netstat Network Stats

netstat cheatsheet — list listening ports, active connections, routing table. netstat -tulpn, netstat -an, netstat -rn. Find what's listening on which port.

4 min read

What it is

netstat is a command-line utility for displaying network connections, routing tables, interface statistics, masquerade connections, and multicast memberships. You reach for it when you need to see what ports are open, which processes are listening on them, and general network activity.

Installation

Linux: netstat is usually pre-installed on most Linux distributions. If not, it’s part of the net-tools package.

sudo apt update && sudo apt install net-tools  # Debian/Ubuntu
sudo yum install net-tools                   # CentOS/Fedora
sudo dnf install net-tools                   # Fedora 22+

macOS: netstat is pre-installed on macOS.

Windows: netstat is pre-installed on Windows. You can run it from cmd.exe or PowerShell.

Commands / Usage

Viewing Network Connections

List all active TCP connections:
```
netstat -t
```
Shows all TCP connections, including listening and established states.
List all active UDP connections:
```
netstat -u
```
Shows all UDP connections.
List all active TCP and UDP connections:
```
netstat -tu
```
Combines TCP and UDP output.
List all listening ports (TCP and UDP):
```
netstat -l
```
Shows only ports that are actively listening for incoming connections.
List all listening TCP ports:
```
netstat -lt
```
List all listening UDP ports:
```
netstat -lu
```
Display port numbers instead of service names:
```
netstat -n
```
Prevents DNS lookups and service name resolution, making output faster and showing raw port numbers (e.g., 80 instead of http).
Combine options to see all listening ports numerically:
```
netstat -ltun
```
This is a very common combination to see exactly which ports are open and listening, without name resolution.
Show the process ID (PID) and program name associated with each connection:
```
netstat -p
```
Requires root/administrator privileges to see PIDs for all processes.
Combine options to see all listening ports with PIDs:
```
netstat -ltup
```
Show established connections:
```
netstat -t -e
```
The -e flag shows extended information, including the user who owns the socket.
Show all connections (listening and non-listening) with PIDs and numerical output:
```
netstat -antp
```

Viewing Interface Statistics

Display statistics for all network interfaces:
```
netstat -i
```
Shows packets received, sent, errors, etc., for each interface.
Display statistics for all network interfaces with extended information:
```
netstat -ie
```
Includes details like MTU, network, and broadcast addresses.
Continuously update interface statistics:
```
netstat -i -c
```
Similar to watch netstat -i.

Viewing the Routing Table

Display the IP routing table:
```
netstat -r
```
Shows the kernel’s IP routing table.
Display the IP routing table with numerical addresses:
```
netstat -rn
```
Prevents hostname lookups for gateways and destinations.

Viewing Ethernet Statistics

Display Ethernet interface statistics:
```
netstat -g
```
Shows multicast group memberships for each interface.

Windows Specific Options

Display all active connections and listening ports:
```
netstat -a
```
Equivalent to netstat -l -t -u on Linux/macOS.
Display all active connections, listening ports, and the associated process IDs:
```
netstat -ano
```
The -o flag shows PIDs. This is extremely useful for identifying which application is using a specific port.
Display all connections, including foreign addresses and ports:
```
netstat -an
```
Display executable name for each connection:
```
netstat -b
```
Requires administrator privileges.
Display the interval in seconds between reshowing selected statistics:
```
netstat -c
```
For example, netstat -c 5 will refresh statistics every 5 seconds.

Common Patterns

Find which process is using a specific port (Linux/macOS):
```
sudo netstat -tulnp | grep :80
```
This command lists all listening TCP and UDP ports with their PIDs and program names, then filters the output for lines containing :80 (port 80).
Find which process is using a specific port (Windows):
```
netstat -ano | findstr :80
```
Then, use the PID found with the Task Manager or tasklist:
```
tasklist /FI "PID eq 1234"
```
(Replace 1234 with the actual PID).
Check for established connections to a specific IP address:
```
netstat -ant | grep 192.168.1.100
```
See network traffic statistics continuously:
```
watch -n 1 "netstat -i"
```
This will refresh the interface statistics every second.
List all open ports and their associated programs (requires sudo):
```
sudo netstat -tulnp
```
Check if a specific port is open and listening:
```
netstat -ltn | grep :22
```
If you see a line with 0.0.0.0:22 or :::22 (for IPv6), the port is listening.

Gotchas

Permissions for -p (Linux/macOS): To see the process information (-p) for all connections, you typically need root privileges (use sudo). Without sudo, you’ll only see PIDs for processes owned by your current user.
netstat vs ss (Linux): On modern Linux systems, ss is generally preferred over netstat. ss is faster and provides more detailed information, especially for large numbers of connections. For example, ss -tulnp is the modern equivalent of netstat -tulnp.
netstat on Windows: The Windows version of netstat has different flags than the Unix-like versions. The -b flag is particularly useful for identifying executables but requires administrator privileges.
Name Resolution Overhead: Using flags like -t, -u, -l without -n can be slow if your system has to perform many DNS lookups or service name resolutions. Always use -n if you just need numerical addresses and port numbers.
Interpreting Listening States: A line showing 0.0.0.0:<port> means the service is listening on all available IPv4 network interfaces. A line showing 127.0.0.1:<port> means it’s only listening for connections from the local machine. Similarly, :::<port> indicates listening on all IPv6 interfaces.