
netstat is one of the most frequently used commands for network analysis and troubleshooting on Linux.

Common Options

-a (all) Show all sockets, both listening and non-listening
-t (tcp) Show TCP sockets
-u (udp) Show UDP sockets
-n Show addresses and ports in numerical form (no DNS or service-name lookups)
-l Show only sockets in the listening state

-p Show the PID and name of the process owning each socket
-r Show the routing table
-e Show extended information, e.g. the uid of the socket owner
-s Show statistics for all protocols
-c Re-run netstat continuously at an interval

The output format

Proto Recv-Q Send-Q Local-Address Foreign-Address State PID/ProgramName

Here is a list of common situations where netstat is very useful:

1. List all processes with TCP sockets in the listening state

$ netstat -nltp | less

2. Check whether a process is listening on a port

$ netstat -nltp | grep process_name

3. Show all ports that a process is using

$ netstat -ap | grep process_name

4. Show statistics for TCP or UDP

$ netstat -st

or

$ netstat -su

5. Show all network interfaces

$ netstat -i

or

$ netstat -ie  # displays extended information

One thing to note is that netstat can only show the PID/program name for sockets owned by processes of the current account;
to see that information for other accounts' processes, run it with sudo.

Examples

Real-world IP/TCP analysis with the netstat command

1. View connections to our service

We can use netstat to view all connections to a specific service and find the IP with the most connections to it.
For example, if we have the SSH service open on port 22 and want to see which IPs have the most connections, we can do this:

$ netstat -nat | grep "192.168.1.15:22" |awk '{print $5}'|awk -F: '{print $1}'|sort|uniq -c|sort -nr|head -20 

18 221.136.168.36
3 154.74.45.242
2 78.173.31.236
2 62.183.207.98
2 192.168.1.14
2 182.48.111.215

2. Show a count of connections in each state

$ netstat -nat |awk '{print $6}'|sort|uniq -c|sort -rn

143 ESTABLISHED
1 FIN_WAIT1
1 Foreign
1 LAST_ACK
36 LISTEN
6 SYN_SENT
113 TIME_WAIT
1 established

The "Foreign" and "established" lines are not connection states: they come from the two header lines netstat prints ("Proto Recv-Q Send-Q Local Address Foreign Address State" and "Active Internet connections (servers and established)"). The alternatives below either match only lines starting with tcp or filter out anything containing lowercase letters.

Alternative solutions:

$ netstat -n | awk '/^tcp/ {++S[$NF]};END {for(a in S) print a, S[a]}'
$ netstat -n | awk '/^tcp/ {++state[$NF]}; END {for(key in state) print key,"\t",state[key]}'
$ netstat -n | awk '/^tcp/ {++arr[$NF]};END {for(k in arr) print k,"\t",arr[k]}'
$ netstat -n |awk '/^tcp/ {print $NF}'|sort|uniq -c|sort -rn
$ netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

3. Get a process's PID from the port it is bound to

$ netstat -ntlp | grep ':80 ' | awk '{print $7}' | cut -d/ -f1

4. Get the top 20 IPs with the most connections to the service

$ netstat -anlp | grep ':80 ' | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20

or

$ netstat -ant |awk '/:80/{split($5,ip,":");++A[ip[1]]}END{for(i in A) print A[i],i}' |sort -rn|head -n20

5. Find the IPs with the most connections in the TIME_WAIT state

$ netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

6. Find the IPs with the most connections in a SYN state (SYN_SENT or SYN_RECV)

$ netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
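The state-count pipeline from section 2 and the "which peer has the most connections" pipeline from sections 1 and 4 to 6 are combined below into two shell functions. This is an added example, not part of the original page; it runs over a constructed netstat -nat capture (the SAMPLE variable, made up for this example) so it can be exercised without a live system. It generalizes the page's commands slightly: the header lines are skipped by matching only rows that start with tcp, LISTEN rows are excluded from the peer count, the local port is anchored at the end of the Local Address field rather than matched loosely with grep, and the remote port is stripped after the last colon so IPv6 peers are not truncated.

```shell
#!/bin/sh
# Added example (not from the original page): netstat post-processing
# pipelines run over a constructed capture instead of a live system.

# Constructed sample of `netstat -nat` output: the two header lines netstat
# prints, followed by a handful of sockets.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.15:22         221.136.168.36:51022    ESTABLISHED
tcp        0      0 192.168.1.15:22         221.136.168.36:51023    ESTABLISHED
tcp        0      0 192.168.1.15:22         154.74.45.242:40001     ESTABLISHED
tcp        0      0 192.168.1.15:80         78.173.31.236:33012     TIME_WAIT
tcp        0      0 192.168.1.15:80         78.173.31.236:33013     TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN'

# Count sockets per state. Reads netstat output on stdin; only rows that
# start with "tcp" are counted, so the two header lines are ignored.
# Output lines look like "3 ESTABLISHED", most frequent first.
count_states() {
    awk '/^tcp/ { s[$NF]++ } END { for (k in s) print s[k], k }' | sort -rn
}

# Count remote peers connected to a given local port ($1). Reads netstat
# output on stdin. LISTEN rows are skipped (their foreign address is "*"),
# the port is anchored at the end of the Local Address field, and the
# remote port is removed after the last colon so IPv6 addresses survive.
# Output lines look like "2 221.136.168.36", most frequent first.
top_peers() {
    awk -v port="$1" '
        /^tcp/ && $NF != "LISTEN" && $4 ~ (":" port "$") {
            peer = $5
            sub(/:[^:]*$/, "", peer)
            c[peer]++
        }
        END { for (p in c) print c[p], p }' | sort -rn
}

# Demo on the constructed capture; on a real host replace the printf with
# `netstat -nat` (or `sudo netstat -nat` to see every process).
printf '%s\n' "$SAMPLE" | count_states
printf '%s\n' "$SAMPLE" | top_peers 22
```

Because both functions read stdin, they plug straight into a live pipeline (`netstat -nat | top_peers 22 | head -n20`), and the same peer function answers sections 5 and 6 by adding a state filter in front of it, e.g. `awk '$NF == "TIME_WAIT"'`.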

7. Count the TCP sockets held by active PHP-CGI processes

$ netstat -anp | grep php-cgi | grep ^tcp | wc -l

8. Check the amount of memory that PHP-CGI is using

$ total=0; for i in $(ps -C php-cgi -o rss=); do total=$((total + i)); done; echo "PHP-CGI memory usage: $total kB"