NetStat Commands - Cheatsheet

The first list in the output displays active established internet connections on the computer. The following details are in the columns:

  • Proto – Protocol of the connection (TCP, UDP).
  • Recv-Q – Receive queue of bytes received or ready to be received.
  • Send-Q – Send queue of bytes ready to be sent.
  • Local address Address details and port of the local connection. An asterisk (*) in the host indicates that the server is listening and if a port is not yet established.
  • Foreign address– Address details and port of the remote end of the connection. An asterisk (*) appears if a port is not yet established.
  • State State of the local socket, most commonly ESTABLISHED, LISTENING, CLOSED or blank*.*

The second list shows all the active “Unix Domain” open sockets with the following details:

  • Proto – Protocol used by the socket (always unix).
  • RefCnt – Reference count of the number of attached processes to this socket.
  • Flags – Usually ACC or blank.
  • Type – The socket type.
  • State – State of the socket, most often CONNECTED, LISTENING or blank.
  • I-Node – File system inode (index node) associated with this socket.
  • Path – System path to the socket.

For advanced usage, expand the netstat command with options:

netstat [options]

Or list the options one by one:

netstat [option 1] [option 2] [option 3]

The netstat options enable filtering of network information.

Note: If the network is slow, test the network speed.

List All Ports and Connections

To list all ports and connections regardless of their state or protocol, use:

netstat -a

The output lists established connections along with servers that are open or listening.

List All TCP Ports

List all TCP ports by running:

netstat -at

List All UDP Ports

List all UDP ports with:

netstat -au

List Only Listening Ports

To return a list of only listening ports for all protocols, use:

netstat -l

List TCP Listening Ports

List all listening TCP ports with:

netstat -lt

List UDP Listening Ports

Return only listening UDP ports by running:

netstat -lu

List UNIX Listening Ports

To list UNIX listening ports, use:

netstat -lx

Note: Scan for open ports with nmap as an alternative.

Display Statistics by Protocol

Display statistics for all ports regardless of the protocol with:

netstat -s

Statistics are also filterable by protocol.

List Statistics for TCP Ports

List statistics for TCP ports only with:

netstat -st

List Statistics for UDP Ports

To list statistics for UDP ports only, use:

netstat -su

List Network Interface Transactions

To see transactions of MTU, receiving and transferring packets in the kernel interface table, use:

netstat -i

Display Extended Kernel Interface Table

Add the option -e to netstat -i to extend the details of the kernel interface table:

netstat -ie

Display Masqueraded Connections

For displaying masqueraded connections, use:

netstat -M

Display PID

Display the PID/Program name related to a specific connection by adding the -p option to netstat. For example, to view the TCP connections with the PID/Program name listed, use:

netstat -tp

Find Listening Programs

Find all listening programs with:

netstat -lp

Display Kernel IP Routing Table

Display the kernel IP routing table with:

netstat -r

Display IPv4 and IPv6 Group Membership

Display group membership for IPv6/IPv4 with:

netstat -g

Print netstat Info Continuously

Add the -c option to the netstat command to print information every second:

netstat -c

For example, to print the kernel interface table continuously, run:

netstat -ic

Find Unconfigured Address Families

List addresses without support on the system with:

netstat --verbose

The information is found at the end of the output:

Display Numerical Addresses, Host Addresses, Port Numbers, and User IDs

By default, addresses, port numbers, and user IDs are resolved into human-readable names when possible. Knowing the unresolved port number is important for tasks such as SSH port forwarding.

Display Numerical Addresses
Show numerical addresses with:

netstat -n

Display Numerical Host Addresses
To show only host addresses as numerical, run:

netstat --numeric-hosts

Display Numerical Port Numbers
Show only ports as numerical with:

netstat --numeric-ports

Display Numerical User Ids
To display numerical user IDs, use:

netstat --numeric-users

Find a Process That Is Using a Particular Port

Make use of the grep command to filter the data from netstat. To find a process that is using a particular port number, run:

netstat -an | grep ':[port number]'

For example:

netstat -an | grep ':80'

List All netstat Commands

There are many netstat options available. Access the list of all the available commands and a short description using:

netstat -h