Microsoft Windows XP

Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.

netstat  [-a ] [-e ] [-n ] [-o ] [-p  Protocol ] [-r ] [-s ] [Interval ]

-a   : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

-e   : Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

-n   : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

-o   : Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a. -n. and -p.

-p   Protocol   : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp. udp. tcpv6. or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp. udp. icmp. ip. tcpv6. udpv6. icmpv6. or ipv6.

-s   : Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.

-r   : Displays the contents of the IP routing table. This is equivalent to the route print command.

Interval   : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

/?   : Displays help at the command prompt.

Linux and Unix netstat command help

In the syntax above, address_family_options may be any combination of the following options:

netstat ("network statistics") is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics. It is available on Unix -like operating systems including OS X. Linux. Solaris. and BSD. and on Windows NT -based operating systems including Windows XP. Windows Vista. Windows 7 and Windows 8 .

statistics.

Displays generic statistics about the network activity of the local system.

Shows information about all active connections to the server, including the source and destination IP addresses and ports, if you have proper permissions.

Displays the routing table for all IP addresses bound to the server.

Collects statistics about the amount of active connections on port 80, and pipes this data to the wc command, which displays the number of connections by counting the lines of the original netstat output.

ac — Print statistics about the amount of time users have been connected.

arp — Manipulate the system ARP cache.

ifconfig — View or modify the configuration of network interfaces.

10 basic examples of linux netstat command

Netstat is a command line utility that can be used to list out all the network (socket) connections on a system. It lists out all the tcp, udp socket connections and the unix socket connections.

Apart from connected sockets it can also list listening sockets that are waiting for incoming connections. So by verifying an open port 80 you can confirm if a web server is running on the system or not. This makes it a very useful tool for network and system administrators.

In this tutorial we shall be checking out few examples of how to use netstat to find information about network connections and open ports on a system.

Here is a quick intro to netstat from the man pages

The first and most simple command is to list out all the current connections. Simply run the netstat command with the a option.

The above command shows all connections from different protocols like tcp, udp and unix sockets. However this is not quite useful. Administrators often want to pick out specific connections based on protocols or port numbers for example.

To list out only tcp connections use the t options.

Similarly to list out only udp connections use the u option.

The above output shows both ipv4 and ipv6 connections.

By default, the netstat command tries to find out the hostname of each ip address in the connection by doing a reverse dns lookup. This slows down the output. If you do not need to know the host name and just the ip address is sufficient then suppress the hostname lookup with the n option.

The above command shows ALL TCP connections with NO dns resolution. Got it. Good.

Any network daemon/service keeps an open port to listen for incoming connections. These too are like socket connections and are listed out by netstat. To view only listening ports use the l options.

Now we can see only listening tcp ports/connections. If you want to see all listening ports, remove the t option. If you want to see only listening udp ports use the u option instead of t.

Make sure to remove the 'a' option, otherwise all connections would get listed and not just the listening connections.

When viewing the open/listening ports and connections, its often useful to know the process name/pid which has opened that port or connection. For example the Apache httpd server opens port 80. So if you want to check whether any http server is running or not, or which http server is running, apache or nginx, then track down the process name.

The process details are made available by the 'p' option.

When using the p option, netstat must be run with root privileges, otherwise it cannot detect the pids of processes running with root privileges and most services like http and ftp often run with root privileges.

Along with process name/pid its even more useful to get the username/uid owning that particular process. Use the e option along with the p option to get the username too.

The above example lists out Listening connections of Tcp type with Process information and Extended information.

The extended information contains the username and inode of the process. This is a useful command for network administrators.

Note - If you use the n option with the e option, the uid would be listed and not the username.

The netstat command can also print out network statistics like total number of packets received and transmitted by protocol type and so on.

To list out statistics of all packet types

To print out statistics of only select protocols like TCP or UDP use the corresponding options like t and u along with the s option. Simple!

The kernel routing information can be printed with the r option. It is the same output as given by the route command. We also use the n option to disable the hostname lookup.

The netstat command can also print out the information about the network interfaces. The i option does the task.

The above output contains information in a very raw format. To get a more human friendly version of the output use the e option along with i.

The above output is similar to the output shown by the ifconfig command.

Netstat can output connection information continuously with the c option.

The above command will output tcp connections continuously.

The g option will display the multicast group information for IPv4 and IPv6 protocols.

Okay, we covered the basic examples of netstat command above. Now its time to do some geek stuff with style.

Active socket connections are in "ESTABLISHED" state. So to get all current active connections use netstat with grep as follows

And do leave your feedback and suggestions in the comments box below.

