1NETSTAT(8) Linux System Administrator's Manual NETSTAT(8)
2
6 netstat - Print network connections, routing tables, interface statis‐
7 tics, masquerade connections, and multicast memberships
8
11 netstat [address_family_options] [--tcp|-t] [--udp|-u] [--udplite|-U]
12 [--sctp|-S] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n]
13 [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N]
14 [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v]
15 [--continuous|-c] [--wide|-W] [delay]
16 netstat {--route|-r} [address_family_options]
18 [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n]
19 [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
20 [delay]
21 netstat {--interfaces|-I|-i} [--all|-a] [--extend|-e] [--verbose|-v]
23 [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports]
24 [--numeric-users] [--continuous|-c] [delay]
25 netstat {--groups|-g} [--numeric|-n] [--numeric-hosts]
27 [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
28 netstat {--masquerade|-M} [--extend|-e] [--numeric|-n]
30 [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
31 [delay]
32 netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--udplite|-U]
34 [--sctp|-S] [--raw|-w] [delay]
35 netstat {--version|-V}
37 netstat {--help|-h}
39 address_family_options:
41 [-4|--inet] [-6|--inet6] [--proto‐
43 col={inet,inet6,unix,ipx,ax25,netrom,ddp, ... } ] [--unix|-x]
44 [--inet|--ip|--tcpip] [--ax25] [--x25] [--rose] [--ash] [--ipx]
45 [--netrom] [--ddp|--appletalk] [--econet|--ec]
46
49 This program is obsolete. Replacement for netstat is ss. Replacement
50 for netstat -r is ip route. Replacement for netstat -i is ip -s link.
51 Replacement for netstat -g is ip maddr.
52
55 Netstat prints information about the Linux networking subsystem. The
56 type of information printed is controlled by the first argument, as
57 follows:
58 (none)
60 By default, netstat displays a list of open sockets. If you don't
61 specify any address families, then the active sockets of all configured
62 address families will be printed.
63 --route , -r
65 Display the kernel routing tables. See the description in route(8) for
66 details. netstat -r and route -e produce the same output.
67 --groups , -g
69 Display multicast group membership information for IPv4 and IPv6.
70 --interfaces=iface , -I=iface , -i
72 Display a table of all network interfaces, or the specified iface.
73 --masquerade , -M
75 Display a list of masqueraded connections.
76 --statistics , -s
78 Display summary statistics for each protocol.
79
81 --verbose , -v
82 Tell the user what is going on by being verbose. Especially print some
83 useful information about unconfigured address families.
84 --wide , -W
86 Do not truncate IP addresses by using output as wide as needed. This is
87 optional for now to not break existing scripts.
88 --numeric , -n
90 Show numerical addresses instead of trying to determine symbolic host,
91 port or user names.
92 --numeric-hosts
94 shows numerical host addresses but does not affect the resolution of
95 port or user names.
96 --numeric-ports
98 shows numerical port numbers but does not affect the resolution of host
99 or user names.
100 --numeric-users
102 shows numerical user IDs but does not affect the resolution of host or
103 port names.
104 --protocol=family , -A
107 Specifies the address families (perhaps better described as low level
108 protocols) for which connections are to be shown. family is a comma
109 (',') separated list of address family keywords like inet, inet6, unix,
110 ipx, ax25, netrom, econet, and ddp. This has the same effect as using
111 the --inet|-4, --inet6|-6, --unix|-x, --ipx, --ax25, --netrom, and
112 --ddp options.
113 The address family inet (Iv4) includes raw, udp, udplite and tcp proto‐
115 col sockets.
116 -c, --continuous
118 This will cause netstat to print the selected information every second
119 continuously.
120 -e, --extend
122 Display additional information. Use this option twice for maximum
123 detail.
124 -o, --timers
126 Include information related to networking timers.
127 -p, --program
129 Show the PID and name of the program to which each socket belongs.
130 -l, --listening
132 Show only listening sockets. (These are omitted by default.)
133 -a, --all
135 Show both listening and non-listening (for TCP this means established
136 connections) sockets. With the --interfaces option, show interfaces
137 that are not up
138 -F
140 Print routing information from the FIB. (This is the default.)
141 -C
143 Print routing information from the route cache.
144 delay
146 Netstat will cycle printing through statistics every delay seconds.
147
149 Active Internet connections (TCP, UDP, UDPLite, raw)
150 Proto
151 The protocol (tcp, udp, udpl, raw) used by the socket.
152 Recv-Q
154 Established: The count of bytes not copied by the user program con‐
155 nected to this socket. Listening: Since Kernel 2.6.18 this column con‐
156 tains the current syn backlog.
157 Send-Q
159 Established: The count of bytes not acknowledged by the remote host.
160 Listening: Since Kernel 2.6.18 this column contains the maximum size of
161 the syn backlog.
162 Local Address
164 Address and port number of the local end of the socket. Unless the
165 --numeric (-n) option is specified, the socket address is resolved to
166 its canonical host name (FQDN), and the port number is translated into
167 the corresponding service name.
168 Foreign Address
170 Address and port number of the remote end of the socket. Analogous to
171 "Local Address."
172 State
174 The state of the socket. Since there are no states in raw mode and usu‐
175 ally no states used in UDP and UDPLite, this column may be left blank.
