Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)


News Routing Recommended Links Reference Solaris Networking Reference Static Routing Default Route
      Quiz Horror Stories Unix History Humor Etc

The netstat command is used to query the routing table of the local host and that status of TCP/IP networking. In Solaris the command is located in the /usr/bin directory.  In Linux /bin/netstat. Options are pretty much common (which is a rare thing :-)

When used with the -i option, netstat displays the state of the Ethernet interfaces, with r option it displayed routing information and with -s option statistical information:

One of the more useful options is:

        netstat -pa

The `-p` options tells it to try to determine what program has the socket open, which is often very useful info. For example, someone nmap's their system and wants to know what is using port 666 for example. Running netstat -pa will show you its satand running on that tcp port.

One of the most twisted, but useful invocations is:

netstat -a -n|grep -E "^(tcp)"| cut -c 68-|sort|uniq -c|sort -n

This will show you a sorted list of how many sockets are in each connection state. For example:

      9  LISTEN      

The exact syntax of this command is Unix flavor dependent. In general, it can provide information on:

Typical usage

Displaying the Routing Table

netstat with the –r option displays the kernel routing table in the way similar to parameters supplied to the route command. For example on Red Hat linux 5.6 nestat -rn will display:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface UGH       0 0          0 eth1 UGH       0 0          0 eth0 UGH       0 0          0 eth0 UGH       0 0          0 eth1 UGH       0 0          0 eth1 UGH       0 0          0 eth1 UGH       0 0          0 eth1   UG        0 0          0 eth1   U         0 0          0 eth1   U         0 0          0 eth0   U         0 0          0 eth1   UG        0 0          0 eth1     U         0 0          0 eth0       UG        0 0          0 eth1       U         0 0          0 lo         UG        0 0          0 eth1

The –n option suppresses resolution of hostnames and displays all IPs in numeric form,  rather than the symbolic host and network names.

The second column shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed  with -n option and  with the -rn option.

The third column shows the “generality” of the route, i.e., the network mask for this route. Routing table displayed by netstat is sorted in reverse length of the netmask order. Host routes have netmask and displayed first.

When given an IP address to find a suitable route for, the kernel iterates through each entry of the routing table taking the bitwise AND of the address and the genmask before comparing it to the target of the route.

The fourth column displays the following flags that describe the route:

The next three columns show the MSS, Window and irtt that will be applied to TCP connections established via this route. The MSS is the Maximum Segment Size and is the size of the largest datagram the kernel will construct for transmission via this route. The Window is the maximum amount of data the system will accept in a single burst from a remote host. The acronym irtt stands for “initial round trip time.” The TCP protocol ensures that data is reliably delivered between hosts by retransmitting a datagram if it has been lost. The TCP protocol keeps a running count of how long it takes for a datagram to be delivered to the remote end, and an acknowledgement to be received so that it knows how long to wait before assuming a datagram needs to retransmitted; this process is called the round-trip time. The initial round-trip time is the value that the TCP protocol will use when a connection is first established. For most network types, the default value is okay, but for some slow networks, notably certain types of amateur packet radio networks, the time is too short and causes unnecessary retransmission. The irtt value can be set using the route command. Values of zero in these fields mean that the default is being used.

Finally, the last field displays the network interface that this route will use.

Displaying Interface Statistics

When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured.

netstat -i
Kernel Interface table
eth0       1500   0 90999751      0      0      0  507641      0      0      0 BMRU
eth1       1500   0 70789700      0      0      0  88102544    0      0      0 BMRU
eth1:vip1  1500   0     - no statistics available -                        BMRU
lo         6436   0    65636      0      0      0  65636       0      0      0 LRU

If the –a option is also given, it prints all interfaces present in the kernel, not only those that have been configured currently.

The MTU and Met fields show the current MTU and metric values for that interface. The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP); and how many were lost because of an overrun (RX-OVR/TX-OVR).

The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig:

Displaying Connections

netstat supports a set of options to display active or passive sockets. The options –t, –u, –w, and –x show active TCP, UDP, RAW, or Unix socket connections. If you provide the –a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display will give you a list of all servers that are currently running on your system.

Using the –a flag by itself will display all sockets from all families.

