Netstat (Network Statistics)

Netstat is a command line utility to display network connections (Incoming and Outgoing), routing tables, and a network interface statistic.  This Utility available on Unix, Unix-like and Windows-NT based OS.

Netstat will also display active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP UP protocols), and IPv6 statistics (for the IPv6,ICMPv6, TCP over IPv6, and UDP over IPv6 protocols), used without parameters, netstat displays active TCP connections.


  • -a  Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
  • -e  Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
  • -n  Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
  • -o  Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
  • -p Protocol  Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol,Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
  • -s  Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
  • -r  Displays the contents of the IP routing table. This is equivalent to the route print command.
  • Interval  Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.
  • /?  Displays help at the command prompt.

Note: Below commands will majorly used in Unix and Unix-based OS.

Displaying the Routing Table

When we invoke netstat with –r flag it displays the kernel routing table in the way we been doing with route.

# netstat –nr
Kernel IP routing table
Destination   Gateway      Genmask         Flags  MSS Window  irtt Iface     *   UH       0 0          0 lo    *     U        0 0          0 eth0   UG       0 0          0 eth0

The –n option makes netstat print address a dotted quad IP numbers rather than the symbolic host network names.  This option is especially useful when we want to avoid address lookups over the network.

The second column of netstat output shows the gateway to which the routing entry points.  If no gateway is used, an asterisk is printed instead.  The third column shows the generality of the route, i.e., the network mask for this route.  When given an IP address to find a suitable rout for the kernel steps through each of the routing table entries, taking the bitwise AND of the address and genmask before comparing it to the target of the route.

The fourth column displays the following flags describe the route:

  • G  The route uses a gateway
  • U The interface to be used in up
  • H Only a single host can be reached through the route.  For example, this is the case for the loopback entry
  • D This route is dynamically created.  It is set if the table entry has been generated by a routing daemon like gated or by an ICMP redirect message.
  • M This route is set if the table entry was modified by an ICMP redirect message.
  • !  The route is a reject route and datagrams will be dropped.

Displaying Interface Statistics

When invoked with the –i flag, netstat display statistics for the network interfaces currently configured.  If option –a is also given, it prints all interfaces persent in the kernel, not only those that have been configured currently. 

# netstat -i
Kernel Interface table
lo      0   0   3185      0      0      0   3185      0      0      0 BLRU
eth0 1500   0 972633     17     20    120 628711    217      0      0 BRU

The MTU and Met fields show the current MTU and metric values for the interface.  The RX and TX columns show how many packets have been received or transmitted error –free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR), how many were dropped (RX-DRP/TX-DRP), and how many were lost because of an overrun (RX-OVR/TX-OVR).

The last column shows the flags that have been for this interface.  These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig.

  • B A broadcast address has been set.
  • L This interface is a loopback device.
  • M All packets are received.
  • O ARP is truned off for this interface.
  • P This is point-to-point connection.
  • R Interface is running
  • U Interface is up.

Displaying Connections

Netstat supports a set of options to display active or passive sockets.  The options –t, -u, -w, and –x show active TCP, UDP, RAW, or Unix socket connections.  If you provide the –a flag in addition, sockets that are waiting for a connection are displayed as well.  This display will given us a list of all servers that currently running on your system.
Invoking netstat –ta

$ netstat -ta
Active Internet Connections
Proto Recv-Q Send-Q Local Address    Foreign Address    (State)
tcp        0      0 *:domain         *:*                LISTEN  
tcp        0      0 *:time           *:*                LISTEN  
tcp        0      0 *:smtp           *:*                LISTEN  
tcp        0      0 vlager:smtp      vstout:1040        ESTABLISHED  
tcp        0      0 *:telnet         *:*                LISTEN  
tcp        0      0 localhost:1046   vbardolino:telnet  ESTABLISHED  
tcp        0      0 *:chargen        *:*                LISTEN  
tcp        0      0 *:daytime        *:*                LISTEN  
tcp        0      0 *:discard        *:*                LISTEN  
tcp        0      0 *:echo           *:*                LISTEN  
tcp        0      0 *:shell          *:*                LISTEN  
tcp        0      0 *:login          *:*                LISTEN  

Using the –a flag by itself will display all sockets from all families.

Other Statistics

  • Proto: The name of the protocol (TCP or UDP).

  • Local Address: The IP address of the local computer and the port number being used.  The name of the local computer that corresponds to the IP address and the name of the port is shown unless the –n parameter is specified.  If the port is not yet established, the port number is shown as a asterisk (*).

  • Foreign Address: The IP address and port number of the remote computer to which the socket is connected.  The names that corresponds to the IP address and the port are shown unless the –n parameter is specified.  If the port is not yet established, the port number is shown as an asterisk (*).

  • State: Indicates the state of TCP connection.  The possible states are as follows:

1.       CLOSE_WAIT
2.       CLOSED
4.       FIN_WAIT_1
5.       FIN_WAIT_2
6.       LAST_ACK
7.       LISTEN
9.       SYN_SEND

Post a Comment