
Exploring Netstat

Network connections, routing tables, interfaces, statistics, et cetera

Netstat is an insanely powerful monitoring tool when used with combinations of arguments. The man page contains the list of accepted arguments. However, it has been obsoleted by "ip" and "ss".

1) From the man page, "By default, netstat displays a list of open sockets". Running the netstat command without any arguments on my Linux machine:

[~] netstat  
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 user:41236              si-in-f188.1e10:hpvroom ESTABLISHED
tcp        0      0 user:46348              bom05s15-in-f10.1:https ESTABLISHED
tcp        0      0 user:51426              https-111-119-15-:https ESTABLISHED
udp        0      0 user:bootpc             _gateway:bootps         ESTABLISHED
udp        0      0 user:53693              bom07s24-in-f10.1:https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    27060    /run/user/1000/systemd/notify
unix  2      [ ]         DGRAM                    27806    /run/wpa_supplicant/wlan0

...

2) Get summary statistics for each protocol (UDP, TCP, ICMP, IP) using the statistics flag (--statistics or simply -s)

[~] netstat -s
Ip:
    Forwarding: 2
    491672 total packets received
    0 forwarded
    0 incoming packets discarded
    485413 incoming packets delivered
    166022 requests sent out
    1 outgoing packets dropped
Icmp:
    0 ICMP messages received
    0 input ICMP message failed
    ICMP input histogram:
    8 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 8
IcmpMsg:
        OutType3: 8
Tcp:
    663 active connection openings

...

3) Displaying the kernel routing table (--route or -r flag)

[~] netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 wlan0
10.0.2.0        0.0.0.0         255.255.255.0   U         0 0          0 virbr1
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0

4) Finally, combining different flags

I will run netstat -upv, where

u -> UDP internet connections,

p -> associated PID/program name,

v -> verbose mode

[~] netstat -upv
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
udp        0      0 user:48202              bom07s35-in-f3.1e:https ESTABLISHED 15877/chrome --type
udp        0      0 user:bootpc             _gateway:bootps         ESTABLISHED -
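
The -upv output above can be post-processed to list which sockets have no visible owning process (the rows whose last column is "-"). This is an added example, not part of the original post: the function names parse_netstat, unattributed and sample_netstat are hypothetical, and the third sample row is constructed to cover UDP sockets whose State column is empty.

```shell
# Added example: turn netstat -tupv style rows into tab-separated fields
# parse_netstat: reads netstat output on stdin, prints proto, local, foreign, state, pid, program
parse_netstat() {
    awk '
    BEGIN { OFS = "\t" }
    # Only socket rows start with tcp/udp (tcp6/udp6 included); this skips the
    # "Not all processes could be identified" notice and the header lines.
    $1 !~ /^(tcp|udp)6?$/ { next }
    {
        state = ""; i = 6
        # UDP rows often have an empty State column, so field 6 is a state
        # only when it looks like one (ESTABLISHED, TIME_WAIT, FIN_WAIT1, ...).
        if ($6 ~ /^[A-Z][A-Z_0-9]+$/) { state = $6; i = 7 }
        owner = $i
        # The program column holds part of the command line, so it may span fields.
        for (j = i + 1; j <= NF; j++) owner = owner " " $j
        if (owner == "-" || owner == "") { pid = "-"; prog = "UNKNOWN" }
        else { pid = owner; sub(/\/.*/, "", pid); prog = owner; sub(/^[0-9]+\//, "", prog) }
        print $1, $4, $5, (state == "" ? "-" : state), pid, prog
    }'
}

# unattributed: sockets whose owning process netstat could not show
unattributed() { parse_netstat | awk -F '\t' '$6 == "UNKNOWN" { print $1, $2, $3 }'; }

# Sample input: the two rows from the output above plus one constructed row (empty State)
sample_netstat() {
cat <<'EOF'
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 user:48202              bom07s35-in-f3.1e:https ESTABLISHED 15877/chrome --type
udp        0      0 user:bootpc             _gateway:bootps         ESTABLISHED -
udp        0      0 user:mdns               0.0.0.0:*                           1234/example-daemon
EOF
}

sample_netstat | parse_netstat
```

On a live system, pipe the real command in instead, for example netstat -tupv | unattributed, and run it as root so that fewer owners show as "-".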