# netstat — Network Connections and Statistics at a Glance

> Practical guide to netstat — active connections, listening ports, routing table and interface statistics, with the most common option combinations.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/netstat/

<!-- PROSE:intro -->
netstat is the classic tool for inspecting active connections, listening ports, the kernel routing table, and interface statistics from the command line. It runs on Linux, macOS, and Windows and ships pre-installed on many systems. On modern Linux distributions, `ss` from the `iproute2` package is the designated successor – faster and actively maintained. For quick cross-platform diagnostics, however, netstat remains the familiar first port of call.
<!-- PROSE:intro:end -->

## Connection Listing

`netstat` — Show all active connections (TCP and Unix sockets).

```bash
netstat
```

`netstat -a` — Show all connections and listening ports.

```bash
netstat -a
```

`netstat -l` — Show only listening sockets.

```bash
netstat -l
```

`netstat -t` — Show TCP connections only.

```bash
netstat -t
```

`netstat -u` — Show UDP connections only.

```bash
netstat -u
```

`netstat -x` — Show Unix domain sockets only.

```bash
netstat -x
```

`netstat -w` — Show RAW sockets.

```bash
netstat -w
```

## Display Options

`netstat -n` — Numeric output — show IP addresses and port numbers instead of names.

```bash
netstat -n
```

`netstat -p` — Show PID and program name for each connection (requires root).

```bash
sudo netstat -p
```

`netstat -e` — Show extended information (user, inode).

```bash
netstat -e
```

`netstat -o` — Show timer information.

```bash
netstat -o
```

`netstat -c` — Continuously refresh the output every second.

```bash
netstat -c
```

`netstat --wide` — Do not truncate IP addresses in output.

```bash
netstat --wide
```

## Common Combinations

`netstat -tlnp` — Show TCP listening ports with port numbers and processes. Most common usage.

```bash
sudo netstat -tlnp
```

`netstat -tulnp` — Show all TCP and UDP listening ports with processes.

```bash
sudo netstat -tulnp
```

`netstat -tanp` — Show all TCP connections with port numbers and processes.

```bash
sudo netstat -tanp
```

`netstat -anp` — Show all connections with numeric addresses and process info.

```bash
sudo netstat -anp
```

`netstat -ltpe` — Show listening TCP ports with processes and extended info.

```bash
sudo netstat -ltpe
```

## Routing Table

`netstat -r` — Show the kernel routing table.

```bash
netstat -r
```

`netstat -rn` — Show the routing table with numeric addresses (no DNS).

```bash
netstat -rn
```

## Interface Statistics

`netstat -i` — Show a table of all network interfaces with statistics.

```bash
netstat -i
```

`netstat -ie` — Show interfaces with extended info (similar to ifconfig).

```bash
netstat -ie
```

`netstat -I INTERFACE` — Show statistics for a specific interface.

```bash
netstat -I eth0
```

## Protocol Statistics

`netstat -s` — Show protocol statistics (TCP, UDP, ICMP, IP).

```bash
netstat -s
```

`netstat -st` — Show TCP statistics only.

```bash
netstat -st
```

`netstat -su` — Show UDP statistics only.

```bash
netstat -su
```

## Multicast

`netstat -g` — Show multicast group memberships.

```bash
netstat -g
```

## Practical Examples

`netstat -tlnp | grep :80` — Find which process is listening on port 80.

```bash
sudo netstat -tlnp | grep :80
```

`netstat -an | grep ESTABLISHED | wc -l` — Count established connections.

```bash
netstat -an | grep ESTABLISHED | wc -l
```

`netstat -an | grep TIME_WAIT | wc -l` — Count TIME_WAIT connections.

```bash
netstat -an | grep TIME_WAIT | wc -l
```

`netstat -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head` — Show top remote IPs by connection count.

```bash
netstat -tn | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head
```

`netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c | sort -rn` — Show count of connections by TCP state.

```bash
netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c | sort -rn
```

`netstat -tulnp | grep -v 127.0.0.1 | grep -v ::1` — Show listening ports accessible from outside (not localhost-only).

```bash
sudo netstat -tulnp | grep -v 127.0.0.1 | grep -v ::1
```

<!-- PROSE:outro -->
## Conclusion

For quick diagnostics – which process is listening on port 80, how many established connections are open, what does the routing table say? – netstat is still a solid first choice. On modern Linux systems, get familiar with `ss`: it delivers the same information faster and exposes TCP-internal state that netstat hides.

## Further Reading

- [netstat – Wikipedia](https://en.wikipedia.org/wiki/Netstat) – background and history
- [netstat(8) – Linux man page](https://linux.die.net/man/8/netstat) – complete option reference
<!-- PROSE:outro:end -->

## Related Commands

- [ss](https://www.jpkc.com/db/en/cheatsheets/networking/ss/) – faster successor to netstat on modern Linux systems
- [ip](https://www.jpkc.com/db/en/cheatsheets/networking/ip/) – manage routes, addresses and network interfaces from the command line
- [iftop](https://www.jpkc.com/db/en/cheatsheets/networking/iftop/) – display network bandwidth usage per connection in real time