Bash Network Status (netstat)

Common netstat Commands

netstat -a

netstat -tuln

netstat -tulnp

netstat -s

🔹 Show All Connections

The netstat -a command displays a comprehensive list of all active network connections and listening ports on your system. This includes connections for both TCP and UDP protocols, showing their current state—such as ESTABLISHED, LISTEN, TIME_WAIT, or CLOSE_WAIT. The output details local and remote addresses (IP and port), the state of the connection, and the protocol used. This broad view is the first step in network diagnostics, helping you identify unknown connections, check for services that shouldn't be running, or confirm that a required service is actively listening.

# Show all connections
netstat -a

# Show all TCP connections
netstat -at

# Show all UDP connections
netstat -au

🔹 Display Listening Ports

To see only the ports where services are actively waiting for incoming connections, use netstat -l. This filters the output to show sockets in the LISTEN state. You can refine this further by protocol: combine with -t for TCP listening ports, -u for UDP, or -tu for both. Adding -n prevents hostname resolution, showing raw IP addresses and speeding up the output. This command is essential for security audits, verifying firewall rules, and ensuring your web server, database, or SSH daemon is correctly bound to the expected ports.

# Show listening TCP and UDP ports
netstat -tuln

# Show only TCP listening ports
netstat -tln

# Show only UDP listening ports
netstat -uln

🔹 Show Programs Using Ports

The netstat -p option (often combined with others like -tulpn) reveals the program or process ID (PID) associated with each network socket. This requires root (sudo) privileges to see information for processes owned by other users. It's an invaluable troubleshooting tool: instantly identify which application is listening on port 80 (e.g., Apache or Nginx), find the process causing a "port already in use" error, or detect unauthorized software making network connections. This links network activity directly to running software on your system.

# Show programs with listening ports (requires sudo)
sudo netstat -tulnp

# Show all connections with programs
sudo netstat -anp

# Find specific port usage
sudo netstat -tulnp | grep :80

🔹 Network Statistics

Use netstat -s to display detailed network statistics and error counters for each protocol (TCP, UDP, ICMP, IP). This output shows high-level metrics like total packets sent and received, errors, dropped packets, retransmissions, and connection failures. Analyzing these statistics helps diagnose complex network performance issues: high retransmission rates may indicate packet loss, a large number of resets could point to misconfigured services, and error counts help identify faulty network hardware. It provides a quantitative overview of your system's network health.

# Show all protocol statistics
netstat -s

# Show TCP statistics only
netstat -st

# Show UDP statistics only
netstat -su

🔹 Routing Table

The command netstat -r (or route -n) displays the kernel's IP routing table, a map for all network traffic leaving your system. It shows destination networks, the gateway (next-hop router) to reach them, the network mask, and the network interface (like eth0 or wlan0) to use. The default route (destination 0.0.0.0) is particularly important as it's the path for all traffic not matching a more specific rule. Understanding this table is crucial for troubleshooting connectivity problems, configuring multi-homed systems, or verifying VPN routes.

# Show routing table
netstat -r

# Show routing table with numeric addresses
netstat -rn

# Detailed routing information
netstat -rnv

🔹 Continuous Monitoring

For real-time network monitoring, use the netstat -c option to continuously refresh the connection display every second. This live view allows you to watch as new connections are established (changing from LISTEN to ESTABLISHED), see connections close, and monitor traffic patterns dynamically. It's perfect for observing the immediate impact of launching a web service, tracking active sessions to a server, or debugging transient network issues. Press Ctrl+C to stop the continuous output. This turns a static snapshot into an active monitoring tool.

# Continuously show connections
netstat -c

# Monitor listening ports continuously
netstat -tulnc

# Watch specific protocol
netstat -tc

🔹 Filter by State

You can filter netstat output for specific connection states by piping it to grep. For example, netstat -atn | grep ESTABLISHED shows only active TCP connections, while netstat -atn | grep LISTEN shows listening ports (similar to -l). Other useful states include TIME_WAIT (connections in the graceful closure process), SYN_SENT (outgoing connection attempts), and CLOSE_WAIT (indicating a remote close your app hasn't handled). Filtering helps isolate issues, like a buildup of TIME_WAIT sockets which can exhaust available ports.

# Show only established connections
netstat -an | grep ESTABLISHED

# Show only listening ports
netstat -an | grep LISTEN

# Show connections in TIME_WAIT state
netstat -an | grep TIME_WAIT

# Count connections by state
netstat -an | grep ESTABLISHED | wc -l

🔹 Modern Alternative: ss Command

The ss (socket statistics) command is the modern, high-performance replacement for netstat, now recommended on most Linux distributions. Part of the iproute2 package, ss is significantly faster because it reads kernel socket information directly from /proc. It uses very similar options (e.g., ss -tulpn) and provides more detailed and accurate information, especially for large numbers of connections. While netstat is still available for compatibility, ss offers better filtering, more TCP state information, and is the preferred tool for network diagnostics and scripting in contemporary Linux environments.

# Show listening ports (like netstat -tuln)
ss -tuln

# Show all connections with programs
ss -tulnp

# Show established connections
ss -t state established

# Show statistics
ss -s