Cheatsheet & Examples: netstat

netstat is a command-line tool used to display network connections, routing tables, interface statistics, and more. It helps monitor and troubleshoot network-related issues on a system.

Display all active network connections and their states

Example Usage:
netstat -a

What it does:
Shows all active network connections, including those in listening, established, and other states, along with their local and remote addresses.

Command-line Arguments Explained:

• -a: Displays all connections (both listening and non-listening).
• --all: Same as -a, but less commonly used.

Show listening ports and their associated process IDs

Example Usage:
sudo netstat -tulnp

What it does:
Lists TCP and UDP ports that are in a listening state, along with the process ID (PID) and program name using each port.

Command-line Arguments Explained:

• -t: Show TCP connections.
• -u: Show UDP connections.
• -l: Display only listening ports.
• -n: Show numerical addresses and port numbers instead of resolving them.
• -p: Display the process ID (PID) and name associated with each connection.

Display network connections in numerical format

Example Usage:
netstat -n

What it does:
Shows connection addresses and port numbers in numerical form instead of resolving them to hostnames or service names.

Command-line Arguments Explained:

• -n: Prevents DNS lookups and displays addresses and ports as numbers.
• --numeric: Equivalent to -n.

Display protocol statistics

Example Usage:
netstat -s

What it does:
Provides detailed statistics for each network protocol (e.g., TCP, UDP, IP, ICMP) in use.

Command-line Arguments Explained:

• -s: Displays protocol statistics (e.g., packets sent/received, errors).

Display the routing table

Example Usage:
netstat -r

What it does:
Shows the kernel's routing table, including the destination, gateway, netmask, and other routing information.

Command-line Arguments Explained:

• -r: Displays the routing table.
• --route: Same as -r.

Show interface statistics

Example Usage:
netstat -i

What it does:
Lists statistics for each network interface (e.g., packets transmitted/received, errors, collisions).

Command-line Arguments Explained:

• -i: Displays interface statistics.
• --interfaces: Same as -i.

Display detailed connection information

Example Usage:
netstat -e

What it does:
Shows extended information such as the user ID, PID, and other details for each connection.

Command-line Arguments Explained:

• -e: Displays extended information.
• --extend: Same as -e.

Show TCP connections only

Example Usage:
netstat -t

What it does:
Lists only TCP (Transmission Control Protocol) connections, including their states.

Command-line Arguments Explained:

• -t: Filters to show only TCP connections.

Show UDP connections only

Example Usage:
netstat -u

What it does:
Lists only UDP (User Datagram Protocol) connections, which are connectionless and often used for streaming or broadcasting.

Command-line Arguments Explained:

• -u: Filters to show only UDP connections.

Show connections with timestamps

Example Usage:
netstat -atv

What it does:
Displays active TCP connections along with timestamps for each connection, useful for analyzing idle or established connections.

Command-line Arguments Explained:

• -t: TCP connections.
• -a: All connections.
• -v: Verbose output, including additional details.

Count established connections

Example Usage:
netstat -ant | grep ESTABLISHED | wc -l

What it does:
Counts the number of established TCP connections by filtering the output of netstat -ant (all TCP connections) for the "ESTABLISHED" state and piping to wc -l.

Command-line Arguments Explained:

• -t: TCP connections.
• -a: All connections.
• -n: Numerical addressing.

Display all connections in a human-readable format

Example Usage:
netstat -atop

What it does:
Lists active TCP connections with process and port information, making it easier to interpret without numeric conversion.

Command-line Arguments Explained:

• -t: TCP connections.
• -a: All connections.
• -o: Shows timers for each connection.
• -p: Displays process information.

Show connections to a specific port (e.g., port 80)

Example Usage:
netstat -an | grep :80

What it does:
Filters and displays connections involving port 80 (HTTP) in numerical format.

Command-line Arguments Explained:

• -a: All connections.
• -n: Numerical addressing.
• grep: A separate utility used to filter output by the port number.

Monitor network activity in real time

Example Usage:
netstat -antp --interval=1

What it does:
Updates network connection information every second, useful for real-time monitoring of active connections.

Command-line Arguments Explained:

• -t: TCP connections.
• -a: All connections.
• -n: Numerical addressing.
• -p: Process information.
• --interval=1: Refreshes the output every 1 second.

Display connections with symbolic names

Example Usage:
netstat -a -p

What it does:
Shows connections with hostnames and service names resolved (if possible), which is the opposite of -n (numeric form).

Command-line Arguments Explained:

• -a: All connections.
• -p: Show process information.
• --symbolic: Resolves hostnames and service names instead of using numeric values.