Managing the network on a linux system is an important task for administrators and developers. One of the most effective tools for this job is netstat. This article will cover what netstat is, why it’s important, and 25 useful netstat commands that you can use for monitoring and managing your VPS network. The commands are organized from beginner to advanced to help users of all levels.
What is Netstat?
Netstat (short for network statistics) is a command-line tool that displays detailed information about network connections, routing tables, and many network interface statistics. It provides insights into the current state of your server’s network and can be used for troubleshooting, monitoring, and analyzing network performance.
Why should you use Netstat?
Netstat is valuable for administrators who need to:
- Monitor network connections and activity on a server.
- Identify which ports are open and which services are listening.
- Troubleshoot network-related issues.
- Track real-time network performance.
- Diagnose security vulnerabilities or unauthorized connections.
How to Install netstat on Your VPS
Before you begin, you need to make sure netstat is installed. It is part of the net-tools package, which may need to be pre-installed on modern Linux distributions. Follow these installation commands based on your distribution:
Installation on Ubuntu
sudo apt update
sudo apt install net-tools
Installation on Rocky Linux / AlmaLinux
sudo dnf install net-tools
Once installed, you can start using netstat commands to manage your network.
Basic Netstat Commands
1. Display All Active Connections
netstat -a
This command shows all active network connections and listening ports. Using this tool provides insights into TCP and UDP connections and offers a clear overview of the services currently active on your VPS. It is a great way to start tracking network activity.
2. Show Only TCP Connections
To show only TCP connections on a system, use:
netstat -at
This command filters the network status output to focus solely on active TCP connections, excluding any unrelated protocols. It is very valuable for monitoring services that rely on the TCP protocol, including web servers (HTTP/HTTPS), Secure Shell (SSH), and other data transfer services. This command allows network administrators and users to quickly assess the status and activity of TCP-based communications, to see what active connections are present, and to resolve problems with inaccessible service. This targeted view simplifies network analysis and checks that critical connections are monitored.
3. Display UDP Connections
To display only active UDP connections on a system, you can use
netstat -au
This command is useful for filtering network status output, specifically highlighting all ongoing UDP-based communication, which can include services like DNS lookups and streaming media. UDP (User Datagram Protocol) operates without establishing a direct connection, making it important to monitor real-time applications where speed is prioritized over reliability. By utilizing netstat -au, administrators can verify if critical UDP services are running as expected on a Virtual Private Server (VPS) and identify any connections that could indicate performance or security issues.
4. Display Network Statistics
netstat -s
netstat -s is a command that gives you a network statistics summary by protocol. They are used to dispel data concerning the network activity: in total, the number of received and sent packets, the number of packet errors, and protocol-specific information for TCP, UDP, and ICMP. With this command, administrators can assess traffic patterns, possess data regarding packet loss and whatnot, and learn about the network performance in general. Because it’s especially great for troubleshooting network problems and keeping track of activities, as well as reporting on the health of network communications on a system. The summary is helpful for network management as well as for troubleshooting.
5. List Listening Ports
netstat -l
The netstat -lt command is used to display all listening TCP sockets, showing services that are ready to accept incoming connections. This command is useful for identifying which ports are actively awaiting connections, helping in network diagnostics, and ensuring that crucial services are functioning correctly.Â
netstat -lt # TCP listening ports
netstat -lu will list all active UDP listening ports for monitoring. Using these commands, system administrators can verify the availability of services like HTTP, HTTPS, FTP, and SSH to client connections to provide better control over server operations and server network security by monitoring which open ports are available.
netstat -lu # UDP listening ports
Detailed Network Information
6. Display Process ID (PID) and Program Name
netstat -p
The netstat -p command shows active connections, the PID (Process ID), and the names of the programs running their associated programs. Admins, however, desperately need this feature in order to trace the processes generating a particular network connection back to them. With the list of PIDs, users can tell what applications are talking to what network actions, which can be used for network problem troubleshooting, resource management on servers, and determining Unauthorized or odd applications.
Additionally, the netstat -ap command extends the capabilities of netstat -p by not only displaying active connections with their associated process IDs (PIDs) and program names but also including both listening and non-listening sockets in its output. This wide-picture view is also of use for administrators because then they can see which processes are hooked to open ports as well as the ones that have to be connected, giving them a full picture of network activity on the system. This tool is invaluable in providing a detailed analysis with the ability to monitor all running services, detect potential issues, and troubleshoot connectivity problems. The security of the process is increased through the use of netstat -ap.
netstat -ap
7. Show the Routing Table
netstat -r
A worthwhile rule is that the netstat -r command gives a detailed insight into routed systems. It shows us how the data packets are managed, where they are being sent through the network, and what gateway, netmask, flags, and interface to use. It gives network administrators something to look through when experiencing routing issues or when the correct network data flows should be going. In a complex VPS environment, it helps verify a correct routing configuration and diagnose connectivity problems by showing default routes with specific paths for data.
