1NETSTAT(8) Linux System Administrator's Manual NETSTAT(8)
2
6 netstat - Print network connections, routing tables, interface statis‐
7 tics, masquerade connections, and multicast memberships
8
11 netstat [address_family_options] [--tcp|-t] [--udp|-u] [--udplite|-U]
12 [--sctp|-S] [--raw|-w] [--l2cap|-2] [--rfcomm|-f] [--listening|-l]
13 [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports]
14 [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]]
15 [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c]
16 [--wide|-W] [delay]
17 netstat {--route|-r} [address_family_options]
19 [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n]
20 [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
21 [delay]
22 netstat {--interfaces|-I|-i} [--all|-a] [--extend|-e] [--verbose|-v]
24 [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports]
25 [--numeric-users] [--continuous|-c] [delay]
26 netstat {--groups|-g} [--numeric|-n] [--numeric-hosts]
28 [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]
29 netstat {--masquerade|-M} [--extend|-e] [--numeric|-n]
31 [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
32 [delay]
33 netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--udplite|-U]
35 [--sctp|-S] [--raw|-w] [delay]
36 netstat {--version|-V}
38 netstat {--help|-h}
40 address_family_options:
42 [-4|--inet] [-6|--inet6] [--proto‐
44 col={inet,inet6,unix,ipx,ax25,netrom,ddp,bluetooth, ... } ] [--unix|-x]
45 [--inet|--ip|--tcpip] [--ax25] [--x25] [--rose] [--ash] [--bluetooth]
46 [--ipx] [--netrom] [--ddp|--appletalk] [--econet|--ec]
47
50 This program is mostly obsolete. Replacement for netstat is ss.
51 Replacement for netstat -r is ip route. Replacement for netstat -i is
52 ip -s link. Replacement for netstat -g is ip maddr.
53
56 Netstat prints information about the Linux networking subsystem. The
57 type of information printed is controlled by the first argument, as
58 follows:
59 (none)
61 By default, netstat displays a list of open sockets. If you don't
62 specify any address families, then the active sockets of all configured
63 address families will be printed.
64 --route, -r
66 Display the kernel routing tables. See the description in route(8) for
67 details. netstat -r and route -e produce the same output.
68 --groups, -g
70 Display multicast group membership information for IPv4 and IPv6.
71 --interfaces=iface , -I=iface , -i
73 Display a table of all network interfaces, or the specified iface.
74 --masquerade, -M
76 Display a list of masqueraded connections.
77 --statistics, -s
79 Display summary statistics for each protocol.
80
82 --verbose, -v
83 Tell the user what is going on by being verbose. Especially print some
84 useful information about unconfigured address families.
85 --wide, -W
87 Do not truncate IP addresses by using output as wide as needed. This is
88 optional for now to not break existing scripts.
89 --numeric, -n
91 Show numerical addresses instead of trying to determine symbolic host,
92 port or user names.
93 --numeric-hosts
95 shows numerical host addresses but does not affect the resolution of
96 port or user names.
97 --numeric-ports
99 shows numerical port numbers but does not affect the resolution of host
100 or user names.
101 --numeric-users
103 shows numerical user IDs but does not affect the resolution of host or
104 port names.
105 --protocol=family, -A
108 Specifies the address families (perhaps better described as low level
109 protocols) for which connections are to be shown. family is a comma
110 (',') separated list of address family keywords like inet, inet6, unix,
111 ipx, ax25, netrom, econet, ddp, and bluetooth. This has the same
112 effect as using the --inet|-4, --inet6|-6, --unix|-x, --ipx, --ax25,
113 --netrom, --ddp, and --bluetooth options.
114 The address family inet (Iv4) includes raw, udp, udplite and tcp proto‐
116 col sockets.
117 The address family bluetooth (Iv4) includes l2cap and rfcomm protocol
119 sockets.
120 -c, --continuous
122 This will cause netstat to print the selected information every second
123 continuously.
124 -e, --extend
126 Display additional information. Use this option twice for maximum
127 detail.
128 -o, --timers
130 Include information related to networking timers.
131 -p, --program
133 Show the PID and name of the program to which each socket belongs.
134 -l, --listening
136 Show only listening sockets. (These are omitted by default.)
137 -a, --all
139 Show both listening and non-listening (for TCP this means established
140 connections) sockets. With the --interfaces option, show interfaces
141 that are not up
142 -F
144 Print routing information from the FIB. (This is the default.)
145 -C
147 Print routing information from the route cache.
148 delay
150 Netstat will cycle printing through statistics every delay seconds.
151
153 Active Internet connections (TCP, UDP, UDPLite, raw)
154 Proto
155 The protocol (tcp, udp, udpl, raw) used by the socket.
156 Recv-Q
158 Established: The count of bytes not copied by the user program con‐
159 nected to this socket. Listening: Since Kernel 2.6.18 this column con‐
160 tains the current syn backlog.
161 Send-Q
163 Established: The count of bytes not acknowledged by the remote host.
164 Listening: Since Kernel 2.6.18 this column contains the maximum size of
165 the syn backlog.
166 Local Address
168 Address and port number of the local end of the socket. Unless the
169 --numeric (-n) option is specified, the socket address is resolved to
170 its canonical host name (FQDN), and the port number is translated into
171 the corresponding service name.
172 Foreign Address
174 Address and port number of the remote end of the socket. Analogous to
175 "Local Address".
176 State
178 The state of the socket. Since there are no states in raw mode and usu‐
179 ally no states used in UDP and UDPLite, this column may be left blank.
