Netstat (Network Statistics) is a powerful command-line tool that allows you to monitor the state of your network connections, sockets, and routing tables in real-time, which works both in Linux and Windows. It can display important information about network interfaces, active connections, and network statistics. The tool has been around for many years, and it’s a staple in the toolkit of network administrators and system administrators. In this blog, we’ll dive into what netstat is, its different options, and how you can use it to monitor your network.
Prerequisites
Before diving into the specifics of netstat, it’s important to understand some basic networking concepts, such as IP addresses, ports, and protocols.
How to Use Netstat
Netstat is a command-line tool that can be run on Windows, Linux, and macOS. On Windows, you can run it from the Command Prompt, and on Linux and macOS, you can run it from the terminal. To use netstat, simply type netstat followed by the options you want to use.
$ netstat [OPTION]
Different Options of Netstat
Netstat has several options that allow you to display different types of information. Some of the most commonly used options are:
a: Displays all active connections, including the ones that are in a listening state.t: Displays only TCP connections.u: Displays only UDP connections.l: Displays only connections in a listening state.p: Shows the process name that is associated with each connection.
Monitoring Network Interfaces
Netstat allows you to monitor the state of your network interfaces. You can use the -i option to display information about the network interfaces. Here’s an example:
$ netstat -i
itvraag@L5PRO:~$ netstat -i
Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0 1500 12082 0 0 0 34 0 0 0 BMRU
lo 65536 0 0 0 0 0 0 0 0 LRU
Real-Time Monitoring
You can use the -c option to display real-time updates of the network statistics. This is useful for monitoring the state of your network in real-time, and detecting any changes or anomalies. Here’s an example:
$ netstat -c
Use-Cases for netstat
Netstat can be used for a variety of purposes, including:
- Monitoring network traffic: You can use netstat to monitor the amount of traffic that’s passing through your network interfaces, and detect any anomalies or unexpected spikes in traffic.
- Debugging network issues: You can use netstat to diagnose network issues, such as slow performance or connectivity problems.
- Analyzing network security: By examining the state of your network connections, you can detect potential security risks, such as unauthorized access attempts.
Examples
# Example 1: Display all active network connections
netstat -an | grep itvraag.nl
# Example 2: Display the number of bytes sent and received by each active connection
netstat -e | grep itvraag.nl
# Example 3: Display active connections and listening ports
netstat -a | grep itvraag.nl
# Example 4: Display active connections, including the process ID and name of each process
netstat -p | grep itvraag.nl
# Example 5: Display statistics for the network interfaces
netstat -i | grep itvraag.nl
# Example 6: Display the routing table information
netstat -r | grep itvraag.nl
Here is an example of the output from the command netstat -anp:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 1124/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 987/sshd
tcp 0 0 10.0.0.1:80 123.45.67.89:52441 ESTABLISHED 2345/nginx
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 654/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 789/dhclient
In this example, the -anp option displays all active network connections, including the program name and process ID associated with each connection. The columns in the output are as follows:
- Proto: The protocol used by the connection (e.g., TCP or UDP)
- Recv-Q: The number of bytes in the receive queue
- Send-Q: The number of bytes in the send queue
- Local Address: The local address and port of the connection
- Foreign Address: The foreign address and port of the connection
- State: The state of the connection (e.g., LISTEN, ESTABLISHED, CLOSED)
- PID/Program name: The process ID and name of the program associated with the connection.
This information can be useful in troubleshooting network issues and monitoring network activity.
Tips for Using Netstat
- Use the appropriate options: Make sure to use the options that are relevant to your task, and that display the information you need.
- Monitor your network in real-time: Use the
coption to monitor your network in real-time, and detect any changes or anomalies. - Automate the process: Consider automating the process of using netstat by writing scripts that run the command and parse the output.
- Integrate with other tools: Consider integrating netstat with other network monitoring and analysis tools, such as Wireshark and tcpdump, to gain a more comprehensive view of your network.
Conclusion
Netstat is a powerful and versatile tool that can be used to monitor the state of your network connections, sockets, and routing tables. By understanding the different options and use-cases for netstat, you can effectively use it to diagnose network issues, detect security risks, and monitor your network. To further develop your skills in network administration and security, we recommend reading up on topics such as iptables, firewall rules, and network security protocols.
Challenge
As a challenge, try using netstat to monitor your network and identify any active connections. Try using different options and see how they affect the output. Can you spot any potential security risks? Can you think of any practical use-cases for using netstat in your day-to-day work as a network administrator or system administrator?
