Softpanorama

May the source be with you, but remember the KISS principle ;-)
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

netstat


The netstat command is used to query the routing table of the local host and the status of TCP/IP networking. In Solaris the command is located in the /usr/bin directory; in Linux, in /bin. The options are largely the same on both (which is a rare thing :-)

When used with the -i option, netstat displays the state of the Ethernet interfaces; with the -r option it displays routing information, and with the -s option statistical information.

One of the more useful options is:

        netstat -pa

The -p option tells netstat to try to determine which program has the socket open, which is often very useful information. For example, someone runs nmap against their own system and wants to know what is using port 666. Running netstat -pa will show the daemon running on that TCP port.

One of the most twisted, but useful invocations is:

netstat -a -n | grep -E "^(tcp)" | cut -c 68- | sort | uniq -c | sort -n

This will show you a sorted list of how many sockets are in each connection state. For example:

      9  LISTEN      
     21  ESTABLISHED 

The exact syntax of this command is Unix flavor dependent. In general, it can provide information on:

Typical usage

Displaying the Routing Table

netstat with the -r option displays the kernel routing table in a form similar to the parameters supplied to the route command. For example, on Red Hat Linux 5.6 netstat -rn will display:

# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
99.89.234.138  44.29.2.1      255.255.255.255 UGH       0 0          0 eth1
10.201.44.100  44.29.1.3      255.255.255.255 UGH       0 0          0 eth0
44.29.129.2    44.29.1.3      255.255.255.255 UGH       0 0          0 eth0
10.201.13.251  10.193.5.1     255.255.255.255 UGH       0 0          0 eth1
64.44.240.26   44.29.2.1      255.255.255.255 UGH       0 0          0 eth1
99.89.234.134  44.29.2.1      255.255.255.255 UGH       0 0          0 eth1
64.44.240.27   44.29.2.1      255.255.255.255 UGH       0 0          0 eth1
44.29.129.0    44.29.2.1      255.255.255.0   UG        0 0          0 eth1
44.29.2.0      0.0.0.0        255.255.255.0   U         0 0          0 eth1
44.29.1.0      0.0.0.0        255.255.255.0   U         0 0          0 eth0
10.193.5.0     0.0.0.0        255.255.255.0   U         0 0          0 eth1
10.201.145.0   44.29.2.1      255.255.255.0   UG        0 0          0 eth1
69.254.0.0     0.0.0.0        255.255.0.0     U         0 0          0 eth0
10.0.0.0       10.193.5.1     255.0.0.0       UG        0 0          0 eth1
127.0.0.0      0.0.0.0        255.0.0.0       U         0 0          0 lo
0.0.0.0        10.193.5.1     0.0.0.0         UG        0 0          0 eth1

The -n option suppresses resolution of hostnames and displays all IPs in numeric form,  rather than the symbolic host and network names.

The second column shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed with the -r option and 0.0.0.0 with the -rn option.

The third column shows the generality of the route, i.e., the network mask for this route. The routing table displayed by netstat is sorted by netmask length, longest first: host routes have the netmask 255.255.255.255 and are displayed first.

When given an IP address to find a suitable route for, the kernel iterates through each entry of the routing table taking the bitwise AND of the address and the genmask before comparing it to the target of the route.
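The lookup described above, carried out over a subset of the routing table printed earlier, as an added example that is not part of the original page. It follows the page's description (first entry whose destination equals address AND genmask) and relies on the table being listed most-specific-first, as netstat prints it; the names sample_routes, ip_to_int and route_lookup are chosen for the example.

```shell
#!/bin/sh
# Added example: first-match route lookup over `netstat -rn` output.

# Subset of the routing table shown on this page, most specific routes first.
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.201.44.100   44.29.1.3       255.255.255.255 UGH       0 0          0 eth0
10.201.13.251   10.193.5.1      255.255.255.255 UGH       0 0          0 eth1
44.29.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.193.5.0      0.0.0.0         255.255.255.0   U         0 0          0 eth1
10.201.145.0    44.29.2.1       255.255.255.0   UG        0 0          0 eth1
10.0.0.0        10.193.5.1      255.0.0.0       UG        0 0          0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
0.0.0.0         10.193.5.1      0.0.0.0         UG        0 0          0 eth1
EOF
}

# Convert a dotted quad (no leading zeros) to a 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup ADDRESS < routing-table
# Prints "dest/genmask via gateway dev iface" for the first matching entry
# and returns 0; returns 1 when no entry (not even a default route) matches.
route_lookup() {
    target=$(ip_to_int "$1")
    while read -r dest gw mask flags mss window irtt iface; do
        # Skip the banner and the column header: real entries start with a digit.
        case $dest in [0-9]*) ;; *) continue ;; esac
        d=$(ip_to_int "$dest")
        m=$(ip_to_int "$mask")
        # The test from the text: (address AND genmask) == destination.
        if [ $(( target & m )) -eq "$d" ]; then
            echo "$dest/$mask via $gw dev $iface"
            return 0
        fi
    done
    return 1
}

# Neighbouring addresses can leave through different gateways and interfaces
# when a host route (flags UGH) overrides the covering network route.
for ip in 10.201.44.100 10.201.44.101 10.193.5.20 8.8.8.8; do
    printf '%-15s -> %s\n' "$ip" "$(sample_routes | route_lookup "$ip")"
done
```

A gateway of 0.0.0.0 in the result means the destination is on a directly attached network. Host routes are worth reviewing when auditing a table, because each one silently overrides the network route that would otherwise apply.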

The fourth column displays the following flags that describe the route:

The next three columns show the MSS, Window and irtt that will be applied to TCP connections established via this route. The MSS is the Maximum Segment Size and is the size of the largest datagram the kernel will construct for transmission via this route. The Window is the maximum amount of data the system will accept in a single burst from a remote host.

The acronym irtt stands for initial round trip time. The TCP protocol ensures that data is reliably delivered between hosts by retransmitting a datagram if it has been lost. It keeps a running count of how long it takes for a datagram to be delivered to the remote end and an acknowledgement to be received, so that it knows how long to wait before assuming a datagram needs to be retransmitted; this interval is called the round-trip time. The initial round-trip time is the value that the TCP protocol will use when a connection is first established. For most network types the default value is okay, but for some slow networks, notably certain types of amateur packet radio networks, the time is too short and causes unnecessary retransmission. The irtt value can be set using the route command. Values of zero in these fields mean that the default is being used.

Finally, the last field displays the network interface that this route will use.

Displaying Interface Statistics

When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured.

# netstat -i
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0 90999751      0      0      0  507641      0      0      0 BMRU
eth1       1500   0 70789700      0      0      0  88102544    0      0      0 BMRU
eth1:vip1  1500   0     - no statistics available -                        BMRU
lo         6436   0    65636      0      0      0  65636       0      0      0 LRU

If the -a option is also given, it prints all interfaces present in the kernel, not only those that have been configured currently.

The MTU and Met fields show the current MTU and metric values for that interface. The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP); and how many were lost because of an overrun (RX-OVR/TX-OVR).

The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig:

Displaying Connections

netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display will give you a list of all servers that are currently running on your system.

Using the -a flag by itself will display all sockets from all families.



Old News

[May 29, 2021] How to monitor Socket connections using ss command

May 25, 2021 | www.2daygeek.com

ss (socket statistics) is a command line tool that monitors socket connections and displays the socket statistics of the Linux system. It can display stats for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and much more.

This replaces the deprecated netstat command in the latest version of Linux. The ss command is much faster and prints more detailed network statistics than the netstat command.

If you are familiar with the netstat command, it will be easier for you to understand the ss command as it uses similar command line options to display network connections information.


1) List all socket connections

The basic ss command without any arguments displays all the socket or network connections, as shown below:

$ ss

Understanding the output header:

The default output shows thousands of lines at once and part of the output will not be visible on the terminal, so use the "less" command for page-wise reporting.

$ ss | less

Netid State      Recv-Q  Send-Q            Local Address:Port            Peer Address:Port           
u_seq ESTAB      0       0                        @0000d 54585                      * 54586          
u_seq ESTAB      0       0                        @0000e 54587                      * 54588          
u_seq ESTAB      0       0                        @0000f 55132                      * 55133          
u_seq ESTAB      0       0                        @00010 55134                      * 55135          
u_str ESTAB      0       0                             * 439093                     * 442955         
u_str ESTAB      0       0                             * 260423                     * 260424         
u_seq ESTAB      0       0                             * 153096                     * 153095         
u_str ESTAB      0       0                             * 57451                      * 57450          
u_str ESTAB      0       0                             * 55382                      * 49033          
u_str ESTAB      0       0                             * 41956                      * 41957          
u_seq ESTAB      0       0                             * 41936                      * 41935          
u_str ESTAB      0       0            /run/user/1000/bus 39750                      * 35633

2) View all socket connections

To list all listening and non-listening socket connections on your Linux system, run:

$ ss -a

3) View all listening sockets

To display only listening socket connections on your Linux system, run:

$ ss -l

Netid          State           Recv-Q          Send-Q         Local Address:Port                         Peer Address:Port           
nl             UNCONN          0               0                       rtnl:chrome/3578                              *               
nl             UNCONN          0               0                       rtnl:kernel                                   *               
nl             UNCONN          0               0                       rtnl:chrome/3618                              *               
nl             UNCONN          0               0                       rtnl:mission-control/2102                     *               
nl             UNCONN          0               0                       rtnl:atom/3381                                *               
nl             UNCONN          0               0                       rtnl:goa-daemon/2107                          *               
nl             UNCONN          0               0                       rtnl:firefox/2979                             *               
nl             UNCONN          0               0                       rtnl:evolution-calen/2207                     *               
nl             UNCONN          0               0                       rtnl:nscd/1262                                *               
nl             UNCONN          0               0                       rtnl:gnome-software/2229                      *               
nl             UNCONN          0               0                       rtnl:avahi-daemon/1184                        *               
nl             UNCONN          0               0                       rtnl:evolution-addre/2329                     *               
nl             UNCONN          0               0                       rtnl:wpa_supplicant/1547                      *

4) Display TCP socket connections

To display only TCP socket connections on your Linux system, run:

$ ss -t

State        Recv-Q   Send-Q                              Local Address:Port                                                Peer Address:Port                   
 ESTAB        0        0                                    192.168.43.4:38658                                              142.250.183.2:https                  
 ESTAB        0        0                                    192.168.43.4:47464                                            142.250.182.227:https                  
 ESTAB        0        0                                    192.168.43.4:40184                                              34.102.149.62:https                  
 ESTAB        0        0                                    192.168.43.4:34546                                              23.211.105.67:https                  
 ESTAB        0        0                                    192.168.43.4:41188                                              52.37.132.164:https                  
 ESTAB        0        0                                    192.168.43.4:34548                                              23.211.105.67:https                  
 ESTAB        0        0                                    192.168.43.4:57118                                             142.250.196.34:https                  
 ESTAB        0        0                                    192.168.43.4:59392                                               35.244.159.8:https                  
 ESTAB        0        0                                    192.168.43.4:49948                                               94.237.76.92:ssh                    
 ESTAB        0        0                                    192.168.43.4:52680                                              142.250.77.34:https

By default the "t" option reports only the TCP sockets that are "established" or "CONNECTED", and doesn't report the TCP sockets that are "LISTENING". Use the "-a" option together with "-t" if you want to view them all at once.

$ ss -ta

State        Recv-Q   Send-Q                              Local Address:Port                                                Peer Address:Port                   
 LISTEN       0        128                                       0.0.0.0:ssh                                                      0.0.0.0:*                      
 LISTEN       0        5                                       127.0.0.1:ipp                                                      0.0.0.0:*                      
 LISTEN       0        100                                     127.0.0.1:smtp                                                     0.0.0.0:*                      
 LISTEN       0        10                                        0.0.0.0:daap                                                     0.0.0.0:*                      
 ESTAB        0        0                                    192.168.43.4:38658                                              142.250.183.2:https                  
 ESTAB        0        0                                    192.168.43.4:47464                                            142.250.182.227:https                  
 ESTAB        0        0                                    192.168.43.4:40184                                              34.102.149.62:https                  
 ESTAB        0        0                                    192.168.43.4:45086                                             182.161.72.132:https                  
 ESTAB        0        0                                    192.168.43.4:41188                                              52.37.132.164:https                  
 ESTAB        0        0                                    192.168.43.4:59392                                               35.244.159.8:https                  
 ESTAB        0        0                                    192.168.43.4:49948                                               94.237.76.92:ssh

4-a) Display UDP socket connections

$ ss -ua

State              Recv-Q              Send-Q                                                    Local Address:Port                                           Peer Address:Port               
 UNCONN             0                   0                                                          192.168.43.4:46312                                               0.0.0.0:*                  
 UNCONN             0                   0                                                           224.0.0.251:mdns                                                0.0.0.0:*                  
 UNCONN             0                   0                                                           224.0.0.251:mdns                                                0.0.0.0:*                  
 UNCONN             0                   0                                                               0.0.0.0:mdns                                                0.0.0.0:*                  
 UNCONN             0                   0                                                               0.0.0.0:47347                                               0.0.0.0:*                  
 UNCONN             0                   0                                                          192.168.43.4:56078                                               0.0.0.0:*                  
 ESTAB              0                   0                                                    192.168.43.4%wlan0:bootpc                                         192.168.43.1:bootps             
 UNCONN             0                   0                                                                  [::]:mdns                                                   [::]:*                  
 UNCONN             0                   0                                [2402:3a80:462:e78:e4ca:8bb:a7ae:8888]:40157                                                  [::]:*                  
 UNCONN             0                   0                                                                  [::]:48993                                                  [::]:*                  
 UNCONN             0                   0                                [2402:3a80:462:e78:e4ca:8bb:a7ae:8888]:33353                                                  [::]:*                  
 ESTAB              0                   0                                [2402:3a80:462:e78:e4ca:8bb:a7ae:8888]:33597                            [2404:6800:4009:809::2004]:https

4-b) Display UNIX socket connections

$ ss -xa

Netid State  Recv-Q Send-Q                                  Local Address:Port                                 Peer Address:Port                                
 u_str LISTEN 0      128                       /run/systemd/journal/stdout 13825                                           * 0                                   
 u_str LISTEN 0      128                               /tmp/.ICE-unix/1989 36552                                           * 0                                   
 u_dgr UNCONN 0      0                         /run/systemd/journal/socket 13827                                           * 0                                   
 u_str LISTEN 0      5                               /tmp/.esd-1000/socket 40072                                           * 0                                   
 u_str LISTEN 0      1                                   /tmp/.X11-unix/X0 37262                                           * 0                                   
 u_str LISTEN 0      128                       /run/user/1000/keyring/.ssh 514311                                          * 0                                   
 u_str LISTEN 0      128                              @/tmp/.ICE-unix/1989 36551                                           * 0                                   
 u_str LISTEN 0      10                          /run/mcelog/mcelog-client 28958                                           * 0                                   
 u_str LISTEN 0      128                              /var/run/nscd/socket 29728                                           * 0                                   
 u_str LISTEN 0      1                                  @/tmp/.X11-unix/X0 37261                                           * 0

4-c) Display RAW socket connections

$ ss -wa

State                    Recv-Q                   Send-Q                                     Local Address:Port                                           Peer Address:Port                   
 UNCONN                   0                        0                                                      *:ipv6-icmp                                                 *:*

5) Print only listening TCP socket connections

To print only listening TCP socket connections, run:

$ ss -ltn

State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:22                                              0.0.0.0:*                      
 LISTEN                    0                         5                                                127.0.0.1:631                                             0.0.0.0:*                      
 LISTEN                    0                         100                                              127.0.0.1:25                                              0.0.0.0:*                      
 LISTEN                    0                         10                                                 0.0.0.0:3689                                            0.0.0.0:*                      
 LISTEN                    0                         128                                                   [::]:22                                                 [::]:*                      
 LISTEN                    0                         5                                                    [::1]:631                                                [::]:*                      
 LISTEN                    0                         100                                                  [::1]:25                                                 [::]:*                      
 LISTEN                    0                         10                                                    [::]:3689                                               [::]:*

6) List IPv4 and IPv6 socket connections

To display only IPv4 socket connections, run:

$ ss -4

Netid               State                    Recv-Q               Send-Q                                  Local Address:Port                                 Peer Address:Port                
 udp                 ESTAB                    0                    0                                  192.168.43.4%wlan0:bootpc                               192.168.43.1:bootps              
 tcp                 ESTAB                    0                    0                                        192.168.43.4:41188                               52.37.132.164:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:59392                                35.244.159.8:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:49948                                94.237.76.92:ssh                 
 tcp                 CLOSE-WAIT               1                    0                                        192.168.43.4:50232                              35.244.247.133:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:51714                               142.250.77.34:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:51724                               142.250.77.34:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:56566                               13.227.129.99:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:48470                              142.250.183.98:https               
 tcp                 ESTAB                    0                    0                                        192.168.43.4:56718                               216.58.196.66:https

To list only IPv4 listening TCP socket connections, run:

$ ss -tl4

State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:ssh                                             0.0.0.0:*                      
 LISTEN                    0                         5                                                127.0.0.1:ipp                                             0.0.0.0:*                      
 LISTEN                    0                         100                                              127.0.0.1:smtp                                            0.0.0.0:*                      
 LISTEN                    0                         10                                                 0.0.0.0:daap                                            0.0.0.0:*

For IPv6, run:

$ ss -6
$ ss -tl6

7) Print process name and pid with ss command

Note that you need to run this command with sudo privilege to view all process names and associated pids. To list the process name and pid associated with the network connections, run:

$ sudo ss -ltp

[sudo] password for root: 
 State             Recv-Q             Send-Q                         Local Address:Port                         Peer Address:Port                                                              
 LISTEN            0                  128                                  0.0.0.0:ssh                               0.0.0.0:*                users:(("sshd",pid=1338,fd=3))                   
 LISTEN            0                  5                                  127.0.0.1:ipp                               0.0.0.0:*                users:(("cupsd",pid=1260,fd=7))                  
 LISTEN            0                  100                                127.0.0.1:smtp                              0.0.0.0:*                users:(("master",pid=1630,fd=13))                
 LISTEN            0                  10                                   0.0.0.0:daap                              0.0.0.0:*                users:(("rhythmbox",pid=16209,fd=18))            
 LISTEN            0                  128                                     [::]:ssh                                  [::]:*                users:(("sshd",pid=1338,fd=4))                   
 LISTEN            0                  5                                      [::1]:ipp                                  [::]:*                users:(("cupsd",pid=1260,fd=6))                  
 LISTEN            0                  100                                    [::1]:smtp                                 [::]:*                users:(("master",pid=1630,fd=14))                
 LISTEN            0                  10                                      [::]:daap                                 [::]:*                users:(("rhythmbox",pid=16209,fd=19))

8) Show timer information of socket connections

To show how long the socket connection is alive, run:

$ ss -tn -o

State           Recv-Q       Send-Q                                      Local Address:Port                                        Peer Address:Port                                          
 ESTAB           0            0                                            192.168.43.4:41188                                      52.37.132.164:443        timer:(keepalive,9min54sec,0)      
 ESTAB           0            0                                            192.168.43.4:59392                                       35.244.159.8:443                                           
 ESTAB           0            0                                            192.168.43.4:50678                                       103.43.90.19:443        timer:(keepalive,9.512ms,0)        
 ESTAB           0            0                                            192.168.43.4:49948                                       94.237.76.92:22         timer:(keepalive,38min,0)          
 ESTAB           0            0                                            192.168.43.4:36528                                     182.161.72.130:443                                           
 ESTAB           0            0                                            192.168.43.4:48704                                     142.250.192.66:443                                           
 ESTAB           0            0                                            192.168.43.4:38544                                        103.43.89.4:443        timer:(keepalive,8sec,0)           
 ESTAB           0            517                                          192.168.43.4:57978                                     182.161.72.137:443        timer:(on,288ms,0)
9) Print summary statistics

To view an overall summary of all socket connections, run the command below. It prints the results in tabular format, including the number of TCP and UDP, IPv4 and IPv6 socket connections.

$ ss -s

Total: 1278
TCP:   35 (estab 10, closed 11, orphaned 0, timewait 2)
Transport Total     IP        IPv6
RAW       1         0         1        
UDP       11        7         4        
TCP       24        13        11       
INET      36        20        16       
FRAG      0         0         0
10) View extended output of socket connections

To view extended output of socket connections, run the command below. The extended output displays the uid of the socket and the socket's inode number.

$ ss -lte

State              Recv-Q             Send-Q                           Local Address:Port                           Peer Address:Port                                                         
 LISTEN             0                  128                                    0.0.0.0:ssh                                 0.0.0.0:*                 ino:27515 sk:4dc <->                       
 LISTEN             0                  5                                    127.0.0.1:ipp                                 0.0.0.0:*                 ino:30778 sk:4dd <->                       
 LISTEN             0                  100                                  127.0.0.1:smtp                                0.0.0.0:*                 ino:34118 sk:4de <->                       
 LISTEN             0                  10                                     0.0.0.0:daap                                0.0.0.0:*                 uid:1000 ino:442177 sk:586 <->             
 LISTEN             0                  128                                       [::]:ssh                                    [::]:*                 ino:27517 sk:4f3 v6only:1 <->              
 LISTEN             0                  5                                        [::1]:ipp                                    [::]:*                 ino:30777 sk:4f4 v6only:1 <->              
 LISTEN             0                  100                                      [::1]:smtp                                   [::]:*                 ino:34119 sk:4f5 v6only:1 <->              
 LISTEN             0                  10                                        [::]:daap                                   [::]:*                 uid:1000 ino:442178 sk:587 v6only:1 <->
11) Display memory usage of socket connections

To view how much memory is consumed by a socket connection, run:

$ ss -ltm

State            Recv-Q           Send-Q                     Local Address:Port                       Peer Address:Port                                                                       
 LISTEN           0                128                              0.0.0.0:ssh                             0.0.0.0:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                5                              127.0.0.1:ipp                             0.0.0.0:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                100                            127.0.0.1:smtp                            0.0.0.0:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                10                               0.0.0.0:daap                            0.0.0.0:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                128                                 [::]:ssh                                [::]:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                5                                  [::1]:ipp                                [::]:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                100                                [::1]:smtp                               [::]:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)           
 LISTEN           0                10                                  [::]:daap                               [::]:*              
      skmem:(r0,rb131072,t0,tb16384,f0,w0,o0,bl0,d0)
12) Filter Connections with ss command

The ss command supports advanced filtering, which can be used to select connections by state, port, address, service, and so on.

12-a) Filtering socket connections by socket states
Syntax: ss [option] [state] [name of the socket state]

To display all TCP sockets that are in the "established" state, run:

$ ss -lt state established

Recv-Q                 Send-Q                                                          Local Address:Port                                                  Peer Address:Port                  
 0                      0                                                                192.168.43.4:39008                                                142.250.192.2:https                 
 0                      0                                                                192.168.43.4:41188                                                52.37.132.164:https                 
 0                      0                                                                192.168.43.4:59392                                                 35.244.159.8:https                 
 0                      0                                                                192.168.43.4:49948                                                 94.237.76.92:ssh                   
 0                      0                                                                192.168.43.4:48704                                               142.250.192.66:https                 
 0                      0                                                                192.168.43.4:51714                                                142.250.77.34:https

Other common states are:

  • listening
  • closed
  • syn-sent
  • syn-recv
  • fin-wait-1
  • time-wait
  • close-wait
  • connected
  • synchronized
12-b) Filtering socket connections by port number
Syntax:
ss [option] dport = :[port number]
ss [option] sport = :[port number]
ss [option] '( dport = :[port number] or sport = :[port number] )'

To filter sockets by port number, use one of the forms above. For instance, to filter for the ssh service, you can run the following commands as needed.

$ ss -at dport = :22

State                    Recv-Q                    Send-Q                                       Local Address:Port                                        Peer Address:Port                   
 ESTAB                    0                         0                                             192.168.43.4:49948                                       94.237.76.92:ssh
$ ss -lt sport = :22

State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:ssh                                             0.0.0.0:*                      
 LISTEN                    0                         128                                                   [::]:ssh                                                [::]:*
$ ss -at dst :22

State                    Recv-Q                    Send-Q                                       Local Address:Port                                        Peer Address:Port                   
 ESTAB                    0                         0                                             192.168.43.4:49948                                       94.237.76.92:ssh
$ ss -at src :22

State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:ssh                                             0.0.0.0:*                      
 LISTEN                    0                         128                                                   [::]:ssh                                                [::]:*
$ ss -at '( dport = :22 or sport = :22 )'

State                    Recv-Q                    Send-Q                                       Local Address:Port                                        Peer Address:Port                   
 LISTEN                   0                         128                                                0.0.0.0:ssh                                              0.0.0.0:*                      
 ESTAB                    0                         0                                             192.168.43.4:49948                                       94.237.76.92:ssh                    
 LISTEN                   0                         128                                                   [::]:ssh                                                 [::]:*

To filter multiple ports at once, run:

$ ss -nt '( dst :443 or dst :22 )'

State                 Recv-Q            Send-Q                                                Local Address:Port                                                  Peer Address:Port           
 ESTAB                 0                 0                                                      192.168.43.4:41188                                                52.37.132.164:443            
 ESTAB                 0                 0                                                      192.168.43.4:44970                                                 103.43.90.20:443            
 ESTAB                 0                 0                                                      192.168.43.4:59392                                                 35.244.159.8:443            
 ESTAB                 0                 0                                                      192.168.43.4:43254                                                  34.95.69.49:443            
 SYN-SENT              0                 1                                                      192.168.43.4:58884                                               182.161.72.137:443            
 ESTAB                 0                 0                                                      192.168.43.4:49948                                                 94.237.76.92:22             
 CLOSE-WAIT            1                 0                                                      192.168.43.4:50232                                               35.244.247.133:443
12-c) Filtering socket connections by service name

Similarly, you can filter socket connections by service name:

$ ss -at dport = :ssh

State                    Recv-Q                    Send-Q                                       Local Address:Port                                        Peer Address:Port                   
 ESTAB                    0                         0                                             192.168.43.4:49948                                       94.237.76.92:ssh
$ ss -lt sport = :ssh

State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:ssh                                             0.0.0.0:*                      
 LISTEN                    0                         128                                                   [::]:ssh                                                [::]:*
$ ss -at dst :https

State                Recv-Q            Send-Q                                                Local Address:Port                                                  Peer Address:Port            
 ESTAB                0                 0                                                      192.168.43.4:45084                                                 103.43.90.20:https           
 ESTAB                0                 0                                                      192.168.43.4:45076                                                 103.43.90.20:https           
 ESTAB                0                 0                                                      192.168.43.4:41188                                                52.37.132.164:https           
 ESTAB                0                 0                                                      192.168.43.4:59392                                                 35.244.159.8:https           
 ESTAB                0                 0                                                      192.168.43.4:43254                                                  34.95.69.49:https
$ ss -at src :ssh

 State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:ssh                                             0.0.0.0:*                      
 LISTEN                    0                         128                                                   [::]:ssh                                                [::]:*
$ ss -at '( dport = :ssh or sport = :ssh )'

State                    Recv-Q                    Send-Q                                       Local Address:Port                                        Peer Address:Port                   
 LISTEN                   0                         128                                                0.0.0.0:ssh                                              0.0.0.0:*                      
 ESTAB                    0                         0                                             192.168.43.4:49948                                       94.237.76.92:ssh                    
 LISTEN                   0                         128                                                   [::]:ssh                                                 [::]:*
$ ss -at '( dst :https or dst :ssh )'

State                Recv-Q            Send-Q                                                Local Address:Port                                                  Peer Address:Port            
 ESTAB                0                 0                                                      192.168.43.4:41188                                                52.37.132.164:https           
 ESTAB                0                 0                                                      192.168.43.4:59392                                                 35.244.159.8:https           
 ESTAB                0                 0                                                      192.168.43.4:49948                                                 94.237.76.92:ssh             
 CLOSE-WAIT           1                 0                                                      192.168.43.4:50232                                               35.244.247.133:https           
 ESTAB                0                 0                                                      192.168.43.4:51714                                                142.250.77.34:https
$ ss -at '( dst :https or src :ssh )'

State                Recv-Q            Send-Q                                                Local Address:Port                                                  Peer Address:Port            
 LISTEN               0                 128                                                         0.0.0.0:ssh                                                        0.0.0.0:*               
 ESTAB                0                 0                                                      192.168.43.4:41188                                                52.37.132.164:https           
 ESTAB                0                 0                                                      192.168.43.4:59392                                                 35.244.159.8:https           
 CLOSE-WAIT           1                 0                                                      192.168.43.4:50232                                               35.244.247.133:https           
 ESTAB                0                 0                                                      192.168.43.4:51714                                                142.250.77.34:https
$ ss -at '( src :smtp or src :ssh )'

State                     Recv-Q                    Send-Q                                       Local Address:Port                                       Peer Address:Port                   
 LISTEN                    0                         128                                                0.0.0.0:ssh                                             0.0.0.0:*                      
 LISTEN                    0                         100                                              127.0.0.1:smtp                                            0.0.0.0:*                      
 LISTEN                    0                         128                                                   [::]:ssh                                                [::]:*                      
 LISTEN                    0                         100                                                  [::1]:smtp                                               [::]:*
12-d) Filtering socket connections by IP address

To list connections to a specific destination IP address, run:

Syntax: ss [option] dst [IP Address]

For instance, to view a list of connections established to a specific IP address, run:

$ ss -at dst 192.168.43.40

State                    Recv-Q                    Send-Q                                       Local Address:Port                                        Peer Address:Port                   
 ESTAB                    0                         0                                             192.168.43.4:49948                                       192.168.43.40:ssh
ss command man page

If you want to explore options that are not covered in this guide, see the ss man page.

$ man ss
or
$ ss --help
Conclusion

In this guide, we have shown you how to use ss command in Linux with several examples, including various filtering options.


[Jul 16, 2018] netstat to find ports which are in use on linux server

Another example of a more or less complex pipeline using cut
Oct 02, 2008 | midnight-cafe.co.uk

Below is a command that uses netstat and cut to find the number of connections to each port that is in use.

netstat -nap | grep 'tcp\|udp' | awk '{print $4}' | cut -d: -f2 | sort | uniq -c | sort -n

Below is a description of each command:

netstat is used to check all incoming and outgoing connections on a Linux server. grep selects the lines that match the pattern you define.

awk is an important command, generally used for scanning for patterns and processing the matches; it is a powerful tool for shell scripting. sort sorts the output, and sort -n sorts it in numeric order.

uniq -c produces unique output by collapsing duplicate lines, prefixing each remaining line with its count.
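The pipeline above takes the port with cut -d: -f2, which returns an empty field for IPv6 local addresses such as :::22 or ::1:631. The following is an added example, not part of the quoted post, that takes the text after the last colon instead; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-port socket counts from `netstat -nap`-style output.
# The port is the text after the LAST colon of the local address, so IPv6
# entries such as :::22 or ::1:631 are counted under their real port.

# Constructed sample input (not a real capture).
sample_netstat_nap() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 192.168.1.7:22          192.168.1.20:50112      ESTABLISHED 2101/sshd
tcp        0      0 192.168.1.7:443         192.168.1.21:40822      ESTABLISHED 990/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      655/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
unix  2      [ ACC ]     STREAM     LISTENING     20412    1/init    /run/udev/control
EOF
}

# Reads netstat output on stdin and prints "count proto port",
# lowest count first.
count_by_local_port() {
    awk '
        # Match on the protocol column only, so "tcp" or "udp" appearing
        # elsewhere on a line (a program name, a path) does not select it.
        $1 ~ /^(tcp|udp)6?$/ {
            port = $4
            sub(/^.*:/, "", port)        # keep what follows the last colon
            proto = $1
            sub(/6$/, "", proto)         # fold tcp6/udp6 into tcp/udp
            n[proto " " port]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k1,1n -k2,2 -k3,3n
}

# Demo on the constructed sample; on a live host use:
#   netstat -nap 2>/dev/null | count_by_local_port
sample_netstat_nap | count_by_local_port
```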

[Jul 16, 2018] Listing TCP apps listening on ports

Jun 13, 2018 | www.fredshack.com

netstat -nltp

[Jun 23, 2018] Linux netstat Command Tutorial for Beginners (8 Examples) by Himanshu Arora

Jun 20, 2018 | www.howtoforge.com

Q3. How to make netstat display only tcp connections?

This you can do using the -t command line option.

netstat -t

For example, in my case, the following output was produced:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 192.168.1.7:44236       152.195.11.6:https      ESTABLISHED
tcp        0      0 192.168.1.7:59510       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED
tcp        0      0 192.168.1.7:42706       maa05s05-in-f4.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:51984       del03s10-in-f2.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:51786       52.114.32.7:https       ESTABLISHED
tcp        0      0 192.168.1.7:52294       xx-fbcdn-shv-01-m:https ESTABLISHED
tcp        0      0 192.168.1.7:54372       del03s01-in-f2.1e:https ESTABLISHED
tcp        0      1 192.168.1.7:47788       hyperserver.semse:https SYN_SENT   
tcp        0      0 192.168.1.7:52298       xx-fbcdn-shv-01-m:https ESTABLISHED
tcp        0      0 192.168.1.7:51840       149.154.164.224:https   TIME_WAIT  
tcp        0      0 192.168.1.7:35258       del03s10-in-f1.1e:https ESTABLISHED
tcp        0      0 192.168.2.97:45662      blog.gsmarena.com:ftp   ESTABLISHED
tcp        0      0 192.168.1.7:50728       del03s10-in-f10.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:56468       del03s09-in-f3.1e:https ESTABLISHED
tcp        0      0 192.168.1.7:50892       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:45670       52.175.17.224:https     ESTABLISHED
tcp        0      0 192.168.1.7:55180       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      1 192.168.1.7:47790       hyperserver.semse:https SYN_SENT   
tcp        0      0 192.168.1.7:59548       mails11.telegram.:https ESTABLISHED
tcp        0      0 192.168.1.7:35818       32.4a.37a9.ip4.st:https ESTABLISHED
tcp        0      0 192.168.1.7:50888       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:33360       del03s10-in-f13.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:52332       207.46.140.70:https     ESTABLISHED
tcp        0      0 192.168.1.7:58478       52.229.174.94:https     ESTABLISHED
tcp        0      0 192.168.1.7:54374       del03s01-in-f2.1e:https TIME_WAIT  
tcp        0      0 192.168.1.7:50216       104.24.1.68:https       TIME_WAIT  
tcp       52      0 localhost:60342         ansh:netbios-ssn        ESTABLISHED
tcp        0      0 192.168.1.7:50890       149.154.164.224:https   ESTABLISHED
tcp        0      0 192.168.1.7:55200       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      0 192.168.1.7:54224       del03s01-in-f2.1e:https ESTABLISHED
tcp        0      0 ansh:netbios-ssn        localhost:60342         ESTABLISHED
tcp        0      0 192.168.1.7:55212       del03s10-in-f14.1:https TIME_WAIT  
tcp        0      1 192.168.1.7:47800       hyperserver.semse:https SYN_SENT   
tcp        0      0 192.168.1.7:45668       52.175.17.224:https     ESTABLISHED
tcp        0      0 192.168.1.7:58878       del03s10-in-f3.1e:https TIME_WAIT  
tcp        0      0 192.168.1.7:34500       do-11.lastpass.co:https ESTABLISHED
tcp        0      0 192.168.1.7:41844       a23-35-40-198.dep:https ESTABLISHED
Q4. How to make netstat display only udp connections

This you can do using the -u command line option.

netstat -u
Q5. How to make netstat show only listening sockets?

This is possible by using the -l command line option.

netstat -l

For example, the following output was produced in my case:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 ansh:domain             *:*                     LISTEN     
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 *:microsoft-ds          *:*                     LISTEN     
tcp        0      0 *:netbios-ssn           *:*                     LISTEN     
tcp6       0      0 ip6-localhost:ipp       [::]:*                  LISTEN     
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN     
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN     
...
...
...
Q6. How to make netstat show name and PID of programs?

If you want netstat to show the name and process ID of the program to which each socket belongs, use the -p command line option.

netstat -p

For example:

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.7:57318       13.70.5.200:https       ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:36732       13.76.170.95:https      ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52050       149.154.164.224:https   ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:55974       del03s10-in-f14.1:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52074       149.154.164.224:https   ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:60590       mails11.telegram.:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52254       149.154.164.224:https   ESTABLISHED 3247/firefox    
tcp        0      0 192.168.2.97:45662      blog.gsmarena.com:ftp   ESTABLISHED 3160/filezilla  
tcp        0      0 192.168.1.7:35818       32.4a.37a9.ip4.st:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:52528       52.114.32.7:https       ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:55950       del03s10-in-f14.1:https ESTABLISHED 3247/firefox    
tcp       68      0 localhost:60342         ansh:netbios-ssn        ESTABLISHED 2625/gvfsd-smb-brow
tcp        0      0 192.168.1.7:44974       152.195.11.6:https      ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:36730       13.76.170.95:https      ESTABLISHED 3247/firefox    
tcp        0      0 ansh:netbios-ssn        localhost:60342         ESTABLISHED -               
tcp        0      0 192.168.1.7:52732       del03s10-in-f2.1e:https ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:60314       52.229.174.94:https     ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:53072       207.46.140.70:https     ESTABLISHED 3247/firefox    
tcp        0      0 192.168.1.7:34500       do-11.lastpass.co:https ESTABLISHED 3247/firefox

See the last column for PID/program name info.

Q7. How to make netstat print network statistics?

This can be done using the -s command line option.

netstat -s

In this case, the tool produces information like total packets received, discarded, delivered, and much more. Following is an example output when the -s command line option was used.

Ip:
    592215 total packets received
    41 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    580699 incoming packets delivered
    539118 requests sent out
    627 outgoing packets dropped
    482 dropped because of missing route
    2 fragments failed
Icmp:
    2337 ICMP messages received
    6 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 2337
    3917 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 3917
IcmpMsg:
        InType3: 2337
        OutType3: 3917
Tcp:
    10943 active connections openings
    127 passive connection openings
    38 failed connection attempts
    467 connection resets received
    34 connections established
    443643 segments received
    414589 segments send out
    6929 segments retransmited
    428 bad segments received.
    11713 resets sent

...
...
...
Q8. How to make netstat display kernel routing table?

This can be done using the -r command line option.

netstat -r

Following is the output produced in my case:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlx18a6f713679b
link-local      *               255.255.0.0     U         0 0          0 wlx18a6f713679b
192.168.1.0     *               255.255.255.0   U         0 0          0 wlx18a6f713679b

Note that netstat -r and route -e produce the same output.

[Sep 6, 2007] Just Barebones netstat

While trying to debug random lockups of our Oracle database server, I found a cool command to monitor the connections being served by a machine.

I already knew about netstat and netstat -c which gives the user a continuous display of the connections.

But I found another way to view the connections in real time using the watch command:

watch -d "netstat -toupe 2>/dev/null"
Pretty cool!!

[Nov 4, 2004] Using Netstat For Surveillance And Troubleshooting by Carla Schroder

LinuxPlanet

Two of the fundamental aspects of Linux system security and troubleshooting are knowing what services are running, and what connections and services are available. We're all familiar with ps for viewing active services. netstat goes a couple of steps further, and displays all available connections, services, and their status. It shows one type of service that ps does not: services run from inetd or xinetd, because inetd/xinetd start them up on demand. If the service is available but not active, such as telnet, all you see in ps is either inetd or xinetd:

$ ps ax | grep -E 'telnet|inetd'
  520 ?            Ss         0:00 /usr/sbin/inetd

But netstat shows telnet sitting idly, waiting for a connection:

$ netstat --inet -a | grep telnet
tcp      0     0     *:telnet      *:*    LISTEN

This netstat invocation shows all activity:

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address  Foreign Address State
tcp     0      0      *:telnet       *:*           LISTEN
tcp     0      0      *:ipp          *:*           LISTEN
tcp     0      0      *:smtp         *:*           LISTEN
tcp     0      0      192.168.1.5:32851 nest.anthill.echid:ircd     ESTABLISHED
udp     0      0      *:ipp          *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags    Type     State       I-Node Path
unix  2      [ ACC ]  STREAM   LISTENING   1065   /tmp/ksocket-carla/klaunchertDCh2b.slave-socket
unix  2      [ ACC ]  STREAM   LISTENING   1002   /tmp/ssh-OoMGfFm666/agent.666
unix  2      [ ACC ]  STREAM   LISTENING   819    private/smtp

Your total output will probably run to a couple hundred lines. (A fun and quick way to count lines of output is netstat -a | wc -l.) You can ignore everything under "Active UNIX domain sockets." Those are local inter-process communications, not network connections. To avoid displaying them at all, do this:

$ netstat --inet -a

This will display only network connections, both listening and established. Already netstat has earned its keep--both the telnet and smtp services are running. This is bad, because I don't want to have either a telnet or smtp server running on this machine. So now I know I need to turn them off, and re-configure my startup files so they won't start at boot.

How do you know what services you want running? That is a mondo subject for another day, and an important one. For example, if your system has been compromised, this is one place to find evidence of a Trojan horse or other malware phoning home. In this example, ipp is Internet Printing Protocol, which belongs to CUPS (Common Unix Printing System.) If you want your printer to work, this needs to be here. The connection on 192.168.1.5:32851 is my active IRC (Internet Relay Chat) connection. Refer to your /etc/services file to learn more about TCP and UDP ports, and the services assigned to them.
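The check described above (spotting telnet and smtp listening when they should not be) can be scripted against an allowlist. This is an added example, not code from the article; the function names, the allowlist contents and the sample input are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag listening TCP services that are not on an allowlist.
# Input is the text format of `netstat --inet -a` shown in the article.
# With `netstat -n` the ports are numeric, so the allowlist must then hold
# port numbers instead of service names.

# Constructed sample, modelled on the article's output (not a real capture).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 192.168.1.5:32851       nest.anthill.echid:ircd ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 *:ipp                   *:*
EOF
}

# unexpected_listeners ALLOWLIST
# Reads netstat output on stdin and prints "proto service bind-address" for
# every LISTEN socket whose service is not in the space-separated ALLOWLIST.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Service is what follows the last colon; the bind address is
            # everything before it. Works for *:smtp, [::]:ssh and :::22.
            svc = $4;  sub(/^.*:/, "", svc)
            host = $4; sub(/:[^:]*$/, "", host)
            if (!(svc in ok)) print $1, svc, host
        }
    ' | sort -u
}

# audit_listeners ALLOWLIST
# Same input; returns 1 and reports on stderr when anything unexpected
# is listening, so it can gate a cron job or a deployment check.
audit_listeners() {
    findings=$(unexpected_listeners "$1")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" | sed 's/^/unexpected listener: /' >&2
    return 1
}

# Demo on the constructed sample; on a live host use:
#   netstat --inet -a | unexpected_listeners "ipp ssh"
sample_netstat | unexpected_listeners "ipp ssh"
```

A listener bound to * or [::] is reachable from the network, while one bound to localhost is not, which is why the bind address is printed next to each finding.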

What It Means

"Proto" is short for protocol, which is either TCP or UDP. "Recv-Q" and "Send-Q" mean receiving queue and sending queue. These should always be zero; if they're not you might have a problem. Packets should not be piling up in either queue, except briefly, as this example shows:

tcp   0   593  192.168.1.5:34321 venus.euao.com:smtp ESTABLISHED

That happened when I hit the "check mail" button in KMail; a brief queuing of outgoing packets is normal behavior. If the receiving queue is consistently jamming up, you might be experiencing a denial-of-service attack. If the sending queue does not clear quickly, you might have an application that is sending them out too fast, or the receiver cannot accept them quickly enough.

"Local address" is either your IP and port number, or IP and the name of a service. "Foreign address" is the hostname and service you are connected to. The asterisk is a placeholder for IP addresses, which of course cannot be known until a remote host connects. "State" is the current status of the connection. Any TCP state can be displayed here, but these three are the ones you want to see:

LISTEN - waiting to receive a connection
ESTABLISHED - a connection is active
TIME_WAIT - a recently terminated connection; this should last only a minute or two, then change back to LISTEN. The socket pair cannot be re-used as long as the TIME_WAIT state persists.

UDP is stateless, so the "State" column is always blank.

A socket pair is both sides of a TCP/IP connection, like this example for a locally-attached printer:

localhost:ipp               localhost:34493             ESTABLISHED

Or a telnet connection to a remote server:

192.168.1.5:34437           65.106.57.106.pt:telnet    ESTABLISHED

A socket is any hostname-port combination, or IP address-port.
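
The checks described above (services listening that should not be, and queues that are not zero) can be scripted. This is an added example, not part of the original article: the allowlist, the function names and the sample lines (which use documentation addresses) are constructed, and the input is the numeric format produced by netstat --inet -an.

```shell
#!/bin/sh
# Added example: audit `netstat --inet -an` output for unexpected listeners
# and backed-up queues. The allowlist and sample lines are constructed.

ALLOWED_PORTS="631"   # assumption: only CUPS (ipp, port 631) should listen

# Constructed sample in `netstat --inet -an` format (numeric, no DNS).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0    593 192.168.1.5:34321       203.0.113.10:25         ESTABLISHED
tcp        0      0 192.168.1.5:32851       203.0.113.20:6667       ESTABLISHED
udp        0      0 0.0.0.0:631             0.0.0.0:*
EOF
}

# Reads netstat output on stdin and prints one finding per line:
#   LISTEN <proto> <port>                              port not allowlisted
#   QUEUE <proto> <local> <remote> recv=<n> send=<n>   non-zero queue
audit_netstat() {
    awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 !~ /^(tcp|udp)/ { next }            # skip headers and unix sockets
    {
        port = $4; sub(/.*:/, "", port)    # text after the last colon
        # TCP listeners say LISTEN; unconnected UDP sockets have no State.
        listening = ($6 == "LISTEN") || ($1 ~ /^udp/ && NF == 5)
        if (listening && !(port in ok))
            print "LISTEN", $1, port
        if ($2 + 0 > 0 || $3 + 0 > 0)
            print "QUEUE", $1, $4, $5, "recv=" $2, "send=" $3
    }'
}

# Demo on the constructed sample; live use: netstat --inet -an | audit_netstat
sample_netstat | audit_netstat
```

A single QUEUE line is not an alarm by itself; as the text says, brief queuing is normal, so compare several runs before drawing conclusions.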

Continuous Capture, "Borken" DNS, and Interface Checking

Because all these things change often, how do you capture the changes? Run netstat continuously with the -c flag and record the output:

$ netstat --inet -a -c > netstat.txt

Then check email, start and stop services, surf the web, log in to a telnet BBS and play Legend of the Red Dragon; then review your capture file to see what it all looks like.

If netstat is taking too long, or not resolving a hostname at all, give it the -n flag to turn off DNS lookups:

$ netstat --inet -an

netstat can help diagnose NIC problems. Use the -i flag when you're troubleshooting a flakey connection, and you suspect your NIC:

$ netstat -i
Kernel Interface table
Iface   MTU  Met   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0    28698  0      0      0     33742  0      0      0     BMRU
lo      6436 0    14     0      0      0     14     0      0      0     LRU

You should see large numbers in the RX-OK (received OK) and TX-OK (transmitted OK) columns, and very low numbers in all the others. If you are seeing a lot of RX-ERRs or TX-ERRs, suspect the NIC or the patch cable. This is what the flags mean:
B = broadcast address
L = loopback device
M = promiscuous mode
R = interface is running
U = interface is up
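
The "large OK counters, very low error counters" rule can be checked automatically. This is an added example, not part of the original article: the 1% threshold, the function names and the eth1 row are constructed, and columns are located by header name so the position of any one column does not matter.

```shell
#!/bin/sh
# Added example: flag interfaces whose error counters in `netstat -i`
# exceed a threshold. Sample table and threshold are constructed.

MAX_ERR_PCT=1    # assumption: more than 1% errored frames is worth a look

# Constructed sample; eth0 and lo follow the table in the text, eth1 is made up.
sample_iftable() {
cat <<'EOF'
Kernel Interface table
Iface   MTU  Met   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0    28698  0      0      0     33742  0      0      0     BMRU
eth1    1500  0    12000  840    3      0     9000   0      0      0     BMRU
lo      6436 0    14     0      0      0     14     0      0      0     LRU
EOF
}

# Reads `netstat -i` output on stdin. Columns are found via the header row,
# so a table without the Met column parses the same way.
# Prints "<iface> rx_err=<pct>% tx_err=<pct>%" for each offending interface.
check_iferrors() {
    awk -v max="$MAX_ERR_PCT" '
    $1 == "Iface" { for (i = 1; i <= NF; i++) col[$i] = i; next }
    !("RX-OK" in col) { next }             # ignore lines before the header
    {
        rx = pct($(col["RX-ERR"]), $(col["RX-OK"]))
        tx = pct($(col["TX-ERR"]), $(col["TX-OK"]))
        if (rx > max || tx > max)
            printf "%s rx_err=%.1f%% tx_err=%.1f%%\n", $1, rx, tx
    }
    # Errors as a percentage of all frames seen in that direction.
    function pct(err, ok) { return (err + ok) ? 100 * err / (err + ok) : 0 }'
}

# Demo on the constructed sample; live use: netstat -i | check_iferrors
sample_iftable | check_iferrors
```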

Resources

Linux Network Administrator's Guide, by Olaf Kirch & Terry Dawson

Reference

Solaris

netstat(1M) - show network status (man pages section 1M System Administration Commands) - Sun Microsystems

SunOS 5.10 Last Revised 21 Jan 2007

Linux Netstat

netstat [options] [delay]

TCP/IP command. Show network status. Print information on active sockets, routing tables, interfaces, masquerade connections, or multicast memberships. By default, netstat lists open sockets. When a delay is specified, netstat will print new information every delay seconds.

Options

The first five options (-g, -i, -M, -r, and -s) determine what kind of information netstat should display.

-g, --groups

Show multicast group memberships.

-i, --interface[=name]

Show all network interfaces, or just the interface specified by name.

-M, --masquerade

Show masqueraded connections.

-r, --route

Show kernel routing tables.

-s, --statistics

Show statistics for each protocol.

-a, --all

Show all entries.

-A family, --protocol=family

Show connections only for the specified address family. Accepted values are inet, unix, ipx, ax25, netrom, and ddp. Specify multiple families in a comma-separated list.

-c, --continuous

Display information continuously, refreshing once every second.

-C

Print routing information from the route cache.

-e, --extend

Increase level of detail in reports. Use twice for maximum detail.

-F

Print routing information from the forward information database (FIB). This is the default.

-l, --listening

Show only listening sockets.

-n, --numeric

Show network addresses, ports, and users as numbers.

--numeric-hosts

Show host addresses as numbers, but resolve others.

--numeric-ports

Show ports as numbers, but resolve others.

--numeric-users

Show user ID numbers for users, but resolve others.

-N, --symbolic

Where possible, print symbolic host, port, or usernames instead of numerical representations. This is the default behavior.

-o, --timers

Include information on network timers.

-p, --program

Show the process ID and name of the program owning the socket.

-t, --tcp

Limit report to information on TCP sockets.

-u, --udp

Limit report to information on UDP sockets.

-v, --verbose

Verbose mode.

-w, --raw

Limit report to information on raw sockets.

Quiz

Q1. Which command (and options) will show the routing table, but will bypass hostname lookup?

A: netstat -nr

Q2. Which command (and options) will show the state of all sockets?

A: netstat -a



Copyright 1996-2020 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Created: May 16, 1996; Last modified: July 16, 2018