netstat -nlp
netstat -tapn
netstat -an // without resolving hostnames
netstat -a // list all connections
netstat -at // list all TCP connections
netstat -au // list all UDP connections
netstat -tnl // list only listening sockets
netstat -nlpt // list process name/pid and user id
netstat -ltpe
netstat -s // print statistics
netstat -rn // display kernel routing information
netstat -i // print network interface
netstat -g // display multi-cast groups
netstat -atnp | grep ESTA // print established connections

cnt=$(netstat -ant | awk '$4 ~ /:25$/ {print $4}' | wc -l)
if [ "$cnt" -ge "$critical" ]; then
        echo "CRITICAL $cnt";
        exit 2;
elif [ "$cnt" -ge "$warning" ]; then
        echo "WARNING $cnt";
        exit 1;
        echo "OK $cnt";
        exit 0;

To run the above code:

/usr/lib64/nagios/plugins/ 190 200

The command netstat displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.


The leftmost column “Proto” shows the type of the connection – tcp in this case

The column Recv-Q shows the bytes of data in the queue to be sent to the user program that established the connection. This value should be as close to 0 as possible. In busy servers this value will be more than 0 but shouldn’t be very high. A higher number may not mean much, unless you see a large number in Send-Q column, described below.

The Send-Q column denotes the bytes in the queue to be sent to the remote program, i.e. the remote program has not yet acknowledged receiving it. This should be close to 0. A large number may indicate a network bottleneck.

Local Address is source of the connection and the port number of the program.

Foreign Address is the destination host and port number.

The column State shows the status of the connection. Here are some common values. ESTABLISHED – that the connection has been established. It does not mean that any data is flowing between the end points; merely that the end points have talked to each other. CLOSED – the connection has been closed, i.e. not used now. TIME_WAIT – the connection is being closed but there are still packets in the network that are being handled. CLOSE_WAIT – the remote end has shutdown and has asked to close the connection.

The -p option shows the process information as well:

netstat -p

To find out the network statistics for various interfaces, use the -i option:

netstat -i

This shows the different interfaces present in the server (eth0, eth8, etc.) and the metrics associated with the interface.

The 'RX-OK' column shows the number of packets successfully sent (for this interface)

The 'RX-ERR' columns shows number of errors.

The 'RX-DRP' column shows packets dropped and had to be re-sent (either successfully or not)

The 'RX-OVR' column shows packets overrun

The next sets of columns (TX-OK, TX-ERR, etc.) show the corresponding stats for send data.

The Flg column is a composite value of the property of the interface. Each letter indicates a specific property being present. Here is an explanation of the letters:

B – Broadcast
M – Multicast
R – Running
U – Up
O – ARP Off
P – Point to Point Connection
L – Loopback
m – Master
s - Slave

You can use the –interface (note: there are two hyphens, not one) option to display the same for a specific interface:

netstat --interface=eth0

The output is wide and is a little difficult to grasp at one shot. If you are comparing across interfaces, it makes sense to have a tabular output.

However, if you want to examine the values in a more readable format, use the -e option to produce an extended output:

netstat -i -e

If you’d rather see the output showing IP addresses instead of host names, use the -n option.

The -s option shows the summary statistics of each protocol, rather than showing the details of each connection. This can be combined with the protocol specific flag. For instance -u shows the stats related to the UDP protocol:

netstat -s -u

To see the stats for tcp, use -t and for raw, -r.

To display the routing table:

netstat -r

The second column of netstat output–Gateway–shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column–Genmask–shows the “generality” of the route, i.e., the network mask for this route. When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the netmask before comparing it to the target of the route.

The fourth column (produced by netstat -r), Flags, displays the following flags that describe the route:

  • G means the route uses a gateway.
  • U means the interface to be used is up (available).
  • H means only a single host can be reached through the route. For example, this is the case for the loopback entry
  • D means this route is dynamically created.
  • ! means the route is a reject route and data will be dropped.

The next three columns show the MSS, Window, and irtt that will be applied to TCP connections established via this route.

MSS stands for Maximum Segment Size – the size of the largest datagram for transmission via this route.

Window is the maximum amount of data the system will accept in a single burst from a remote host for this route.

irtt stands for Initial Round Trip Time. The TCP protocol has a built-in reliability check. If a data packet fails during transmission, it’s re-transmitted. The protocol keeps track of how long the takes for the data to reach the destination and acknowledgement to be received. If the acknowledgement does not come within that timeframe, the packet is retransmitted. The amount of time the protocol has to wait before re-transmitting is set for the interface once (which can be changed) and that value is known as initial round trip time. A value of 0 means the default value is used.

ss command is used to dump socket statistics. It allows showing information similar to netstat.

ss: Display Linux TCP / UDP Network and Socket Information
Get Detailed Information About Particular IP address Connections Using netstat Command

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License