What is netstat and how to inspect connections

· Category: Networking

Short answer

Netstat displays active network connections, listening ports, routing tables, and interface statistics. Modern Linux systems prefer ss for better performance.

Steps

  1. List all connections: Run netstat -an or ss -tunap to view TCP and UDP sockets.

  2. Show listening ports: Use netstat -tlnp or ss -tlnp to see which services are waiting for connections.

  3. Find process names: Add the -p flag to map ports to process IDs and program names.

  4. View routing table: Use netstat -r or ip route to inspect how traffic is routed.

  5. Filter by protocol: Append -t for TCP, -u for UDP, or -x for Unix sockets.

Tips

  • Use ss on Linux; it is faster and more detailed than netstat.
  • Combine with grep to find specific ports or IPs quickly.
  • Run with sudo to see processes owned by other users.

Common issues

  • Ports in TIME_WAIT consuming resources.
  • Unexplained listening ports indicating unauthorized services.
  • Interpreting CLOSE_WAIT as an active connection rather than a cleanup state.