Netstat Cheatsheet
netstat is used to list out all the network(socket) connections of a system. It is a very useful tool for checking system safety.
Flags
Here is the list of all the possible flags that we can use with the netstat
command.
-a
list all connection-n
disable DNS lookup-t
list only TCP connection-u
listen only UDP connection-l
to view only listening port-p
process details of the connection. Root privilege is needed for this option-s
print total packet received and transmitted by protocols-i
interface name-ie
to print a human-friendly version of the interface
Example of netstat
commands
netstat -a
List all the connectionnetstat -at
List only TCP connectionnetstat -au
List only UDP connectionnetstat -an
List all connections.-n
option disable DNS name lookup. So it provides faster output.netstat -an | grep ESTABLISHED
find only established connection.netstst -aple | grep ntp
to check any running program like NTP, SMTP, HTTP, etc.
Understand netstat
output
The netstat
output provides four basic columns.
Proto, Local Address, Foreign Address and State
- Proto: The name of the protocol (TCP or UDP)
- Local Address:
0.0.0.0:566
means the port(566)
is listening on all network interfaces127.0.0.1
port is only listening for connections from the PC itself. PC regularly does connect itself for IPC or administrative tasks.Public IP(226.178.2.3:4567)
It means the port is only listening for the connection from the internetLocal IP(192.168.0.1)
. Port is only listening for the connection from the local network
- Foreign Address: The IP address and port number of the remote computer.
- State:
LISTENING
The port is open and listening for inbound connectionESTABLISHED
The connection is active between the two machinesTIMED_WAIT
The connection has recently endedSYN_SEND, SYN_RECEIVED
appears during initial connection setupFIN_WAIT, CLOSE_WAIT, LAST_ACK
Appear while a connection is being closed
Wildcards: Asterisk(*
) as a wildcard means as follows:
- If the port is not yet established, the port number is shown as an asterisk(
*
) *:*
The connection can come from any IP address and originate from any port*.*
All IPv4 addresses[::]
All IPv6 addresses
Leave a comment