Linux has various commands for finding network information. In this post we discuss the netstat command, which is very useful for checking Linux network statistics, connections and interfaces.
Like ifconfig, this command is obsolete and has been superseded by the ss command, but plenty of Linux administrators and users still use it to find network information.
So let's work through some examples to understand the netstat command and its usage, along with Linux network information.

List all ports

To be honest, I have never needed to check all ports on a machine; usually I need to check a specific port or the state of particular connections. But sometimes we need the complete details of every port that is using a resource on the current machine.

netstat -a

The above command lists all ports: listening, established, IP, Unix and so on. On a busy machine this can be a very long list. To make it more readable, we can pipe it through the more or less commands, as below.

netstat -a | less

   or 


netstat -a | more

TCP or UDP connection only

netstat can filter connections by type, TCP or UDP, with the simple -t or -u options.

netstat -ta

or 

Example
netstat -ta
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost.localdo:mysql 0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:5588            0.0.0.0:*               LISTEN     
tcp        0      0 localhost.localdom:smtp 0.0.0.0:*               LISTEN     
tcp        0     36 srv1:5588               b0fde5fe.bb.sky.c:37340 ESTABLISHED
tcp6       0      0 [::]:http               [::]:*                  LISTEN     
tcp6       0      0 srv1:http               srv1:48356              TIME_WAIT  
tcp6       0      0 srv1:http               webmail.ozone.bg:43246  TIME_WAIT  
tcp6       0      0 srv1:http               8.29.198.26:17993       TIME_WAIT  

In the above command we asked for all TCP connections. If we use just the -t option, netstat does not show sockets in the LISTEN state; it shows only connections in states such as ESTABLISHED and TIME_WAIT.

netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0     36 srv1:5588               b0fde5fe.bb.sky.c:37340 ESTABLISHED
tcp        0      0 srv1:48356              srv1:http               ESTABLISHED
tcp6       0      0 srv1:http               srv1:48356              ESTABLISHED
tcp6       0      0 srv1:http               8.29.198.26:17993       ESTABLISHED

In the same way we can ask for UDP connections, as below.

netstat -u

   or 

netstat -au

Show listening ports

Sometimes we just need to know the listening ports on a machine: for example, the port on which an Apache server is serving a website (port 80, the default HTTP port), or the port on which the Linux machine's SSH daemon is reachable (port 22, the default SSH port). Once we start these daemons or services, they occupy these ports, and clients can connect to the services on them.

To view all listening ports and their details, I usually use the command below.

netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:513        0.0.0.0:*           LISTEN      5525/xinetd     
tcp        0      0 0.0.0.0:1090       0.0.0.0:*           LISTEN      -               
tcp        0      0 0.0.0.0:5666       0.0.0.0:*           LISTEN      5579/nrpe       
tcp        0      0 0.0.0.0:514        0.0.0.0:*           LISTEN      5525/xinetd     
tcp        0      0 0.0.0.0:902        0.0.0.0:*           LISTEN      5379/rpc.statd  
tcp        0      0 0.0.0.0:873        0.0.0.0:*           LISTEN      5525/xinetd     
tcp        0      0 0.0.0.0:587        0.0.0.0:*           LISTEN      5603/sendmail   
tcp        0      0 0.0.0.0:79         0.0.0.0:*           LISTEN      5525/xinetd     
tcp        0      0 0.0.0.0:111        0.0.0.0:*           LISTEN      5260/rpcbind    
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN      5514/sshd       
tcp        0      0 0.0.0.0:23         0.0.0.0:*           LISTEN      5525/xinetd     
tcp        0      0 127.0.0.1:25       0.0.0.0:*           LISTEN      5603/sendmail   

Above, I used several options together (ntlp), which provide the following details:
-n — This option is used to show port number instead of service
-t — This option is used to show TCP socket only
-l — This option is used to show listening port only
-p — This option is used to show program name which is using this port

We can build our commands from these options according to our requirements. For example:

-u — Will show udp ports

netstat -nlpu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address         Foreign Address     PID/Program name  
udp        0      0 0.0.0.0:68            0.0.0.0:*           4974/dhclient     
udp        0      0 0.0.0.0:111           0.0.0.0:*           5260/rpcbind      
udp        0      0 10.36.13.52:123       0.0.0.0:*           8284/ntpd         
udp        0      0 127.0.0.1:123         0.0.0.0:*           8284/ntpd         
udp        0      0 0.0.0.0:123           0.0.0.0:*           8284/ntpd         
udp        0      0 127.0.0.1:517         0.0.0.0:*           5525/xinetd       
udp        0      0 127.0.0.1:518         0.0.0.0:*           5525/xinetd       
udp        0      0 0.0.0.0:631           0.0.0.0:*           5055/portreserve  
udp        0      0 0.0.0.0:636           0.0.0.0:*           5055/portreserve  
udp        0      0 0.0.0.0:647           0.0.0.0:*           5055/portreserve  
udp        0      0 0.0.0.0:657           0.0.0.0:*           5566/rpc.rstatd   
udp        0      0 0.0.0.0:750           0.0.0.0:*           5055/portreserve  
udp        0      0 0.0.0.0:771           0.0.0.0:*           5260/rpcbind      
udp        0      0 0.0.0.0:783           0.0.0.0:*           5055/portreserve  
udp        0      0 0.0.0.0:847           0.0.0.0:*           5055/portreserve  
udp        0      0 127.0.0.1:891         0.0.0.0:*           5379/rpc.statd    
udp        0      0 0.0.0.0:902           0.0.0.0:*           5379/rpc.statd    
udp        0      0 0.0.0.0:1090          0.0.0.0:*           -                 
udp        0      0 0.0.0.0:49710         0.0.0.0:*           5081/rsyslogd     

On the above machine we can see the various UDP ports in listening mode (because we used the -l option).
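
An added example, not part of the original post: a small shell filter that reads netstat -ntlp or netstat -nlpu output and marks each listener as LOCAL (loopback only) or EXPOSED (bound to any other address), which is usually the first question when reviewing what a machine offers to the network. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): classify listening sockets.
# Input on stdin: output of `netstat -ntlp` and/or `netstat -nlpu`.

# Constructed sample in the same layout as the listings above.
sample_listeners() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN      5514/sshd
tcp        0      0 0.0.0.0:23         0.0.0.0:*           LISTEN      5525/xinetd
tcp        0      0 0.0.0.0:1090       0.0.0.0:*           LISTEN      -
tcp        0      0 127.0.0.1:25       0.0.0.0:*           LISTEN      5603/sendmail
tcp6       0      0 :::80              :::*                LISTEN      6001/httpd
udp        0      0 127.0.0.1:123      0.0.0.0:*                       8284/ntpd
EOF
}

# Print "SCOPE proto addr:port owner" for every listener.
# SCOPE is LOCAL for loopback binds (127.x, ::1) and EXPOSED for anything else.
audit_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            # Split at the LAST colon so IPv6 forms such as :::80 parse correctly.
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[^:]*$/, "", addr)
            # UDP rows have an empty State column, so locate the PID/Program
            # field by shape instead of by position.
            owner = "-"
            for (i = 6; i <= NF; i++)
                if ($i == "-" || $i ~ /^[0-9]+\//) { owner = $i; break }
            # "-" means netstat could not name the owner (not run as root,
            # or the socket belongs to the kernel).
            if (owner == "-") owner = "unknown-owner"
            scope = (addr ~ /^127\./ || addr == "::1") ? "LOCAL" : "EXPOSED"
            printf "%s %s %s:%s %s\n", scope, $1, addr, port, owner
        }'
}

# Listeners reachable from other hosts, subject to firewall rules.
exposed_listeners() { audit_listeners | grep '^EXPOSED' || true; }

sample_listeners | exposed_listeners
```

On a real machine, replace sample_listeners with netstat -ntlp run as root so that the PID/Program column is filled in for every socket.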

Multicast Group

We can see multicast group membership information with the option below.

netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      239.192.24.204
lo              1      224.0.0.251
lo              1      all-systems.mcast.net
eno1            1      all-systems.mcast.net
wlp2s0          1      all-systems.mcast.net
wlp2s0          3      224.0.0.251
virbr0          1      224.0.0.251
virbr0          1      all-systems.mcast.net
docker0         1      224.0.0.251
docker0         1      all-systems.mcast.net
ppp0            1      224.0.0.251
ppp0            1      all-systems.mcast.net
lo              1      ff02::fb
lo              1      ip6-allnodes
lo              1      ff01::1
eno1            1      ip6-allnodes
eno1            1      ff01::1
wlp2s0          1      ff02::fb
wlp2s0          1      ff02::1:ff05:b5e4
wlp2s0          2      ff02::1:ff96:9927
wlp2s0          1      ff02::1:ff15:7658
wlp2s0          1      ff02::1:ff41:176d
wlp2s0          1      ip6-allnodes
wlp2s0          1      ff01::1
virbr0          1      ip6-allnodes
virbr0          1      ff01::1
virbr0-nic      1      ip6-allnodes
virbr0-nic      1      ff01::1
docker0         1      ip6-allnodes
docker0         1      ff01::1
ppp0            1      ip6-allnodes
ppp0            1      ff01::1

You can use the -n option to see exact IP addresses in the output. To see only IPv4 or only IPv6 memberships, add -4 or -6, as below.

netstat -gn4

or 

netstat -gn6

Continuous netstat

Sometimes we need to check netstat output many times, which would otherwise mean running the command again and again. For this situation netstat has the -c option, which repeats the output with the mentioned delay time or after every second.

netstat -ntp -c

Unsupported Address families

Through netstat we can find unconfigured address families by running the command below.

netstat --verbose

It shows the text below in its output, listing the unconfigured address families.

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

Display Network stats

We can see network statistics for various protocols such as TCP and UDP. The command below shows all statistics.

netstat -s

To see only specific protocols:

netstat -st  #Tcp protocol

netstat -su  #Udp protocol

netstat -sw   #raw

Kernel Routing Table

We can also see the Linux kernel routing table with the -r option; this table shows all routes currently active on the Linux machine.

ssirohi@jarvis:~$ netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 wlp2s0
10.0.0.0        172.29.14.30    255.0.0.0       UG        0 0          0 ppp0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 virbr0
172.16.0.0      172.29.14.30    255.240.0.0     UG        0 0          0 ppp0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlp2s0
192.168.123.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
199.7.184.38    192.168.0.1     255.255.255.255 UGH       0 0          0 wlp2s0

Display long address

Sometimes netstat output contains long addresses that get trimmed when printed. We can use the -T option, which displays the complete address.

Netstat network stats

Whenever we list connections with netstat, for example with -a, the output includes the state of each connection, which is quite informative for troubleshooting or understanding the present condition of the network.
From the netstat man page, below are the various states.

State
    The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:

    ESTABLISHED
     The socket has an established connection.

    SYN_SENT
     The socket is actively attempting to establish a connection.

    SYN_RECV
     A connection request has been received from the network.

    FIN_WAIT1
     The socket is closed, and the connection is shutting down.

    FIN_WAIT2
     Connection is closed, and the socket is waiting for a shutdown from the remote end.

    TIME_WAIT
     The socket is waiting after close to handle packets still in the network.

    CLOSED
     The socket is not being used.

    CLOSE_WAIT
     The remote end has shut down, waiting for the socket to close.

    LAST_ACK
     The remote end has shut down, and the socket is closed. Waiting for acknowledgement.

    LISTEN
     The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.

    CLOSING
     Both sockets are shut down but we still don’t have all our data sent.

    UNKNOWN
     The state of the socket is unknown.
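
The states listed above can be tallied to spot trouble, shown here as an added example that is not part of the original post or the man page. It reads netstat -tan output and reports peers holding many SYN_RECV sockets and local ports accumulating CLOSE_WAIT sockets; the function names, thresholds and sample rows (documentation address ranges) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Input: `netstat -tan` on stdin.

# Constructed sample; addresses come from the documentation ranges.
sample_netstat_tan() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40113      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40114      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:51500       ESTABLISHED
tcp        1      0 192.0.2.10:8080         203.0.113.20:33000      CLOSE_WAIT
tcp        1      0 192.0.2.10:8080         203.0.113.21:33001      CLOSE_WAIT
tcp6       0      0 2001:db8::10:80         2001:db8::99:60000      TIME_WAIT
EOF
}

# Count sockets per state, one "STATE count" line each, sorted by state name.
state_summary() {
    awk '$1 ~ /^tcp6?$/ { n[$6]++ } END { for (s in n) print s, n[s] }' | sort
}

# Peers with at least $1 half-open (SYN_RECV) connections: "peer count".
half_open_by_peer() {
    awk -v min="$1" '
        $1 ~ /^tcp6?$/ && $6 == "SYN_RECV" {
            peer = $5; sub(/:[^:]*$/, "", peer)   # drop the port, IPv6-safe
            c[peer]++
        }
        END { for (p in c) if (c[p] >= min) print p, c[p] }' | sort
}

# Local ports with at least $1 sockets in CLOSE_WAIT, meaning the remote end
# has shut down but the local program has not yet closed its side: "port count".
close_wait_by_port() {
    awk -v min="$1" '
        $1 ~ /^tcp6?$/ && $6 == "CLOSE_WAIT" {
            port = $4; sub(/.*:/, "", port)
            c[port]++
        }
        END { for (p in c) if (c[p] >= min) print p, c[p] }' | sort
}

sample_netstat_tan | state_summary
```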

Netstat extend option

Sometimes we need to know the owner of a connection, that is, the user who created it. netstat can show this with the -e option, which adds a User column showing who owns each connection, as below.

netstat -tpe 
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name    
tcp        0      0 jarvis:47278            ssirohilinux.ldn-of:ssh ESTABLISHED ssirohi    39043859   8015/ssh            
tcp        0      0 jarvis:35656            fra15s11-in-f163.:https TIME_WAIT   root       0          -                   
tcp        0      0 jarvis:34488            vpn.lonx.tower-re:https ESTABLISHED root       38830896   6733/forticlientssl 
tcp        0      0 jarvis:34020            192.0.78.23:https       ESTABLISHED ssirohi    41485398   6821/chrome         
tcp        1      0 jarvis:34486            vpn.lonx.tower-re:https CLOSE_WAIT  root       38830866   6731/forticlientssl 
tcp        0      0 jarvis:44436            ec2-3-9-202-151.e:https ESTABLISHED ssirohi    38829500   369/slack           
tcp        0      0 jarvis:49988            server-13-224-132:https ESTABLISHED ssirohi    39928311   369/slack           
tcp6       0      0 jarvis:56682            fra15s46-in-x0a.1:https ESTABLISHED ssirohi    41612299   1947/chrome-remote- 
tcp6       0      0 jarvis:39196            fra16s13-in-x03.1:https TIME_WAIT   root       0          -                   
tcp6       0      0 jarvis:36280            fra07s27-in-x200a:https ESTABLISHED ssirohi    41485963   1947/chrome-remote- 
tcp6       0      0 jarvis:38624            wl-in-xbc.1e100.ne:5228 ESTABLISHED ssirohi    38865037   6821/chrome         
tcp6       0      0 jarvis:47846            g2a02-26f0-00a1-0:https ESTABLISHED ssirohi    41486143   6821/chrome         
tcp6       0      0 jarvis:56684            fra02s19-in-x0a.1:https ESTABLISHED ssirohi    41612300   1947/chrome-remote-