Background
netstat is one of the most important network troubleshooting tools, but the syntax can be overwhelming and even non-intuitive. Combine complex syntax with subtle differences between Linux, Linux distributions, and Windows, and all of a sudden you need a reference guide, otherwise you can’t use the tool. Try reaching for the tool in a crisis without a guide and troubleshooting can be really stressful.
The purpose of this article is to list a few different scenarios where you might want to use netstat.
List of Useful Netstat Commands
See what is running on port 80
# sudo netstat -tuln | grep :80
tcp6 0 0 :::80 :::* LISTEN
Shows all active TCP (-t) and UDP (-u) ports in listening (-l) mode with numeric (-n) output (to avoid name resolution).
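You can skip the n, but netstat then prints service names instead of port numbers (port 80 shows up as http), so grep for the name:
sudo netstat -tul | grep :http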
Ok, so you’ve determined that something is listening on tcp6. But what on earth is it? Huh? tcp6? Here is the correct command, which adds -p to show the PID and program name that owns the socket:
# sudo netstat -tulpn | grep :80
tcp6 0 0 :::80 :::* LISTEN 889/apache2
Long story short: A LibreNMS server had both Apache2 and Nginx running for some reason. There was also the usual weird issue with PHP FPM running on 7.4 and 8.1. So here was the sequence to get the server operational:
sudo netstat -tulpn | grep :80
service apache2 status
service apache2 stop
/etc/init.d/php7.4-fpm stop
/etc/init.d/php8.1-fpm start
service nginx status
service nginx start
service nginx status
And finally,
# systemctl disable apache2
Synchronizing state of apache2.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable apache2
Removed /etc/systemd/system/multi-user.target.wants/apache2.service.
For now, only a reboot will tell if the FPM problems persist.
See all TCP/UDP Connections Sorted
netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The above command counts the TCP and UDP connections to your server per remote IP address and sorts the result by count. If you are suffering from a Denial of Service (DoS) attack, you will notice that one specific IP address has a lot of connections to your server. For example, you might see that most IP addresses have one or two connections, but one specific IP has 56 connections. In this case, you probably want to see what that IP address is hitting.
A trivial way to determine what this IP is hitting is to use good old top. Press c when in top and look for websites that are busy. Then tail -f the website’s log file. A common problem when running WordPress is that xmlrpc.php is being hit repeatedly.
You can use the following firewalld command, if it’s installed, to block the IP address (replace a.b.c.d):
# firewall-cmd --add-rich-rule='rule family=ipv4 source address=a.b.c.d reject' --permanent
success
# service firewalld restart
Find all HTTPS / Port 443 / Website Connections
Here is another useful command, this one just to find port 443 SSL connections:
netstat -anp |grep ':443' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
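The two counting pipelines above split the address with cut -d: -f1, which cuts an IPv6 peer such as 2001:db8::beef down to 2001 and also counts listening sockets as 0.0.0.0. The following added example (not part of the original article; the function names and sample lines are constructed for illustration) strips the port at the last colon instead, folds IPv4-mapped addresses into plain IPv4, and lists peers at or above a connection threshold:

```shell
#!/bin/sh
# Added example: per-remote-address connection counts from `netstat -an` output.
# count_remote_ips, noisy_remote_ips and sample_netstat are hypothetical names.

# Reads netstat lines on stdin, prints "<count> <address>", busiest first.
count_remote_ips() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }        # skip headers and unix sockets
        {
            remote = $5                    # "Foreign Address" column
            if (remote ~ /:\*$/) next      # listeners and unconnected UDP
            sub(/:[0-9]+$/, "", remote)    # strip the port at the LAST colon
            sub(/^::ffff:/, "", remote)    # IPv4-mapped IPv6 -> plain IPv4
            count[remote]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Prints only the addresses with at least $1 connections.
noisy_remote_ips() {
    count_remote_ips | awk -v min="$1" '$1 >= min { print $2 }'
}

# Constructed sample (documentation address ranges), not real traffic.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51514      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51515      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51516      TIME_WAIT
tcp6       0      0 ::ffff:203.0.113.10:80  ::ffff:198.51.100.7:51520 ESTABLISHED
tcp        0      0 203.0.113.10:443        192.0.2.44:40100        ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:40022    ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::beef:40023    ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

sample_netstat | count_remote_ips
echo "--- at least 3 connections:"
sample_netstat | noisy_remote_ips 3
```

On a live server, feed it real data with `netstat -an | count_remote_ips`.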
See Also
How to deal with an Apache / NGINX server that’s under attack
Leave us a comment if you have any other useful netstat commands that we should list here.