In the era of Kubernetes, cloud-native architectures, and microservices, many engineers focus on high-level abstractions. But when a production server starts behaving unexpectedly, a service fails to bind to a port, or suspicious network activity appears, experienced engineers often turn to one of the most fundamental networking tools available:
netstat
Despite being considered a legacy utility on some modern Linux distributions, netstat remains one of the most valuable commands for understanding what's happening on a system in real time.
Why Netstat Still Matters
Tools come and go, but networking fundamentals remain unchanged.
Whether you're a:
- Linux Administrator
- DevOps Engineer
- Site Reliability Engineer (SRE)
- Security Analyst
- Cloud Engineer
Understanding network connections at the operating system level is a critical skill.
Netstat provides visibility into:
- Active network connections
- Listening ports
- Routing tables
- Network interface statistics
- Protocol-level activity
When applications fail, netstat often reveals the root cause within seconds.
1. Viewing All Active Connections
```bash
netstat -a
```
This command displays:
- TCP connections
- UDP connections
- Listening sockets
- Established sessions
Example output:
```
Proto Recv-Q Send-Q Local Address    Foreign Address    State
tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN
tcp        0      0 server:443       client:51234       ESTABLISHED
```
This immediately tells you:
- Which services are listening
- Which clients are connected
- The current state of each connection
2. Finding Open Listening Ports
```bash
netstat -l
```
Every open port represents an exposed service.
During infrastructure audits, this command helps answer a critical question:
What services are actually reachable from the network?
Many security incidents start with forgotten services listening on unexpected ports.
3. Displaying TCP Listening Services
```bash
netstat -lt
```
Example:
```
tcp        0      0 0.0.0.0:22       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:80       0.0.0.0:*          LISTEN
tcp        0      0 0.0.0.0:443      0.0.0.0:*          LISTEN
```
At a glance, you can identify SSH (port 22), HTTP (port 80), and HTTPS (port 443) running on the server.
4. Viewing UDP Services
```bash
netstat -lu
```
Unlike TCP, UDP does not establish persistent connections.
This command is useful for identifying services such as:
- DNS
- DHCP
- NTP
- Syslog
Understanding UDP listeners is essential when troubleshooting service discovery and time synchronization issues.
5. Identifying Which Process Owns a Port
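One of the most useful commands in production environments. Run it as root (or with sudo); without privileges, the PID/Program name column is left empty for sockets owned by other users:
```bash
netstat -tulpn
```
Example:
```
Proto  Local Address   PID/Program name
tcp    0.0.0.0:80      1245/nginx
tcp    0.0.0.0:3306    2210/mysqld
```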
This instantly reveals:
- Port 80 → Nginx
- Port 3306 → MySQL
When an application fails to start because a port is already in use, this command is often the fastest way to identify the culprit.
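The listener checks from sections 2 and 5 can be turned into a repeatable audit. The script below is an added example, not part of the original article: it compares `netstat -tulpn` output against an approved baseline and reports listeners that are reachable off-host but not on the list. The baseline, the sample output, and the function name `audit_listeners` are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `netstat -tulpn` listeners against an approved baseline.

# Constructed baseline: "proto/port:program" entries this host is meant to expose.
APPROVED='tcp/22:sshd,tcp/80:nginx,tcp/443:nginx'

# Constructed sample of `netstat -tulpn` output (taken as root so PIDs appear).
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1245/nginx: master
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2210/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      3521/java
tcp6       0      0 :::443                  :::*                    LISTEN      1245/nginx: master
tcp6       0      0 ::1:631                 :::*                    LISTEN      901/cupsd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           733/avahi-daemon: r'

# audit_listeners: reads netstat -tulpn output on stdin and prints one line per
# listener that is reachable off-host and missing from the baseline.
audit_listeners() {
  awk -v approved="$APPROVED" '
    BEGIN { n = split(approved, rows, ","); for (i = 1; i <= n; i++) ok[rows[i]] = 1 }
    $1 !~ /^(tcp|udp)6?$/ { next }             # skip headers and UNIX sockets
    {
      proto = $1; sub(/6$/, "", proto)         # tcp6 -> tcp, udp6 -> udp
      k = split($4, part, ":"); port = part[k] # port is the text after the last colon
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "::1") next  # loopback only: not reachable off-host
      prog = ($6 == "LISTEN") ? $7 : $6        # UDP rows have no State column
      sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)  # "812/sshd:" -> "sshd"
      if (!((proto "/" port ":" prog) in ok))
        print "UNAPPROVED " proto "/" port " " prog " bound=" addr
    }'
}

# On a live host: netstat -tulpn | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

If netstat runs without privileges, the program column is `-`, so every off-host listener is reported as unapproved rather than silently passing.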
6. Investigating a Specific Port
Suppose your application cannot bind to port 8080.
```bash
netstat -tulpn | grep 8080
```
Output:
```
tcp        0      0 0.0.0.0:8080     0.0.0.0:*          LISTEN      3521/java
```
Now you know exactly which process owns the port.
No guesswork required.
7. Analyzing Network Interfaces
```bash
netstat -i
```
Example:
```
Iface   MTU    RX-OK    TX-OK
eth0    1500   152345   130987
```
This provides insight into:
- Packet transmission
- Interface errors
- Network throughput
- Hardware-level issues
A useful command when diagnosing networking bottlenecks.
8. Viewing the Routing Table
```bash
netstat -rn
```
Example:
```
Destination   Gateway     Genmask
0.0.0.0       10.0.0.1    0.0.0.0
```
The routing table determines how traffic leaves the server.
Misconfigured routes can cause:
- Connectivity failures
- Asymmetric routing
- Unexpected latency
Understanding routing is one of the hallmarks of a strong infrastructure engineer.
9. Security and Incident Response
One of the most overlooked uses of netstat is threat hunting.
Display all active TCP connections:
```bash
netstat -antp
```
Focus on established sessions:
```bash
netstat -antp | grep ESTABLISHED
```
Questions worth asking:
- Why is this server communicating with that IP?
- Is this connection expected?
- Does this process belong here?
Many security investigations begin with network visibility.
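The three questions above can be answered faster when the ESTABLISHED rows are grouped instead of read line by line. The script below is an added example, not part of the original article: it drops peers inside expected address prefixes, labels each remaining session as inbound or outbound, and counts sessions per process and peer. The prefixes, the sample output, and the function name `triage_established` are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage ESTABLISHED rows from `netstat -antp`.

# Assumption: peers whose address starts with one of these prefixes are expected.
EXPECTED_PREFIXES='10.0.0.,127.'

# Constructed sample of `netstat -antp` output (documentation address ranges).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd: /usr/sbin
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1245/nginx: master
tcp        0      0 10.0.0.5:443            10.0.0.21:51234         ESTABLISHED 1245/nginx: worker
tcp        0      0 10.0.0.5:22             192.0.2.44:53110        ESTABLISHED 4502/sshd: deploy [
tcp        0      0 10.0.0.5:48822          203.0.113.77:8443       ESTABLISHED 5120/python3
tcp        0      0 10.0.0.5:48824          203.0.113.77:8443       ESTABLISHED 5120/python3
tcp        0      0 10.0.0.5:39002          198.51.100.10:443       ESTABLISHED 1980/apt
tcp        0      0 10.0.0.5:443            10.0.0.30:40000         TIME_WAIT   -'

# triage_established: reads netstat -antp output on stdin and prints
# "count direction program peer_ip:peer_port" for peers outside EXPECTED_PREFIXES.
triage_established() {
  awk -v prefixes="$EXPECTED_PREFIXES" '
    function port_of(a,   p, k) { k = split(a, p, ":"); return p[k] }
    function host_of(a) { return substr(a, 1, length(a) - length(port_of(a)) - 1) }
    BEGIN { np = split(prefixes, pre, ",") }
    $6 == "LISTEN"      { listening[port_of($4)] = 1 }
    $6 == "ESTABLISHED" { n++; loc[n] = $4; rem[n] = $5; prog[n] = $7 }
    END {
      for (i = 1; i <= n; i++) {
        peer = host_of(rem[i]); expected = 0
        for (j = 1; j <= np; j++) if (index(peer, pre[j]) == 1) expected = 1
        if (expected) continue
        # Heuristic: a local port that is also a listener means the peer connected
        # to this host; any other local port means this host dialled out.
        lp = port_of(loc[i])
        dir = (lp in listening) ? "inbound" : "outbound"
        name = prog[i]; sub(/^[0-9]+\//, "", name); sub(/:$/, "", name)
        seen[dir " " name " " peer ":" port_of(rem[i])]++
      }
      for (key in seen) print seen[key], key
    }' | LC_ALL=C sort -k1,1nr -k2
}

# On a live host: netstat -antp | triage_established
printf '%s\n' "$SAMPLE" | triage_established
```

Outbound sessions from a process that normally only serves requests are the rows to look at first.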
Understanding TCP Connection States
A mature engineer doesn't just read netstat output—they understand connection behavior.
| State | Meaning |
|---|---|
| LISTEN | Waiting for incoming connections |
| ESTABLISHED | Active connection |
| TIME_WAIT | Connection recently closed |
| CLOSE_WAIT | Remote side closed the connection; the local application has not yet closed its socket |
| SYN_SENT | Connection initiation in progress |
| SYN_RECV | Handshake underway |
A large number of TIME_WAIT or CLOSE_WAIT connections can indicate application-level problems that may impact performance.
Netstat vs SS
Modern Linux distributions often recommend:
```bash
ss -tulpn
```
because it is faster and more efficient.
However, experienced engineers know both tools.
Real-world environments still contain:
- Legacy servers
- Older distributions
- Long-running enterprise systems
Knowing netstat remains valuable.
Final Thoughts
Junior engineers use netstat to check ports.
Intermediate engineers use it to troubleshoot services.
Senior engineers use it to understand system behavior.
Security engineers use it to investigate threats.
Infrastructure architects use it to visualize communication patterns across systems.
Netstat is not just a command—it is a window into the live network state of a machine.
"Logs tell you what happened. Metrics tell you what changed. Netstat tells you what is happening right now."