Introduction
In the world of Linux system management, knowing the status of network connections is essential to diagnose problems, optimize performance and ensure security. One of the most traditional and still widely used outils is the commandnetstat. Although it has been partially replaced byssin modern distributions, netstat remains a valuable reference for its wide set of options and its legible output. In this article we will explore what netstat is, how to install it, its basic syntax, the most useful options and several practical examples you can apply in your day to day.
What is netstat?
Netstat (abbreviation of network statistics) is a command line tool that shows information about network connections, routing tables, interface statistics and more. It provides a detailed view of open sockets, both TCP and UDP, and allows filtering by state, direction, port and protocol. Its output may include the PID and the name of the process that each connection occupies when running with root privileges, which is very useful for identifying applications that consume bandwidth or that present suspicious behaviors.
Installation and availability
In most Linux distributions, netstat is part of the packagenet-tools. In Debian / Ubuntu based systems you can install it with:
sudo apt update && sudo apt install net-tools
In RHEL, CentOS or Fedora distributions the package is also callednet-toolsand is installed with:
sudo yum install net-toolsorsudo dnf install net-tools
Once installed, the command is available asnetstatfrom any terminal.
Basic syntax
The simplest way to run netstat is:
netstat [opciones]
Without arguments, it shows all active connections and listening sockets. To limit the output to a type of protocol or to a specific state, options that modify the command behavior are used.
Most commonly used options
The following are the options that are often most useful for system managers:
-a(all): shows all connections, both established and listening.-t(tcp): limits output to TCP connections.-u(udp): limits output to UDP connections.-l(listening): shows only the sockets that are waiting for connections (listening).-n(numic): displays addresses and ports in numerical format, avoiding the resolution of DNS names and services.-p(program): shows the PID and the name of the process that owns each socket (requires root privileges).-r(route): shows the routing table.-i(interfaces): shows statistics of network interfaces.-s(statistics): shows summary statistics by protocol (TCP, UDP, IP, ICMP, etc.).
These options can be combined, for example,netstat -tunlpis a common way to see all TCP and UDP ports in listening, showing the associated process and avoiding name resolution.
Practical examples
1. See all TCP connections established
netstat -tan | grep ESTABLISHED
This combination lists only the TCP connections that are in established state, showing addresses and ports in numerical format.
2. Identify which process is using a specific port
sudo netstat -tunlp | grep :80
With root privileges, the filter:80shows which process you are listening to in port 80 (HTTP), including your PID and name.
3. Monitor traffic by interface
netstat -i
You get a summary of packages transmitted and received, errors and collisions for each network interface.
4. Get global protocol statistics
netstat -s
This option shows detailed meters for TCP, UDP, IP, ICMP and other protocols, useful for detecting anomalies such as excessive retransmissions or discarded packages.
5. See the routing table
netstat -r
Equivalent to commandroute -n, shows the routes known to the kernel, including the default link door.
Interpretation of the exit
Each line of the netstat output represents a socket and contains several fields:
- Proto: protocol (tcp, udp, raw, etc.).
- Recv-QandSend-Q: amount of data in the receiving and sending queue.
- Local Address: IP address and local port.
- Foreign Address: IP address and remote port (or * for listening).
- State: connection status (ESTABLISHED, LISTEN, TIME _ WAIT, etc.).
- PID / Program name: (if used -p) identifier and process name.
Understanding these fields allows, for example, to detect state connectionsTIME_WAITexcessive which may indicate an early closure of sessions, or identify unexpected listening ports that could be a sign of an unauthorized service.
Limitations and the alternativess
Although netstat is powerful, it has some disadvantages:
- Use the file
/proc/netAnd it can be slower on systems with a large number of sockets. - Its development is almost stopped; many distributions consider it obsolete.
- Some advanced filtering options are absent.
The commandss(socket statistics) is part of the packageiproute2and is designed to be a faster and more flexible replacement. For example,ss -tunlpoffers the same information asnetstat -tunlpbut with better performance and more expressive filtering options.
However, knowing netstat is still useful because many scripts and old documentation still refer to it, and its output is sometimes more legible to novice users.
Conclusion
The commandnetstatremains an essential tool for any Linux administrator who needs to quickly inspect the state of the network, identify processes using certain ports or review protocol statistics. Despite the emergence ofss, netstat offers a combination of simplicity and detail that makes it valid for routine diagnostic tasks and for environments where classic tools are preferred. Domain your options and know how to interpret your output will allow you to solve connectivity problems, optimize performance and maintain the security of your Linux systems.