180 Normally this can be one of several values:
181 ESTABLISHED
183 The socket has an established connection.
184 SYN_SENT
186 The socket is actively attempting to establish a connection.
187 SYN_RECV
189 A connection request has been received from the network.
190 FIN_WAIT1
192 The socket is closed, and the connection is shutting down.
193 FIN_WAIT2
195 Connection is closed, and the socket is waiting for a shutdown
196 from the remote end.
197 TIME_WAIT
199 The socket is waiting after close to handle packets still in the
200 network.
201 CLOSE The socket is not being used.
203 CLOSE_WAIT
205 The remote end has shut down, waiting for the socket to close.
206 LAST_ACK
208 The remote end has shut down, and the socket is closed. Waiting
209 for acknowledgement.
210 LISTEN The socket is listening for incoming connections. Such sockets
212 are not included in the output unless you specify the --listen‐
213 ing (-l) or --all (-a) option.
214 CLOSING
216 Both sockets are shut down but we still don't have all our data
217 sent.
218 UNKNOWN
220 The state of the socket is unknown.
221 User
223 The username or the user id (UID) of the owner of the socket.
224 PID/Program name
226 Slash-separated pair of the process id (PID) and process name of the
227 process that owns the socket. --program causes this column to be
228 included. You will also need superuser privileges to see this informa‐
229 tion on sockets you don't own. This identification information is not
230 yet available for IPX sockets.
231 Timer
233 TCP timer associated with this socket. The format is timer(a/b/c). The
234 timer is one of the following values:
235 off There is no timer set for this socket.
237 on The retransmission timer is active for the socket.
239 keepalive
241 The keepalive timer is active for the socket.
242 timewait
244 The connection is closing and the timewait timer is active for
245 the socket.
246 The values in the brackets:
248 a Timer value.
250 b Number of retransmissions sent.
252 c Number of keepalives sent.
254 Active UNIX domain Sockets
256 Proto
257 The protocol (usually unix) used by the socket.
258 RefCnt
260 The reference count (i.e. attached processes via this socket).
261 Flags
263 The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W)
264 or SO_NOSPACE (N). SO_ACCECPTON is used on unconnected sockets if
265 their corresponding processes are waiting for a connect request. The
266 other flags are not of normal interest.
267 Type
269 There are several types of socket access:
270 SOCK_DGRAM
272 The socket is used in Datagram (connectionless) mode.
273 SOCK_STREAM
275 This is a stream (connection) socket.
276 SOCK_RAW
278 The socket is used as a raw socket.
279 SOCK_RDM
281 This one serves reliably-delivered messages.
282 SOCK_SEQPACKET
284 This is a sequential packet socket.
285 SOCK_PACKET
287 Raw interface access socket.
288 UNKNOWN
290 Who ever knows what the future will bring us - just fill in here
291 :-)
292 State
294 This field will contain one of the following Keywords:
295 FREE The socket is not allocated
297 LISTENING
299 The socket is listening for a connection request. Such sockets
300 are only included in the output if you specify the --listening
301 (-l) or --all (-a) option.
302 CONNECTING
304 The socket is about to establish a connection.
305 CONNECTED
307 The socket is connected.
308 DISCONNECTING
310 The socket is disconnecting.
311 (empty)
313 The socket is not connected to another one.
314 UNKNOWN
316 This state should never happen.
317 PID/Program name
319 Process ID (PID) and process name of the process that has the socket
320 open. More info available in Active Internet connections section writ‐
321 ten above.
322 Path
324 This is the path name as which the corresponding processes attached to
325 the socket.
326 Active IPX sockets
328 (this needs to be done by somebody who knows it)
329 Active NET/ROM sockets
331 (this needs to be done by somebody who knows it)
332 Active AX.25 sockets
334 (this needs to be done by somebody who knows it)
335
337 /etc/services -- The services translation file
338 /proc -- Mount point for the proc filesystem, which gives access to
340 kernel status information via the following files.
341 /proc/net/dev -- device information
343 /proc/net/raw -- raw socket information
345 /proc/net/tcp -- TCP socket information
347 /proc/net/udp -- UDP socket information
349 /proc/net/udplite -- UDPLite socket information
351 /proc/net/igmp -- IGMP multicast information
353 /proc/net/unix -- Unix domain socket information
355 /proc/net/ipx -- IPX socket information
357 /proc/net/ax25 -- AX25 socket information
359 /proc/net/appletalk -- DDP (appletalk) socket information
361 /proc/net/nr -- NET/ROM socket information
363 /proc/net/route -- IP routing information
365 /proc/net/ax25_route -- AX25 routing information
367 /proc/net/ipx_route -- IPX routing information
369 /proc/net/nr_nodes -- NET/ROM nodelist
371 /proc/net/nr_neigh -- NET/ROM neighbours
373 /proc/net/ip_masquerade -- masqueraded connections
375 /sys/kernel/debug/bluetooth/l2cap -- Bluetooth L2CAP information
377 /sys/kernel/debug/bluetooth/rfcomm -- Bluetooth serial connections
379 /proc/net/snmp -- statistics
381
383 route(8), ifconfig(8), iptables(8), proc(5) ss(8) ip(8)
384
386 Occasionally strange information may appear if a socket changes as it
387 is viewed. This is unlikely to occur.
388
390 The netstat user interface was written by Fred Baumgarten
391 <dc6iq@insu1.etec.uni-karlsruhe.de>, the man page basically by Matt
392 Welsh <mdw@tc.cornell.edu>. It was updated by Alan Cox
393 <Alan.Cox@linux.org>, updated again by Tuan Hoang <tqhoang@big‐
394 foot.com>. The man page and the command included in the net-tools pack‐
395 age is totally rewritten by Bernd Eckenfels <ecki@linux.de>. UDPLite
396 options were added by Brian Micek <bmicek@gmail.com>
397net-tools 2014-10-07 NETSTAT(8)