Analyse Linux Network with netstat

Under Linux, netstat displays the existing network connections, routing tables, interface statistics, masquerading connections and multicast memberships. This article will show several application examples of netstat. In addition to netstat, iptstate will also show existing network connections (displayed in real time).

Examples

Displaying Network Connections

netstat -tapen is appropriate for displaying the currently existing network connections. The individual parameters have the following meanings:

• -t (only display TCP connections, -u would show only UDP connections)
• -a (show all connections, both connections that have the status=LISTEN as well as other states)
• -p (show the PIDs and the program names, which belong to those connections)
• -e (extended display showing more details)
• -n (numeric display)

[root@tpw ~]# netstat -tapen
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode      PID/Program name   
tcp        0      0 0.0.0.0:5060                0.0.0.0:*                   LISTEN      500        66008      3260/twinkle        
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      0          5355       1289/rpcbind        
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      0          6668       1589/sshd           
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      0          5505       1322/cupsd          
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      0          12548      2297/sendmail: acce 
tcp        0      0 0.0.0.0:33466               0.0.0.0:*                   LISTEN      0          6486       1532/rpc.statd      
tcp        0      0 192.168.1.52:59861          192.168.1.254:22            ESTABLISHED 500        100032     3703/ssh            
tcp        0      0 192.168.1.52:36330          217.188.215.74:443          ESTABLISHED 500        104396     2608/firefox        
tcp        0      0 192.168.1.52:33252          74.125.79.97:443            ESTABLISHED 500        101832     2608/firefox        
tcp        0      0 :::111                      :::*                        LISTEN      0          5360       1289/rpcbind        
tcp        0      0 :::22                       :::*                        LISTEN      0          6670       1589/sshd           
tcp        0      0 ::1:631                     :::*                        LISTEN      0          5504       1322/cupsd          
[root@tpw ~]# 

Displaying Routing Tables

netstat -r

[root@tpw ~]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
default         192.168.1.254   0.0.0.0         UG        0 0          0 eth0
[root@tpw ~]# 

Displaying Interface Statistics

netstat -i

[root@tpw ~]# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0    26524      0      0      0    22118      0      0      0 BMRU
lo        16436   0       34      0      0      0       34      0      0      0 LRU
[root@tpw ~]# 

netstat -s

[root@tpw ~]# netstat -s
Ip:
    28144 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    28069 incoming packets delivered
    23144 requests sent out
    10 dropped because of missing route
Icmp:
    12 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 12
    13 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 13
IcmpMsg:
        InType3: 12
        OutType3: 13
Tcp:
    146 active connections openings
    0 passive connection openings
    4 failed connection attempts
    29 connection resets received
    2 connections established
    16637 segments received
    12078 segments send out
    67 segments retransmitted
    0 bad segments received.
    59 resets sent
Udp:
    11421 packets received
    0 packets to unknown port received.
    0 packet receive errors
    10998 packets sent
UdpLite:
TcpExt:
    7 TCP sockets finished time wait in fast timer
    543 delayed acks sent
    Quick ack mode was activated 12 times
    6 packets directly queued to recvmsg prequeue.
    8 packets directly received from prequeue
    13040 packets header predicted
    799 acknowledgments not containing data received
    1470 predicted acknowledgments
    5 times recovered from packet loss due to SACK data
    4 congestion windows recovered after partial ack
    2 TCP data loss events
    3 timeouts after SACK recovery
    7 fast retransmits
    33 other TCP timeouts
    12 DSACKs sent for old packets
    2 DSACKs received
    10 connections reset due to unexpected data
    23 connections reset due to early user close
    3 connections aborted due to timeout
    TCPDSACKIgnoredNoUndo: 1
    TCPSackShifted: 71
    TCPSackMerged: 35
    TCPSackShiftFallback: 10
IpExt:
    InMcastPkts: 19
    OutMcastPkts: 14
    InBcastPkts: 54
    OutBcastPkts: 51
    InOctets: 20989496
    OutOctets: 5396900
    InMcastOctets: 5540
    OutMcastOctets: 3421
    InBcastOctets: 6629
    OutBcastOctets: 5898
[root@tpw ~]# 

Additional Information

• iptstate also presents existing network connection in real time

Author: Werner Fischer Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.