25 Netstat Commands for Linux Network Management

Managing the network on a Linux system is an important task for administrators and developers. One of the most effective tools for this job is netstat. This article will cover what netstat is, why it’s important, and 25 useful netstat commands that you can use for monitoring and managing your VPS network. The commands are organized from beginner to advanced to help users of all levels.

What is Netstat?

Netstat (short for network statistics) is a command-line tool that displays detailed information about network connections, routing tables, and many network interface statistics. It provides insights into the current state of your server’s network and can be used for troubleshooting, monitoring, and analyzing network performance.

Why should you use Netstat?

Netstat is valuable for administrators who need to:

  • Monitor network connections and activity on a server.
  • Identify which ports are open and which services are listening.
  • Troubleshoot network-related issues.
  • Track real-time network performance.
  • Diagnose security vulnerabilities or unauthorized connections.

How to Install netstat on Your VPS

Before you begin, you need to make sure netstat is installed. It is part of the net-tools package, which may not be pre-installed on modern Linux distributions. Follow these installation commands based on your distribution:

Installation on Ubuntu

sudo apt update
sudo apt install net-tools

Installation on Rocky Linux / AlmaLinux

sudo dnf install net-tools

Once installed, you can start using netstat commands to manage your network.

Basic Netstat Commands

1. Display All Active Connections

netstat -a

This command shows all active network connections and listening ports. Using this tool provides insights into TCP and UDP connections and offers a clear overview of the services currently active on your VPS. It is a great way to start tracking network activity.

2. Show Only TCP Connections

To show only TCP connections on a system, use:

netstat -at

This command filters the output to show only TCP connections and excludes other protocols. It is valuable for monitoring services that rely on TCP, including web servers (HTTP/HTTPS), Secure Shell (SSH), and other data transfer services. It lets network administrators and users quickly assess the status and activity of TCP-based communications, see which connections are active, and troubleshoot services that are unreachable. This targeted view simplifies network analysis and helps ensure that critical connections are monitored.

3. Display UDP Connections

To display only active UDP connections on a system, use:

netstat -au

This command is useful for filtering network status output, specifically highlighting all ongoing UDP-based communication, which can include services like DNS lookups and streaming media. UDP (User Datagram Protocol) operates without establishing a direct connection, making it important to monitor real-time applications where speed is prioritized over reliability. By utilizing netstat -au, administrators can verify if critical UDP services are running as expected on a Virtual Private Server (VPS) and identify any connections that could indicate performance or security issues.

4. Display Network Statistics

netstat -s

netstat -s prints a summary of network statistics grouped by protocol. It reports data about network activity: the total number of packets received and sent, the number of packet errors, and protocol-specific information for TCP, UDP, and ICMP. With this command, administrators can assess traffic patterns, check for packet loss, and get a picture of overall network performance. It is especially useful for troubleshooting network problems, keeping track of activity, and reporting on the health of network communications on a system.

5. List Listening Ports

netstat -l

The netstat -lt command is used to display all listening TCP sockets, showing services that are ready to accept incoming connections. This command is useful for identifying which ports are actively awaiting connections, helping in network diagnostics, and ensuring that crucial services are functioning correctly. 

netstat -lt   # TCP listening ports

netstat -lu lists all active UDP listening ports. Using these commands, system administrators can verify that services like HTTP, HTTPS, FTP, and SSH are available for client connections, and can improve control over server operations and network security by monitoring which ports are open.

netstat -lu   # UDP listening ports

Detailed Network Information

6. Display Process ID (PID) and Program Name

netstat -p

The netstat -p command shows active connections together with the PID (Process ID) and name of the program that owns each one. Administrators need this to trace a particular network connection back to the process that created it. With the list of PIDs, you can tell which applications are responsible for which network activity, which helps with troubleshooting network problems, managing server resources, and spotting unauthorized or unusual applications.

Additionally, the netstat -ap command extends netstat -p: it displays connections with their associated PIDs and program names and includes both listening and non-listening sockets in its output. This wider view lets administrators see which processes are bound to open ports as well as which ones hold active connections, giving a full picture of network activity on the system. It is invaluable for monitoring all running services, detecting potential issues, and troubleshooting connectivity problems, and reviewing it regularly supports the security of the system.

netstat -ap

7. Show the Routing Table

netstat -r

The netstat -r command displays the system's routing table. It shows how data packets are routed through the network, along with the gateway, netmask, flags, and interface used for each route. Network administrators can consult it when diagnosing routing issues or checking that traffic takes the intended path. In a complex VPS environment, it helps verify the routing configuration and diagnose connectivity problems by showing the default routes alongside the specific paths for data.

8. Display Network Interfaces

The netstat -i command shows detailed statistics for each network interface on the system. It provides data on packet transmission and reception, such as the number of packets received (RX-OK), the number of packets transmitted (TX-OK), packet errors, and dropped packets. It is used to diagnose network performance problems and check the reliability of network interfaces.

netstat -i

By adding the -e option (as in netstat -ie), users can access extended information that includes dropped packets, errors, and more comprehensive metrics on data flow. It is critical for identifying potential issues, like packet loss or transmission errors on specific interfaces, when monitoring VPS performance and connectivity.

netstat -ie

9. Real-Time Monitoring of Connections

The watch netstat -at command is effective for real-time monitoring of active TCP connections. Combining watch with netstat -at refreshes the output at regular intervals (the default is every 2 seconds), enabling continuous observation of network activity. The output shows the current state of each TCP connection, such as LISTEN, ESTABLISHED, or TIME_WAIT, along with the associated local and foreign addresses. It is practical for tracking dynamic network changes, diagnosing network issues, and verifying connection states during troubleshooting, and it helps system administrators oversee server health and detect connection anomalies in a VPS environment.

watch netstat -at

Combining watch with netstat updates the output every two seconds. This real-time view is practical for observing live network activity during troubleshooting.

Monitoring and Security

10. Filter Established Connections

netstat -at | grep ESTABLISHED

Piping netstat -at through grep ESTABLISHED is a simple way to display only established TCP connections on your system. It gives administrators a view of ongoing sessions, helps track user activity, and shows whether connections to various services are healthy and responsive. On a VPS where user sessions are tracked continuously, this is a useful technique for security and performance oversight. Isolating established connections lets you quickly see which services are (or are not) active and confirm that crucial applications maintain stable connections to users or external services.

11. Monitor a Specific Port

netstat -an | grep ':80'

The netstat -an | grep ':80' command helps monitor the activity of a specific port by filtering results to display connections associated with port 80, commonly used for HTTP traffic. By replacing :80 with any port number, you can track traffic for other important services like SSH (22) or HTTPS (443). It is useful for administrators who need to make sure specific services are running and accessible, or to identify suspicious connections that could indicate a potential security issue.

12. Display IPs and Ports in Numeric Format

netstat -n

The netstat -n command displays IP addresses and port numbers in numeric form rather than resolving them into host names. Because it skips the DNS lookup step, the output appears faster and shows raw IP addresses and port numbers, which is helpful when you need to process network data quickly or want exact, unresolved IP information. It is a very useful option when debugging network performance or fixing connection problems in a VPS environment.

13. Identify Connection States

netstat -tuln

The netstat -tuln command provides a clear overview of all listening TCP and UDP ports, displaying their current states, such as LISTEN or ESTABLISHED. The -t and -u flags filter the output to show TCP and UDP connections, respectively, while the -l option lists only those that are actively listening for connections. The -n flag makes sure that the output displays in numeric form, bypassing DNS resolution for faster results. It is highly useful for administrators seeking to identify which services are currently accepting connections or are actively engaged, offering insight into network readiness and activity across a VPS.

14. Detect Half-Open Connections

netstat -at | grep SYN_SENT

This command helps identify half-open connections in the SYN_SENT state, which occur when a connection has been initiated but not completed. It is useful for diagnosing potential network issues, such as stalled connections or signs of a SYN flood attack, a type of DoS attack where an attacker sends many SYN requests without completing the handshake. Regularly checking for half-open connections can help network administrators spot unusual patterns and reinforce the network’s defenses against such attacks.
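
As an added example (not part of the original article), the script below counts TCP states from netstat -atn output and flags a build-up of half-open connections. SYN_SENT marks outbound attempts from this host, while a server receiving a SYN flood shows the half-open entries as SYN_RECV, so both are counted; the sample rows, the documentation-range addresses, and the function names tcp_state_counts and half_open_check are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize TCP states and flag half-open connection build-up.

# Constructed sample of `netstat -atn` output (documentation-range addresses).
sample_conns() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:443        198.51.100.21:40112     SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.22:40113     SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.23:40114     SYN_RECV
tcp        0      0 203.0.113.10:443        198.51.100.24:40115     SYN_RECV
tcp        0      0 203.0.113.10:443        192.0.2.8:52100         ESTABLISHED
tcp        0      1 203.0.113.10:39000      192.0.2.77:5432         SYN_SENT
tcp        0      0 203.0.113.10:443        192.0.2.9:52200         TIME_WAIT
EOF
}

# tcp_state_counts: read netstat output on stdin, print "<STATE> <count>".
tcp_state_counts() {
    awk '$1 ~ /^tcp/ { n[$6]++ } END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# half_open_check LIMIT: print half-open totals and the local ports holding
# SYN_RECV entries; return 1 when the SYN_RECV total exceeds LIMIT.
half_open_check() {
    awk -v limit="$1" '
        $1 ~ /^tcp/ && $6 == "SYN_SENT" { outbound++ }
        $1 ~ /^tcp/ && $6 == "SYN_RECV" {
            inbound++
            port = $4; sub(/.*:/, "", port)   # local port after the last colon
            by_port[port]++
        }
        END {
            printf "SYN_RECV=%d SYN_SENT=%d\n", inbound, outbound
            for (p in by_port) printf "port %s: %d half-open\n", p, by_port[p]
            exit (inbound > limit ? 1 : 0)
        }'
}

# On a live host: netstat -atn | half_open_check 100   (the limit is site-specific)
sample_conns | tcp_state_counts
sample_conns | half_open_check 3 || echo "ALERT: SYN_RECV above limit"
```
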

Advanced Filtering and Troubleshooting

15. Filter by IP Address

netstat -an | grep '192.168.1.1'

This command filters connections by a client or server IP address, allowing you to narrow the output down to communications with that one host. By replacing 192.168.1.1 with any address you like, you gain insight into network interactions involving that endpoint, which is useful for investigating suspicious activity, verifying connections to critical servers, or confirming that particular IPs are engaged in legitimate traffic. It is a way to focus debugging output and make correlation easier during analysis on a VPS.

16. Identify Open Ports

netstat -tuln | grep LISTEN

This command is a good way to see the open, listening ports on your system. It lets administrators focus only on listening ports and see which services are currently accepting incoming connections. The flags provide the important details: t for TCP, u for UDP, l to list listening ports, and n to show numeric IPs and ports; adding p also prints the PID and program name of the process that owns each port. This check is vital to securing network services, because it quickly identifies open ports that may need to be restricted to protect the system from unauthorized access or attacks. Review open ports regularly, and make sure that services needed only by the server itself are not exposed to the whole network.
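
An added example, not from the original article: the script below reads netstat -tulnp output and reports listeners reachable from outside the host, then checks them against a port allowlist. It matches on the bind address instead of grep LISTEN, because UDP sockets have an empty State column and are dropped by that filter; the sample rows, the allowlist values, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: list listeners bound beyond loopback and compare to an allowlist.

# Constructed sample of `netstat -tulnp` output (run as root to see every PID).
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1210/redis-server
tcp        0      0 203.0.113.10:8443       0.0.0.0:*               LISTEN      1500/java
tcp6       0      0 :::80                   :::*                    LISTEN      950/nginx
tcp6       0      0 ::1:5432                :::*                    LISTEN      1300/postgres
udp        0      0 127.0.0.53:53           0.0.0.0:*                           640/systemd-resolve
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           701/avahi-daemon
EOF
}

# exposed_listeners: print "<proto> <port> <scope> <program>" for every
# listener that is not bound to a loopback address.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|udp)/ {
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            addr = $4; port = $4
            sub(/:[^:]*$/, "", addr)    # bind address (":::80" becomes "::")
            sub(/.*:/, "", port)        # port after the last colon
            if (addr ~ /^127\./ || addr == "::1") next   # host-local only
            scope = (addr == "0.0.0.0" || addr == "::") ? "all-interfaces" : addr
            prog = $NF; sub(/^[0-9]+\//, "", prog)       # "812/sshd" becomes "sshd"
            print $1, port, scope, prog
        }
    ' | LC_ALL=C sort -k2,2n -k1,1
}

# unexpected_listeners "22 80 443": exposed listeners whose port is not allowed.
unexpected_listeners() {
    exposed_listeners | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok)
    '
}

# On a live host: sudo netstat -tulnp | unexpected_listeners "22 80 443"
sample_listeners | unexpected_listeners "22 80 443"
```
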

17. Find Non-Root Program Connections

netstat -ape | grep -v 'root'

This command lists network connections and processes that the root user doesn’t own. The -e option adds the User column to the output, which the grep -v 'root' filter needs in order to drop root-owned entries. This can be useful for detecting user-specific programs that consume network resources and for identifying suspicious or unauthorized network activity. Administrators can review the connections of non-root users to see whether network services are running in the context of standard user accounts or whether potentially rogue processes are using the network, either of which might lead to security holes. Focusing on these connections supports tighter security monitoring and resource management on a VPS, keeping network activity in line with what is expected.

18. Locate High-Traffic Services

netstat -at | sort

This command sorts the output of network connections, which makes it easier to identify which services are handling the most connections. With the results sorted, you can quickly pinpoint which services or ports are frequently accessed, which is particularly useful during performance evaluations and load monitoring. This insight helps manage server resources, optimize service configurations, and identify potential areas for scaling up infrastructure. In a VPS environment, knowing which services are most utilized helps prioritize resource allocation and manage traffic patterns to maintain optimal performance and reliability.

Logging and Output Customization

19. Save Netstat Output to a File

netstat -s > /tmp/netstat_report.txt

Redirecting the detailed network statistics to a file gives you a snapshot to use later as a reference or in a report. Network administrators can save the data for analysis, comparisons over time, or documentation. This is particularly useful when troubleshooting recurring network problems or generating reports on network performance or usage. The saved output can be viewed later with tools like cat and less, or imported into analysis software for further examination. This practice supports comprehensive network monitoring as well as efficient problem-solving in a VPS environment.

20. Customize Output with AWK

netstat -an | awk '{print $1, $4, $5}'

AWK is a text-processing tool that lets you customize the output of the netstat command. With it, administrators can extract and show only certain columns of data, which simplifies a particular type of analysis. In this example, $1 is the protocol, $4 is the local address, and $5 is the foreign address. Tailoring the output this way brings specific network details into focus without distracting clutter, which aids quick diagnosis of network status. AWK with netstat gives you a simple, easy-to-read view of the data, which is great for efficient troubleshooting or monitoring in a VPS environment.

21. Combine grep and awk for Precision

netstat -atn | grep ':22' | awk '{print $5}'

Together, grep and awk are a powerful combination for filtering and refining netstat output. In this example, grep filters connections on port 22 (commonly associated with SSH), while awk extracts and displays the fifth column (usually the remote IP address). This quick approach is convenient for auditing SSH connections on the server to identify incoming connections and their sources. Such targeted analysis is important for security monitoring: it helps make sure that only authorized users can access critical services on a VPS and supports real-time threat detection and analysis.
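
An added example, not from the original article, that tightens this pipeline and the port filter from command 11: grep ':22' also matches ports such as 2222 and outbound connections to a remote port 22, so the script compares the local port exactly and counts established connections per remote IP. The sample rows, the documentation-range addresses, and the function name peers_on_port are constructed for illustration.

```shell
#!/bin/sh
# Added example: count remote peers connected to one exact local port.

# Constructed sample of `netstat -atn` output (documentation-range addresses).
sample_atn() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:22         198.51.100.7:51514      ESTABLISHED
tcp        0      0 203.0.113.10:22         198.51.100.7:51620      ESTABLISHED
tcp        0      0 203.0.113.10:22         192.0.2.44:40022        ESTABLISHED
tcp        0      0 203.0.113.10:2222       192.0.2.99:51000        ESTABLISHED
tcp        0      0 203.0.113.10:48122      192.0.2.50:22           ESTABLISHED
tcp6       0      0 2001:db8::10:22         2001:db8::beef:39412    ESTABLISHED
EOF
}

# peers_on_port PORT: read netstat -atn output on stdin and print
# "<count> <remote-ip>" for ESTABLISHED connections whose local port is PORT,
# busiest peer first.
peers_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            lport = $4; remote = $5
            sub(/.*:/, "", lport)          # local port after the last colon
            if (lport != port) next        # exact match: 2222 is not 22
            sub(/:[^:]*$/, "", remote)     # strip the remote port, keep the IP
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | LC_ALL=C sort -k1,1nr -k2,2
}

# On a live host: netstat -atn | peers_on_port 22
sample_atn | peers_on_port 22
```
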

Specialized Commands

22. Monitor Protocol-Specific Usage

netstat -s | grep -E 'Tcp|Udp'

This command is useful for analyzing usage statistics for the TCP and UDP protocols. It helps network admins determine which protocol is used most on a VPS, which in turn helps when setting up network services or tuning performance. netstat with the -s flag gives detailed statistics such as packet counts, retransmissions, and errors for each protocol. Adding grep -E filters the output down to the protocol information of interest, which supports network monitoring, analysis, and troubleshooting focused on the health of those protocols.

23. Display IPv6 Traffic

netstat -A inet6

This command is used to display active IPv6 connections. It is very relevant for environments configured for dual-stack (both IPv4 and IPv6) operations. By using this command, administrators can monitor IPv6 traffic, ensuring that connectivity and data flow are working correctly for IPv6-based services. This feature helps diagnose configuration issues and confirm that all network protocols are functioning as expected, which is particularly useful as more systems migrate to or include IPv6 compatibility.

24. Show Packet Statistics

netstat -i | awk '{print $1, $3, $7}'

This command displays packet statistics by interface, including the number of received (RX-OK) and transmitted (TX-OK) packets. Such customized output helps determine which interface is handling high traffic or experiencing packet loss, and informs what remedial measures to take, such as tweaking network configurations or increasing bandwidth. Knowing this is crucial for keeping a stable VPS with a healthy network.

25. Combine Netstat with SS for In-Depth Analysis

ss -s; netstat -s

Combining the output of ss (socket statistics) and netstat provides a detailed analysis of network performance. Run both with the command ss -s; netstat -s. The ss command supplies the socket details, and netstat -s supplies the protocol statistics. Together they give a complete picture of socket-level detail and protocol usage, which makes it possible to diagnose network conditions in depth for more comprehensive troubleshooting and performance optimization. With this dual-layer analysis, administrators can address connection-specific issues as well as general network health.

Conclusion

Knowing and using netstat commands can transform how you monitor and manage network activity on your VPS. These 25 commands equip you with the tools needed to troubleshoot, secure, and optimize your network connections. Regular use of these commands will improve your ability to maintain server reliability and security.

About the writer

Vinayak Baranwal Article Author

This article was written by Vinayak Baranwal. For more insightful content or collaboration opportunities, feel free to connect with Vinayak on LinkedIn through the provided link.
