logo
eng-flag

Netstat Cheatsheet

Table of Contents

  1. Introduction
  2. Basic Usage
  3. Common Options
  4. Advanced Usage
  5. Practical Examples
  6. Troubleshooting with Netstat
  7. Netstat Alternatives
  8. Conclusion

Introduction

Netstat (network statistics) is a powerful command-line tool used for monitoring network connections and their statistics. It's available on various operating systems, including Windows, Linux, and macOS. Netstat provides valuable information about network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

This guide will cover the basics of netstat, its common uses, advanced features, and practical examples to help you leverage this tool effectively for network diagnostics and monitoring.

Basic Usage

The simplest way to use netstat is by running it without any options:

netstat

This command displays a list of active connections on your system. However, to get more useful information, you'll often want to use netstat with various options.

Common Options

Here are some of the most commonly used netstat options:

  1. -a: Shows all connections and listening ports
  2. -n: Displays addresses and port numbers in numerical form
  3. -b: (Windows only) Shows the executable involved in creating each connection or listening port
  4. -t: Displays only TCP connections
  5. -u: Shows only UDP connections
  6. -p: Displays the PID and name of the program to which each socket belongs
  7. -r: Shows the routing table
  8. -s: Prints statistics for all protocols
  9. -i: Shows network interface statistics
  10. -c: (Linux/Unix) Continuously lists connections

Let's look at some examples:

netstat -an

This command shows all connections (-a) with numerical addresses and ports (-n).

netstat -tunp

On Linux, this displays TCP and UDP connections with numerical addresses and the associated processes.

Advanced Usage

Filtering Output

You can use grep (on Linux/Unix) or findstr (on Windows) to filter netstat output:

Linux:

netstat -an | grep ':80'

Windows:

netstat -an | findstr ":80"

These commands will show all connections on port 80.

Watching Connections in Real-time

On Linux, you can use the -c option to continuously update the display:

netstat -c

On Windows, you can achieve a similar effect using a loop:

:loop
netstat -an
timeout /t 5
cls
goto loop

Analyzing Connection States

To see the state of all TCP connections:

netstat -ant

This will show states like LISTENING, ESTABLISHED, TIME_WAIT, etc.

Practical Examples

1. Finding which process is using a specific port

Linux:

sudo netstat -tulpn | grep :80

Windows:

netstat -ano | findstr :80

2. Checking for listening ports

netstat -l

3. Displaying statistics for all protocols

netstat -s

4. Showing the routing table

netstat -r

5. Checking for possible DDoS attacks

This command shows the number of half-open connections, which could indicate a SYN flood attack:

netstat -n | grep SYN_RECV | wc -l

Troubleshooting with Netstat

Netstat is an invaluable tool for network troubleshooting. Here are some scenarios where netstat can be particularly useful:

  1. Identifying network bottlenecks: Use netstat -i to check interface statistics and identify any unusually high error counts or dropped packets.

  2. Detecting unauthorized services: Run netstat -plunt on Linux to list all listening TCP and UDP ports along with the process names. This can help identify any unexpected or potentially malicious services.

  3. Investigating high CPU usage: If a network-related process is consuming high CPU, use netstat to check its connections and identify any abnormal patterns.

  4. Troubleshooting connection issues: If an application can't connect to a server, use netstat to verify if the correct ports are open and listening.

  5. Monitoring established connections: Use netstat -ant | grep ESTABLISHED to see all current connections, which can help in understanding the network load.

Netstat Alternatives

While netstat is widely used, there are modern alternatives that provide similar or enhanced functionality:

  1. ss: A more powerful and faster replacement for netstat on Linux systems. Example: ss -tuln

  2. lsof: "List Open Files" can also be used to examine network connections. Example: lsof -i

  3. tcpdump: A powerful command-line packet analyzer. Example: tcpdump -i eth0

  4. Wireshark: A graphical network protocol analyzer that provides deep inspection of hundreds of protocols.

  5. iftop: Shows bandwidth usage on an interface by host. Example: iftop -i eth0

  6. nethogs: Groups bandwidth by process. Example: nethogs eth0

These tools can complement netstat or provide more detailed information in specific scenarios.

Conclusion

Netstat is a versatile and powerful tool for network diagnostics and monitoring. By mastering its various options and use cases, you can gain valuable insights into your system's network connections, identify issues, and troubleshoot effectively.

Remember that while netstat is available on most systems, the exact options and output format may vary between operating systems. Always consult the man pages (man netstat) or help documentation (netstat --help) for system-specific details.

As networks become increasingly complex, tools like netstat remain essential for both system administrators and network professionals. Whether you're troubleshooting a connection issue, monitoring network performance, or auditing your system's network usage, netstat provides the information you need at your fingertips.

2024 © All rights reserved - buraxta.com