Networking

Obtaining network information with netstat

Vincent Danen offers some tips for getting the most network information possible from the netstat utility as a root user.

One of the best utilities on Linux for network troubleshooting is a very simple one: netstat. Netstat can provide a lot of information, such as network connections, routing tables, interface statistics, and more. It reports on several protocols and address families, such as TCP, UDP, and UNIX domain sockets.

Of course, all of this can also make it a daunting tool to use if you have never used it before.

While netstat is useful as a regular user, to get the most out of it, it needs to be run as root. For instance, the -p switch, which shows what program is listening on a port or socket, can only name processes you own; for everyone else's sockets the PID/Program name column shows "-" and netstat warns that not all processes could be identified. Run it as root and every socket is attributed.

To see all of the TCP ports being listened to on the system, and by what program, use:

# netstat -l --tcp -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address    State       PID/Program name
tcp        0      0 *:ssh                       *:*                LISTEN      1666/sshd
tcp        0      0 localhost.localdomain:smtp  *:*                LISTEN      1841/sendmail: acce
tcp        0      0 *:mysql                     *:*                LISTEN      1807/mysqld
tcp        0      0 *:http                      *:*                LISTEN      1873/httpd
tcp        0      0 *:https                     *:*                LISTEN      1873/httpd

From the above, you can see that sshd is listening on port 22 (netstat displays the port name from /etc/services unless you use the "-n" switch) on all interfaces. Sendmail is listening on port 25 on only the loopback interface (127.0.0.1), and Apache is listening on ports 80 and 443, while MySQL is listening on port 3306 on all available network interfaces. Note that the PID/Program name column is truncated to fit ("sendmail: acce"), so when the fragment is ambiguous, look the PID up with ps rather than guessing from it. This gives you an idea of what services are running, and what ports they are listening on; this is one way to determine if something is running that shouldn't be, or isn't running when it should be.

The same can be done for UDP (here with -n, so addresses and ports are shown numerically), again to make sure that nothing is receiving datagrams that shouldn't be:

# netstat -l --udp -p -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address    State       PID/Program name
udp        0      0 0.0.0.0:68                  0.0.0.0:*                      1292/dhclient
udp        0      0 192.168.250.52:123          0.0.0.0:*                      1679/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                      1679/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                      1679/ntpd
udp        0      0 0.0.0.0:42022               0.0.0.0:*                      1292/dhclient
udp        0      0 ::1:123                     :::*                           1679/ntpd
udp        0      0 fe80::226:18ff:fe7b:123     :::*                           1679/ntpd
udp        0      0 :::123                      :::*                           1679/ntpd
udp        0      0 :::15884                    :::*                           1292/dhclient

As you can see from the above, netstat lists sockets bound to IPv4 and IPv6 addresses alike; the IPv6 wildcard is shown as ":::123". Two caveats: the address column is truncated to fit (fe80::226:18ff:fe7b:123 is a cut-off link-local address), which newer net-tools releases fix with the -W (--wide) switch, and on Linux a socket bound to the IPv6 wildcard also accepts IPv4 traffic unless net.ipv6.bindv6only is set, so a ":::port" line is not necessarily IPv6-only.
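As an added example (not code from the article), here is a small shell script that turns the two listings above into a check: it reads netstat -n style output for TCP and UDP listeners from stdin, compares each local port with an allowlist, and prints anything not on the list together with its PID/program. The netstat output it runs on is constructed for the example in the shape of "netstat -lntup"; the hosts, PIDs and the unowned port 8081 entry are made up.

```shell
#!/bin/sh
# Added example (not from the article): audit the listeners shown by
# "netstat -lntup" against an allowlist of expected ports. Input is netstat -n
# output read from stdin; tcp, tcp6, udp and udp6 lines are parsed, everything
# else (headers, unix sockets) is ignored.
#
# Live use, as root so that every socket gets a PID/Program name:
#   netstat -lntup | audit_listeners "22 25 80 443 68 123"
audit_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            laddr = $4
            port = laddr; sub(/.*:/, "", port)          # text after the last colon
            addr = laddr; sub(/:[^:]*$/, "", addr)      # text before it (IPv6-safe)
            # The PID/Program name column may contain spaces ("1841/sendmail: acce"),
            # so take it from the first "<pid>/" to end of line rather than as $NF.
            prog = (match($0, /[0-9]+\/.*$/) ? substr($0, RSTART) : "-")
            if (!(port in ok))
                printf "UNEXPECTED %s %s port %s (%s)\n", $1, addr, port, prog
        }'
}

# Constructed sample in the shape of "netstat -lntup" output (hosts and PIDs
# are made up for this example; 8081 with no owner stands in for a surprise).
SAMPLE_LISTENERS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1666/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1841/sendmail: acce
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1807/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1873/httpd
tcp6       0      0 :::443                  :::*                    LISTEN      1873/httpd
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1292/dhclient
udp6       0      0 :::123                  :::*                                1679/ntpd'

# Run the audit on the sample; a real run pipes netstat in instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners "22 25 80 443 68 123"
}

audit_sample
```

On the sample this prints two lines, for port 3306 (mysqld) and the unowned port 8081. Run it as root so every socket carries an owner; without -n the port column would contain names from /etc/services and the numeric allowlist would flag everything. The program name is taken from the first "pid/" to the end of the line because that column can contain spaces, as the truncated "sendmail: acce" shows.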

Netstat isn't restricted to telling you what is listening to ports; it can also tell you active connections, like this:

# netstat --tcp -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address             Foreign Address        State  PID/Program name
tcp   0      0 wrk.myhost.com:53231    wrk2.myhost.com:ssh         ESTABLISHED 3333/ssh
tcp   0      0 wrk.myhost.com:44401    iy-in-f113.1e100.net:http   TIME_WAIT   -
tcp   1      0 wrk.myhost.com:51848    204.203.18.161:http         CLOSE_WAIT  2729/clock-applet
tcp   0      0 wrk.myhost.com:821      srv.myhost.com:nfs          ESTABLISHED -
tcp   0      0 wrk.myhost.com:59028    iy-in-f101.1e100.net:http   TIME_WAIT   -
tcp   0      0 wrk.myhost.com:37120    dns.myhost.com:ldap         ESTABLISHED 1658/sssd_be
tcp   0      0 wrk.myhost.com:ssh      laptop.myhost.com:52286     ESTABLISHED 3274/sshd: joe [

From the above, you can see that the first connection is an outbound SSH connection (originating from port 53231, destined for port 22). You can also see some outbound HTTP connections from the GNOME clock-applet (the one in CLOSE_WAIT has been closed by the remote side but not yet by the applet), as well as outbound authentication requests from SSSD, and outbound NFS. The last entry shows an inbound SSH connection. A "-" in the PID/Program name column means no user-space process owns the socket: the TIME_WAIT entries belong to connections their process has already closed, and the NFS connection on port 821 is held by the in-kernel NFS client.

The -i switch prints the kernel interface table: for each interface, its MTU and the counts of packets received (RX) and transmitted (TX) successfully, with errors, dropped, and lost to overruns, followed by the interface flags:

# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0    60755      0      0      0    40332      0      0      0 BMRU
lo        16436   0      149      0      0      0      149      0      0      0 LRU

An interesting "watchdog" use of netstat is with the -c switch, which reprints whatever listing you asked for every second until you interrupt it. This is a good way to observe changes as they happen (connections being opened, and so on), although for anything beyond eyeballing the output it is usually easier to run a one-shot listing in a loop and filter it.
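As an added example, not from the article, the following script does for the connection listing what the preceding paragraphs do by eye, and gives the -c style watchdog a filter: count_peers reads "netstat -nt" output and, for one local port, counts the connections per foreign address (total and ESTABLISHED), reporting peers at or above a threshold; watch_port polls that summary on an interval instead of reprinting the whole table. The sample connection table is constructed for this example (peer addresses from the documentation ranges, with the article's 192.168.250.52 as the local host); the PIDs and ports are made up.

```shell
#!/bin/sh
# Added example (not from the article): summarise "netstat -nt" output per
# foreign address for one local port, so that a burst of connections from a
# single peer stands out. Input is read from stdin; -n is required because the
# parser compares numeric ports. Output: "<peer> <total> <established>",
# most connections first.
#
# Live use:   netstat -nt | count_peers 25 5    # peers with >= 5 connections to port 25
count_peers() {
    awk -v want="$1" -v thr="${2:-1}" '
        $1 ~ /^tcp6?$/ {
            lport = $4; sub(/.*:/, "", lport)          # local port
            peer  = $5; sub(/:[^:]*$/, "", peer)       # foreign address minus its port
            if (lport == want) {
                n[peer]++                              # every state counts as activity
                if ($6 == "ESTABLISHED") est[peer]++   # fully open connections only
            }
        }
        END { for (p in n) if (n[p] >= thr) printf "%s %d %d\n", p, n[p], est[p] + 0 }' |
    sort -k2,2nr -k1,1
}

# Poll like "netstat -c", but print only the summary; Ctrl-C to stop.
# Arguments: local port, threshold, interval in seconds (default 10).
watch_port() {
    while :; do
        date '+%H:%M:%S'
        netstat -nt 2>/dev/null | count_peers "$1" "$2"
        sleep "${3:-10}"
    done
}

# Constructed sample in the shape of "netstat -ntp" output: one peer has four
# connections to port 25 in mixed states, two others have one each.
SAMPLE_CONNECTIONS='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.250.52:25       203.0.113.7:40211       ESTABLISHED 1841/sendmail: acce
tcp        0      0 192.168.250.52:25       203.0.113.7:40212       ESTABLISHED 1841/sendmail: acce
tcp        0      0 192.168.250.52:25       203.0.113.7:40213       SYN_RECV    -
tcp        0      0 192.168.250.52:25       203.0.113.7:40214       TIME_WAIT   -
tcp        0      0 192.168.250.52:25       198.51.100.9:51022      ESTABLISHED 1841/sendmail: acce
tcp        0      0 192.168.250.52:22       192.168.250.10:52286    ESTABLISHED 3274/sshd: joe [
tcp        0      0 192.168.250.52:53231    192.168.250.53:22       ESTABLISHED 3333/ssh
tcp6       0      0 ::1:25                  ::1:47010               ESTABLISHED 1841/sendmail: acce'

# Summarise port 25 in the sample with an optional threshold (default 1).
peers_sample() {
    printf '%s\n' "$SAMPLE_CONNECTIONS" | count_peers 25 "${1:-1}"
}

peers_sample 1
```

With a threshold of 3 only "203.0.113.7 4 2" is reported: four connections to port 25, two of them established, the rest half-open or already closed, which is what a client hammering the mail port tends to look like. Tallying total and ESTABLISHED separately is deliberate: a SYN flood shows a large total with few established, while a busy but legitimate relay shows the two numbers close together.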

Finally, you can use netstat in place of other commands: netstat -rn shows the kernel routing table, the same as route -n (without -n, both resolve addresses to names), and netstat -ie shows interface information identical to ifconfig.

Netstat can provide a lot of information that can be very useful in tracking down various network related problems, or just to keep an eye on the system, making sure that no unauthorized programs are listening for incoming network connections. Keep in mind that netstat reports what the kernel says is listening or connected (it reads /proc/net/tcp, /proc/net/udp and friends); it cannot tell you whether a firewall is blocking that port, and on a host whose kernel has been compromised it can be lied to. So while a service might be noted as listening, it may not actually be reachable, and the only way to confirm that is to probe from another host. Netstat doesn't provide the entire picture, but it can certainly help provide useful clues. On current distributions netstat ships in the legacy net-tools package; ss from iproute2 accepts similar switches (ss -ltnp lists TCP listeners with their processes) and is the supported replacement.

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

public_domain

Sometimes when our internet access seems slow I will go to the router - that guards our internet server - to see the log activity. It would be easier for me to shell in and run netstat if netstat would also catch that activity - like a single IP over 10 sec hitting p25. Haven't tried it nor the -c switch. How might I nail this down? (PS. Always good info here. Thanks.)