Netstat
from Wikipedia
netstat
Developers: Various open-source and commercial developers
Initial release: 1983 (42 years ago)
Written in: Plan 9: C
Operating system: Unix, Unix-like, Plan 9, Inferno, OS/2, Microsoft Windows, ReactOS
Platform: Cross-platform
Type: Command
License: OS/2, Windows: Proprietary commercial software; net-tools, ReactOS: GPLv2; Plan 9: MIT License

In computing, netstat is a command-line network utility that displays open network sockets, routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics. It is available on Unix, Plan 9, Inferno, and Unix-like operating systems including macOS, Linux, Solaris and BSD. It is also available on IBM OS/2 and on Microsoft Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement.[1] On Linux this program is mostly obsolete, although still included in many distributions.

On Linux, netstat (part of "net-tools") is superseded by ss (part of iproute2). The replacement for netstat -r is ip route, the replacement for netstat -i is ip -s link, and the replacement for netstat -g is ip maddr, all of which are recommended instead.[2][3][4][5]

Statistics provided

Netstat provides statistics for the following:

  • Proto – The name of the protocol (TCP, UDP, etc.). On some systems, the protocol name may be followed by "4" or "6", depending on whether the protocol is running over IPv4 or IPv6.
  • Local Address – The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. An asterisk (*) is shown for the host if the server is listening on all interfaces. If the port is not yet established, the port number is shown as an asterisk.
  • Foreign Address – The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
  • State – Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection, see RFC 793.

Parameters

Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/). Some parameters are not supported on all platforms.

Name Description Windows ReactOS macOS BSD NetBSD FreeBSD Linux Solaris OS/2
-a Displays all active connections and the TCP and UDP ports on which the computer is listening. Yes Yes Yes Yes Yes Yes
-b Displays the binary (executable) program's name involved in creating each connection or listening port. (Windows XP, Windows Server 2003 and newer Windows operating systems; not Microsoft Windows 2000 or older). Yes No No
-b Causes -i to report the total number of bytes of traffic. No Yes Yes No
-e Displays ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s. Yes Yes No
-f Displays fully qualified domain names <FQDN> for foreign addresses (only available on Windows Vista and newer operating systems). Yes No No
-f Address Family Limits display to a particular socket address family, unix, inet, inet6 No Yes No
-g Displays multicast group membership information for both IPv4 and IPv6 (may only be available on newer operating systems) No No Yes
-i Displays network interfaces and their statistics No No Yes Yes Yes Yes Yes
-m Displays the memory statistics for the networking code (STREAMS statistics on Solaris). No No Yes Yes Yes Yes Yes
-n Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names. Yes Yes Yes Yes Yes Yes Yes Yes
-o Displays active TCP connections and includes the process id (PID) for each connection. You can find the application based on the PID in the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. This parameter is available on Microsoft Windows XP, Windows Server 2003, and Windows 2000 if a hotfix is applied.[6] Yes No No
-p protocol Shows connections for the protocol specified by protocol. In this case, protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6. Yes Yes Yes Yes Yes Yes
-p Show which processes are using which sockets (similar to -b under Windows) (you must be root to do this) No No Yes
-P protocol Shows connections for the protocol specified by protocol. In this case, protocol can be ip, ipv6, icmp, icmpv6, igmp, udp, tcp, or rawip. No No Yes
-r Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.) Yes Yes Yes Yes Yes Yes Yes Yes Yes
-s Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols. Yes Yes Yes Yes Yes Yes Yes Yes
-t Display only TCP connections. No Yes Yes
-u Display only UDP connections. No No Yes Yes
-W Display wide output - doesn't truncate hostnames or IPv6 addresses No No Yes No
-x Displays NetworkDirect connections, listeners, and shared endpoints. Yes
-y Displays the TCP connection template for all connections. Cannot be combined with the other options. Yes
-v When used in conjunction with -b it will display the sequence of components involved in creating the connection or listening port for all executables. Yes No No
Interval Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once. Yes Yes No
-h Displays help at the command prompt. Yes No Yes Yes Yes Yes Yes Yes No
-? Displays help at the command prompt. Yes No No No No No No No Yes
/? Displays help at the command prompt. Yes Yes No No No No No No No

Examples

Cross platform

On macOS, BSD systems, Linux distributions, and Microsoft Windows:

To display the statistics for only the TCP or UDP protocols, type one of the following commands:

netstat -sp tcp

netstat -sp udp

Unix-like

On Unix-like systems:

To display all ports open by a process with id pid:

netstat -aop | grep "pid"

To continuously display open TCP and UDP connections numerically and also which program is using them on Linux:

netstat -nutpacw

Windows

On Microsoft Windows:

To display active TCP connections and the process IDs every 5 seconds, type the following command (works on NT based systems only, or Windows 2000 with hotfix):

netstat -o 5

To display active TCP connections and the process IDs using numerical form, type the following command (works on NT based systems only, or Windows 2000 with hotfix):

netstat -no

*nix

Command – Explanation
netstat -a – Shows all sockets, both listening and non-listening, all protocols like TCP, UDP etc.
netstat -at – Shows only TCP connections (-au shows only UDP connections)
netstat -ant – Shows all TCP connections with no DNS resolution (show IP addresses instead).
netstat -al – Shows only listening sockets.
netstat -aep – Also show PID and to which program each socket belongs, e adds extra info like the user. Run as root to see all PIDs.
netstat -s – Shows network statistics.
netstat -r – Shows kernel routing information. This is the same output as route -e.
netstat -i – Displays a table of all network interfaces. Add -e to get output similar to ifconfig.
netstat -ct – Displays TCP connections continuously.
netstat -g – Display multicast group membership information for IPv4 and IPv6.
netstat -lntu – Display all services listening for TCP and UDP, all free open ports on the local machine.
netstat -atnp | grep ESTA – Displays all currently "established" TCP connections.

Wildcards

Netstat uses an asterisk (*) as a wildcard that means "any". Example output:

....Local Address Foreign Address State
... *:smtp          *:*   LISTEN

Under "Local Address" *, in *:smtp, means the process is listening on all of the network interfaces the machine has for the port mapped as smtp (see /etc/services for service resolution). This can also be shown as 0.0.0.0. The first *, in *:*, means connections can come from any IP address, and the second *, in *:*, means the connection can originate from any port on the remote machine.
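The wildcard reading described above can be applied mechanically when auditing a host for listeners reachable on every interface. The following is an added example, not part of the original article; it assumes the colon-separated Linux net-tools layout, the sample lines are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the Linux net-tools `netstat -an` layout
# (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
tcp        0      0 192.168.1.10:12345      203.0.113.5:80          ESTABLISHED
udp        0      0 224.0.0.251:5353        0.0.0.0:*
"""

# Spellings netstat uses for "any local interface".
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


def split_endpoint(endpoint):
    """Split 'host:port' on the LAST colon so IPv6 forms like ':::80' work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def bind_scope(host):
    """Classify what a local address exposes the socket to."""
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "named-host"  # a resolved name, shown when -n was not used
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:
        return "multicast"
    return "specific-address"


def parse_sockets(text):
    """Parse TCP/UDP rows; header lines and other families are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].lower().startswith(("tcp", "udp")):
            continue
        local_host, local_port = split_endpoint(fields[3])
        peer_host, peer_port = split_endpoint(fields[4])
        # UDP rows have no State column; with -p the next field would be
        # "PID/program" or "-", which must not be mistaken for a state.
        state = ""
        if len(fields) > 5 and "/" not in fields[5] and fields[5] != "-":
            state = fields[5]
        sockets.append({
            "proto": fields[0].lower(),
            "local_host": local_host,
            "local_port": local_port,
            "peer_host": peer_host,
            "peer_port": peer_port,
            "state": state,
            "scope": bind_scope(local_host),
        })
    return sockets


def is_listener(sock):
    """TCP in LISTEN, or UDP whose peer port is still the '*' wildcard."""
    if sock["proto"].startswith("tcp"):
        return sock["state"] == "LISTEN"
    return sock["peer_port"] == "*"


def exposed_listeners(text):
    """Return (proto, port) for listeners bound to every interface."""
    return [(s["proto"], s["local_port"])
            for s in parse_sockets(text)
            if is_listener(s) and s["scope"] == "all-interfaces"]


if __name__ == "__main__":
    for proto, port in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is listening on all interfaces")
```

BSD and macOS print endpoints with a dot before the port (for example *.22), so this colon-based split does not apply there without adjustment.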

Caveats

Some versions of netstat lack explicit field delimiters in their printf-generated output, leading to numeric fields running together and thus corrupting the output data.

Platform specific remarks

The ReactOS netstat command
The macOS netstat command

Under Linux, raw data can often be obtained from the /proc/net/dev to work around the printf output corruption arising in netstat's network interface statistics summary, netstat -i, until such time as the problem is corrected.[citation needed]
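Reading /proc/net/dev directly, as described above, avoids depending on netstat's column alignment. The following is an added example, not part of the original article; the sample text is constructed (including a row whose first counter directly follows the colon), and the function names are hypothetical.

```python
# Constructed sample in the /proc/net/dev layout; every counter is made up.
# The eth0 row has its first counter directly after the colon, with no space.
SAMPLE_PROC_NET_DEV = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   52340     100    0    0    0     0          0         0    52340     100    0    0    0     0       0          0
  eth0:98765432109   12345    2    1    0     0          0        17 4567890123   67890    0    3    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {interface: {counter_name: int}}, named from the file's header."""
    lines = text.splitlines()
    if len(lines) < 2 or lines[1].count("|") != 2:
        raise ValueError("unexpected /proc/net/dev header")
    # The second header line lists receive and transmit field names,
    # separated by '|'; prefix them so rx and tx names cannot collide.
    _, rx_header, tx_header = lines[1].split("|")
    names = ["rx_" + n for n in rx_header.split()]
    names += ["tx_" + n for n in tx_header.split()]

    stats = {}
    for line in lines[2:]:
        if ":" not in line:
            continue
        # Split on the colon, not on whitespace: the interface name and the
        # first counter may be adjacent ("eth0:98765432109").
        iface, _, counters = line.rpartition(":")
        values = counters.split()
        if len(values) != len(names):
            raise ValueError(
                f"{iface.strip()}: expected {len(names)} counters, "
                f"got {len(values)}"
            )
        stats[iface.strip()] = dict(zip(names, (int(v) for v in values)))
    return stats


def netstat_i_row(counters):
    """Map raw counters onto the packet columns that netstat -i reports."""
    return {
        "RX-OK": counters["rx_packets"],
        "RX-ERR": counters["rx_errs"],
        "RX-DRP": counters["rx_drop"],
        "TX-OK": counters["tx_packets"],
        "TX-ERR": counters["tx_errs"],
        "TX-DRP": counters["tx_drop"],
    }


def interfaces_with_problems(stats):
    """Names of interfaces with any non-zero error or drop counter."""
    watched = ("rx_errs", "rx_drop", "tx_errs", "tx_drop")
    return sorted(name for name, c in stats.items()
                  if any(c[key] for key in watched))


def read_interface_stats(path="/proc/net/dev"):
    """Parse the live file on a Linux host."""
    with open(path, encoding="ascii") as handle:
        return parse_proc_net_dev(handle.read())


if __name__ == "__main__":
    for name, counters in parse_proc_net_dev(SAMPLE_PROC_NET_DEV).items():
        print(name, netstat_i_row(counters))
```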

On the Windows platform, netstat information can be retrieved by calling the GetTcpTable and GetUdpTable functions in the IP Helper API, or IPHLPAPI.DLL. Information returned includes local and remote IP addresses, local and remote ports, and (for GetTcpTable) TCP status codes. In addition to the command-line netstat.exe tool that ships with Windows, GUI-based netstat programs are available.

On the Windows platform, this command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

On the Windows platform running Remote Desktop Services (formerly Terminal Services) it will only show connections for the current user, not for the whole computer.

On macOS, the /System/Library/CoreServices/Applications folder (or /Applications/Utilities in OS X Mountain Lion and earlier) contains a network GUI utility called Network Utility, the Netstat tab of which runs the netstat command and displays its output in the tab.

from Grokipedia
Netstat (short for "network statistics") is a command-line utility available on Unix-like operating systems, Windows, and other systems that displays detailed information about the networking subsystem, including active network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. It provides insights into TCP and UDP ports, listening sockets, protocol statistics for IPv4 and IPv6 (such as IP, ICMP, TCP, and UDP), and Ethernet or interface performance metrics like packet counts and errors. Originally developed as part of standard system tools, netstat enables users and administrators to monitor network activity, diagnose connectivity issues, and gather information on open sockets and paths without requiring elevated privileges for basic operations.

The tool's output can be customized through various options, such as displaying numerical addresses instead of symbolic names, showing process identifiers associated with connections, or filtering by specific protocols like TCP or UDP. For instance, on systems, the default invocation lists open sockets across all address families, while the -r flag reveals the routing table, including destinations, gateways, and interface details. In Windows environments, netstat supports interval-based refreshes for continuous monitoring and can identify executables responsible for network usage, aiding in security audits and performance optimization. Although netstat remains widely used for its simplicity and broad compatibility, modern alternatives like the ss command in Linux have emerged for more efficient querying, reflecting evolving needs.

Overview

Description

Netstat is a command-line utility that displays network connections (both active and passive), routing tables, interface statistics, and multicast memberships. On systems such as Linux, it also shows masquerade connections. On systems such as Linux, it is part of the net-tools package, a collection of legacy networking utilities. On Windows, netstat is a built-in command available in the Command Prompt.

The tool plays a key role in network diagnostics by allowing users to monitor active sockets, examine protocol statistics, and identify potential connectivity issues, such as open ports or routing problems. It enables administrators and users to inspect the state of network interfaces and connections without needing specialized hardware.

Netstat originated in early Unix systems, introduced as a new program in the 4.2BSD release in 1983 to display network statistics and active connections. It has since evolved into a widely adopted tool across various operating systems. Operating at the user level, netstat queries kernel data structures via system calls, and its basic output requires no root privileges, though certain advanced options may do so.

History

netstat was first introduced in the 4.2BSD release of Unix in August 1983, as a utility to display network-related data structures, particularly in conjunction with the new interface for over networks. This implementation provided essential visibility into active sockets, protocol statistics, and routing tables, supporting the growing adoption of TCP/IP in academic and research environments during the early 1980s. It was later adopted in other systems, including System V derivatives and modern BSD variants like and macOS.

In the Linux ecosystem, netstat became available through the net-tools package, which originated from the NET-2 networking distribution and was integrated into Linux distributions starting in the early to manage the kernel's evolving networking subsystem. The package, including , arp, and , was maintained as a standard set of utilities for versions from 2.0 onward, with compatibility extending to kernel 2.2 in 1999, though limitations emerged with advanced features like IPv6. By the , amid discussions on modernization, the and distributions began deprecating net-tools in favor of utilities, citing outdated code and performance issues, though remained installable as a legacy tool.

Microsoft incorporated netstat into its TCP/IP protocol suite with the release of on July 27, 1993, enabling administrators to monitor connections and statistics on enterprise workstations and servers. Subsequent Windows versions, including NT 4.0, , and modern releases like Windows 10 and 11, retained and enhanced netstat, integrating it with evolving networking stacks while introducing alternatives such as PowerShell cmdlets (e.g., Get-NetTCPConnection, available since PowerShell 3.0 in 2012) for more scriptable network diagnostics. As of 2025, netstat continues to be a bundled utility in Windows environments, providing cross-platform consistency with its Unix roots despite the rise of specialized tools.

Functionality

Statistics Provided

Netstat retrieves and displays a range of network-related statistics, focusing on active connections, routing information, interface performance, and additional protocol details. These statistics offer insights into the current state of network activity, helping administrators monitor connectivity, traffic flow, and potential issues without delving into lower-level kernel data.

Active internet connections form one of the core outputs, enumerating TCP and UDP sockets in various states. For TCP connections, it shows established sessions, listening ports, and transient states like SYN_SENT (indicating outgoing connection attempts), along with local and remote addresses, ports, and connection states such as ESTABLISHED or LISTEN. UDP sockets, being connectionless, display only local addresses and ports, without states. This data aids in identifying open ports and active communications.

The routing table output lists IP routes, including the destination network, gateway (next hop), interface used, and flags denoting route properties, such as U for active (up) routes and G for those requiring a gateway. This provides a snapshot of the system's forwarding paths for traffic.

Interface statistics detail per-network-interface metrics, such as total bytes and packets received and transmitted, along with error counts (e.g., errors) and collision rates for Ethernet interfaces like eth0. These counters accumulate over time, reflecting overall interface health and utilization.

Additional data includes Unix domain sockets, which show local inter-process communications with fields like reference count, type (e.g., stream), state, and socket paths; IP multicast group memberships, listing interfaces joined to multicast addresses; masquerade connections, which display network address translation (NAT) details such as original and reply addresses when using options like -M on Linux systems; and protocol-specific statistics, such as ICMP message counts including errors like destination unreachable.

When invoked with appropriate parameters, netstat can include the process ID (PID) and program name for socket-owning applications, facilitating identification of resource consumers.

Output Formats

The output of the netstat command is primarily presented in human-readable text format, consisting of tabular displays with headers and columns that vary depending on the specified options, such as active connections, routing tables, or interface statistics. These formats are designed for manual inspection by network administrators, with columns aligned for readability in terminal environments. For active Internet connections (typically invoked with options like -t for TCP or -u for UDP), the standard output format features the following columns:
Column – Description
Proto – The protocol in use, such as tcp, udp, or raw.
Recv-Q – The receive queue size in bytes (for established connections) or the SYN backlog queue (for listening sockets).
Send-Q – The send queue size in bytes (for established connections) or the maximum SYN backlog (for listening sockets).
Local Address:Port – The local address and port number, separated by a colon (e.g., :80).
Foreign Address:Port – The remote address and port number for the connection (e.g., 192.168.1.1:12345), or : for sockets.
State – The connection state, such as LISTEN (waiting for incoming connections), ESTABLISHED (active data transfer), SYN_SENT (connection initiation), or TIME_WAIT (closing phase).

Additional columns, like User (socket owner) or PID/Program name (process details), may appear with extended options such as -p on systems. On Windows, the active connections format is similar but omits Recv-Q and Send-Q by default, focusing on Proto, Local Address, Foreign Address, and State.

The routing table output (displayed with the -r option) uses a columnar format to represent kernel routing information, with the following key columns:
Column – Description
Destination – The destination network or host (e.g., 192.168.1.0 or default).
Gateway – The gateway address for packets, or * if directly connected.
Genmask – The netmask (e.g., 255.255.255.0).
Flags – Route flags, such as U (route is up), G (uses gateway), H (target is host), or D (dynamically installed).
MSS – Maximum segment size for TCP (e.g., 1500).
Window – TCP window size (e.g., 32768).
irtt – Initial round-trip time estimate in milliseconds (e.g., 100).
Iface – The outgoing interface (e.g., eth0).

This format aids in diagnosing routing paths and metrics. Windows routing output via netstat -r mirrors this structure closely, aligning with the route print command.

Interface statistics (shown with the -i option on Unix-like systems) provide per-interface counters in a table format, including:
Column – Description
Iface – The interface name (e.g., lo or eth0).
MTU – Maximum transmission unit in bytes (e.g., 1500).
RX-OK – Packets received without errors.
RX-ERR – Packets received with errors.
RX-DRP – Packets dropped during reception (e.g., due to buffer overflow).
TX-OK – Packets transmitted successfully.
TX-ERR – Packets transmitted with errors.
TX-DRP – Packets dropped during transmission.
Type – The interface hardware type (e.g., ethernet or loopback), though not always displayed in basic output.

Flags (Flg) may also appear, indicating status like UP or RUNNING. On Windows, interface details are aggregated under -e for Ethernet statistics, showing total bytes and packets sent/received rather than per-interface breakdowns.

By default, netstat resolves IP addresses to hostnames, port numbers to service names (e.g., 80 to http), and user IDs to usernames, enhancing readability but potentially slowing output due to DNS lookups. The -n flag suppresses this resolution, displaying numerical IP addresses, port numbers, and user IDs instead, which is useful for scripting or high-volume analysis. Partial numeric options, such as --numeric-hosts or --numeric-ports, allow selective control. The -n behavior is consistent across platforms, including Windows.

While the default output is text-based and human-oriented, some extended implementations support machine-parsable formats; for instance, FreeBSD supports output in XML and other machine-readable formats via the --libxo option using libxo(3), facilitating automated parsing in monitoring tools. However, this is not universal and depends on the system version.

Usage

Common Parameters

The netstat command supports several parameters that are widely shared across Unix-like systems and Windows, enabling users to customize output for network diagnostics. These options control the scope of displayed information, such as , routing, and statistics, and are typically case-sensitive on Unix-like systems.

The -a parameter displays all sockets, including both listening and non-listening ones, providing a complete view of active and potential network endpoints. On Unix-like systems, it shows detailed socket states; on Windows, it includes all TCP connections and UDP ports.

The -r parameter outputs the kernel routing table, listing routes for network traffic forwarding. This is equivalent to the route command's verbose output and is consistent across platforms, showing destination, gateway, and interface details.

The -i parameter presents interface statistics, including a table of network interfaces with packet counts, errors, and transmission metrics. It is primarily used on systems, where it helps monitor interface performance.

The -n parameter enforces numeric output, displaying addresses, ports, and hosts as numbers without attempting DNS resolution, which speeds up execution and avoids resolution delays. This option is standard on both Unix-like systems and Windows for precise, hostname-free results.

On systems, -t limits output to TCP sockets, -u to UDP sockets, -l to listening sockets only, and -p to include the process ID (PID) and program name associated with each socket, requiring elevated privileges for full visibility. These protocol and process filters enhance targeted analysis.

The -s parameter generates per-protocol statistics summaries, detailing metrics like packets sent, received, and errors for protocols such as TCP, UDP, and IP. It provides aggregated data without individual connection details and is available on Windows as well.

An interval option, such as netstat -i 1 on systems, enables continuous updates by redisplaying the selected statistics (e.g., interface data) every specified number of seconds, useful for real-time monitoring until interrupted. On Windows, a similar effect is achieved by appending a number directly, like netstat -s 1. Parameters on systems are case-sensitive, distinguishing uppercase variants like -A from lowercase, and can be combined for refined queries, such as netstat -anp to show all numeric TCP/UDP sockets with associated processes. Platform-specific extensions, like additional filters on Windows, build upon these core options.

Platform-Specific Options

On Unix-like systems such as Linux and BSD derivatives, netstat includes options that leverage kernel-specific networking features like IP masquerading and multicast handling. The -M option lists masquerade connections, useful for inspecting NAT translations in firewall configurations. The -g option displays multicast group memberships for both IPv4 and IPv6 addresses, aiding in the diagnosis of group communication issues. Additionally, the -e option extends the output with details like user IDs and inode numbers for sockets, which can be invoked twice for fuller information. The -c option runs netstat in continuous mode, refreshing output every second to monitor dynamic network changes. In modern Linux distributions, netstat from the deprecated net-tools package often issues warnings recommending alternatives like ss or ip from iproute2.

Windows implementations of netstat provide options optimized for its Winsock API and TCP/IP stack, emphasizing process association and hardware-level metrics. The -e option outputs Ethernet interface statistics, such as total bytes and packets transmitted or received, which can combine with -s for protocol-specific breakdowns. The -f option resolves foreign addresses to fully qualified domain names where possible, enhancing for DNS-integrated environments. The -o option appends the process ID (PID) owning each TCP connection, facilitating identification of applications using network resources. The -b option reveals the full path to executables involved in connections or listening ports, though it requires elevated privileges and may slow execution due to its depth. The -p option filters by protocol, such as TCP or UDP (including variants like TCPv6), allowing targeted views of traffic types. The -x option delivers extended TCP/IP statistics, including connection offload states for network adapter hardware.

On macOS, derived from BSD, netstat emphasizes per-interface monitoring and integration, with options that align closely with behaviors. The -s option generates comprehensive per-protocol statistics, repeatable to omit zeroed counters, and pairs effectively with -f inet6 for IPv6-focused output that highlights address-specific metrics. Combining -a (all sockets) and -n (numeric addresses) with -p tcp yields detailed TCP connection states without name resolution, suitable for performance-sensitive diagnostics. The -I option, followed by an interface name like en0, reports traffic counters for that interface alone, and when used with -s, breaks down protocol usage per interface to isolate bottlenecks.

Examples

Cross-Platform Commands

The netstat utility provides several command options that function similarly across major operating systems, including Unix-like systems (such as and ) and Windows, enabling portable network diagnostics without platform-specific adjustments. These shared options focus on displaying , routing, interfaces, and protocol statistics, though output formatting, such as column order and flag notations, may differ slightly to align with system conventions. This portability makes netstat valuable for scripting and cross-environment troubleshooting, where consistent syntax yields comparable insights into network activity.

The -a option lists all active connections, including both established TCP sessions and listening UDP/TCP ports, revealing the full scope of network endpoints on the system. On Unix-like systems, the output typically includes columns for protocol, local and foreign addresses with ports, and connection state (e.g., ESTABLISHED or ), while Windows presents similar data with Proto, Local Address, Foreign Address, and State columns, though the order may vary. For example:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:12345      203.0.113.5:80          ESTABLISHED

This command is essential for identifying open ports and active peers without needing elevated privileges in basic use. Omitting the -n option allows resolution of IP addresses to hostnames where possible.

The -r option displays the system's routing table, showing how packets are forwarded based on destinations, gateways, and interfaces. Unix-like implementations use flags like U (route is up) and G (uses a gateway), with output columns including Destination, Gateway, Genmask, Flags, Metric, Ref, Use, and Iface, whereas Windows formats it with Network Destination, Netmask, Gateway, Interface, and Metric columns for a tabular view akin to the route print command. A representative output might appear as:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 en0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 en0

This cross-platform consistency allows administrators to inspect configurations uniformly, though interpreting flags requires awareness of OS-specific notations.

For interface statistics, Unix-like systems employ the -i (or -I on for a specific interface) option to report per-interface metrics, such as packets, errors, and collisions, in a table with columns like Iface, MTU, RX-OK, RX-ERR, TX-OK, TX-ERR, and Flags. In contrast, Windows uses -e to summarize total Ethernet statistics across all adapters, including bytes and packets sent/received, without per-interface breakdown. An example -i output:

Kernel Interface table
Iface   MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
en0    1500   0 12345      0      0      0 67890      0      0      0 BMRU
lo0   65536   0   100      0      0      0   100      0      0      0 LRU

These options provide a portable way to monitor link-layer performance, with -i offering granularity on Unix-like systems and -e providing aggregated Ethernet insights on Windows.

The -s option generates per-protocol summaries for TCP, UDP, ICMP, and IP (including IPv6 where supported), detailing segments or datagrams sent/received, along with error counts like retransmissions or failures. Output is structured as indented sections per protocol on all platforms, with Unix-like systems showing active connections and Windows including similar counters but potentially grouped differently. For instance, a TCP summary might include:

Tcp:
    123 active connections openings (0 passive)
    5 failed connection attempts
    4564 segments sent out
    7890 segments received

This command aids in diagnosing protocol-level issues portably, as the core metrics remain consistent despite minor formatting variances. Across all supported platforms, combining -a with -n (as in netstat -an) suppresses DNS name resolution for addresses and ports, displaying numeric values (e.g., 192.168.1.10:80 instead of hostnames) to accelerate execution and reduce overhead, which is particularly beneficial in automated scripts or high-volume monitoring. This numeric mode integrates seamlessly with the -a output format while maintaining portability.

Unix-like Systems

In Unix-like systems such as Linux and BSD variants, netstat provides detailed insights into network connections, sockets, and routing, often used for server configurations and connectivity issues. The tool is particularly valuable in environments where administrators need to inspect listening services, protocol statistics, and local communication via Unix domain sockets, with options tailored to display process identifiers (PIDs) and numeric addresses for precise diagnostics.

A common command for identifying active listening TCP ports and associated processes is netstat -tlnp, where -t specifies TCP, -l filters for listening sockets, -n shows numeric ports and addresses without name resolution, and -p reveals the PID and program name owning each socket. This is essential for verifying services like web servers; for instance, running the command might output lines such as:

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1234/nginx


Here, PID 1234 corresponds to the process listening on port 80, helping administrators confirm that the HTTP service is operational or detect unauthorized listeners during security audits.

For UDP-related diagnostics, such as investigating broadcast or issues in network applications, netstat -u -an lists all UDP sockets in numeric format, showing bound addresses and states without resolving hostnames. An example output could include:

udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 224.0.0.251:5353 0.0.0.0:*


This reveals UDP endpoints like NTP (port 123) or mDNS (port 5353), allowing users to pinpoint misconfigurations in broadcast traffic or firewall blocks affecting delivery.

To examine the routing table numerically for firewall verification—ensuring routes align with or pf rules—netstat -rn displays kernel information without hostname lookups. Typical output might show:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0


This helps confirm default gateways and interface assignments, crucial for diagnosing why traffic might be dropped by firewall policies.

Monitoring protocol errors often involves netstat -s | grep errors, which prints per-protocol statistics and filters for error counters like failures or retransmits. For example, in TCP statistics, it might highlight "retransmits: 5" or UDP "bad checksums: 2," aiding script-based alerting for network anomalies in automated troubleshooting setups.

On Linux distributions, netstat is provided by the net-tools package, which may need explicit installation via package managers like apt or yum if not present by default. Additionally, including the -x option displays Unix domain sockets for analysis; an example output could be:

unix 2 [ ] STREAM CONNECTED 5678 /tmp/.X11-unix/X0


This reveals local socket paths, useful for debugging application internals without network involvement. Note that while netstat remains functional, modern alternatives like ss from iproute2 offer enhanced performance for similar tasks.
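The listener audit described above for netstat -tlnp can be scripted as a baseline comparison. This is an added example, not part of the original article; the sample output is constructed and the ALLOWED baseline is a hypothetical per-host policy.

```python
# Constructed sample of `netstat -tlnp` output (not captured from a real host).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/nginx
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      880/postgres
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      4021/nc
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

# Hypothetical baseline: (port, program) pairs this host is expected to expose.
ALLOWED = {(80, "nginx"), (5432, "postgres"), (22, "sshd")}

def parse_listeners(text):
    """Return one dict per LISTEN row; program is None when netstat prints '-'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue  # banner, column header, or a non-listening socket
        addr, _, port = f[3].rpartition(":")   # rpartition also handles ':::22'
        pid, _, prog = f[6].partition("/")
        rows.append({
            "addr": addr,
            "port": int(port),
            "pid": int(pid) if pid.isdigit() else None,
            "program": prog.rstrip(":") or None,
        })
    return rows

def audit(text, allowed=ALLOWED):
    """Return (port, reason) findings for listeners outside the baseline."""
    findings = []
    for s in parse_listeners(text):
        if s["program"] is None:
            # Without root, -p shows '-' for sockets owned by other users.
            findings.append((s["port"], "owner hidden (run as root to see PID)"))
        elif (s["port"], s["program"]) not in allowed:
            scope = " on all interfaces" if s["addr"] in ("0.0.0.0", "::") else ""
            findings.append(
                (s["port"], f"unexpected listener {s['program']} pid {s['pid']}{scope}"))
    return findings

if __name__ == "__main__":
    for port, reason in audit(SAMPLE):
        print(port, reason)
```

Rows whose owner is hidden are reported rather than silently passed, since an audit run without elevated privileges cannot confirm which program holds the port.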

Windows Systems

On Windows systems, netstat integrates closely with the TCP/IP protocol stack to provide detailed insights into network activity, including active connections, listening ports, and associated processes, which aids in connectivity issues and monitoring . The command supports protocol-specific filtering and process identification, distinguishing it from implementations on other platforms through features like executable binding and elevated privilege requirements for certain outputs.

The netstat -an -p TCP command displays all active TCP connections in numerical format, including connection states such as TIME_WAIT, which indicates ports temporarily reserved after closure to handle potential delayed packets. This output lists local and foreign addresses with ports, helping administrators identify lingering connections that might contribute to resource exhaustion in high-traffic environments. For instance, excessive TIME_WAIT states can signal port exhaustion when the system's ephemeral port range is depleted.

To associate network activity with specific processes, netstat -b reveals the executable names involved in each connection or listening , requiring administrator privileges for execution due to access restrictions on information. This option is particularly useful for security audits, as it maps traffic to applications like or third-party services, enabling quick identification of unauthorized or anomalous behavior.

For performance monitoring, netstat -e -s combines Ethernet interface statistics—such as bytes and packets sent or received—with per-protocol breakdowns for TCP, UDP, ICMP, and IP, offering a comprehensive view of network utilization. Administrators often use this to assess overall throughput and detect bottlenecks, for example, by observing packet discard rates in the IP statistics section.

The netstat -rn command outputs the IP routing table in numerical format, displaying active routes including persistent ones configured via the route add command, which helps in diagnosing routing misconfigurations or gateway issues. This reveals default gateways, network routes, and interface metrics without symbolic name resolution.
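The TIME_WAIT check described above can be automated by summarising netstat -an -p TCP output per state and per remote endpoint. This is an added example, not part of the original article; the sample output is constructed, and the dynamic port range of 49152 to 65535 is an assumption about the host's default configuration.

```python
from collections import Counter

# Constructed sample of Windows `netstat -an -p TCP` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:443       198.51.100.7:51514     ESTABLISHED
  TCP    192.168.1.10:49721     203.0.113.5:443        TIME_WAIT
  TCP    192.168.1.10:49722     203.0.113.5:443        TIME_WAIT
  TCP    192.168.1.10:49730     203.0.113.9:8443       TIME_WAIT
  TCP    [::1]:49800            [::1]:5985             ESTABLISHED
"""

def parse_connections(text):
    """Return one dict per TCP row, skipping the banner and column header."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP":
            rows.append({
                "local_port": int(f[1].rsplit(":", 1)[1]),  # works for [::1]:49800 too
                "remote": f[2],
                "state": f[3],
            })
    return rows

def time_wait_report(text, dyn_start=49152, dyn_count=16384):
    """Summarise states and estimate how much of the dynamic range TIME_WAIT holds.

    dyn_start and dyn_count are assumptions (the usual default range); pass the
    values configured on the host under review.
    """
    rows = parse_connections(text)
    waiting = [r for r in rows if r["state"] == "TIME_WAIT"]
    held = {r["local_port"] for r in waiting
            if dyn_start <= r["local_port"] < dyn_start + dyn_count}
    return {
        "states": dict(Counter(r["state"] for r in rows)),
        # Which remote endpoints account for the lingering sockets, busiest first.
        "time_wait_by_remote": Counter(r["remote"] for r in waiting).most_common(),
        "dynamic_ports_held": len(held),
        "dynamic_share": len(held) / dyn_count,
    }

if __name__ == "__main__":
    print(time_wait_report(SAMPLE))
```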

Limitations

Deprecation Status

In Linux distributions, netstat has been deprecated since around 2011 due to the unmaintained status of the net-tools package, with major vendors recommending alternatives starting from releases like Red Hat Enterprise Linux (RHEL) 7 in 2014 and Ubuntu 17.04 onward. The ss command from the iproute2 suite is preferred for its superior performance and native support for IPv6 features, as netstat's method of scanning files in /proc/net is inefficient compared to ss's direct use of kernel socket statistics via Netlink. As of 2025, netstat is not installed by default in most major Linux distributions, including Ubuntu 24.04, Fedora 43, and RHEL 10, though it remains available for installation via package managers like apt or dnf for legacy compatibility.

On Windows, netstat continues to be fully supported as of and 2025, with no official deprecation announced by Microsoft. However, for scripting and automation purposes, Microsoft recommends the Get-NetTCPConnection cmdlet in PowerShell, which provides similar TCP connection details with enhanced integration for modern administrative tasks.

In BSD variants like FreeBSD and on macOS, netstat remains a standard, actively maintained utility with no formal deprecation, as evidenced by its inclusion and updates in FreeBSD 14.3 documentation as of 2025. It is often supplemented by tools such as nettop for real-time network monitoring on macOS or for listing open files and sockets, but continues to serve as a core command-line option for displaying network connections and statistics.

Caveats and Alternatives

While netstat provides valuable network diagnostics, it has several practical limitations that can hinder its effectiveness in certain scenarios. Displaying process identifiers (PIDs) associated with network connections typically requires elevated privileges, as the command accesses sensitive kernel data structures that are not accessible to non-privileged users. Additionally, netstat's default behavior of performing DNS resolution on IP addresses can significantly slow down output generation, especially on systems with many connections or unreliable resolvers, often taking seconds to minutes for large result sets. Older versions of netstat, such as those in pre-2010 distributions, exhibit poor IPv6 support, including truncation of long IPv6 addresses in output fields, which limits its utility for dual-stack environments. Furthermore, using the -p option to reveal details can pose risks by exposing sensitive information about running services and their PIDs, potentially aiding attackers in if the output is accessible in shared or logged environments.

Modern alternatives have largely superseded netstat due to its inefficiencies and in many systems. On Linux, the ss command serves as a direct replacement, leveraging the Netlink socket interface for faster data retrieval instead of scanning /proc filesystem queues; for instance, ss -tuln lists listening sockets in a format similar to netstat but includes additional details like timer states and inode numbers. The utility offers cross-platform visibility into open files and sockets, making it suitable for correlating network activity with file descriptors across and Windows systems. For active network scanning, provides comprehensive port discovery and vulnerability assessment beyond passive monitoring. On Windows, cmdlets such as Get-NetTCPConnection and Get-NetUDPEndpoint deliver equivalent functionality to netstat, with built-in filtering for TCP/UDP endpoints and process ownership without requiring external tools.

In comparisons, ss maintains a compatible output structure to netstat while enhancing performance through direct kernel communication, avoiding the overhead of iterative file reads that can bottleneck netstat on busy systems. As of 2025, tools like ss can reduce execution time by up to 10 times for common queries like listing all connections, making netstat particularly unsuitable for high-frequency monitoring in resource-constrained environments such as Docker containers, where isolation and rapid polling exacerbate its scanning delays.