8. Display Network Interfaces
netstat -i command is used to show detailed statistics of each network interface of the system. It brings valuable data on packet transmission and reception like the number of packets received (RX-OK), the number of packets transmitted (TX-OK), packet errors, and dropped. This process is used to diagnose network performance problems and check network interface reliability.
netstat -i
By adding the -e option (as in netstat -ie), users can access extended information that includes dropped packets, errors, and more comprehensive metrics on data flow. It is critical for identifying potential issues, like packet loss or transmission errors on specific interfaces, when monitoring VPS performance and connectivity.
netstat -ie
9. Real-Time Monitoring of Connections
The watch netstat -at command is highly effective for real-time monitoring of active TCP connections; by combining the watch with netstat -at, the output refreshes at regular intervals (default is every 2 seconds), enabling continuous observation of network activity. This command displays the current state of each TCP connection, such as LISTEN, ESTABLISHED, or TIME_WAIT, along with the associated local and foreign addresses. It is important and practical for tracking dynamic network changes, diagnosing network issues, and verifying connection states during troubleshooting. It’s invaluable for system administrators overseeing server health and detecting potential connection anomalies in a VPS environment.
watch netstat -at
Combining the watch with netstat updates the output every two seconds. This real-time view is practical for observing live network activity during troubleshooting.
Monitoring and Security
10. Filter Established Connections
netstat -at | grep ESTABLISHED
One simple practice of filtering and displaying only active TCP connections on your system is the netstat -at | grep ESTABLISHED command. This tool gives administrators a view into ongoing sessions and tracks user activity, as well as lets them know when connections to various services are healthy and responsive. However, for a VPS with continuous tracking of user sessions, this is a very rewarding technique for security and performance oversight. Isolating established connections lets you quickly see which services are (or are not) active. It confirms when and if crucial apps are staying within safe, stable connections to users or external services.
11. Monitor a Specific Port
netstat -an | grep ':80'
The netstat -an | grep ‘:80’ command helps monitor the activity of a specific port by filtering results to display connections associated with port 80, commonly used for HTTP traffic. By replacing:80 with any port number, you can track traffic for other important services like SSH (22) or HTTPS (443). It is crucial for administrators who need to make sure specific services are running and accessible or to identify suspicious connections that could indicate a potential security issue.
12. Display IPs and Ports in Numeric Format
netstat -n
It displays IP addresses and port numbers in their numeric format rather than resolving them into host names by netstat -n. This command skips the DNS lookup step, so IP addresses can be identified faster and simply with port numbers helpful when you have network data to process with time restrictions or when you deal with ‘raw’ and perfect IP information. It is a very useful feature if you are trying to debug network performance or trying to fix connection problems in the VPS environment.
13. Identify Connection States
netstat -tuln
The netstat -tuln command provides a clear overview of all listening TCP and UDP ports, displaying their current states, such as LISTEN or ESTABLISHED. The -t and -u flags filter the output to show TCP and UDP connections, respectively, while the -l option lists only those that are actively listening for connections. The -n flag makes sure that the output displays in numeric form, bypassing DNS resolution for faster results. It is highly useful for administrators seeking to identify which services are currently accepting connections or are actively engaged, offering insight into network readiness and activity across a VPS.
14. Detect Half-Open Connections
netstat -at | grep SYN_SENT
This command helps identify half-open connections in the SYN_SENT state, which occur when a connection has been initiated but not completed. It is useful for diagnosing potential network issues, such as stalled connections or signs of an SYN flood attack—a type of DoS attack where an attacker sends many SYN requests without completing the handshake. Regularly checking for half-open connections can help network administrators spot unusual patterns and reinforce the network’s defense against such vulnerabilities.
Advanced Filtering and Troubleshooting
15. Filter by IP Address
netstat -an | grep '192.168.1.1'
This command filters connections based on some client or server IP address, allowing you to tidy down communications from one such client or server. By replacing 192.168.1.1 with any address you desire, you gain insight into network interactions involving that endpoint and, more importantly, for troubleshooting suspicious activity, verifying connection to critical servers, or verifying that particular IPs are actively engaged in legitimate traffic. Again, this can be used to target debug output and increase correlation for analysis on a VPS.
16. Identify Open Ports
netstat -tuln | grep LISTEN
This command is a very good way to see available open and listening ports in your system. This command is useful to administrators to focus only on listening ports while viewing which services are currently active for incoming connections. The flags used here provide important details: -p to print clear PID and port information for the specified process, t for TCP, u for UDP, l to list listening ports, and n to show numeric IPs and ports. It is absolutely vital to securing network services and can quickly identify open ports that may be required to be restricted to limit the system to unauthorized access or attacks. To keep the open ports regular, make sure that services that are important only to the server should be exposed, not the whole network.
17. Find Non-Root Program Connections
netstat -ap | grep -v 'root'
It filters out network connections and processes that the root user doesn’t own. This feature can be useful when detecting user-specific programs that are consuming network resources, leading to the determination of the suspect or illegal network activities. Administrators can review the connections to non-root users and see whether network services are running in the context of standard user accounts or whether potentially rogue processes are utilizing the network, both of which might lead to security holes. By focusing on this approach, they are able to handle a VPS more tightly, maintaining more locking security monitoring and resource management to keep network activity on par with what they expect.
