c # the same, refreshed continuously (every second) until Ctrl-C

netstat -i # per-interface statistics. MTU and Met are the interface's current MTU and metric; RX-OK/TX-OK count packets received/transmitted error-free, RX-ERR/TX-ERR damaged packets, RX-DRP/TX-DRP dropped packets, and RX-OVR/TX-OVR packets lost to buffer overruns

netstat -a # list all sockets, listening and connected

netstat -at # limit the output to TCP sockets

netstat -ant # -n prints numeric addresses and ports instead of resolving hostnames and service names, which avoids slow DNS lookups


More advanced

netstat -ntu | tail -n +3 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n # count connections per remote IP ($5 is the Foreign Address column; tail skips the two header lines; cut -d: -f1 only works for IPv4, since IPv6 addresses contain colons)

netstat -plant | grep "LISTEN" # list listening TCP ports and the PID/program name bound to each (-p); run as root, otherwise other users' processes show as "-"

netstat -anpt | grep httpd # only connections belonging to apache (-p adds the owning PID/program name)

netstat -anpt | grep httpd | grep ESTABLISHED # keep only ESTABLISHED connections, i.e. clients currently connected

netstat -anpt | grep httpd | grep ESTABLISHED | cut -b45-60 | cut -d':' -f1 # remote IPs only. cut -b45-60 picks the Foreign Address column by byte offset, which breaks if the column widths change and on IPv6 addresses (which contain colons); awk '{print $5}' as in the first pipeline above is more robust

netstat -anpt | grep httpd | grep ESTABLISHED | cut -b45-60 | cut -d':' -f1 | sort | uniq -c | sort -rn # just the IPs, sorted by number of connections from each

watch "netstat -anpt | grep httpd | grep ESTABLISHED | cut -b45-60 | cut -d':' -f1 | sort | uniq -c | sort -rn" # a live list of IPs connecting to the web server right now, refreshed every 2 seconds


To reduce the time orphaned sockets linger in FIN_WAIT2 (this knob is often mistaken for a TIME_WAIT timeout, but on Linux TIME_WAIT is a fixed 60 seconds and is not tunable via sysctl)

echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout # this won't survive a reboot, but is a good initial test; to persist it, set net.ipv4.tcp_fin_timeout in /etc/sysctl.conf

netstat | awk '{print $4}' | egrep -v "Local|Type|]|sockets" | awk -F: '{print $2}' | egrep -v ^$ | sort | uniq -c # count sockets per local port/service name (no -n, so names are resolved; the egrep drops the header lines and Unix-domain sockets; sort before uniq -c, since uniq only collapses adjacent lines)

netstat -plan | grep ':22 ' | awk '{print $5}' | egrep -v '^(:::|0\.0\.0\.0:)\*' | awk -F: '{print $1}' | sort | uniq -c # which remote IPs have the most connections to port 22 (':22 ' with the trailing space avoids matching ports such as 2222; the egrep drops the listening socket's wildcard peer; IPv4 only because of the split on ':')

netstat -tan | grep ':80 ' | awk '{print $6}' | sort | uniq -c # count connections to port 80 by TCP state; drop the grep to see all ports
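The pipelines above locate the Foreign Address by byte offset or split it on the first colon, both of which break on IPv6. The following shell functions are an added example, not part of the original notes: they do the same "who is connected to port N" and "what state are the port-N sockets in" counting with awk, splitting each address at its last colon so IPv4, IPv6 and IPv4-mapped peers are all handled. The netstat -ant output they run over is a constructed sample embedded in netstat_sample (not captured from a real host), and the function names are my own.

```shell
#!/bin/sh
# Added example: IPv6-safe versions of the "who is connected to port N" pipelines.
# Run against live data with:  netstat -ant | peers_by_port 80 ESTABLISHED

# Constructed sample of "netstat -ant" output (not from a real host).
netstat_sample() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40001      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.9:40002      TIME_WAIT
tcp        0      0 10.0.0.5:22             203.0.113.7:60000       ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::5:80          2001:db8:1::7:33333     ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:192.0.2.4:44444  ESTABLISHED
EOF
}

# peers_by_port PORT [STATE]: connections per remote IP on local PORT,
# optionally restricted to one TCP state. Reads "netstat -ant" output on stdin.
peers_by_port() {
  awk -v port="$1" -v state="$2" '
    $1 ~ /^tcp/ {
      lport = $4; sub(/.*:/, "", lport)       # local port = text after the LAST colon
      peer  = $5; sub(/:[^:]*$/, "", peer)    # peer IP  = everything before the LAST colon
      sub(/^::ffff:/, "", peer)               # ::ffff:a.b.c.d is an IPv4 client on a v6 socket
      if (lport == port && (state == "" || $6 == state)) print peer
    }' | sort | uniq -c | sort -rn
}

# states_by_port PORT: how many sockets on local PORT sit in each TCP state.
states_by_port() {
  awk -v port="$1" '
    $1 ~ /^tcp/ {
      lport = $4; sub(/.*:/, "", lport)
      if (lport == port) print $6
    }' | sort | uniq -c | sort -rn
}

# Stand-alone demo against the embedded sample.
echo "== peers with ESTABLISHED connections to port 80 =="
netstat_sample | peers_by_port 80 ESTABLISHED
echo "== port 80 sockets by state =="
netstat_sample | states_by_port 80
```

Splitting on the last colon is the whole trick: a local address like `2001:db8::5:80` or `::ffff:10.0.0.5:80` has several colons, and only the final one separates host from port. Stripping the `::ffff:` prefix merges an IPv4 client that arrived over a dual-stack IPv6 socket with the same client seen over a plain IPv4 socket, so it is counted once.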


What does the output mean

under the Local Address and Foreign Address columns

0.0.0.0:PORT (Local Address) = the port is listening on all IPv4 'network interfaces'
:::PORT (Local Address) = the IPv6 wildcard, the equivalent of 0.0.0.0; on Linux such a socket also accepts IPv4 clients unless net.ipv6.bindv6only=1
127.0.0.1:PORT (Local Address) = the port is ONLY listening for connections from this machine itself (loopback)
0.0.0.0:* or :::* (Foreign Address) = no peer yet, i.e. a listening socket that will accept any remote address
::ffff:a.b.c.d = an IPv4-mapped IPv6 address: an IPv4 client (a.b.c.d) connected through a dual-stack IPv6 socket
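Reading the Local Address column this way is how you audit what a host exposes: a service bound to 0.0.0.0 or :: is reachable from other hosts, one bound to 127.0.0.1 or ::1 is not. The functions below are an added example, not part of the original notes: they classify each LISTEN line of netstat -plant output by bind scope and print the ones reachable from outside. The scope labels, the function names and the netstat sample in listener_sample are my own constructions.

```shell
#!/bin/sh
# Added example: classify listening sockets by reachability from "netstat -plant" output.
# Run against live data with:  netstat -plant | exposed_listeners

# Constructed sample of "netstat -plant" output (not from a real host).
listener_sample() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1100/redis-server
tcp        0      0 10.0.0.5:8080           0.0.0.0:*               LISTEN      1300/java
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 10.0.0.5:22             203.0.113.7:60000       ESTABLISHED 2100/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      950/httpd
tcp6       0      0 ::1:5432                :::*                    LISTEN      1200/postgres
EOF
}

# listener_scope LOCAL_ADDRESS: who can reach a socket bound to this address.
listener_scope() {
  case "$1" in
    0.0.0.0:*)   echo all-ipv4 ;;   # every IPv4 interface
    :::*)        echo all-ipv6 ;;   # every IPv6 interface (and IPv4 too unless bindv6only=1)
    127.*|::1:*) echo loopback ;;   # only this machine
    *)           echo specific ;;   # one configured address
  esac
}

# audit_listeners: print "port scope pid/program" for every LISTEN line on stdin.
# The PID/Program column is "-" for processes you are not allowed to see (non-root).
audit_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $4, $7 }' |
  while read -r addr prog; do
    port=${addr##*:}                  # text after the last colon, IPv6-safe
    printf '%s %s %s\n' "$port" "$(listener_scope "$addr")" "$prog"
  done
}

# exposed_listeners: only the sockets reachable from other hosts.
exposed_listeners() {
  audit_listeners | awk '$2 == "all-ipv4" || $2 == "all-ipv6"'
}

# Stand-alone demo against the embedded sample.
echo "== all listeners =="
listener_sample | audit_listeners
echo "== reachable from other hosts =="
listener_sample | exposed_listeners
```

Note that the ESTABLISHED line is skipped (only $6 == "LISTEN" rows are sockets that accept connections), and that a wildcard IPv6 bind is reported as exposed even though it usually also covers IPv4: whether the v6 wildcard accepts IPv4 clients depends on net.ipv6.bindv6only, which this check does not read.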

Due to the way TCP works, connections cannot be closed immediately: packets may arrive out of order or be retransmitted after the connection has been closed, so a socket passes through several states:

CLOSING # both sides have shut down at the same time and each is waiting for the other's final ACK (rare). The state for a socket that is not in use at all is CLOSED.

ESTABLISHED # The socket has an established connection.

FIN_WAIT1 # The socket is closed, and the connection is shutting down (this side has sent its FIN and is waiting for it to be acknowledged).

LAST_ACK # The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

LISTEN # The socket is listening for incoming connections.

SYN_RECV # A connection request has been received from the network.

TIME_WAIT # This side has closed the connection. The connection is kept around so that any delayed packets can be matched to it and handled appropriately; it is removed when it times out (60 seconds on Linux). In short, it is a cooldown period for sorting out delayed or out-of-order packets.

CLOSE_WAIT # The other side has closed the connection, but the local application has not yet closed its socket. Many sockets stuck in CLOSE_WAIT usually point at an application bug (a leaked or never-closed file descriptor), not at the network.