Mastering Netstat: Your Guide to Network Statistics & Diagnostics

Netstat (Network Statistics) is a command-line tool available on most operating systems (Windows, Linux, Unix, macOS) that provides critical insights into network connections, routing tables, interface statistics, and protocol metrics. Originally part of 4.2BSD in 1983, netstat remains a widely used utility for system administrators, network engineers, and security analysts for monitoring, troubleshooting, and analyzing network activity. On Linux, netstat is part of the net-tools package and is considered mostly obsolete in favor of ss and iproute2, though it is still included in many distributions. This guide explores netstat’s functionality, practical applications, and modern alternatives.

Table of Contents#

  1. Understanding Netstat Fundamentals
  2. Common Netstat Command Options
  3. Practical Usage Examples
  4. Interpreting Netstat Output
  5. Security & Performance Best Practices
  6. Limitations & Modern Alternatives
  7. Conclusion
  8. References

Understanding Netstat Fundamentals#

Netstat displays real-time network data categorized into four key areas:

  • Active Connections: TCP/UDP connections (local/remote IPs, ports, state).
  • Listening Ports: Services awaiting incoming connections.
  • Interface Statistics: Packet counts, errors (bytes in/out, collisions).
  • Routing Tables: Paths used by the OS to direct network traffic.

How Netstat Works#

Netstat reads data directly from the OS kernel’s networking stack:

  • /proc/net/tcp and /proc/net/udp (Linux)
  • Kernel structures via syscalls (Windows/macOS)
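To make the Linux path concrete, here is an added Python example (not code from the page or from net-tools) that decodes constructed /proc/net/tcp rows into the addresses and state names netstat prints; the kernel state-code mapping also backs the connection-state table later in this guide. It assumes a little-endian (x86/ARM) host, and the function names and sample rows are mine.

```python
import socket
import struct
from collections import Counter

# Kernel state codes (include/net/tcp_states.h) mapped to the names netstat prints.
TCP_STATES = {1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
              5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
              9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING"}

# Constructed sample of /proc/net/tcp (little-endian host): a listener on 443,
# an outbound HTTP session, and a half-open inbound SSH handshake.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18234 1 0000000000000000 100 0 0 10 0
   1: 0501A8C0:C73A 01231268:0050 01 00000000:00000000 00:00000000 00000000  1000        0 25511 1 0000000000000000 20 4 30 10 -1
   2: 0501A8C0:0016 0A01A8C0:D2A4 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(field: str) -> tuple[str, int]:
    """'0501A8C0:C73A' -> ('192.168.1.5', 51002).
    The kernel writes the IPv4 address as a hex u32 in host byte order, so on a
    little-endian host the octets appear reversed; the port is a plain hex number."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> list[dict]:
    """One dict per socket row; this is the raw form behind each `netstat -tan` line."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": TCP_STATES.get(int(f[3], 16), f"UNKNOWN({f[3]})"),
                     "uid": int(f[7]), "inode": int(f[9])})
    return rows

def state_counts(rows) -> Counter:
    """Per-state totals, the figure behind checks such as `grep TIME_WAIT | wc -l`."""
    return Counter(r["state"] for r in rows)

if __name__ == "__main__":
    # On a real Linux host, replace SAMPLE with open("/proc/net/tcp").read().
    for r in parse_proc_net_tcp(SAMPLE):
        print(f"{r['local'][0]}:{r['local'][1]:<6} {r['remote'][0]}:{r['remote'][1]:<6} {r['state']}")
```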

Common Netstat Command Options#

| Option | Description | OS Support |
|---|---|---|
| -a | Show all connections/listening ports | All |
| -t | TCP connections only | Linux |
| -u | UDP connections only | Linux |
| -n | Display numerical addresses/ports (no DNS) | All |
| -p | Show PID/program name (requires root on Linux); on Windows/macOS, specifies protocol | Linux: PID/name (root); Windows/macOS: protocol |
| -l | Listening ports only | Linux |
| -o | Show owning process ID | Windows |
| -r | Display routing table | All |
| -s | Per-protocol statistics (TCP, UDP, ICMP, etc.) | All |
| -e | Extended information (Linux); Ethernet statistics (Windows) | All |
| -c | Continuous output (refresh periodically) | Linux |
| -W | Wide output (do not truncate addresses) | Linux |

Practical Usage Examples#

1. List All Active Connections#

netstat -a

Use Case: Inventory open ports and active sessions.
Best Practice: Combine with -n for faster output (avoids DNS lookups):

netstat -an

2. Identify Listening TCP Ports & Associated Processes#

# Linux (requires root for process information with -p)
sudo netstat -tulnp
 
# macOS (use lsof to view process information)
netstat -an | grep LISTEN
lsof -i -P | grep LISTEN
 
# Windows
netstat -ano | findstr LISTENING

Output Example:

Proto Recv-Q Send-Q Local Address    Foreign Address State  PID/Program  
tcp   0      0      0.0.0.0:443      0.0.0.0:*       LISTEN   1054/nginx

Security Tip: Verify unexpected listening ports (e.g., unknown service on port 4444).

3. Monitor Network Interface Traffic#

netstat -i

Output:

Kernel Interface table
Iface   MTU Met  RX-OK RX-ERR RX-DRP RX-OVR  TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500 0   12456      0      0 0        9876      0      0      0 BMRU

Diagnostics: High RX-ERR/TX-ERR indicates packet corruption or NIC issues.

4. Detect Suspicious Connections#

# Find established connections on unusual ports
netstat -atnp | grep ESTABLISHED | grep -v ':80\|:443'

Security Practice: Regular scans for unauthorized connections (e.g., port 6667/IRC).

5. Continuous HTTP Connection Monitoring#

# Linux-specific
netstat -cnt | grep :80

Sample Output (refreshes every second):

Active Internet connections (w/o servers)
tcp 0 0 192.168.1.5:51002   104.18.35.1:80  ESTABLISHED

Interpreting Netstat Output#

Key Connection States:#

| State | Meaning |
|---|---|
| LISTEN | Port is open and accepting connections. |
| ESTABLISHED | Active bidirectional connection. |
| SYN_SENT | Client attempting to connect (sent SYN). |
| SYN_RECV | Connection request received from the network. |
| FIN_WAIT1 | Socket closed; connection is shutting down. |
| FIN_WAIT2 | Connection closed; waiting for shutdown from remote end. |
| TIME_WAIT | Connection closed, but socket waiting for lingering packets (2MSL). |
| CLOSE_WAIT | Remote end closed; local app hasn't released the socket. |
| LAST_ACK | Remote end shut down; waiting for final acknowledgement. |
| CLOSING | Both sides shut down, but not all data sent yet. |
| CLOSED | Socket is not in use. |

These states are defined in RFC 793 and RFC 9293. See the IANA Port Assignments for registered port information.

Critical Statistics Metrics:#

  • RX/TX Errors: Hardware/driver issues or network congestion.
  • Dropped Packets (RX-DRP/TX-DRP): Buffer overflows or misconfigurations.
  • TIME_WAIT Accumulation: May exhaust available ports; enable net.ipv4.tcp_tw_reuse or adjust ephemeral port range.

Security & Performance Best Practices#

  1. Audit Listening Services Regularly:

    # Linux
    netstat -tuln
     
    # macOS
    netstat -an | grep LISTEN
     
    # Windows
    netstat -ano | findstr LISTENING

    Disable unnecessary services to reduce attack surface.

  2. Detect Port Scanners and SYN Floods: many sockets stuck in SYN_RECV are half-open connections, the signature of a SYN flood.

  3. Monitor for Backdoors: Hunt for unexpected ESTABLISHED connections at odd hours:

    # Linux
    netstat -anp | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort -u
     
    # macOS (use lsof to view process information)
    netstat -an | grep ESTABLISHED
    lsof -i | grep ESTABLISHED
     
    # Windows
    netstat -ano | findstr ESTABLISHED

  4. TCP Performance Tuning: Investigate TIME_WAIT sockets:

    netstat -n | grep TIME_WAIT | wc -l

    If > 10,000, consider adjusting:

    sysctl net.ipv4.tcp_max_tw_buckets=20000
    sysctl net.ipv4.tcp_tw_reuse=1

  5. Least Privilege Principle: Run netstat as non-root unless -p (process info) is required.


Limitations & Modern Alternatives#

Netstat Shortcomings:

  • Marked as obsolete on Linux (the netstat man page states: "This program is mostly obsolete").
  • Part of the net-tools package, which is no longer actively maintained.
  • Resolves hostnames by default (use -n to disable DNS lookups for faster output).
  • Slower than ss on busy servers because it does not use the netlink interface.

Modern Replacements:#

  1. ss (Linux) — The primary replacement for netstat. Uses netlink for faster queries and shows more TCP state information:
    ss -tunap  # Faster and more detailed than netstat
  2. ip (Linux) — Replaces netstat -r (routing) and netstat -i (interface stats):
    ip route       # replaces netstat -r
    ip -s link     # replaces netstat -i
    ip maddr       # replaces netstat -g
  3. lsof (Cross-Platform):
    lsof -i  # Lists processes with open network sockets
  4. Get-NetTCPConnection (PowerShell):
    Get-NetTCPConnection | Where-Object {$_.State -eq 'Established'}

Netstat to ss Command Equivalents#

| netstat Command | ss Equivalent | Description |
|---|---|---|
| netstat -a | ss -a | Show all sockets |
| netstat -at | ss -t | TCP connections only |
| netstat -au | ss -u | UDP connections only |
| netstat -l | ss -l | Listening sockets only |
| netstat -lt | ss -lt | Listening TCP ports |
| netstat -p | ss -p | Show process using socket |
| netstat -an | ss -n | Numeric output (no DNS) |
| netstat -tulnp | ss -tulnp | Listening TCP/UDP with PIDs |
| netstat -r | ip route | Routing table |
| netstat -i | ip -s link | Interface statistics |

Conclusion#

Netstat is a timeless diagnostic Swiss Army knife, but understanding its context, output, and limitations ensures effective network analysis. While alternatives like ss offer performance gains, netstat’s cross-platform availability makes it indispensable for quick checks. Combine it with tools like Wireshark for deep packet analysis or SIEM solutions for enterprise monitoring. Remember: persistent anomalies often indicate deeper issues—correlate netstat data with other telemetry for decisive action.


References#

  1. netstat(8) — Linux manual page
  2. Microsoft Docs: netstat
  3. RFC 793: Transmission Control Protocol
  4. RFC 9293: Transmission Control Protocol (TCP)
  5. Deprecated Linux Command Replacements — Red Hat
  6. IANA Service Name and Port Number Registry
  7. An Introduction to the ss Command — Linux Foundation