Netstat: Installation and Usage Guide for Linux

Netstat, short for network statistics, is a command-line utility used to diagnose network problems and collect network statistics. In Linux, the netstat command displays active TCP, UDP, and UNIX domain socket connections and listening sockets, lists related ports, provides basic network interface statistics, and reveals the kernel’s routing table. It helps you monitor connections, identify open ports, and troubleshoot network issues.

This guide explains how to install and use netstat to monitor and troubleshoot Linux networks.

Installing netstat on Linux

The netstat tool is part of the net-tools package, which is typically available by default in the repositories of popular Linux distributions. To use the netstat command, you need to install the net-tools package on your Linux system.

To install the net-tools package:

Debian/Ubuntu

$ sudo apt install net-tools -y

RHEL

$ sudo dnf install net-tools -y

Arch Linux

$ sudo pacman -Sy net-tools

SUSE Linux

$ sudo zypper install net-tools -y

Alpine Linux

$ sudo apk add net-tools

To confirm that netstat is installed, run:

$ netstat --version

Expected output:

net-tools 2.10
…

Netstat Command Syntax

Use the following syntax to run the command:

netstat [OPTIONS]

Options adjust the behavior of the command. If you run netstat without options, it displays a list of open sockets.

Understanding Netstat Command Output

Run the command to see all active connections on the system:

$ netstat

Sample output:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 hostname:49922 example.com:https ESTABLISHED
tcp 0 0 hostname:44568 cdn-1-0-0-127:https ESTABLISHED
…
…
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 7931 /run/user/1050/bus
unix 3 [ ] STREAM CONNECTED 7835 /run/dbus/system_bus_socket

The output has two key sections:

• Active Internet connections: Shows TCP and UDP connections between the local hostname and remote hosts like example.com.
• Active UNIX domain sockets: Lists local Unix sockets currently open.

Below is an explanation of each column from the output:

• Proto: Indicates the active protocol (TCP, UDP, or UNIX socket).
• Recv-Q (Receive Queue): Bytes of data received by the kernel but not yet read by the application.
• Send-Q (Send Queue): Bytes of data queued by the application to send and not yet acknowledged by the destination.
• Local Address: Hostname, IP address, and port of the local system.
• Foreign Address: Reverse lookup of the remote host.
• State: Connection state; for example, ESTABLISHED indicates an active connection.
• RefCnt (Reference Count): Number of users or connections associated with the socket.
• Flags: Flags related to UNIX sockets.
• Type: Socket type, such as STREAM, DGRAM, SEQPACKET, or RAW.
• I-Node: Inode number tied to the UNIX socket.
• Path: Filesystem path linked to the UNIX socket.

By default, running netstat without options shows only non-listening sockets.

Commonly Used netstat Options

Frequently used options include:

• –listening or -l: Show listening sockets.
• –all or -a: Show both established and non-established connections.
• –tcp or -t: Display sockets using the TCP protocol.
• –udp or -u: Display sockets using the UDP protocol.
• –numeric or -n: Show port numbers instead of port names and IP addresses instead of hostnames.
• –program or -p: Add a PID/Program name column to the output to show the program or process using the socket. Use sudo with this option to view system-wide processes.

The following sub-sections demonstrate various use cases of these and other flags, sometimes in combination.

Note

netstat does not display listening sockets without the -l or -a option.
The -p flag shows processes owned by the current user. To view all processes, including those you do not own, run sudo with the netstat command.

Display Open Connections With Process IDs (PIDs)

Run netstat with the -p or --program option to display open connections along with their associated PID (Process ID) or program name.

$ sudo netstat -p

Sample output:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 hostname:55604 2.0.0.127.in-a:https ESTABLISHED 2320/firefox
tcp 0 0 hostname:40128 3.0.0.127.i:https ESTABLISHED 33638/app –st
…
…
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 12358 750/pipewire /run/user/1050/pipewire-0
unix 3 [ ] STREAM CONNECTED 31580 3898/speech-dispatc /run/user/1050/speech-dispatcher/speechd.sock

The PID/Program name column shows the PID and the associated program name for each connection.

