Mastering `netstat`: A Comprehensive Guide to Network Diagnostics

netstat (network statistics) is a command-line utility for analyzing network connections, listening ports, routing tables, and network interface statistics. It is essential for system administrators, developers, and security analysts to troubleshoot network issues, verify service availability, and detect unauthorized connections.

While netstat has been deprecated on Linux in favor of ss and ip (from the iproute2 suite), it remains widely available and is still the standard network diagnostic tool on Windows and macOS. This guide covers netstat syntax, use cases, best practices, and operating system-specific nuances.

Table of Contents

  1. What is netstat?
  2. Installation
  3. Basic Syntax
  4. Key Options and Usage
  5. Common Use Cases
  6. Advanced Usage & Best Practices
  7. OS-Specific Differences
  8. Alternatives to netstat
  9. Conclusion
  10. References

What is netstat?

netstat displays:

  • Active TCP/UDP connections, including connection states such as ESTABLISHED, SYN_SENT, and LISTEN
  • Listening ports for services awaiting incoming connections
  • System routing tables that define network traffic paths
  • Network interface statistics, including bytes sent/received and error counts
  • Process IDs (PIDs) associated with connections to identify applications using specific ports

It is available on Linux, Windows, and macOS, though syntax and available options vary between platforms. On Linux, the net-tools package (which includes netstat) has been deprecated in favor of iproute2 utilities such as ss and ip.

Installation

  • Linux: Part of the net-tools package. Many modern distributions no longer install it by default. If missing:
    sudo apt install net-tools      # Ubuntu/Debian
    sudo dnf install net-tools      # Fedora/RHEL 8+/CentOS Stream
    sudo yum install net-tools      # RHEL 7/CentOS 7
  • Windows: Pre-installed (use Command Prompt or PowerShell).
  • macOS: Pre-installed (use Terminal).

Basic Syntax

netstat [options]

Options filter output to show specific information, such as TCP-only connections, numerical addresses, or process IDs.

Key Options and Usage

-a (All Connections)

Shows all active TCP/UDP connections and listening server ports.

Example (Linux):

netstat -a

Output includes:

  • TCP connections with states: ESTABLISHED (active connection) and LISTEN (awaiting connections)
  • UDP connections (state column typically blank as UDP is connectionless)

-t (TCP) & -u (UDP)

Filter output by protocol:

  • -t: Show only TCP connections
  • -u: Show only UDP connections (connectionless, so no state tracking like TCP)

Examples:

netstat -at  # All TCP connections (active + listening)
netstat -au  # All UDP connections

-n (Numerical Addresses)

Displays IP addresses and ports as numerical values, skipping DNS lookups for faster output.

Example:

netstat -an  # All connections in numerical format

This option avoids delays from DNS resolution, which is especially critical when running netstat in scripts.

-p (Process ID)

Shows the PID and program name associated with each connection (requires sudo privileges on Linux).

Example (Linux, run with sudo):

sudo netstat -ap  # Show PIDs for all connections

Windows equivalent: Use the -o flag to show PIDs:

netstat -ano  # Show TCP/UDP connections with PIDs

macOS note: macOS netstat does not support -p for process information; use lsof -i instead.

-r (Routing Table)

Displays the system’s kernel routing table (output is similar to the route command).

Example:

netstat -r

Output includes:

  • Destination: Target network or host address
  • Gateway: Next-hop router address (e.g., default gateway)
  • Iface: Network interface used for the route (e.g., eth0, wlan0)

-s (Statistics)

Shows detailed protocol statistics for TCP, UDP, ICMP, and other network protocols.

Example:

netstat -s  # Show statistics for all protocols
netstat -st  # Show TCP-only statistics

This is useful for diagnosing network issues; for example, high TCP retransmission rates indicate potential packet loss.

-l (Listening Ports)

Shows only listening sockets for services awaiting incoming connections.

Example:

netstat -ltn  # Show TCP listening ports in numerical format

macOS note: macOS netstat does not support the -l option.

-e (Extended Info)

Provides extended information depending on the operating system:

  • Linux: Shows extended connection details such as User and Inode
  • Windows: Shows Ethernet statistics including total bytes sent and received

Example (Linux):

netstat -e

-i (Interface Statistics)

Shows network interface statistics including bytes sent/received, errors, and dropped packets (Linux/macOS):

Example (Linux/macOS):

netstat -i

Common Use Cases

1. Check Listening Ports

Verify if a service such as a web server is running and listening for connections:

netstat -ltn  # Show TCP listening ports in numerical format
netstat -lun  # Show UDP listening ports in numerical format
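
Checking listeners by eye does not scale, so the following added example (not part of the original guide) compares Linux `netstat -tuln` output with an approved baseline and reports every listener outside it, marking whether it is bound to loopback or exposed on other interfaces. The `APPROVED` list, the function names, and the sample output are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Report listening sockets that are not in an approved baseline.
# APPROVED is a hypothetical baseline written as proto/port.
APPROVED="tcp/22 tcp/443 udp/123"

unexpected_listeners() {
  awk -v approved="$APPROVED" '
    BEGIN { n = split(approved, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      # TCP rows carry a state. UDP rows leave it blank, so a UDP row counts
      # as a listener when its foreign address is the wildcard.
      if ($1 ~ /^tcp/ && $6 != "LISTEN") next
      if ($1 ~ /^udp/ && $5 !~ /:\*$/) next
      proto = substr($1, 1, 3)                 # fold tcp6/udp6 into tcp/udp
      port = $4; sub(/^.*:/, "", port)         # text after the last colon
      addr = $4; sub(/:[0-9]+$/, "", addr)     # text before the port
      key = proto "/" port
      if (key in ok) next
      scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
      print key, addr, scope
    }'
}

# Constructed sample of `netstat -tuln` output (not captured from a real host).
sample_listeners() {
  cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 127.0.0.53:53           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
EOF
}

sample_listeners | unexpected_listeners
# Live use on Linux: netstat -tuln | unexpected_listeners
```

An "exposed" row that is missing from the baseline is the one to investigate first; adding -p (with sudo) to the netstat call identifies the owning process.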

2. Troubleshoot Port Conflicts

Identify which process is using a specific port (e.g., port 80) to resolve conflicts:

Linux:

sudo netstat -tulpn | grep ':80 '  # Trailing space keeps :8080 and :8000 out of the match

Windows:

netstat -ano | findstr :80  # Find PID using port 80
tasklist /FI "PID eq 1234"  # Identify process name by PID (replace 1234 with actual PID)

macOS:

sudo lsof -i :80  # Identify processes using port 80

3. Monitor Network Statistics

Check for TCP retransmissions, which indicate potential network issues such as packet loss:

netstat -st | grep -i retrans  # Matches "segments retransmitted" as well as the "... retransmits" counters

4. Verify Routing Configuration

Check the default gateway and network path configurations:

netstat -r

Advanced Usage & Best Practices

  • Combine Options: Use multiple flags together to get precise output:

    netstat -tuln  # Show TCP/UDP listening ports in numerical format
  • Filter Output: Pipe results to grep (Linux/macOS) or findstr (Windows) to locate specific ports, IP addresses, or connection states:

    netstat -an | grep ESTABLISHED  # Show only active TCP connections
  • Security Auditing: Regularly review open connections to detect unexpected ESTABLISHED connections to unknown external IP addresses, which may indicate unauthorized access.

  • Scripting Best Practices: Always use the -n flag in scripts to avoid delays caused by automatic DNS resolution. On Linux, consider using ss instead — it is significantly faster and supports filtering by TCP state:

    ss -tun state established  # Faster equivalent using ss
  • Continuous Monitoring: Use the -c flag (Linux) to refresh output continuously, or specify an interval:

    netstat -c          # Continuous output (Linux)
    netstat -an 5       # Refresh every 5 seconds (Windows)
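
The security-auditing review described in the list above can be scripted. This added example (not part of the original guide) filters netstat output down to ESTABLISHED TCP connections whose peer is neither a private or loopback address nor on an allowlist; it finds the state column by value, so it accepts both Linux `netstat -tnp` and Windows `netstat -ano` rows. The `ALLOWED_PEERS` list, the function names, and the sample rows are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Flag ESTABLISHED TCP peers that are neither private/loopback nor allowlisted.
# ALLOWED_PEERS is a hypothetical allowlist (documentation-range addresses).
ALLOWED_PEERS="203.0.113.10 203.0.113.25"

audit_established() {
  awk -v allowed="$ALLOWED_PEERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      # Find the state column by value: field 6 on Linux, field 4 on Windows.
      s = 0
      for (i = 3; i <= NF; i++) if ($i == "ESTABLISHED") s = i
      if (s == 0) next
      peer = $(s - 1)
      owner = (s < NF) ? $(s + 1) : "-"    # PID/program (-p) or PID (-o) if shown
      sub(/:[0-9]+$/, "", peer)            # drop the port
      sub(/^\[/, "", peer); sub(/\]$/, "", peer)   # Windows brackets IPv6
      sub(/^::ffff:/, "", peer)            # unwrap IPv4-mapped IPv6
      if (peer ~ /^(127\.|10\.|192\.168\.|169\.254\.)/) next
      if (peer ~ /^172\.(1[6-9]|2[0-9]|3[01])\./) next
      if (peer == "::1" || peer ~ /^fe80:/ || peer ~ /^f[cd][0-9a-f][0-9a-f]:/) next
      if (peer in ok) next
      print $(s - 2) " -> " $(s - 1) " " owner
    }'
}

# Constructed sample: Linux `netstat -tnp` rows plus one Windows `netstat -ano` row.
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.20:22         192.168.1.5:51514       ESTABLISHED 2210/sshd
tcp        0      0 192.168.1.20:40112      203.0.113.10:443        ESTABLISHED 3051/curl
tcp        0      0 192.168.1.20:51820      198.51.100.99:9001      ESTABLISHED 4102/python3
tcp6       0      0 ::ffff:192.168.1.20:80  ::ffff:10.0.0.8:39012   ESTABLISHED 900/nginx
  TCP    192.168.1.30:49712     198.51.100.99:8443     ESTABLISHED     5516
EOF
}

sample_netstat | audit_established
# Live use on Linux: sudo netstat -tnp | audit_established
```

macOS netstat separates address and port with a dot rather than a colon, so its output needs a different port-stripping rule before this filter applies.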

OS-Specific Differences

Feature               Linux                                     Windows                          macOS
Process Information   sudo netstat -ap                          netstat -ano                     sudo lsof -i
Listening Ports       netstat -ltn                              netstat -an | findstr LISTENING  netstat -an | grep LISTEN
Routing Table         netstat -r (or ip route)                  netstat -r                       netstat -r
Extended Statistics   netstat -e (extended connection details)  netstat -e (Ethernet stats)      N/A
Interface Statistics  netstat -i (or ip -s link)                N/A                              netstat -i

Alternatives to netstat

On Linux, netstat is part of the net-tools package, which has been deprecated by most major distributions (including RHEL 7+, Debian 9+, and Arch Linux) in favor of the iproute2 suite. The netstat man page itself states: "This program is obsolete. Replacement for netstat is ss."

ss (Socket Statistics) — Linux

The primary replacement for netstat on Linux. It is faster, supports more socket types, and can filter by TCP state:

ss -tuln               # Show TCP/UDP listening ports (equivalent to netstat -tuln)
ss -tunp               # Show TCP/UDP connections with process info (equivalent to netstat -tunp)
ss -s                  # Show socket summary statistics
ss state established   # Filter by connection state

Quick comparison — netstat to ss:

Task                      netstat         ss / ip
All listening TCP ports   netstat -tln    ss -tln
All connections with PID  netstat -tunap  ss -tunap
Routing table             netstat -r      ip route
Interface statistics      netstat -i      ip -s link
Multicast groups          netstat -g      ip maddr

ip — Linux

The ip command (from iproute2) replaces several netstat functions:

ip route          # Routing table (replaces netstat -r)
ip -s link        # Interface statistics (replaces netstat -i)
ip maddr          # Multicast group memberships (replaces netstat -g)

PowerShell — Windows

Windows PowerShell provides cmdlets for more detailed network information:

Get-NetTCPConnection                  # List all TCP connections
Get-NetTCPConnection -State Listen    # List only listening TCP connections
Get-NetUDPEndpoint                    # List UDP endpoints

lsof — Cross-platform

Shows both network connections and open file handles:

lsof -i :80       # Identify processes using port 80
lsof -i -P -n     # List all network connections without DNS resolution

Conclusion

netstat remains a useful tool for network troubleshooting across all major operating systems, despite being deprecated on Linux. Mastering core options such as -a, -n, and -p enables you to:

  • Identify open ports and running services
  • Resolve port conflicts between applications
  • Monitor overall network health, including metrics like TCP retransmission rates

On modern Linux systems, ss and ip (from the iproute2 suite) are the recommended replacements for netstat. They are faster, support newer kernel features, and are actively maintained. However, netstat remains valuable for its cross-platform compatibility, simple syntax, and widespread availability — especially in scripts that need to work across Linux, Windows, and macOS.

References