18. Locate High-Traffic Services
netstat -at | sort
The command allows administrators to sort the output of network connections, which makes it easier to identify which services are handling the most connections. By sorting the results, you can quickly pinpoint which services or ports are frequently accessed, which is particularly useful during performance evaluations and load monitoring. This insight helps manage server resources, optimize service configurations, and identify potential areas for scaling up infrastructure. In a VPS environment, which services are most utilized helps prioritize resource allocation and manage traffic patterns to maintain optimal performance and reliability.
Logging and Output Customization
19. Save Netstat Output to a File
netstat -s > /tmp/netstat_report.txt
Users can save the detailed output of the network statistics to a file, thus providing a safe way to get a network statistics snapshot to be used as a reference or report. Network administrators can save the data for analysis, comparisons over time, or documentation by redirecting output to a file. It is useful particularly when trying to troubleshoot recurring network problems or when trying to generate reports on network performance or usage. It can be used to view the saved output later on using tools like Cat and Less, or it can be used to import them into an analysis software for continued examination. This practice serves for comprehensive network monitoring as well as for efficient problem-solving in a VPS environment.
20. Customize Output with AWK
netstat -an | awk '{print $1, $4, $5}'
AWK is a Text processing tool that allows you to customize what is output by using it in the netstat command. This approach makes it possible for administrators to pull and show only certain columns of data, simplifying a particular type of analysis. In this example, $4 is the local address and $5 is the foreign address, $1 is meant to be the protocol. The output can be tailored such that specific network details can be more clearly focused without distracting clutter, which aids in immediate diagnoses of network status. AWK with netstat allows you to create a simple, easy-to-read data view on a narrow file structure, which is great for efficient troubleshooting or monitoring in a VPS environment.
21. Combine grep and awk for Precision
netstat -atn | grep ':22' | awk '{print $5}'
These are a powerful combination that filters and refines the netstat output. In this example, grep is used to filter connections on port 22 (commonly associated with SSH), awk extracts and displays the fifth column (remote IP address usually), while awk extracts and displays the fifth column. This quick and easy approach is convenient for auditing SSH connections on the server to identify incoming connections and their sources. Monitoring security using such targeted analysis is important to monitor security and make sure that only authorized users can access critical services on a VPS and, thereby, in real time, help threat detection and analysis.
Specialized Commands
22. Monitor Protocol-Specific Usage
netstat -s | grep -E 'Tcp|Udp'
It is useful in the analysis of particular usage statistics of TCP and UDP protocols. This chart is very useful for network admins who want to determine what protocol is the most used on a VPS to help set up network services or adjust for performance. netstat with the -s flag will give you detailed statistics on how many packet counts, retransmissions, and errors for certain protocols. Integration of grep −E facilitates the display of only the necessary protocol packets by filtering out the output of the protocol information, enabling network monitoring, analysis, or troubleshooting of network health for instances based upon your protocol health.
23. Display IPv6 Traffic
netstat -A inet6
This command is used to display active IPv6 connections. It is very relevant for environments configured for dual-stack (both IPv4 and IPv6) operations. By using this command, administrators can monitor IPv6 traffic, ensuring that connectivity and data flow are working correctly for IPv6-based services. This feature helps diagnose configuration issues and confirm that all network protocols are functioning as expected, which is particularly useful as more systems migrate to or include IPv6 compatibility.
24. Show Packet Statistics
netstat -i | awk '{print $1, $3, $7}'
This command will probe packet statistics by interface, including the number of received (RX-OK) and number of transmitted (TX-OK) packets. Such customized outputs help to determine the interface responsible for high traffic handling or experiencing packet loss and inform with what remedial measures to take, including tweaking network configurations or increasing bandwidth. Knowing this is crucial when trying to keep a stable, stable VPS with a good network.
25. Combine Netstat with SS for In-Depth Analysis
ss -s; netstat -s
The combination of the output of ss (socket statistics) and netstat provides a detailed analysis of network performance and can be used to get it using the command: ss -s; netstat -s. The socket details for the ss command and the protocol statistics offered by netstat -s. Incorporating these two gives one a complete picture of the details of socket level and usage of the protocol; this provides a means to diagnose the details of network conditions to facilitate more comprehensive troubleshooting and performance optimization. By working with this dual-layer analysis, administrators are able to address connection-specific issues as well as general network health properly.
Conclusion
Knowing and using netstat commands can transform how you monitor and manage network activity on your VPS. These 25 commands equip you with the tools needed to troubleshoot, secure, and optimize your network connections. Regular use of these commands will improve your ability to maintain server reliability and security.
About the writer
This article was written by Vinayak Baranwal, For more insightful content or collaboration opportunities, feel free to connect with Vinayak on LinkedIn through the provided link.