Netstat

From Postmaster Administration Wiki

netstat is a network status tool used to see active network connections and services. BSD, Linux, and Windows systems all supply netstat, but its options and presentation can vary from operating system to operating system. All three systems have in common the -a (all), -n (numbers-only), and -r (routing table) options. The -a option shows all the connections, including servers, daemons, or services; without this option only active connections are shown. The -n option suppresses the lookup of IP addresses to host names and port numbers to service names; without this option the output on high-traffic machines can take some time to process and display, and the names are often truncated. The output can be rather lengthy, so using a pager like more(1) is recommended.


Common usage

$ netstat -na | more
...


The example below from a NetBSD server shows the connection protocol (tcp, tcp6, udp, udp6, unix/local sockets); packets in and out; and the local address, the remote address, and connection state. netstat is particularly useful for showing what local ports are in use.


NetBSD example

$ netstat -n
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        State
tcp        0     96  192.168.2.99.65182     82.97.10.34.22980      ESTABLISHED
Active Internet6 connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp6       0      0  ::1.22980              ::1.65311              ESTABLISHED
tcp6       0      0  ::1.65311              ::1.22980              ESTABLISHED
tcp6       0      0  ::1.22980              ::1.65326              ESTABLISHED
tcp6       0      0  ::1.65326              ::1.22980              ESTABLISHED
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
c2c2ab04 stream      0      0        0 c2c2a7e4        0        0 
c2c2aa14 stream      0      0 c53cac70        0        0        0 /tmp/ssh-00000992aa/agent.992
c2c2a7e4 stream      0      0        0 c2c2ab04        0        0 
c240000c stream      0      0 c3f3b634        0        0        0 /tmp/ssh-00010733aa/agent.10733
c2c2ace4 stream      0      0        0 c2c2abf4        0        0 
c2c2abf4 stream      0      0        0 c2c2ace4        0        0 
c2c2af14 stream      0      0        0 c2c2aec4        0        0 /tmp/.X11-unix/X0
c2c2aec4 stream      0      0        0 c2c2af14        0        0 -> /tmp/.X11-unix/X0
c24000fc stream      0      0        0 c2400cdc        0        0 /tmp/.X11-unix/X0
c24000ac stream      0      0        0 c2c2add4        0        0 -> /tmp/.X11-unix/X0
c2c2add4 stream      0      0        0 c24000ac        0        0 /tmp/.X11-unix/X0
c240019c stream      0      0 c2908008        0        0        0 /var/run/mdnsd/mdnsd
c24009bc stream      0      0 c28d08f4        0        0        0 /var/nmbd/unexpected
c2400a0c stream      0      0        0 c2400a5c        0        0 
...


The Linux and Windows versions of netstat also offer options to display which processes are associated with a given connection. For Linux use the -p (pid/program) option and for Windows use the -b option. This is very useful when trying to resolve conflicts between two services wanting to bind to the same port, or when looking for unsuspected hidden daemons. Under Windows, netstat is a privileged tool, so administrator rights are required to use it. On OpenBSD and NetBSD, one can use fstat to gain a similar effect: fstat | grep internet


Windows example with -b option

C:\Windows\system32>netstat -nab
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:26             0.0.0.0:0              LISTENING
 [SecureCRT.exe]
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 [Skype.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
 [Skype.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:587            0.0.0.0:0              LISTENING
 [SecureCRT.exe]
  TCP    0.0.0.0:5901           0.0.0.0:0              LISTENING
 [SecureCRT.exe]
  TCP    0.0.0.0:9999           0.0.0.0:0              LISTENING
 [SecureCRT.exe]
  TCP    0.0.0.0:22590          0.0.0.0:0              LISTENING
 [SecureCRT.exe]
  TCP    0.0.0.0:44256          0.0.0.0:0              LISTENING
...
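
As an added example (not part of the original wiki page), the Python code below parses output in the netstat -nab layout shown above, pairs each listening socket with the owner line that follows it, and reports listeners whose owner is unknown or differs from an expected port-to-program map. The sample text, the helper.exe and browser.exe names, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the `netstat -nab` layout (not a real capture).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
 [Skype.exe]
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
 [helper.exe]
  TCP    192.168.2.50:49712     192.0.2.10:443         ESTABLISHED
 [browser.exe]
"""

# Connection row: proto, local addr:port, foreign addr, optional state (UDP has none).
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")  # executable name printed on a later line

def parse_listeners(text):
    """Return a list of dicts (proto, addr, port, owner) for listening sockets."""
    rows, cur = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            listening = state == "LISTENING" or (proto == "UDP" and state is None)
            cur = {"proto": proto, "addr": addr, "port": int(port), "owner": None} if listening else None
            if cur is not None:
                rows.append(cur)
        else:
            o = OWNER.match(line)  # service names such as "RpcSs" are skipped
            if o and cur is not None:
                cur["owner"] = o.group(1)
    return rows

def audit(rows, expected):
    """expected maps port -> program name; return (port, reason) for each mismatch."""
    findings = []
    for r in rows:
        if r["owner"] is None:
            findings.append((r["port"], "owner unknown"))
        elif expected.get(r["port"], "").lower() != r["owner"].lower():
            findings.append((r["port"], "unexpected owner " + r["owner"]))
    return findings
```

Capture real input from an elevated prompt with netstat -nab > listeners.txt and pass the file contents to parse_listeners; the expected map is whatever the administrator has documented for that host.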