View Open Ports in Linux Using Netstat

Run the command with the -ltup option to display open ports for both TCP and UDP protocols:

$ sudo netstat -ltup

Sample output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:mshvlm 0.0.0.0:* LISTEN 763/mpd
udp 0 0 0.0.0.0:35069 0.0.0.0:* 1451/firefox

Display the Routing Table in Linux Using Netstat

Use the -r or --route option with the netstat command to display the kernel routing table and check the default gateway:

$ netstat -r

Sample output:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 enp1s0
192.168.10.2.ch _gateway 255.255.255.255 UGH 0 0 0 enp1s0
192.168.10.1 0.0.0.0 255.255.254.0 U 0 0 0 enp1s0
_gateway 0.0.0.0 255.255.255.255 UH 0 0 0 enp1s0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 wlp4s0
…

Column descriptions:

• Destination: Destination IP or hostname.
• Gateway: The next hop on the routing path.
• Genmask: The network mask of a route.
• Flags: Displays the route flags:
  • U: The route is UP.
  • H: The destination is a specific host.
  • G: The destination is a gateway.
• MSS: Maximum segment size, which is the largest payload size the socket can receive.
• Window: TCP window size.
• irtt: Initial round trip time of packets for a connection.
• Iface: The network interface of the route.

Explanation of the last entry:

• Traffic to 0.0.0.0 routes through the gateway wlp4s0.
• The default gateway is 192.168.1.1, accessible via the wlp4s0 interface.
• Flag U indicates the route is UP, and G means the route is a gateway.

Display Network Interface Statistics

Run netstat with the -i or --interface option to display network interface statistics:

$ netstat -i

Sample output:

Kernel Interface table
Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
lo 65536 6111 0 0 0 6111 0 0 0 LRU
wlp4s0 1500 1164542 0 0 0 822802 0 38 0 BMRU

From the above output:

• The lo interface with an MTU of 65536 has received and transmitted 6111 packets. It is a loopback interface that is up and running.
• The wlp4s0 interface with an MTU of 1500 has received 1,164,542 packets, transmitted 822,802 packets, and dropped 38 packets. It is active with broadcast set and multicast enabled.

Explanation of each column:

• Iface: Network interface name.
• MTU: Maximum Transmission Unit in bytes.
• RX-OK: Count of successfully received packets.
• RX-ERR: Number of error packets received, which may indicate physical connection issues, hardware problems, or network congestion.
• RX-DRP: Number of packets dropped by the interface.
• RX-OVR: Number of data packets that the interface could not handle.
• TX-OK: Count of successfully transmitted packets.
• TX-ERR: Number of transmission error packets, possibly due to hardware failures or packet formatting issues.
• TX-DRP: Packets dropped by the transmit queue.
• TX-OVR: Transmission overruns similar to RX-OVR but for transmitted data.
• Flg (Flags): State and capabilities of the interface:
  • B: Broadcast address set.
  • L: Loopback interface.
  • M: Promiscuous mode enabled.
  • R: Running interface.
  • U: Interface is up or active.

View All Active Network Connections

Run netstat with the -apn option to display all active connections:

$ sudo netstat -apn

Expected output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 724/mpd
tcp 0 0 192.168.1.6:49928 172.6.0.4:443 ESTABLISHED 1148/firefox
…
…
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 3 [ ] STREAM CONNECTED 13452 893/dbus-broker /run/user/1050/at-spi/bus_0
unix 2 [ ACC ] STREAM LISTENING 10355 724/mpd /home/ndlr/.config/mpd/socket

Explanation of the options:

• -a or –all: Display all listening and non-listening connections.
• -p or –program: Display the PID and program name.
• -n or –numeric: Display the output in numeric format.

Display Active TCP Connections

Add the -t or --tcp option to show all active TCP connections:

$ sudo netstat -aptn

Sample output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:6600 0.0.0.0:* LISTEN 724/mpd
tcp 0 0 192.168.1.6:49928 172.6.0.4:443 ESTABLISHED 1148/firefox

Display Active UDP Connections

Add the -u or --udp option to show all active UDP connections:

$ sudo netstat -apun

Sample output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:47697 0.0.0.0:* 1148/firefox
udp 0 0 192.168.1.6:68 192.168.1.1:67 ESTABLISHED 601/NetworkManager

Display Network Timer Data

Use the -o or --timer option to display network timer information and diagnose connection timeouts:

$ netstat -ano

Sample output:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
…
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 3 [ ] STREAM CONNECTED 8613 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 8929 /run/dbus/system_bus_socket
…

The Timer column displays timer data for each socket.

Display Listening Sockets

Use the -l or --listening option to list listening sockets. To check sockets for TCP and UDP protocols with numerical addresses, run:

$ netstat -tuln

Sample output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.54:53 0.0.0.0:*
udp 0 0 127.0.0.53:53 0.0.0.0:*

Conclusion

This article explained how to use the netstat command in Linux for monitoring, diagnosing, and collecting network statistics. You can now use netstat to analyze network performance and troubleshoot network issues. For more details, run man 8 netstat or check the official Netstat documentation.