176 Normally this can be one of several values:
177 ESTABLISHED
179 The socket has an established connection.
180 SYN_SENT
182 The socket is actively attempting to establish a connection.
183 SYN_RECV
185 A connection request has been received from the network.
186 FIN_WAIT1
188 The socket is closed, and the connection is shutting down.
189 FIN_WAIT2
191 Connection is closed, and the socket is waiting for a shutdown
192 from the remote end.
193 TIME_WAIT
195 The socket is waiting after close to handle packets still in the
196 network.
197 CLOSE The socket is not being used.
199 CLOSE_WAIT
201 The remote end has shut down, waiting for the socket to close.
202 LAST_ACK
204 The remote end has shut down, and the socket is closed. Waiting
205 for acknowledgement.
206 LISTEN The socket is listening for incoming connections. Such sockets
208 are not included in the output unless you specify the --listen‐
209 ing (-l) or --all (-a) option.
210 CLOSING
212 Both sockets are shut down but we still don't have all our data
213 sent.
214 UNKNOWN
216 The state of the socket is unknown.
217 User
219 The username or the user id (UID) of the owner of the socket.
220 PID/Program name
222 Slash-separated pair of the process id (PID) and process name of the
223 process that owns the socket. --program causes this column to be
224 included. You will also need superuser privileges to see this informa‐
225 tion on sockets you don't own. This identification information is not
226 yet available for IPX sockets.
227 Timer
229 (this needs to be written)
230 Active UNIX domain Sockets
232 Proto
233 The protocol (usually unix) used by the socket.
234 RefCnt
236 The reference count (i.e. attached processes via this socket).
237 Flags
239 The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W)
240 or SO_NOSPACE (N). SO_ACCECPTON is used on unconnected sockets if
241 their corresponding processes are waiting for a connect request. The
242 other flags are not of normal interest.
243 Type
245 There are several types of socket access:
246 SOCK_DGRAM
248 The socket is used in Datagram (connectionless) mode.
249 SOCK_STREAM
251 This is a stream (connection) socket.
252 SOCK_RAW
254 The socket is used as a raw socket.
255 SOCK_RDM
257 This one serves reliably-delivered messages.
258 SOCK_SEQPACKET
260 This is a sequential packet socket.
261 SOCK_PACKET
263 Raw interface access socket.
264 UNKNOWN
266 Who ever knows what the future will bring us - just fill in here
267 :-)
268 State
270 This field will contain one of the following Keywords:
271 FREE The socket is not allocated
273 LISTENING
275 The socket is listening for a connection request. Such sockets
276 are only included in the output if you specify the --listening
277 (-l) or --all (-a) option.
278 CONNECTING
280 The socket is about to establish a connection.
281 CONNECTED
283 The socket is connected.
284 DISCONNECTING
286 The socket is disconnecting.
287 (empty)
289 The socket is not connected to another one.
290 UNKNOWN
292 This state should never happen.
293 PID/Program name
295 Process ID (PID) and process name of the process that has the socket
296 open. More info available in Active Internet connections section writ‐
297 ten above.
298 Path
300 This is the path name as which the corresponding processes attached to
301 the socket.
302 Active IPX sockets
304 (this needs to be done by somebody who knows it)
305 Active NET/ROM sockets
307 (this needs to be done by somebody who knows it)
308 Active AX.25 sockets
310 (this needs to be done by somebody who knows it)
311
313 /etc/services -- The services translation file
314 /proc -- Mount point for the proc filesystem, which gives access to
316 kernel status information via the following files.
317 /proc/net/dev -- device information
319 /proc/net/raw -- raw socket information
321 /proc/net/tcp -- TCP socket information
323 /proc/net/udp -- UDP socket information
325 /proc/net/udplite -- UDPLite socket information
327 /proc/net/igmp -- IGMP multicast information
329 /proc/net/unix -- Unix domain socket information
331 /proc/net/ipx -- IPX socket information
333 /proc/net/ax25 -- AX25 socket information
335 /proc/net/appletalk -- DDP (appletalk) socket information
337 /proc/net/nr -- NET/ROM socket information
339 /proc/net/route -- IP routing information
341 /proc/net/ax25_route -- AX25 routing information
343 /proc/net/ipx_route -- IPX routing information
345 /proc/net/nr_nodes -- NET/ROM nodelist
347 /proc/net/nr_neigh -- NET/ROM neighbours
349 /proc/net/ip_masquerade -- masqueraded connections
351 /proc/net/snmp -- statistics
353
355 route(8), ifconfig(8), iptables(8), proc(5) ss(8) ip(8)
356
358 Occasionally strange information may appear if a socket changes as it
359 is viewed. This is unlikely to occur.
360
362 The netstat user interface was written by Fred Baumgarten
363 <dc6iq@insu1.etec.uni-karlsruhe.de>, the man page basically by Matt
364 Welsh <mdw@tc.cornell.edu>. It was updated by Alan Cox
365 <Alan.Cox@linux.org>, updated again by Tuan Hoang <tqhoang@big‐
366 foot.com>. The man page and the command included in the net-tools pack‐
367 age is totally rewritten by Bernd Eckenfels <ecki@linux.de>. UDPLite
368 options were added by Brian Micek <bmicek@gmail.com>
369net-tools 2012-09-15 NETSTAT(8)