netstat — Network Connections and Statistics at a Glance

Practical guide to netstat — active connections, listening ports, routing table and interface statistics, with the most common option combinations.

netstat is the classic tool for inspecting active connections, listening ports, the kernel routing table, and interface statistics from the command line. It runs on Linux, macOS, and Windows and ships pre-installed on many systems. On modern Linux distributions, ss from the iproute2 package is the designated successor – faster and actively maintained. For quick cross-platform diagnostics, however, netstat remains the familiar first port of call.

Connection Listing

netstat — Show all active connections (TCP and Unix sockets).

netstat

netstat -a — Show all connections and listening ports.

netstat -a

netstat -l — Show only listening sockets.

netstat -l

netstat -t — Show TCP connections only.

netstat -t

netstat -u — Show UDP connections only.

netstat -u

netstat -x — Show Unix domain sockets only.

netstat -x

netstat -w — Show RAW sockets.

netstat -w

Display Options

netstat -n — Numeric output — show IP addresses and port numbers instead of names.

netstat -n

netstat -p — Show PID and program name for each connection (root is required to see processes owned by other users).

sudo netstat -p

netstat -e — Show extended information (user, inode).

netstat -e

netstat -o — Show timer information.

netstat -o

netstat -c — Continuously refresh the output every second.

netstat -c

netstat --wide — Do not truncate IP addresses in output.

netstat --wide

Common Combinations

netstat -tlnp — Show TCP listening ports with port numbers and processes. Most common usage.

sudo netstat -tlnp

netstat -tulnp — Show all TCP and UDP listening ports with processes.

sudo netstat -tulnp

netstat -tanp — Show all TCP connections with port numbers and processes.

sudo netstat -tanp

netstat -anp — Show all connections with numeric addresses and process info.

sudo netstat -anp

netstat -ltpe — Show listening TCP ports with processes and extended info.

sudo netstat -ltpe

Routing Table

netstat -r — Show the kernel routing table.

netstat -r

netstat -rn — Show the routing table with numeric addresses (no DNS).

netstat -rn

Interface Statistics

netstat -i — Show a table of all network interfaces with statistics.

netstat -i

netstat -ie — Show interfaces with extended info (similar to ifconfig).

netstat -ie

netstat -I INTERFACE — Show statistics for a specific interface.

netstat -I eth0

Protocol Statistics

netstat -s — Show protocol statistics (TCP, UDP, ICMP, IP).

netstat -s

netstat -st — Show TCP statistics only.

netstat -st

netstat -su — Show UDP statistics only.

netstat -su

Multicast

netstat -g — Show multicast group memberships.

netstat -g

Practical Examples

netstat -tlnp | grep ':80 ' — Find which process is listening on port 80. The trailing space keeps ports such as 8080 out of the match.

sudo netstat -tlnp | grep ':80 '

netstat -an | grep ESTABLISHED | wc -l — Count established connections.

netstat -an | grep ESTABLISHED | wc -l

netstat -an | grep TIME_WAIT | wc -l — Count TIME_WAIT connections.

netstat -an | grep TIME_WAIT | wc -l

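netstat -tn | awk '/^tcp/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head — Show top remote IPs by connection count. The /^tcp/ filter skips the two header lines, and stripping only the trailing port keeps IPv6 addresses intact.

netstat -tn | awk '/^tcp/ {print $5}' | sed 's/:[0-9]*$//' | sort | uniq -c | sort -rn | head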

netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c | sort -rn — Show count of connections by TCP state.

netstat -an | awk '/tcp/ {print $6}' | sort | uniq -c | sort -rn

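netstat -tulnp | grep -Ev ' (127\.[0-9.]+|::1):' — Show listening ports accessible from outside (not localhost-only). The pattern is tied to the address column because a bare ::1 substring also matches IPv6 wildcard listeners such as :::111 and would hide them.

sudo netstat -tulnp | grep -Ev ' (127\.[0-9.]+|::1):'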
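
The same exposure check as an added example (not part of the original page): it parses the Local Address column instead of matching substrings, so loopback listeners anywhere in 127.0.0.0/8 are excluded and IPv6 wildcard listeners are kept. It assumes the Linux net-tools column layout; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners that are reachable from outside the host.
# Input: `netstat -tulnp` output (Linux net-tools column layout) on stdin.
# Output: one "proto address port process" line per non-loopback listener.

external_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # Split Local Address on its LAST colon, so IPv6 forms such as
        # ":::111" (wildcard, port 111) are not confused with "::1".
        match($4, /:[^:]*$/)
        addr = substr($4, 1, RSTART - 1)
        port = substr($4, RSTART + 1)

        # Loopback-only: 127.0.0.0/8, ::1 and IPv4-mapped loopback.
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next

        # UDP rows have no State column, so locate PID/Program by shape.
        # "-" means the owner is hidden (run netstat as root to see it).
        proc = "-"
        for (i = 6; i <= NF; i++)
            if ($i ~ /^[0-9]+\//) { proc = $i; break }

        print $1, addr, port, proc
    }'
}

# Constructed sample input, not captured from a real host.
sample_netstat_output() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      990/postgres
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      640/systemd-resolve
tcp6       0      0 :::111                  :::*                    LISTEN      1/init
tcp6       0      0 ::1:631                 :::*                    LISTEN      701/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp6       0      0 :::1900                 :::*                                -
EOF
}

sample_netstat_output | external_listeners
```

On a live host, feed it real data with sudo netstat -tulnp | external_listeners; program names that contain spaces are reported up to the first space.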

Conclusion

For quick diagnostics – which process is listening on port 80, how many established connections are open, what does the routing table say? – netstat is still a solid first choice. On modern Linux systems, get familiar with ss: it delivers the same information faster and exposes TCP-internal state that netstat hides.

Further Reading

  • ss – faster successor to netstat on modern Linux systems
  • ip – manage routes, addresses and network interfaces from the command line
  • iftop – display network bandwidth usage per connection in real time