13

In the same vein as the "Useful Command-line" questions (for Windows, Linux, and Mac), I think it would be handy to have "useful ways to use utility x" questions. Man pages tell you what parameters do, but not necessarily why you would use them, what the result means, what useful things the command does that you'd never know without extensive experimentation, or how to get the answer you really want.

I'd like to know about netstat. It would appear that I should be able to figure which processes are using bandwidth, and, indeed, how fast the system is using bandwidth. It also looks useful for detecting unwanted connections (likely virii), and it gives all sorts of routing information (that I only had to play with when trying to make a Sharp Zaurus PDA use TCP/IP over USB.) In other words, it sounds like a gold mine, and I was hoping some of you would share nuggets of information you've found.

Please include the version of netstat and your OS in your reply. It would be nice to see some sample output and know what it means. I've marked this question as community wiki, and I hope you'll do the same in your answers, so that other people, knowing a different OS, can put down a near equivalent command if they know, in the same answer, and then we can vote on which answers are the most useful.

Clinton Blackmore

14 Answers

4

Show local listening TCP/UDP ports, and the process they belong to:

sudo netstat -tulpn
cmcginty
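Added example, not from cmcginty's answer: a small sh/awk filter that reads `sudo netstat -tulpn` output and classifies each listener by how widely it is exposed (wildcard bind, loopback only, or one specific address), which is the first question to ask when reviewing what a box is serving. The sample text is constructed to mirror the net-tools column layout; it is not captured output.

```shell
# Added example, not from cmcginty's answer: classify the listeners that
# `sudo netstat -tulpn` reports by how widely they are exposed.
# The sample below is constructed to match net-tools output, not captured.
SAMPLE_TULPN='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1203/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1540/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           601/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           577/chronyd'

# classify_listeners: reads netstat -tulpn output on stdin and prints
# "SCOPE proto port program" per listener. SCOPE is ALL for a wildcard bind
# (0.0.0.0 or ::), LOCAL for loopback, BOUND for one specific address.
classify_listeners() {
  awk '
    $1 ~ /^(tcp|udp)6?$/ {
      addr = $4
      n = split(addr, parts, ":")
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "0.0.0.0" || host == "::") scope = "ALL"
      else if (host == "127.0.0.1" || host == "::1") scope = "LOCAL"
      else scope = "BOUND"
      prog = $NF                      # "PID/name", or "-" when not run as root
      sub(/^[0-9]+\//, "", prog)
      printf "%-5s %-4s %5s %s\n", scope, $1, port, prog
    }'
}

# count_exposed: number of listeners reachable from other hosts
# (everything that is not bound to loopback).
count_exposed() {
  classify_listeners | awk '$1 != "LOCAL" { n++ } END { print n + 0 }'
}

# Offline demonstration on the constructed sample; on a live system use:
#   sudo netstat -tulpn | classify_listeners
printf '%s\n' "$SAMPLE_TULPN" | classify_listeners
```

The loopback/wildcard split is what matters for review: a database on 127.0.0.1 is a different risk from the same daemon on 0.0.0.0, and the program column only appears when netstat runs with enough privilege to read other users' sockets.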
3

Netstat routing tables

[This was tested on Mac OS X 10.5.7. I suspect the result is nearly the same on all platforms, as it was indicated to work on Solaris.]

netstat -r 

will give you a routing table.

netstat -nr

is the same, but will give you raw IPs instead of looking up machine names. Its output looks like this (only longer):

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.40.250     UGSc       19        1    en1
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH          1     3140    lo0
169.254            link#5             UCS         0        0    en1
169.254.33.92      127.0.0.1          UHS         0        0    lo0
192.168.40         link#5             UCS        11        0    en1
192.168.40.1       0:17:f2:ca:a0:94   UHLW        0        0    en1   1150
...

Internet6:
Destination                             Gateway                         Flags      Netif Expire
::1                                     link#1                          UHL         lo0
fe80::%lo0/64                           fe80::1%lo0                     Uc          lo0
fe80::1%lo0                             link#1                          UHL         lo0
fe80::%en0/64                           link#4                          UC          en0
...
ff02::/32                               link#7                          UC          en2
ff02::/32                               link#8                          UC          en3

Columns:

Destination and Gateway: The destination is an address (or address range) we might want to send information to. All data sent to that destination will go to the associated gateway. The gateway knows where to send the data to for its next 'hop' on the journey. If we wish to send data to a destination that has no entry in the routing table, it will go through the default gateway.

Flags: The man/info page lists all the flags. Here are what the settings on my default gateway mean:

UGSc
U       - RTF_UP           Route usable
 G      - RTF_GATEWAY      Destination requires forwarding by intermediary
  S     - RTF_STATIC       Manually added
   c    - RTF_PRCLONING    Protocol-specified generate new routes on use

It's curious that it claims to be manually added, as it came over DHCP.

Refs: "The refcnt field gives the current number of active uses of the route. Connection oriented protocols normally hold on to a single route for the duration of a connection while connectionless protocols obtain a route while sending to the same destination." (Man page)

Use: "The use field provides a count of the number of packets sent using that route."

Netif: "The interface entry indicates the network interface utilized for the route."

On my Mac,

  • lo0 is the loopback interface.
  • en0 is ethernet.
  • en1 is wireless.
  • en2 and en3 are used by a virtual machine.

Expire: From a manpage for a different version of netstat: "Displays the time (in minutes) remaining before the route expires."

Bohemian
Clinton Blackmore
2

In windows:

c:>netstat -a | find /c "TCP"
68

Shows number of TCP/IP connections. Useful if you are troubleshooting high network systems that are running out of TCP ports and need to increase MaxUserPorts.

Christopher_G_Lewis
2

Check CommandLineFu's Netstat Page for some useful ways to use netstat in bash.

andyhky
2

Rate of Transmission/Reception

On the Mac [OS X 10.5.7]:

netstat -i -w 10

[See chuck's answer for notes about use on Solaris and Linux.]

The output looks like so:

            input        (Total)           output
   packets  errs      bytes    packets  errs      bytes colls
       794     0    1166796        763     0      50358     0
       789     0    1167773        765     0      52542     0
       792     0    1166548        765     0      51174     0
       796     0    1167262        598     0      40152     0
       929     0    1278561        846     0      65625     0
       563     0     815570        530     0      36828     0
        32     0       4360          1     0        774     0
         9     0        705          0     0        684     0
         9     0        631          0     0          0     0

This shows how many packets and bytes were transferred in a given interval of time. (10 seconds in this example). I was connected to youtube and was downloading over 1 MB every interval, until I closed the browser tab and the rate bottomed out.

This could prove useful if you are waiting for an upload or download to finish. Monitor the rate, and when it drops dramatically, you know it is done.

Note that the command above shows you all throughput on all interfaces. To scope it to a particular interface (WiFi in this example), use the -I flag, as so:

netstat -I en1 -w 10
Clinton Blackmore
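Added example, not from Clinton Blackmore's answer: a sh/awk function that converts the per-interval byte columns of `netstat -i -w 10` into KB/s and marks each interval BUSY or IDLE against a threshold, which is the "rate dropped, so the transfer is done" check described above done mechanically rather than by eye. The sample rows are constructed to mirror the layout shown; the 10-second interval and the 50 KB/s threshold are assumed defaults and can be passed as arguments.

```shell
# Added example, not from the original answer: turn the per-interval byte
# counts printed by `netstat -i -w 10` into rates and flag when the transfer
# has tailed off. Sample rows are constructed to resemble the output above.
SAMPLE_W10='            input        (Total)           output
   packets  errs      bytes    packets  errs      bytes colls
       794     0    1166796        763     0      50358     0
       789     0    1167773        765     0      52542     0
       563     0     815570        530     0      36828     0
        32     0       4360          1     0        774     0
         9     0        705          0     0        684     0'

# rates [interval_seconds] [threshold_kbps]: reads netstat -i -w output on
# stdin and prints "in_KBps out_KBps STATE" per interval, STATE being BUSY
# while inbound throughput is above the threshold and IDLE otherwise.
rates() {
  interval=${1:-10}; thresh=${2:-50}
  awk -v iv="$interval" -v th="$thresh" '
    NF == 7 && $1 ~ /^[0-9]+$/ {            # data rows only, not the two header lines
      in_kbps = $3 / iv / 1024; out_kbps = $6 / iv / 1024
      state = (in_kbps > th) ? "BUSY" : "IDLE"
      printf "%8.1f %8.1f %s\n", in_kbps, out_kbps, state
    }'
}

# busy_intervals: how many sampled intervals were still transferring.
busy_intervals() {
  rates "$@" | awk '$3 == "BUSY" { n++ } END { print n + 0 }'
}

# Offline demonstration; on a live Mac: netstat -I en1 -w 10 | rates 10 50
printf '%s\n' "$SAMPLE_W10" | rates
```

The byte column is per interval, not cumulative, which is why dividing by the interval length gives a rate directly; the same division does not work on the Linux `netstat -i` counters, which are running totals.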
1

Windows:

Netstat -n
(Show active TCP connections, don't slow down trying to do name resolution)

Proto  Local Address          Foreign Address        State
TCP    192.168.1.38:4853    69.59.196.212:80       ESTABLISHED

Shows active TCP connections, but no UDP activity.

Netstat -an
  (Show all connections, don't slow down trying to do name resolution)

Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    192.168.1.38:4853    69.59.196.212:80       ESTABLISHED

Shows all active TCP connections, as well as listening TCP and UDP connections. Does not show outbound UDP activity here.

Mike
  • I'll add a comment for now, but when I have enough rep, I'll edit the answer. netstat on Mac OS X 10.5.7 equivalent -- add -p tcp so it is limited to the tcp protocol. i.e. `netstat -p tcp -n`, or `netstat -p tcp -an` – Clinton Blackmore May 22 '09 at 15:59
  • Another useful couple of switches on Windows are -o (show the owning PID of each socket) and -b (show the owning process name of each socket). Particularly handy when investigating machines you suspect have been compromised. – Murali Suriar May 22 '09 at 16:40
  • netstat -nt does the same thing (numeric and tcp only) – Jauder Ho May 23 '09 at 05:02
1

Windows

netstat -b

Display the process using the connection

1

Windows 7 (possibly since earlier, though):

netstat -ano

lists active sessions with associated PIDs

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING       1724

or to save a step

netstat -anb

(from an elevated CMD prompt) gives the process name

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
 [wmpnetwk.exe]
  TCP    0.0.0.0:2048           0.0.0.0:0              LISTENING
TristanK
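Added example, not from TristanK's answer: a sh/awk filter that joins the service and `[process]` lines `netstat -anb` prints beneath each socket back onto the socket's own line, so saved output from a Windows host can be triaged on any machine with awk, and sockets whose owner could not be determined are marked rather than silently dropped. The sample text is constructed to mirror the layout shown above.

```shell
# Added example, not from the original answer: re-join the multi-line
# `netstat -anb` output so each socket carries its owning process.
# The sample is constructed to mirror the layout in the answer above.
SAMPLE_ANB='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
 [wmpnetwk.exe]
  TCP    192.168.1.38:4853      69.59.196.212:80       ESTABLISHED
 [firefox.exe]'

# owners: reads netstat -anb output on stdin and prints
# "proto local_address state owner" per socket. A service name line
# (e.g. RpcSs) is joined to the process as "service:process"; sockets
# netstat could not attribute are reported as "(unknown)".
owners() {
  awk '
    $1 == "TCP" || $1 == "UDP" {
      if (sock != "") print sock, (owner == "" ? "(unknown)" : owner)
      sock = $1 " " $2 " " (NF >= 4 ? $4 : "-"); owner = ""; next
    }
    /^ *\[.*\] *$/ {                            # "[process.exe]" line
      gsub(/\[|\]| /, "")
      owner = (owner == "" ? $0 : owner ":" $0); next
    }
    /Can not obtain ownership/ { owner = "(unknown)"; next }
    sock != "" && NF == 1 { owner = $1 }        # bare service name line
    END { if (sock != "") print sock, (owner == "" ? "(unknown)" : owner) }'
}

# Offline demonstration on the constructed sample; for a real capture:
#   owners < netstat-anb.txt
printf '%s\n' "$SAMPLE_ANB" | owners
```

The "(unknown)" rows are worth a second look in their own right: on the sample above port 445 is owned by the kernel (PID 4 in the `-ano` listing), which netstat cannot name, but an unattributable listener on an unexpected port is exactly what `-ano` plus a process listing should then be used to resolve.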
1

I'm sure I am reinventing the wheel but here is a simple Perl script to run netstat and sort the output so that the IPs currently mostly connected come out on top. This is best used with the 'watch' program for updates in 2-second intervals.

Update: significant rewrite 2013-02-11 to get rid of many problems and display hostnames

Sample output:

Distant inbound connections: 2
   85.93.216.17:772               <-- 78.141.139.10       :    1        ip-78-141-139-10.dyn.luxdsl.pt.lu     1 x ESTABLISHED
   80.90.47.155:443               <-- 78.141.139.10       :    1        ip-78-141-139-10.dyn.luxdsl.pt.lu     1 x ESTABLISHED
Distant outbound connections: 3
   80.90.63.61                    --> 80.90.63.48:25      :    2        smtp.m-plify.net                      2 x TIME_WAIT
   85.93.216.17                   --> 85.93.216.18:772    :    1        maya.m-plify.net                      1 x ESTABLISHED
Looping connections: 57 (10 duplicates)
   127.0.0.1                      --> 127.0.0.1:9355      :   20                                              1 x ESTABLISHED, 8 x TIME_WAIT, 11 x CLOSE_WAIT
   127.0.0.1                      --> 127.0.0.1:4713      :   10                                             10 x CLOSE_WAIT
   127.0.0.1                      --> 127.0.0.1:9353      :    9                                              4 x TIME_WAIT, 5 x CLOSE_WAIT
   127.0.0.1                      --> 127.0.0.1:3306      :    8                                              6 x ESTABLISHED, 1 x TIME_WAIT, 1 x CLOSE_WAIT
   127.0.0.1                      --> 127.0.0.1:5445      :    5                                              1 x ESTABLISHED, 4 x TIME_WAIT
   127.0.0.1                      --> 127.0.0.1:9354      :    2                                              2 x CLOSE_WAIT
   127.0.0.1                      --> 127.0.0.1:7998      :    1                                              1 x TIME_WAIT
   127.0.0.1                      --> 127.0.0.1:3351      :    1                                              1 x ESTABLISHED
   127.0.0.1                      --> 127.0.0.1:32000     :    1                                              1 x ESTABLISHED
David Tonhofer
0

Solaris:

netstat -nr
(displays routing table)
Milner
0

From the Wicked Cool Shell Scripts book:

Script #90.1: Every 'n' minutes, grab netstats values (via crontab)

Script #90.2: Analyze the netstat running performance log, identifying important results and trends.

(Love this book - well worth buying!)

gharper
0

On Solaris, a lot of people are used to doing "netstat -i 1" to get a running packet count. The Linux netstat has a useless version of this feature, as it shows you the raw count and not a delta. To get similar results, do "sar -n DEV 1 0". Consider actually "LANG=C sar -n DEV 1 0 | grep interfacename" (sar puts the time with AM and PM at the beginning of the line in certain locales, so it is best to get in the habit of always running "LANG=C sar" in case you will ever parse it).

carlito
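Added example, not from carlito's answer: the Linux `netstat -i` counters are running totals, so getting a per-second packet rate means taking two snapshots and subtracting. The sh/awk function below does that for every interface, including the RX-ERR delta, which is the column a defender actually wants to see moving. The two snapshots are constructed in the net-tools layout; the column positions (RX-OK in column 3, RX-ERR in column 4, TX-OK in column 7) are an assumption about that layout, and older net-tools builds that print a Met column shift them by one.

```shell
# Added example, not from the original answer: turn two cumulative
# `netstat -i` snapshots into per-second deltas. Both snapshots below are
# constructed in the net-tools layout (no Met column), not captured.
SNAP_A='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1234567      0      0 0       987654      0      0      0 BMRU
lo       65536    45678      0      0 0        45678      0      0      0 LRU'
SNAP_B='Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1235067      2      0 0       987904      0      0      0 BMRU
lo       65536    45688      0      0 0        45688      0      0      0 LRU'

# packet_delta BEFORE AFTER SECONDS: prints "iface rx_pkts/s tx_pkts/s rx_err_delta"
# for every interface present in both snapshots.
packet_delta() {
  printf '%s\n%s\n' "$1" "$2" | awk -v secs="$3" '
    $1 == "Iface" { pass++; next }              # header line starts each snapshot
    pass == 1 && NF == 11 { rx[$1] = $3; rxe[$1] = $4; tx[$1] = $7 }
    pass == 2 && NF == 11 && ($1 in rx) {
      printf "%s %d %d %d\n", $1, ($3 - rx[$1]) / secs, ($7 - tx[$1]) / secs, $4 - rxe[$1]
    }'
}

# Offline demonstration on the constructed snapshots; live use on Linux:
#   a=$(netstat -i); sleep 5; b=$(netstat -i); packet_delta "$a" "$b" 5
packet_delta "$SNAP_A" "$SNAP_B" 5
```

Keying the arrays by interface name rather than line position means an interface that appears or disappears between snapshots (a tunnel or VPN coming up) is simply skipped instead of being paired with the wrong row.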
0

On Solaris,

netstat -k

Shows a summary of various statistics. Useful for checking for errors etc.

Jauder Ho
0

Since no one has mentioned it yet:

netstat -s 

provides a ton of useful statistics by protocol under Linux.

dmourati