
Netstat in Linux: How to Check Open Ports and Connections

This guide will teach you how to effectively use the netstat utility to analyze network connections in Linux. You'll learn how to find open ports, identify owning processes, filter output by protocol and interface, and interpret results for network problem diagnosis.

Updated on February 17, 2026
10-15 min
Medium
FixPedia Team
Applies to: Ubuntu 20.04+, CentOS 7+, Debian 10+, RHEL 8+, any Linux with the net-tools package

Introduction / Why You Need This

The netstat (network statistics) command is a classic command-line utility in Linux for diagnosing and monitoring network connections. It displays routing tables, interface statistics, and most importantly—a list of all active network connections (incoming and outgoing) and ports that are in a listening state (LISTEN).

This guide will help you:

  • Quickly identify which services and applications are using network ports.
  • Find "stuck" or unexpected connections.
  • Diagnose service availability issues (e.g., why port 80 is not responding).
  • Get basic traffic information (who is communicating with whom).

Despite the emergence of more modern alternatives (such as ss), netstat remains an indispensable tool that is often already installed on a system, and its syntax is well-known to many administrators.

Requirements / Preparation

  1. Access to a Linux terminal (Ubuntu, CentOS, Debian, RHEL, Fedora, etc.).
  2. Superuser (root) privileges. Displaying process names (PID/Program name) almost always requires running with sudo.
  3. Installed net-tools package. On modern minimal installations (especially in containers), it may be missing. Installation instructions are in the first step.
  4. Basic understanding of networking concepts: what a port is, TCP/UDP protocols, connection states (LISTEN, ESTABLISHED).

Step-by-Step Instructions

Step 1: Install netstat (if missing)

Check if the command exists: which netstat. If the output is empty, install the net-tools package.

For Debian/Ubuntu and derivatives:

sudo apt update
sudo apt install net-tools

For RHEL/CentOS 7:

sudo yum install net-tools

For RHEL/CentOS 8+, Fedora, AlmaLinux, RockyLinux:

sudo dnf install net-tools

After installation, the netstat command will become available.

Step 2: View all active connections and listening ports

Run the main, most informative command:

sudo netstat -tulpn

What you will see and how to read the output:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      5678/nginx: master
udp        0      0 127.0.0.1:323           0.0.0.0:*                          901/chronyd

  • Proto: Protocol (tcp, udp, tcp6, udp6).
  • Local Address: Local address and port. 0.0.0.0:22 means the service listens on all IPv4 interfaces on port 22. :::80 means it listens on all IPv6 interfaces on port 80.
  • Foreign Address: Remote address and port. 0.0.0.0:* or *:* means the connection is not with a specific remote host (LISTEN state).
  • State: Connection state. For listening ports—LISTEN. For active connections—ESTABLISHED, TIME_WAIT, etc.
  • PID/Program name: Process ID (PID) and the program name that owns the socket. The key column for diagnosis.
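The column rules above, applied by a script (an added example, not part of the original guide): it parses netstat -tulpn output, which lists listening sockets because of -l, and labels each socket by how widely it is bound. The function names are hypothetical and the sample output is constructed; on a real host, pipe sudo netstat -tulpn into the functions instead.

```shell
#!/bin/sh
# Constructed sample of `sudo netstat -tulpn` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2345/mysqld
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      4321/java
tcp6       0      0 :::80                   :::*                    LISTEN      5678/nginx: master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           901/chronyd
EOF
}

# parse_listeners: read netstat output on stdin, print "proto|addr|port|scope|owner".
parse_listeners() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }             # skip banner and header lines
    {
      local_addr = $4
      port = local_addr; sub(/.*:/, "", port)  # port follows the LAST colon (IPv6-safe)
      addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
      # UDP rows have an empty State column, so the owner starts at field 6, not 7.
      first = ($6 ~ /^[0-9]+\/|^-$/) ? 6 : 7
      owner = $first
      for (i = first + 1; i <= NF; i++) owner = owner " " $i   # e.g. "nginx: master"
      if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "all-interfaces"
      else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
      else scope = "specific"
      print $1 "|" addr "|" port "|" scope "|" owner
    }'
}

# exposed_listeners: only sockets bound to every interface (0.0.0.0 or ::).
exposed_listeners() { parse_listeners | awk -F'|' '$4 == "all-interfaces"'; }

# port_owner PORT: exact port comparison, so 80 does not also match 8080.
port_owner() { parse_listeners | awk -F'|' -v p="$1" '$3 == p { print $5 }'; }

sample_netstat | exposed_listeners
```

Sockets reported as all-interfaces are the ones to compare against the firewall rules and the list of services the host is supposed to offer.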

Step 3: Filter output by protocol or port

The full output (-tulpn) can be very lengthy. Filtering with grep will narrow the results.

Show only TCP connections (ignoring listening ports):

sudo netstat -tn

Show only UDP connections:

sudo netstat -un

Find all entries related to port 80 (HTTP) or 443 (HTTPS):

# The trailing whitespace class anchors the port, so :80 does not also match :8080
sudo netstat -tulpn | grep -E ':(80|443)[[:space:]]'

Find the process listening on a specific port (e.g., 3306 for MySQL):

# The trailing whitespace class keeps :3306 from also matching :33060
sudo netstat -tulpn | grep -E ':3306[[:space:]]'

The output will contain one line with the PID and program name (e.g., mysqld).

Find all connections to a specific remote IP address:

sudo netstat -tn | grep '192.168.1.100'

Step 4: Monitor connections in real-time

To observe connection dynamics (e.g., who is connecting to your SSH daemon), use the --continuous (or -c) flag.

sudo netstat -tulpn --continuous

The screen will update every few seconds. Press Ctrl+C to exit.

Step 5: Identify which process uses a specific port (practical example)

Task: Port 8080 is in use, but it's unknown which application. You need to find and possibly stop this process.

  1. Find the process:
    sudo netstat -tulpn | grep ':8080'

    Example output: tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 4321/java
  2. Analyze: Process with PID 4321 and name java is listening on port 8080 on all interfaces.
  3. (Optional) Get more information about the process:
    # full-format listing for exactly this PID (owner, parent PID, command line)
    ps -fp 4321
    # or
    sudo lsof -i :8080
  4. If it's an unwanted process, you can stop it: sudo kill 4321 (gracefully) or sudo kill -9 4321 (forcefully).

Verification

  • Successful execution: The command sudo netstat -tulpn outputs a table with columns Proto, Local Address, State, PID/Program name. You see a list of all listening ports and active connections.
  • Practical result: You can unambiguously associate a port with a specific service (nginx, mysql, sshd, docker-proxy, etc.) using the process name (PID/Program name). You can filter the output and find information about the port or IP you need.
  • Completion criterion: You were able to answer the question "Which program is using port X?" or "What connections are currently active?" using netstat.

Possible Issues

Problem: netstat command not found
  • Symptom: bash: netstat: command not found
  • Solution: Install the net-tools package (see Step 1).

Problem: Dashes (-) in the PID/Program name column
  • Symptom: Output shows - instead of PID/Program name
  • Solution: Run the command with sudo. Without root privileges, netstat cannot determine the socket owner.

Problem: Addresses display as names (e.g., localhost:http) instead of numbers
  • Symptom: Local Address shows localhost:http instead of 127.0.0.1:80
  • Solution: This happens due to the missing -n flag. Use sudo netstat -tulpn (the -n flag is already in our template) or configure /etc/hosts/DNS.

Problem: IPv6 addresses are not visible
  • Symptom: No entries with tcp6/udp6
  • Solution: Either there are no active IPv6 connections/listening ports on the system, or IPv6 is disabled. Check cat /proc/sys/net/ipv6/conf/all/disable_ipv6 (0 means enabled).

Problem: Output is truncated (long path names)
  • Symptom: Program name is cut off, e.g., java instead of full path /usr/lib/jvm/...
  • Solution: Use the -W flag for wide output: sudo netstat -tulpnW. Or use ss -p, which often shows full paths.

Problem: Many lines in TIME_WAIT state
  • Symptom: Output is "flooded" with TIME_WAIT lines
  • Solution: This is a normal TCP state after a connection closes. It will disappear on its own after some time (2*MSL). Not an error unless the count grows indefinitely.

Conclusion

You have mastered a basic but powerful tool for analyzing Linux network activity. The skill to quickly determine "what is listening on a port" and "who is connected to whom" is critical for server administration, application debugging, and security. For deeper analysis and work in high-load environments, study the modern alternative—the ss command (see the related guide).

F.A.Q.

How does netstat differ from ss?
How to find the process occupying a specific port (e.g., 8080)?
Why is process information (PID/Program name) missing from netstat output?
How to save netstat output to a file for further analysis?