Top Visited
Past week
Past month


Old News

[Oct 2, 2008] netstat to find ports which are in use on linux server

Another example of more or less complex pipeline using cat

Below is command to find out number of connections to each ports which are in use using netstat & cut.

netstat -nap | grep 'tcp\|udp' | awk '{print $4}' | cut -d: -f2 | sort | uniq -c | sort -n

Below is description of each commands :: Netstat command is used to check all incoming and outgoing connections on linux server. Using Grep command you can sort lines which are matching pattern you defined. AWk is very important command generally used for scanning pattern and process it. It is powerful tool for shell scripting. Sort is used to sort output and sort -n is for sorting output in numeric order. Uniq -c this help to get uniq output by deleting duplicate lines from it.

[Sep 6, 2007] Just Barebones netstat

While trying to debug random lockups of our Oracle database server, I found a cool command to monitor the connections being served by a machine.

I already knew about netstat and netstat -c which gives the user a continuous display of the connections.

But I found another way to view the connections in real time using the watch command:

watch -d "netstat -toupe 2>/dev/null"
Pretty cool!!

[Nov 4, 2004] Using Netstat For Surveillance And Troubleshooting by Carla Schroder


Using Netstat For Surveillance And Troubleshooting

Two of the fundamental aspects of Linux system security and troubleshooting are knowing what services are running, and what connections and services are available. We're all familiar with ps for viewing active services. netstat goes a couple of steps further, and displays all available connections, services, and their status. It shows one type of service that ps does not: services run from inetd or xinetd, because inetd/xinetd start them up on demand. If the service is available but not active, such as telnet, all you see in ps is either inetd or xinetd:

$ ps ax | grep -E 'telnet|inetd'
  520 ?            Ss         0:00 /usr/sbin/inetd

But netstat shows telnet sitting idly, waiting for a connection:

$ netstat --inet -a | grep telnet
tcp      0     0     *:telnet      *:*    LISTEN

This netstat invocation shows all activity:

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address  Foreign Address State
tcp     0      0      *:telnet       *:*           LISTEN
tcp     0      0      *:ipp          *:*           LISTEN
tcp     0      0      *:smtp         *:*           LISTEN
tcp     0      0 nest.anthill.echid:ircd     ESTABLISHED
udp     0      0      *:ipp          *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags    Type     State       I-Node Path
unix  2      [ ACC ]  STREAM   LISTENING   1065   /tmp/ksocket-carla/klaunchertDCh2b.slave-socket
unix  2      [ ACC ]  STREAM   LISTENING   1002   /tmp/ssh-OoMGfFm666/agent.666
unix  2      [ ACC ]  STREAM   LISTENING   819    private/smtp

Your total output will probably run to a couple hundred lines. (A fun and quick way to count lines of output is netstat -a | wc -l.) You can ignore everything under "Active UNIX domain sockets." Those are local inter-process communications, not network connections. To avoid displaying them at all, do this:

$ netstat --inet -a

This will display only network connections, both listening and established. Already netstat has earned its keep--both the telnet and smtp services are running. This is bad, because I don't want to have either a telnet or smtp server running on this machine. So now I know I need to turn them off, and re-configure my startup files so they won't start at boot.

How do you know what services you want running? That is a mondo subject for another day, and an important one. For example, if your system has been compromised, this is one place to find evidence of a Trojan horse or other malware phoning home. In this example, ipp is Internet Printing Protocol, which belongs to CUPS (Common Unix Printing System.) If you want your printer to work, this needs to be here. The connection on is my active IRC (Internet Relay Chat) connection. Refer to your /etc/services file to learn more about TCP and UDP ports, and the services assigned to them.

What It Means

"Proto" is short for protocol, which is either TCP or UDP. "Recv-Q" and "Send-Q" mean receiving queue and sending queue. These should always be zero; if they're not you might have a problem. Packets should not be piling up in either queue, except briefly, as this example shows:

tcp   0   593 ESTABLISHED

That happened when I hit the "check mail" button in KMail; a brief queuing of outgoing packets is normal behavior. If the receiving queue is consistently jamming up, you might be experiencing a denial-of-service attack. If the sending queue does not clear quickly, you might have an application that is sending them out too fast, or the receiver cannot accept them quickly enough.

