The netstat command in Linux displays active network connections, listening ports, interface statistics, routing tables, and protocol metrics. It’s a diagnostic tool that helps you see which services are bound to which ports, who is connected, and how traffic flows across your system, which makes it useful for troubleshooting, security audits, and performance tuning.
If you’ve ever needed a quick, clear view of what’s happening on your Linux network stack, the netstat command in Linux is a classic go-to. In this guide, I’ll explain netstat in simple terms, show practical examples you can copy and paste, and share real-world tips from managing production servers and hosting environments.
We’ll cover installation, essential options, how to read outputs, and when to use netstat versus the modern ss command. Whether you manage a VPS, dedicated server, or a local workstation, the steps below will help you solve problems fast and safely.
What is the netstat Command in Linux?
netstat (network statistics) is a command-line tool from the net-tools package. It shows sockets (TCP/UDP), the processes using them, listening ports, routing information, and interface stats. While netstat is considered legacy and replaced by tools like ss and ip, it remains widely used and available on many servers.
Install netstat on Popular Linux Distributions
netstat is part of net-tools. If you see “command not found,” install it using your package manager.
# Debian/Ubuntu
sudo apt update && sudo apt install -y net-tools
# RHEL/CentOS/AlmaLinux/Rocky
sudo yum install -y net-tools
# or
sudo dnf install -y net-tools
# Fedora
sudo dnf install -y net-tools
# openSUSE
sudo zypper install -y net-tools
On newer distributions, ss provides similar and often faster functionality. Still, netstat remains handy for quick checks and legacy scripts.
Basic Syntax and Common Options
Basic usage pattern:
netstat [options]
Useful options you’ll use often:
- -t: TCP sockets
- -u: UDP sockets
- -l: Listening sockets
- -n: Show numeric addresses/ports (skip DNS)
- -p: Show PID/program name (use sudo)
- -a: All sockets (listening + non-listening)
- -r: Routing table (use -rn for numeric)
- -i: Interface statistics
- -s: Per-protocol statistics
- -c: Continuous output (repeat every second)
netstat Command in Linux: Practical Examples
1) Show All Listening Ports (TCP and UDP)
See which services are listening and on which ports. Add sudo to show the owning process.
sudo netstat -tulnp
What to look for: The Local Address column shows IP:Port (0.0.0.0 means all IPv4 interfaces; ::: before the port, i.e. the address ::, means all IPv6 interfaces). The PID/Program name column confirms which service owns the port.
2) Find Which Process Is Using a Specific Port
When a service won’t start because the port is already in use, identify the culprit quickly.
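sudo netstat -tulnp | grep -E ':80[[:space:]]'
Replace 80 with your target port (e.g., 443, 3306, 6379). The trailing [[:space:]] keeps the pattern from also matching ports such as 8080 or 8000. Stop or reconfigure the conflicting service.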
3) List All Active Connections (Established, Time Wait, etc.)
Get a complete picture of current socket states to diagnose traffic surges or slowdowns.
netstat -anp
Filter to established TCP sessions:
netstat -ant | grep ESTABLISHED
4) Watch Connections in Real Time
Use -c to refresh continuously. Useful during traffic spikes or after deploying firewall rules.
sudo netstat -tulnp -c
5) Show the Routing Table
Confirm gateways, subnets, and routes when debugging connectivity between networks or VPCs.
netstat -rn
-r shows routes, -n prevents DNS lookups for speed and clarity.
6) Interface Statistics (Errors, Drops, MTU)
Identify problematic NICs by checking input/output errors and dropped packets.
netstat -i
For extended stats on many distros, use:
netstat -ie
7) Protocol-Level Statistics (TCP, UDP, ICMP)
Spot retransmissions, failed connections, or UDP issues impacting application performance.
netstat -s
Combine with grep to isolate a protocol:
netstat -s | grep -i tcp -A 10
8) Show UNIX Domain Sockets
Many services communicate locally via UNIX sockets (e.g., Docker, systemd, databases).
sudo netstat -ax
9) Display the Program Name Owning Each Socket
Attach connections to processes for faster diagnostics. Requires root privileges.
sudo netstat -plant
-p shows PID/Program, -l listening sockets, -a all sockets, -n numeric output, -t TCP. Adjust to your needs.
10) Continuous Port Monitoring During Troubleshooting
Track port binds after starting a service to ensure it actually listens on the right interface.
sudo netstat -tulnp -c | grep -E ':(80|443)[[:space:]]'
How to Read netstat Output (Columns Explained)
- Proto: Protocol (tcp, udp, unix)
- Recv-Q/Send-Q: Bytes queued to receive/send (non-zero may indicate congestion)
- Local Address: IP and port on your machine
- Foreign Address: Remote IP and port
- State: Connection state (LISTEN, ESTABLISHED, TIME_WAIT, SYN_SENT, etc.)
- PID/Program name: Owning process (requires -p, run with sudo)
Always use -n to avoid reverse DNS lookups that slow down output and clutter results with hostnames.
netstat vs ss: Which Should You Use?
The ss command from iproute2 is the modern replacement with faster, more detailed output. However, netstat remains helpful for legacy servers and quick checks. Here’s a practical comparison:
- Speed and scale: ss is faster on busy hosts.
- Detail: ss exposes more TCP metrics and filters.
- Availability: netstat may not be installed by default; ss usually is.
- Familiarity: netstat syntax is widely known; many guides and scripts still rely on it.
Equivalent examples with ss:
# Listening ports with processes
sudo ss -tulnp
# Established TCP
ss -ant state established
# Who uses port 3306?
sudo ss -ltnp sport = :3306
Real-World Use Cases (From Hosting and DevOps)
- Web server isn’t responding: Confirm Nginx/Apache is listening on 0.0.0.0:80/443 and not just 127.0.0.1.
- Port conflict: Identify which legacy service is holding port 25 or 8080 and stop/replace it.
- Database connectivity: Check if MySQL/MariaDB listens on 3306 and which IPs can reach it.
- Firewall hardening: List all listening ports and close anything unnecessary.
- Traffic surge analysis: Count ESTABLISHED connections to spot DDoS patterns or sudden client spikes.
- Routing issues: Verify default gateway and route specificity with netstat -rn.
Security and Privacy Considerations
- Run with sudo only when required (e.g., -p for process names).
- Limit who can view process-to-port mappings on multi-user systems.
- Use -n to avoid DNS lookups that can accidentally leak queries.
- Regularly audit listening ports and disable unneeded services.
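One way to script the listening-port audit described above, as an added example that is not part of the original article: it parses `netstat -tulnp` text and reports every socket bound to all interfaces (0.0.0.0 or ::) that is not on an allowlist. The function name `audit_listeners`, the allowlist format, and the sample output are assumptions made for illustration.

```bash
# Added example. SAMPLE is constructed text in the format of `sudo netstat -tulnp`.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1044/mysqld
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1310/redis-server
tcp6       0      0 :::80                   :::*                    LISTEN      977/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp6       0      0 ::1:323                 :::*                                701/chronyd'

# audit_listeners ALLOWLIST   (hypothetical helper name)
# Reads netstat -tulnp text on stdin. ALLOWLIST is a space-separated list of
# proto/port pairs such as "tcp/22 tcp/80". Prints "proto/port address program"
# for every socket bound to all interfaces whose proto/port is not allowlisted.
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
      if ($1 ~ /^tcp/ && $6 != "LISTEN") next    # tcp rows carry a State column
      proto = $1; sub(/6$/, "", proto)            # tcp6 -> tcp, udp6 -> udp
      addr = $4
      port = addr; sub(/.*:/, "", port)           # port follows the last colon
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host != "0.0.0.0" && host != "::") next # skip loopback and specific IPs
      prog = ($1 ~ /^tcp/) ? $7 : $6              # udp rows have no State value
      if (!((proto "/" port) in ok)) print proto "/" port, addr, prog
    }'
}

# On a live host: sudo netstat -tulnp | audit_listeners "tcp/22 tcp/80 tcp/443"
printf '%s\n' "$SAMPLE" | audit_listeners "tcp/22 tcp/80 udp/68"
```

With the sample above, only the Redis listener on 0.0.0.0:6379 is reported; the MySQL and chronyd sockets are skipped because they are bound to loopback.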
Troubleshooting Tips from Production
- If netstat hangs, add -n to bypass DNS and speed up output.
- Combine with grep, awk, or wc for quick analytics.
- Check both IPv4 and IPv6; services may listen on ::: only.
- When a service that must accept remote connections binds to localhost only (127.0.0.1), update its config to listen on the public IP or 0.0.0.0/::.
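The quick analytics mentioned in the tips above, as an added example that is not from the original article: two awk helpers that summarize `netstat -ant` output by TCP state and by remote address, keeping IPv6 addresses intact when the port is stripped. The function names and the sample connections (documentation address ranges) are constructed for illustration.

```bash
# Added example. SAMPLE_CONNS is constructed text in the format of `netstat -ant`.
SAMPLE_CONNS='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:443        198.51.100.7:51514      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51520      ESTABLISHED
tcp        0      0 203.0.113.10:443        198.51.100.7:51533      ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40112        ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40120        TIME_WAIT
tcp6       0      0 2001:db8::10:443        2001:db8::beef:60222    ESTABLISHED'

# count_states (hypothetical name): TCP sockets per state, busiest state first.
count_states() {
  awk '$1 ~ /^tcp6?$/ { c[$6]++ } END { for (s in c) print c[s], s }' |
    LC_ALL=C sort -k1,1nr -k2
}

# top_peers STATE (hypothetical name): sockets per remote address in STATE.
top_peers() {
  awk -v st="$1" '
    $1 ~ /^tcp6?$/ && $6 == st {
      peer = $5
      sub(/:[^:]*$/, "", peer)   # drop only the port so IPv6 colons survive
      c[peer]++
    }
    END { for (p in c) print c[p], p }' |
    LC_ALL=C sort -k1,1nr -k2
}

# On a live host: netstat -ant | count_states ; netstat -ant | top_peers ESTABLISHED
printf '%s\n' "$SAMPLE_CONNS" | count_states
printf '%s\n' "$SAMPLE_CONNS" | top_peers ESTABLISHED
```

A single remote address holding a large share of ESTABLISHED or SYN_RECV sockets is the kind of spike worth checking against your normal baseline.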
Is netstat Deprecated? Alternatives You Should Know
Yes, netstat (net-tools) is considered legacy. The recommended replacements are:
- ss for sockets and connections
- ip for addresses, routes, and interfaces
- nmcli or systemd-networkd for network management
Even so, netstat remains common in documentation and on long-lived servers. Learn netstat for compatibility, and ss/ip for modern workflows.
How We Use netstat at YouStable
At YouStable, our Linux engineers regularly use netstat and ss to audit open ports, validate firewall policies, and troubleshoot customer workloads on VPS and Dedicated Servers. If you prefer not to manage low-level networking, our managed hosting plans include 24/7 help with connectivity, security hardening, and performance tuning.
FAQs
1. What does netstat do in Linux?
netstat shows network connections, listening ports, routing tables, and protocol statistics. It helps diagnose connectivity issues, identify which processes own sockets, and audit open services.
2. How do I check open ports in Linux with netstat?
Run: sudo netstat -tulnp. This lists TCP/UDP ports in LISTEN state along with the PID/Program. Use grep to filter by a specific port, such as :80 or :3306.
3. Why is netstat not found on my server?
Many modern distros no longer install net-tools by default. Install it with your package manager (e.g., sudo apt install net-tools) or use the ss command as a faster alternative.
4. What’s the difference between netstat and ss?
ss is newer, faster, and offers richer filtering and statistics. netstat is older but still widely used. For high-traffic servers, ss usually performs better and is the recommended choice.
5. How can I see which process is using a port?
Use: sudo netstat -tulnp | grep ':PORT'. The PID/Program name column shows the owning process. You can then manage it with systemctl, kill, or by editing the service configuration.
Conclusion
The netstat command in Linux remains a reliable way to inspect connections, verify listening services, and troubleshoot routing or interface issues. For modern performance and filtering, pair it with ss and ip. Running applications on a VPS or Dedicated Server? YouStable’s experts can help you harden, monitor, and optimize your network stack 24/7.