Exploring Network Statistics with ‘netstat’

0
1124

netstat is generally used to find the various network connections a machine has, but has other functionalities too. It may be considered obsolete by some, but can be a handy tool when network issues have to be debugged.

‘netstat’, also known as network statistics, is most commonly used for displaying current network connections in devices/machines. However, it can also be used for printing the routing table, network card statistics, etc, of the machines.

In Linux, netstat is obsolete and hence it is recommended to use a combination of ss and ip cli utilities. That being said, it is still shipped by default with major Linux distributions, and is also a cross-platform tool available in BSD systems, MacOS and even Windows. So it’s a good tool to keep in your toolset.

Understanding netstat output
While using a browser, you will definitely have a bunch of network connections. netstat is generally used to find all the network connections a machine has.

> netstat | head
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 arya:54960 a104-113-212-245.:https ESTABLISHED
tcp 0 0 arya:54958 a104-113-212-245.:https ESTABLISHED
tcp 0 0 arya:40910 52.98.58.34:https ESTABLISHED
tcp 0 0 arya:38398 52.114.159.60:https ESTABLISHED
tcp 0 0 arya:55748 13.69.109.131:https ESTABLISHED
tcp 0 0 arya:48510 52.98.59.18:https ESTABLISHED
tcp 0 0 arya:44802 lb-140-82-113-26-:https ESTABLISHED
tcp 0 0 arya:46554 ec2-65-1-252-10.a:https ESTABLISHED

The meaning of the individual columns in the output above is as follows.

Column name  Description
Proto The protocol used by the socket; e.g., TCP, UDP
Recv-Q Recv-Q If the connection has already been established, as is the case with the above output, then it refers to the count of bytes that are not copied by the user program that is connected to this socket
Send-Q Refers to the count of bytes not acknowledged by the remote host in this established connection state
Local address Address and port number of the local end of the socket
Foreign address Address and port number of the remote end of the socket
State State of the socket: Listen, Established, etc.

In the above output, you can see the various values in the ‘foreign address’ column. These are the different IP addresses the local machine is speaking to. We can also find out the process that initiated the above socket connections via the –program or -p option:

> netstat -p | head
(Not all processes can be identified; non-owned process info will not be shown, you should have the root access to view all of them.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 arya:40620 51.105.71.137:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:34078 a104-96-204-135.d:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:36442 52.113.206.194:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:36440 52.113.206.194:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:35088 52.114.133.162:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:48510 52.98.59.18:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:44802 lb-140-82-113-26-:https ESTABLISHED 2049/chrome --type=

tcp 0 0 arya:46554 ec2-65-1-252-10.a:https ESTABLISHED 2049/chrome --type=

Though a warning is given that not all processes could be identified, the output does seem to have program names in it. The name ‘arya’ under ‘local address’ is the host name in this instance. If you wanted to display IPs, you could use -n or –numeric instead:

> netstat -pn | head
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.3.107:40826 13.232.113.235:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:51168 140.82.112.25:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:48510 52.98.59.18:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:46554 65.1.252.10:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:35838 13.107.6.171:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:60932 52.114.40.56:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:35130 13.126.138.201:443 ESTABLISHED 2049/chrome --type=
tcp 0 0 192.168.3.107:45854 52.114.159.213:443 ESTABLISHED 2049/chrome --type=

In this case, it can be confirmed that the local IP address is 192.168.3.107.

> ip a show eno1
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 94:c6:91:a6:33:df brd ff:ff:ff:ff:ff:ff
altname enp0s31f6
inet 192.168.3.107/24 brd 192.168.3.255 scope global dynamic noprefixroute eno1
valid_lft 69032sec preferred_lft 58232sec
inet6 fe80::96c6:91ff:fea6:33df/64 scope link noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::4ed1:9a96:4747:eb59/64 scope link noprefixroute
valid_lft forever preferred_lft forever

One of my favourite use cases for using netstat is to see which of the ports from my machine are being exposed locally to my LAN or the Internet. You can use -l to just list the listening sockets and couple it with -t to filter the TCP protocol.

> netstat -nlt --program
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -

As in this case we are unable to see the program name, we can elevate our permission using sudo to get the result.

> sudo netstat -nlt --program
[sudo] password for sibi:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1110/sshd: /nix/sto
tcp6 0 0 :::22 :::* LISTEN 1110/sshd: /nix/sto

You can see that it’s the SSH daemon that has opened the port on 22. You can even remove the -n option so that it prints the name of the port.

> sudo netstat -lt --program
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 1110/sshd: /nix/sto
tcp6 0 0 [::]:ssh [::]:* LISTEN 1110/sshd: /nix/sto

The 0.0.0.0 at the local address indicates that it is listening on all the network interfaces (your network card, 127.0.0.1, etc). If this was 127.0.0.1, it would mean that connections are from the machine itself, and not from the network or Internet, are being listened to. If the local network IP (192.168.3.107 in this case) is displayed, it means that connections will be allowed from the local network as well.

In fact, you can make a program listen to your local network and use netstat to confirm it:

> python3 -m http.server --bind 192.168.3.107
Serving HTTP on 192.168.3.107 port 8000 (http://192.168.3.107:8000/) …
Verification can be done on another terminal session:

> sudo netstat -lnt --program
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1110/sshd: /nix/sto
tcp 0 0 192.168.3.107:8000 0.0.0.0:* LISTEN 21410/python3
tcp6 0 0 :::22 :::* LISTEN 1110/sshd: /nix/sto

Looking further
While netstat is obsolete, learning it is still valuable because of the ubiquitous nature of this tool. Having a good grasp of how to read its output will be quite handy when networking issues have to be debugged. With various functionalities, netstat has a wide scope and can be used to view even the routing table (which is usually done by IP r):

> netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.3.1 0.0.0.0 UG 0 0 0 eno1
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 wlp0s20f3
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 wlp0s20f3
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlp0s20f3
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 wlp0s20f3
192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eno1

The manual page is given under ‘References’ to understand the other functionalities that netstat provides. If you are comfortable reading its output, you will be better equipped to debug your networking problems.

LEAVE A REPLY

Please enter your comment!
Please enter your name here