netstat -nlp
netstat -tapn
netstat -an // without resolving hostnames
netstat -a // list all connections
netstat -at // list all TCP connections
netstat -au // list all UDP connections
netstat -tnl // list only listening sockets
netstat -nlpt // list process name/pid and user id
netstat -ltpe
netstat -s // print statistics
netstat -rn // display kernel routing information
netstat -i // print network interface
netstat -g // display multi-cast groups
netstat -atnp | grep ESTA // print established connections

cnt=$(netstat -ant | awk '$4 ~ /:25$/ {print $4}' | wc -l)
if [ "$cnt" -ge "$critical" ]; then
        echo "CRITICAL $cnt";
        exit 2;
elif [ "$cnt" -ge "$warning" ]; then
        echo "WARNING $cnt";
        exit 1;
        echo "OK $cnt";
        exit 0;

To run the above code:
/usr/lib64/nagios/plugins/ 190 200

What is the purpose of the netstat command?

Displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.


How can we interpret the output of netstat?

The leftmost column “Proto” shows the type of the connection – tcp in this case

The column Recv-Q shows the bytes of data in the queue to be sent to the user program that established the connection. This value should be as close to 0 as possible. In busy servers this value will be more than 0 but shouldn’t be very high. A higher number may not mean much, unless you see a large number in Send-Q column, described below.

The Send-Q column denotes the bytes in the queue to be sent to the remote program, i.e. the remote program has not yet acknowledged receiving it. This should be close to 0. A large number may indicate a network bottleneck.

Local Address is source of the connection and the port number of the program.

Foreign Address is the destination host and port number.

The column State shows the status of the connection. Here are some common values. ESTABLISHED – that the connection has been established. It does not mean that any data is flowing between the end points; merely that the end points have talked to each other. CLOSED – the connection has been closed, i.e. not used now. TIME_WAIT – the connection is being closed but there are still packets in the network that are being handled. CLOSE_WAIT – the remote end has shutdown and has asked to close the connection.

What option can we use to cause netstat to output the local process information?

Use the -p:

netstat -p

What option can we use to cause netstat to display the network statistics for various interfaces?

Use the -i option:

netstat -i

This shows the different interfaces present in the server (eth0, eth8, etc.) and the metrics associated with the interface.

  1. The 'RX-OK' column shows the number of packets successfully sent (for this interface)
  2. The 'RX-ERR' columns shows number of errors.
  3. The 'RX-DRP' column shows packets dropped and had to be re-sent (either successfully or not)
  4. The 'RX-OVR' column shows packets overrun
  5. The next sets of columns (TX-OK, TX-ERR, etc.) show the corresponding stats for send data.
  6. The Flg column is a composite value of the property of the interface. Each letter indicates a specific property being present. Here is an explanation of the letters:
B – Broadcast
M – Multicast
R – Running
U – Up
O – ARP Off
P – Point to Point Connection
L – Loopback
m – Master
s - Slave

We can use the --interface (note: there are two hyphens, not one) option to display the same for a specific interface:

netstat --interface=eth0

The output is wide and is a little difficult to grasp at one shot. If you are comparing across interfaces, it makes sense to have a tabular output. However, if you want to examine the values in a more readable format, use the -e option to produce an extended output:

netstat -i -e

What option can we use to cause netstat to display IP addresses instead of host names?

Use the -n option.

What option can we use to cause netstat to display the summary statistics for each protocol?

The -s option shows the summary statistics of each protocol, rather than showing the details of each connection. This can be combined with the protocol specific flag. For instance -u shows the stats related to the UDP protocol:

netstat -s -u

What options can we use to cause netstat to display the stats for tcp?

To see the stats for tcp, use -t and for raw, -r.

What option can we use to cause netstat to display the routing table?

Use the -r option:

netstat -r

The second column of netstat output–Gateway–shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column–Genmask–shows the “generality” of the route, i.e., the network mask for this route. When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the netmask before comparing it to the target of the route.

The fourth column (produced by netstat -r), Flags, displays the following flags that describe the route:

  • G means the route uses a gateway.
  • U means the interface to be used is up (available).
  • H means only a single host can be reached through the route. For example, this is the case for the loopback entry
  • D means this route is dynamically created.
  • ! means the route is a reject route and data will be dropped.

The next three columns show the MSS, Window, and irtt that will be applied to TCP connections established via this route.

MSS stands for Maximum Segment Size – the size of the largest datagram for transmission via this route. Window is the maximum amount of data the system will accept in a single burst from a remote host for this route.

irtt stands for Initial Round Trip Time. The TCP protocol has a built-in reliability check. If a data packet fails during transmission, it’s re-transmitted. The protocol keeps track of how long the takes for the data to reach the destination and acknowledgement to be received. If the acknowledgement does not come within that timeframe, the packet is retransmitted. The amount of time the protocol has to wait before re-transmitting is set for the interface once (which can be changed) and that value is known as initial round trip time. A value of 0 means the default value is used.

What is the purpose of the ss command?

ss command is used to dump socket statistics. It allows showing information similar to netstat.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License