netstat Command Cheat Sheet
netstat (network statistics) is a command-line tool that displays network connections, routing tables, and interface statistics.
Note: netstat is part of net-tools, which is considered deprecated in favor of ss (part of iproute2). However, netstat is still widely used and installed on many systems.
Synopsis
netstat [options]
Viewing Connections
List All Ports (Listening & Connected)
netstat -a
List Only Listening Ports (-l)
Shows ports waiting for incoming connections.
netstat -l
Show TCP Connections Only (-t)
netstat -at
Show UDP Connections Only (-u)
netstat -au
Identifying Processes
Show PID and Program Name (-p)
The most useful command. Requires sudo to see processes owned by other users.
sudo netstat -tulpn
- -t: TCP
- -u: UDP
- -l: Listening
- -p: Show PID/Program name
- -n: Numeric (don't resolve hostnames/ports)
Output:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
Routing & Interfaces
Kernel Routing Table (-r)
Equivalent to route -n or ip route.
netstat -rn
Interface Statistics (-i)
Shows packet counts (RX/TX) and errors. Useful for diagnosing bad cables or driver issues.
netstat -i
Continuous Monitoring (-c)
Refresh the output every second.
netstat -ct
Statistics Summary (-s)
Shows summary statistics for each protocol (e.g., total TCP packets received, ICMP errors).
netstat -s
Troubleshooting Tips
"Address already in use"
If a service fails to start because the port is taken:
sudo netstat -tulpn | grep :80
Check for DDoS (SYN Floods)
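Count the number of connections per remote IP address. The two header lines are skipped so they do not show up as bogus entries; the highest counts appear at the bottom.
netstat -ntu | awk 'NR>2 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -n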
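The one-liner above counts every connection regardless of state. As an added example (not part of the original cheat sheet), the script below narrows the count to half-open SYN_RECV sockets, the state a SYN flood piles up, and strips only the trailing port so IPv6 addresses stay intact. The function names, the threshold and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-source count of half-open (SYN_RECV) TCP sockets.
# Function names, the threshold and the sample output are constructed.

# Reads `netstat -ntu` output on stdin; prints "<count> <address>" per
# remote address that has sockets in SYN_RECV, highest count first.
syn_recv_by_ip() {
    awk '
        $1 !~ /^tcp/ { next }            # skip headers and UDP rows
        $6 == "SYN_RECV" {
            addr = $5
            sub(/:[0-9]+$/, "", addr)    # drop only the trailing :port (IPv6-safe)
            count[addr]++
        }
        END { for (a in count) print count[a], a }
    ' | sort -k1,1nr -k2,2
}

# Prints the addresses holding at least $1 half-open sockets.
flag_sources() {
    syn_recv_by_ip | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Constructed sample in the layout `netstat -ntu` prints on Linux
# (documentation address ranges only).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.5:40200       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::99:40000      SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::99:40001      SYN_RECV
udp        0      0 192.0.2.10:53           198.51.100.7:40000      ESTABLISHED
EOF
}

# Demo on the sample; on a live host pipe `netstat -ntu` into flag_sources.
sample_netstat | syn_recv_by_ip
echo "flagged (>= 2 half-open):"
sample_netstat | flag_sources 2
```

A steady handful of SYN_RECV entries is normal on a busy listener, so pick the threshold from what the host shows when it is healthy.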
Notes
- Numeric Output (-n): Always use -n on busy servers. Resolving hostnames (DNS) for thousands of IPs will hang the command.
- Replacement: Try learning ss (ss -tulpn works exactly the same!).