Thursday, April 27, 2023

10 Example of netstat networking command in UNIX and Linux

The netstat command is one of the most essential and useful networking command for Linux users. It is a general, all purpose network information tool which can be used to find out information about current network connections, multicast group membership, routing tables, network interface statistics and many other low-level details of the host's current network configuration. The good knowledge of netstat command is not only important from the troubleshooting perspective but also from security perspective. It gives useful security related information e.g. what network ports are currently "open" on your system and the list of current network connections and their states. 

For example, a huge list of TIMED_WAIT TCP network connection may be an indication of a Denial of Service attack because attacker in the past have taken advantage of the relatively long timeout values in TCP connections to completely exhaust the kernel memory of a system, by making thousands of TCP connections but never completing the response, and thus causing the system to hold theses thousands of TCP connections open until they finally time out.

10 ways to use netstat command in Linux 

In this article, we'll several useful examples of netstat command in Linux which will help you to troubleshoot any network issues and find out more about your process and network connections e.g. if you know port then you can find out which process is using that port and if you have process id you can find out all ports opened or used by that process, potentially finding any problematic process. 

For example, netstat -lepunt  will show you all the TCP and UDP ports being listened on the server and if you're root, you can also see the process associated with it,  user, etc.

Now, let's see more netstat examples to get a good understanding of this one of the most useful Linux networking command.

1. How to display list of network interfaces of a host
The netstat -i command display interfaces table and statistics of current machine. 

$ netstat -i 

2) How do display IP address instead of hostname in netstat output
You can run the netstat command in numeric mode by using netstat -n command line options to display IP address instead of host, port, and usernames

$ netstat -n

3) How to display process id and process name on netstat output
You can run the netstat command in program mode using netstat -p option o display the process Id or PID and process name in the output. This is very useful when you have a process id and you want to know which port is held by a given process name or PID. By using netstat -p and grep command you can find out port details for a process in Linux

$ netstat -p

This will show the PID and name of the process to which each socket belongs which can be used to identify what could be the problem. 

10 Example of netstat command in UNIX and Linux

4) How to display routing table in Linux
You can display routing table by running netstat command in routing mode e.g. by using netstat -r option. This will display the routing table in the same format of the route command in Linux

$ netstat -r

5) How do display multicast group membership of hosts
You can use netstat command to display the multicast group membership from a given host. The netstat command provides group mode i.e. netstat -g option to display all multicast groups which this host has joined. 

$ netstat -g

6) How to show all network connections from a host
You can use netstat command to display all network connections to and from a given host in Linux. You can use the netstat -a to display all network connections, here -a is for all. 

$ netstat -a

6) How to display all TCP connections
Now, if you want to filter out only TCP connections you can use the netstat command line option --tcp to only display TCP connections of current servers as shown below:

$ netstat -an --tcp

If you are familiar with various states of TCP connections e.g. ESTABLISTED, TIMED_WAIT, LISTEN, you can use grep command to further filter the output. 

for example, to find out on which port your web server is listening you can use the following combination of netstat and grep command

$ netstat -an --tcp | grep LISTEN

Since, only server process listen for traffic, this will display all the ports on which server programs are listening. 

Similarly, to find out all established TCP connection from this host you can use following command:

$ netstat -an --tcp | grep ESTABLISED

And the most important one from security point of view is filtering TCP connection from TIMED_WAIT stat. These are the connections which are opened but not completed and OS keeps them in Kernel memory until they are timed out. 

If your timeout is slightly larger than any attacker can take advantage of that fact and send thousands of TCP connection without completing them and exhausting Kernel memory. This is actually the reason of many high-profile DDOS attack in recent time. You can find out that by using netstat and grep command as shown below:

$ netstat -an --tcp | grep TIMED_WAIT

If you see too many connections in TIMED_WAIT, may be its time to revisit the TCP timeout or finding more to confirm that nobody is taking advantage of that to stage a DOS attack on your server. 

7) How do display all UDP connections
Similar to TCP filtering, netstat also gives you option to display only UDP connections by using --udp option of netstat command as shown below:

$ netstat -an --udp

8) How to display protocol statistics
You can display the protocol statistics using netstat -s command line options e.g. how many packets or messages are received, sent, discarded or delivered for common protocols e.g. IP, ICMP, TCP, and UDP etc. Here is an example of netstat command to show protocol statistics

$ netstat -s

9. How to display network details like top
You can use the netstat -c command line option to display network details in top like format, where data is keep updating in rea time. The netstat -c stands for continuous operation and it yeidls a netstat display every second until interrupted with Ctrl-C.

$ netstat -c

10) The verbose option

$ netstat -v

11) How to check if your TCP socket has KeepAlive option enabled
The TCP keep alive is one of the useful option which sends syn and ack messages even if there is no business traffic. Sometime this is required to keep connection alive and preventing tear down of idle connection on firewall and by other monitoring system. Thankfully, you can just run netstat -o to find out if your TCP connection has keepalive option set or not

$ netstat -o

This option also display timer data. 

That's all about netstat command in Linux. It is one of the most important tool that you will encounter while working in Linux. It's a good idea to become familiar with various command-line options of netstat and understand when it is appropriate to use netstat. I have used it numerous time for troubleshooting, debugging and just to find out more about our processes. If you want to learn more about netstat command in Linux, you should read Introduction to Linux command line.

Other Linux  command articles you may like

Thanks for reading this article so far. If you find these netstat command examples useful, then please share it with your friends and colleagues. If you have any questions or feedback, then please drop a note.

P. S. - If you are serious about improving your Linux skills, then I also suggest you look at these best online Linux courses from Udemy and Coursera. It's a great course for everyone, and you will definitely learn some useful tips to work better on Linux.

No comments :

Post a Comment