Netstat is one of the most useful Linux network diagnostic commands. This in-depth reference guide will teach you how to leverage netstat for troubleshooting connectivity issues, monitoring sockets/connections, analyzing packet statistics, and more.
Contents
- Established Connections
- Listening Ports and Services
- Process and Port Mappings
- Network Interface Details
- Routing Tables and Network Flows
- Continuous Monitoring and Baselines
- Kernel Socket Statistics
- TCP Performance and Errors
- Alternative Tools – ss, ip, lsof
- Network Troubleshooting Flowcharts
Established Connections
View all active connections with the -at
and -n
options:
netstat -nat
This shows both TCP and UDP connections and resolves hostnames/ports by default. Some key points:
- Source and destination addresses and ports
- Connection state – ESTABLISHED, CLOSE_WAIT
- RX/TX queue sizes
- Interface
Filter by specific IPs or connection states:
netstat -nat | grep 192.168
netstat -nat | grep EST
Identifying connections by process:
netstat -nap
The -p
shows the PID/process name owning each socket. Useful for linking connections to processes.
Listening Ports and Services
Finding listening TCP/UDP sockets with -l
:
netstat -l
This shows all sockets in LISTEN state, awaiting new connections.
Again, combining with -p
maps ports to processes:
netstat -lp
Verify exactly what ports/services you have open and listening on the server.
Process and Port Mappings
Another approach is listing sockets by process first with -ap
, then grepping for the PID or port:
netstat -ap | grep nginx
netstat -ap | grep :80
This method can help identify all sockets and connections tied to a particular process.
Network Interface Details
Get configured interfaces with the -i
option:
netstat -i
Important fields here include:
- MTU – Maximum Transmission Unit
- RX/TX metrics – packets/bytes sent/received
- Errors – missed packets, overruns, frame errors
- Drops – due to limited buffer space
- Flags – UP, BROADCAST, RUNNING
Monitor these counters over time to detect interface issues.
Routing Tables and Network Flows
View kernel IP routing tables with -r
:
netstat -r
This shows for a given target network:
- Gateway/router
- Genmask (subnet mask)
- Flags – UG (route usable)
- Interface traffic will egress
Confirm routing is correctly sending traffic out the intended interfaces.
Complement with traceroute
to validate connectivity path for target IPs.
Continuous Monitoring and Baselines
For intermittent issues like apparent connectivity loss or crashes, use -c
for continuous netstat output:
netstat -c
This dumps the output every second until interrupted, showing connections dropping or processes exiting in real-time.
-c
is especially useful paired with filters, for example watching state changes on a particular connection:
netstat -apc | grep mysql
It‘s also helpful for establishing baseline metrics on socket counts, packet loss, errors over time. Sudden deviations from norm could indicate problems.
Kernel Socket Statistics
Netstat gathers various IP, ICMP, TCP, UDP counters directly from the kernel.
Get this wide-ranging socket data with -s
:
netstat -s
Sections to pay attention to:
TCP metrics:
- connection opens/closures
- timeouts
- packet retransmits
- errors like bad checksums
UDP:
- input/output packet counters
- receive buffer errors
ICMP:
- input/output
- type counters like echo requests
IP:
- total packets/bytes
- drops
These give a high-level health check of kernel networking in different areas.
TCP Performance and Errors
By default netstat shows limited TCP metrics. Adding -t
exposes advanced counters:
netstat -st
Additional details provided:
- Packet loss events and recovery
- Retransmits
- Times waited in TIME_WAIT
- Errors like connection resets
- Congestion control state
- Out-of-order packet scenarios
Monitor these TCP performance numbers for client-server connectivity troubleshooting.
Metrics like loss recovery, fast retransmits indicate network or endpoint issues.
Alternative Tools – ss, ip, lsof
The ss
command provides functionality similar to netstat for socket reporting:
ss -tupna
In many cases, ss may perform better than netstat with fewer flags needed.
The ip
tool combines IP address management, routing info, and statistics. Useful particularly for containers/VMs communicating over virtual NICs and bridges.
And lsof
prints open files and sockets filtered by process:
lsof -iTCP -a -p nginx
Network Troubleshooting Flowcharts
Below find diagnostic steps for common connectivity and network service issues using netstat and related Linux tools:
[Link to graphics detailing troubleshooting flowcharts]Scenarios include:
- Web server troubleshooting
- Database server troubleshooting
- General connectivity issues
- Traffic routing failures
- Performance diagnosis
The flowcharts provide an effective methodology combining CLI tools like netstat, ping, traceroute, iptables, tcpdump for network checks.
Conclusion
Netstat remains one of the most versatile Linux networking commands even with newer tools emerging. Mastering netstat unlocks critical visibility into network communications, open ports, active connections, and kernel performance.
This guide provided a comprehensive reference for practical netstat usage in Linux network and server troubleshooting. The examples, metrics, and paired tools should equip you to diagnose most common connectivity and throughput issues.