1. Library
  2. Computer Networks
  3. Tools and Commands
  4. Network Analysis

netstat

Updated 8 hours ago

Your computer is having conversations you don't know about. Right now, dozens of connections are open—some you initiated, some that services opened on your behalf, and possibly some you'd rather not have. netstat shows you all of them.

Every open port is a door. netstat shows you which doors exist, which are open, and who's walking through them.

The Essential Command

Forget the basic netstat command—it's nearly useless. This is what you actually want:

sudo netstat -tlnp

This shows every TCP port listening for connections, with the program responsible:

Proto  Local Address           Foreign Address    State       PID/Program
tcp    0.0.0.0:22              0.0.0.0:*          LISTEN      1234/sshd
tcp    127.0.0.1:3306          0.0.0.0:*          LISTEN      5678/mysqld
tcp    0.0.0.0:80              0.0.0.0:*          LISTEN      9012/nginx

Three services, three open doors:

  • SSH on port 22, accepting connections from anywhere (0.0.0.0)
  • MySQL on port 3306, but only from localhost (127.0.0.1)—smart
  • Nginx on port 80, accepting connections from anywhere

The flags:

  • -t: TCP only (add -u for UDP)
  • -l: Listening ports only
  • -n: Show numbers, not names (much faster—no DNS lookups)
  • -p: Show the program (requires sudo)

See Active Connections

netstat -ant

Shows every TCP connection, including who you're connected to:

Proto  Local Address              Foreign Address         State
tcp    192.168.1.100:54321        93.184.216.34:443       ESTABLISHED
tcp    192.168.1.100:22           192.168.1.200:45678     ESTABLISHED
tcp    192.168.1.100:48293        172.217.14.99:443       TIME_WAIT

Your machine is connected to two remote hosts and recently finished talking to a third.

Connection States (What They Actually Mean)

LISTEN: A door is open, waiting for someone to knock.

ESTABLISHED: Active conversation. Data is flowing.

SYN_SENT: You knocked. Waiting to see if anyone's home.

TIME_WAIT: The conversation ended, but you're waiting a moment to make sure the goodbye was heard. Normal. You'll see lots of these.

CLOSE_WAIT: The other side hung up, but your program hasn't closed the connection yet. Many of these might indicate a buggy application.

FIN_WAIT: You said goodbye, waiting for acknowledgment.

Finding Things

Is anything listening on port 80?

netstat -tlnp | grep :80

What's using port 3000?

netstat -tlnp | grep :3000

All connections to a specific IP:

netstat -an | grep 93.184.216.34

What's Firefox connected to?

netstat -anp | grep firefox

Security: Who Left the Door Open?

Find everything listening on all interfaces:

sudo netstat -tlnp | grep '0.0.0.0'

Services bound to 0.0.0.0 accept connections from anywhere on the network. Make sure that's intentional.

Find unexpected listeners:

sudo netstat -tlnp | grep -v '127.0.0.1'

Everything not bound to localhost. Review the list. Recognize every program?

Count connections by state:

netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n

Routing Table

netstat -rn

Shows where packets go:

Destination     Gateway         Genmask         Iface
0.0.0.0         192.168.1.1     0.0.0.0         eth0
192.168.1.0     0.0.0.0         255.255.255.0   eth0

Default gateway is 192.168.1.1. Local traffic (192.168.1.x) goes directly out eth0.

Interface Statistics

netstat -i

Iface   MTU   RX-OK  RX-ERR  RX-DRP  TX-OK  TX-ERR  TX-DRP
eth0   1500  123456       0       0  98765       0       0

Errors and drops should be zero or near-zero. Non-zero values indicate hardware problems or network congestion.

Protocol Statistics

netstat -s

Shows packet counts, retransmissions, errors—useful for diagnosing network problems at the protocol level.

Platform Notes

Linux: Full features. On modern systems, ss is faster but netstat is more familiar.

macOS: Similar flags, but -p may not show program names.

Windows: Use netstat -ano to see process IDs, then match them in Task Manager. Use -b (as administrator) to see executable names.

netstat vs. ss

On Linux, ss is the modern replacement—faster and more powerful. The syntax is nearly identical:

ss -tlnp    # same as netstat -tlnp
ss -ant     # same as netstat -ant

netstat still matters because it works everywhere and everyone knows it.

Quick Reference

CommandShows
netstat -tlnpListening TCP ports with programs
netstat -ulnpListening UDP ports with programs
netstat -antAll TCP connections
netstat -rnRouting table
netstat -iInterface statistics
netstat -sProtocol statistics

Always use -n to avoid slow DNS lookups. Use sudo to see program names.

Frequently Asked Questions About netstat

Was this page helpful?

😔
🤨
😃