Netstat(8) - Linux man page

netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships

netstat [address_family_options ] [--tcp |-t ] [--udp |-u ] [--raw |-w ] [--listening |-l ] [--all |-a ] [--numeric |-n ] [--numeric-hosts ][ --numeric-ports] [--numeric-ports ] [--symbolic |-N ] [--extend |-e [--extend |-e] ] [--timers |-o ] [--program |-p ] [--verbose |-v ] [--continuous |-c] [delay]

netstat <--route |-r > [address_family_options ] [--extend |-e [--extend |-e] ] [--verbose |-v ] [--numeric |-n ] [--numeric-hosts ][ --numeric-ports] [--numeric-ports ] [--continuous |-c] [delay]

netstat <--interfaces |-I |-i > [iface ] [--all |-a ] [--extend |-e ] [--verbose |-v ] [--program |-p ] [--numeric |-n ] [--numeric-hosts ][ --numeric-ports] [--numeric-ports ] [--continuous |-c] [delay]

netstat <--groups |-g > [--numeric |-n ] [--numeric-hosts ][ --numeric-ports] [--numeric-ports ] [--continuous |-c] [delay]

netstat <--masquerade |-M > [--extend |-e ] [--numeric |-n ] [--numeric-hosts ][ --numeric-ports] [--numeric-ports ] [--continuous |-c] [delay]

netstat <--statistics |-s > [--tcp |-t ] [--udp |-u ] [--raw |-w ] [delay]

netstat <--version |-V >

netstat <--help |-h >

address_family_options.

This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.

Netstat

Netstat command displays various network related information such as network connections, routing tables, interface statistics, masquerade connections, multicast memberships etc.,

netstat -p option can be combined with any other netstat option. This will add the “PID/Program Name” to the netstat output. This is very useful while debugging to identify which program is running on a particular port.

When you don’t want the name of the host, port or user to be displayed, use netstat -n option. This will display in numbers, instead of resolving the host name, port name, user name.

If you don’t want only any one of those three items ( ports, or hosts, or users ) to be resolved, use following commands.

netstat will print information continuously every few seconds.

Netstat

The netstat command is used to query the routing table of the local host and that status of TCP/IP networking. In Solaris the command is located in the /usr/bin directory. In Linux /bin/netstat. Options are pretty much common (which is a rare thing :-)

When used with the -i option, netstat displays the state of the Ethernet interfaces, with r option it displayed routing information and with -s option statistical information:

• netstat -i # the state of the Ethernet interfaces
• netstat -r # displays routing info
• netstat -s # statistical information

One of the more useful options is:

The `-p` options tells it to try to determine what program has the socket open, which is often very useful info. For example, someone nmap's their system and wants to know what is using port 666 for example. Running netstat -pa will show you its satand running on that tcp port.

One of the most twisted, but useful invocations is:

This will show you a sorted list of how many sockets are in each connection state. For example:

The exact syntax of this command is Unix flavor dependent. In general, it can provide information on:

• Active TCP connections at this local host.
• State of all TCP/IP servers on this local host and the sockets used by them.
• Devices and links used by TCP/IP.
• The IP routing tables (gateway tables) in use at this local host.

Typical usage

netstat -r The -r switch can be used to display TCP the routing table.

netstat -rn same but without hostname lookup

Terminal Mac OS X Команда терминала netstat - показать состояние сети

По умолчанию для активных сокетов отображаются внутренние (локальные и внешние) адреса, размеры очередей на отправку и получение (в байтах), протокол и внутреннее состояние протокола. Адреса выводятся в формате "host.port" или "network.port". Если известны имя хоста и его адрес (в файлах /etc/hosts или /etc/networks ) отображается символьное имя хоста. Если неизвестно символьное имя или использован параметр -n, адрес печатается числом в соответствии с семейством адресов.

CLOSED: сокет не используется

LISTEN: сокет ожидает входящего соединения. Не связанные ожидающие сокеты отображаются только при использовании параметра -a.

SYN_SENT: идет попытка установки соединения с удаленным узлом в активном режиме.

SYN_RCVD: сокет в пассивном режиме получил запрос на соединение с удаленным узлом.

ESTABLISHED: имеется соединение между локальным приложением и удаленным узлом.

CLOSE_WAIT: Соединение было закрыто удаленным узлом и система ожидает его закрытия локальным приложением.

LAST_ACK:  Соединение было закрыто удаленным узлом, локальное приложение закрыло соединение и система ожидает подтверждение от удаленного узла для признания закрытым.

FIN_WAIT_1: Локальное приложение закрыло соединение, удаленный узел не дал подтверждения о закрытии и система его ожидает.

FIN_WAIT_2:  Локальное приложение закрыло соединение, удаленный узел дал подтверждения о закрытии и система ожидает закрытия соединения.

CLOSING: Соединение было закрыто одновременно и локальным приложением и удаленным.

TIME_WAIT: Соединение было закрыто локальным приложением, удаленный узел закрыл эту половину соединения и система ожидает, чтобы удаленный узел получил подтверждение о закрытии.

Таблицы маршрутизации показывают доступные маршруты и их статус.

Каждый маршрут состоит и адреса назначения или сети и шлюза используемого в передаче пакетов. Поле флагов отображает собранную информацию о маршруте. Индивидуальные флаги описываются в материалах route(8) и route(4). Следующая таблица описывает связь между флагами и показываемыми символами: