List of Useful Netstat Commands


netstat is one of the most useful commands when troubleshooting a network, but its syntax can be completely overwhelming. Combine complex syntax with subtle differences between Linux, Linux distributions, and Windows, and all of a sudden you need a handy reference or you can't use the tool. The purpose of this article is to list a few different scenarios where you might want to use netstat.

See all TCP/UDP Connections Sorted

netstat -anp |grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

The above command counts the TCP and UDP connections to your server per remote IP address and sorts the result by count. If you are suffering from a Denial of Service (DoS) attack, you will notice that one specific IP address has a lot of connections to your server. For example, you might see that most IP addresses have one or two connections, but one specific IP has 56 connections. In this case, you probably want to see what that IP address is hitting.

A trivial way to determine what this IP is hitting is to use good old top. Press c when in top and look for websites that are busy. Then tail -f the website’s log file. A common problem when running WordPress is that xmlrpc.php is being hit repeatedly.

You can use the following firewalld command, if it’s installed, to block the IP address (replace a.b.c.d):

# firewall-cmd --add-rich-rule='rule family=ipv4 source address=a.b.c.d reject' --permanent
# service firewalld restart

Find all HTTPS / Port 443 / Website Connections

Here is another useful command, this one just to find port 443 SSL connections:

netstat -anp |grep ':443' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
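
Both pipelines above cut the remote address at the first colon, which truncates IPv6 peers, and grep ':443' also matches remote ports. The following is an added example, not part of the original article: a shell function that counts connections per remote address while keeping IPv6 addresses whole, with an optional local-port filter and a minimum-count threshold. The function names, the sample data and the thresholds are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Sample data is constructed.

# conn_counts [MIN] [LOCAL_PORT]: read `netstat -an` output on stdin and print
# "count remote_address" for remotes with at least MIN connections,
# optionally only for connections to LOCAL_PORT on this host.
conn_counts() {
    min="${1:-1}"
    port="${2:-}"
    awk -v min="$min" -v port="$port" '
        $1 ~ /^(tcp|udp)/ {
            lport = $4; remote = $5
            sub(/^.*:/, "", lport)        # local port = text after the last colon
            if (port != "" && lport != port) next
            sub(/:[^:]*$/, "", remote)    # drop only the trailing :port (IPv6-safe)
            # Skip listening and unconnected sockets (no real remote peer).
            if (remote == "0.0.0.0" || remote == "::" || remote == "*") next
            count[remote]++
        }
        END { for (ip in count) if (count[ip] >= min) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample in Linux `netstat -an` layout (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          203.0.113.5:51000       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:51001       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.5:51002       TIME_WAIT
tcp        0      0 192.0.2.10:22           198.51.100.7:40022      ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::7:51234       ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Live use (the threshold 20 is an arbitrary assumption):
#   netstat -an | conn_counts 20 443
sample_netstat | conn_counts 2
```

On the sample, only the address with three connections passes the threshold of 2; filtering on local port 443 drops the SSH peer but keeps the IPv6 client.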


See Also

How to deal with an Apache / NGINX server that's under attack

Leave us a comment if you have any other useful netstat commands that we should list here.