"Local address" is either your IP and port number, or IP and the name of a service. "Foreign address" is the hostname and service you are connected to. The asterisk is a placeholder for IP addresses, which of course cannot be known until a remote host connects. "State" is the current status of the connection. Any TCP state can be displayed here, but these three are the ones you want to see:

LISTEN- waiting to receive a connection
ESTABLISHED- a connection is active
TIME_WAIT- a recently terminated connection;
this should last only a minute or two, then change back to LISTEN. The socket pair cannot be re-used as long the TIME_WAIT state persists.

UDP is stateless, so the "State" column is always blank.

A socket pair is both sides of a TCP/IP connection, like this example for a locally-attached printer:

localhost:ipp               localhost:34493             ESTABLISHED

Or a telnet connection to a remote server:     ESTABLISHED

A socket is any hostname-port combination, or IP address-port.

Continuous Capture, "Borken" DNS, and Interface Checking

Because all these things change often, how do you capture the changes? Run netstat continuously with the -c flag and record the output:

$ netstat --inet -a -c > netstat.txt

Then check email, start and stop services, surf the web, log in to a telnet BBS and play Legend of the Red Dragon; then review your capture file to see what it all looks like.

If netstat is taking too long, or not resolving a hostname at all, give it the -n flag to turn off DNS lookups:

$ netstat --inet -an

netstat can help diagnose NIC problems. Use the -i flag when you're troubleshooting a flakey connection, and you suspect your NIC:

$ netstat -i
Kernel Interface table
eth0    1500  0    28698  0      0      0     33742  0      0      0     BMRU
lo      6436 0    14     0      0      0     14     0      0      0     LRU
You should see large numbers in the RX-OK (received OK) and TX-OK (transmitted OK) columns, and very low numbers in all the others. If you are seeing a lot of RX-ERRs or TX-ERRs, suspect the NIC or the patch cable. This is what the flags mean:
B = broadcast address
L = loopback device
M = promiscuous mode
R = interface is running
U = interface is up


Linux Network Administrator's Guide, by Olaf Kirch & Terry Dawson

Recommended Links

Google matched content

Softpanorama Recommended

Top articles



Solaris Linux HP-UX AIX


netstat(1M) – show network status (man pages section 1M System Administration Commands) - Sun Microsystems







See Also


SunOS 5.10 Last Revised 21 Jan 2007

Linux Netstat

netstat [options] [delay]

TCP/IP command. Show network status. Print information on active sockets, routing tables, interfaces, masquerade connections, or multicast memberships. By default, netstat lists open sockets. When a delay is specified, netstat will print new information every delay seconds.


The first five options (-g, -i, -M, -r, and -s) determine what kind of information netstat should display.

-g, --groups

Show multicast group memberships.

-i, --interface[=name]

Show all network interfaces, or just the interface specified by name.

-M, --masquerade

Show masqueraded connections.

-r, --route

Show kernel routing tables.

-s, --statistics

Show statistics for each protocol.

-a, --all

Show all entries.

-A family, --protocol=family

Show connections only for the specified address family. Accepted values are inet, unix, ipx, ax25, netrom, and ddp. Specify multiple families in a comma-separated list.

-c, --continuous

Display information continuously, refreshing once every second.


Print routing information from the route cache.

-e, --extend

Increase level of detail in reports. Use twice for maximum detail.


Print routing information from the forward information database (FIB). This is the default.

-l, --listening

Show only listening sockets.

-n, --numeric

Show network addresses, ports, and users as numbers.


Show host addresses as numbers, but resolve others.


Show ports as numbers, but resolve others.


Show user ID numbers for users, but resolve others.

-N, --symbolic

Where possible, print symbolic host, port, or usernames instead of numerical representations. This is the default behavior.

-o, --timers

Include information on network timers.

-p, --program

Show the process ID and name of the program owning the socket.

-t, --tcp

Limit report to information on TCP sockets.

-u, --udp

Limit report to information on UDP sockets.

-v, --verbose

Verbose mode.

-w, --raw

Limit report to information on raw sockets.


Q1. Which command (and options) will show the routing table, but will bypass hostname lookup ?

A: netstat –nr

Q2. Which command (and options) will show the state of all sockets ?

A: netstat –a


FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  


Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy


War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes


Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law


Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least

Copyright © 1996-2016 by Dr. Nikolai Bezroukov. was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case is down you can use the at


The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Created: May 16, 1996; Last modified: September 12, 2017