Netstat Cheat Sheet
Netstat is an incredibly useful command that everyone should be familiar with. Even if you use it on a regular basis you may not necessarily remember every option. Thats why we built this netstat cheat sheet.
Netstat Cheat Sheet
NOTE - You may need either sudo or root access. We're assuming you're running Linux although you could be using OSX, Windows, BSD, or something else.| netstat -nlptue | All Listening ports with PID and extended info |
| netstat | Active connections |
| netstat -a | All connections |
| netstat -at | All TCP connections |
| netstat -au | All UDP connections |
| netstat -tnl | Listening TCP ports |
| netstat -unl | Listening UDP ports |
| netstat -s | Display statistics |
| netstat -st | Display TCP statistics |
| netstat -su | Display UDP statistics |
| netstat -r | Show routing table |
| netstat -rn | Show routing table, don't resolve hosts |
| netstat -i | Show network interfaces |
| netstat -ie | Show network interfaces extended info |
| netstat -M | Show masqueraded connections |
Common / Important Switches
NOTE - The default without "-a/-l" is to only list active connections and not inactive or listening connectins.| -a | All sockets, listening/active/inactive, up and down interfaces |
| -l | Listening |
| -t | TCP |
| -u | UDP |
| -n | Numeric, no host or port lookup |
| -F | DNS lookup where possible |
| -c | Continuous output |
| -p | Show PID for associated process |
| -e | Extended information |
Image Version of the Netstat Cheat Sheet
Just in case you wanted this cheat sheet as an image, here it is:
Tips
Number of connections on port 80:
netstat -an |grep :80 |wc -l
Connections Per Remote IP:
netstat -antu | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -n
Show foreign IPs with a high number of connections to port 80:
netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head</td></tr>
Shown unique IPs connected to port 80:
netstat -tn 2>/dev/null | grep ':80 ' | awk '{print $5}' |sed -e 's/::ffff://' | cut -f1 -d: | sort | uniq -c | sort -rn | head
Netstat -a
We’re going to get a bit off track here but lets talk about the exact command “netstat -a”. We decided to cover this command in detail because apparently people are searching for this command exactly. By default net netstat command will show you active connections. When you specify the “-a” flag it tells it to show you all connections. This includes active, listening, etc. It is worth noting that you will also see things like unix sockets and stuff, not just TCP and UDP connections.
You can run this command as follows:
netstat -a
Netstat -an
By default netstat will try to resolve hostnames and port names. Often times this is messy looking and just isn’t useful. You can use “netstat -an” to disable resolving of ports and hosts. You would run it as follows:
netstat -an
Netstat -ano
Adding the “-o” flag will include networking timer related information. You would run the command like this:
netstat -ano
References