Using the Netstat command
The netstat (network statistics) command is a powerful command-line tool used for displaying network connections (both incoming and outgoing), routing tables, interface statistics, masquerade connections, and multicast memberships. If you manage a server, including a cPanel server, understanding netstat can be invaluable for network monitoring and troubleshooting.
Why use netstat?
You might need to use netstat for several reasons, such as:
- Troubleshooting network issues: If a service is unreachable, netstat can help you see if it’s listening on the correct port.
- Security monitoring: You can identify active connections to your server and check for any suspicious or unauthorized activity.
- Service verification: Confirm that essential services like your web server, mail server, or database server are running and listening for connections.
- Port conflicts: Find out which process is using a specific port if another application reports that the port is already in use.
Common netstat options
The netstat command offers various options (flags) to customize its output. Here are some of the most common ones:
- -t: Displays TCP connections.
- -u: Displays UDP connections.
- -n: Shows numerical addresses instead of trying to determine symbolic host, port, or user names. This can speed up the command as it avoids DNS lookups.
- -l: Shows only listening sockets. These are sockets waiting for incoming connections.
- -p: Shows the Process ID (PID) and name of the program to which each socket belongs. You usually need root or sudo privileges to see this information for all processes.
- -a: Shows both listening and non-listening (established) sockets.
- -c: Causes netstat to print the selected information continuously every second.
- -r: Displays the kernel routing tables. This is similar to the route command.
- -s: Displays summary statistics for each protocol (e.g., TCP, UDP, ICMP, IP).
- -i: Displays a table of all network interfaces or the specified interface.
You can often combine these options. For example, -tulnp is a very common combination.
Understanding netstat output
When you run netstat, you’ll typically see several columns of information. Here’s a breakdown of the common ones, especially when viewing active connections or listening ports:
- Proto: The protocol used by the socket (e.g., tcp, udp, tcp6, udp6).
- Recv-Q: The count of bytes not yet copied by the user program connected to this socket.
- Send-Q: The count of bytes not yet acknowledged by the remote host.
- Local Address: The IP address and port number of the local end of the socket. An address like 0.0.0.0:80 means port 80 is listening on all available network interfaces. 127.0.0.1:3306 means port 3306 is only listening for connections from the server itself.
- Foreign Address: The IP address and port number of the remote end of the socket. If the socket is listening, this often appears as *:* or 0.0.0.0:*.
- State: The state of the socket. Common states include:
  - LISTEN: The socket is waiting for an incoming connection.
  - ESTABLISHED: A connection is active.
  - TIME_WAIT: The socket is waiting after closing to handle packets still in the network.
  - CLOSE_WAIT: The remote end has shut down, waiting for the local socket to close.
  - SYN_SENT: The socket is actively trying to establish a connection.
  - SYN_RECV: A connection request has been received from the network.
- PID/Program name: The Process ID and the name of the program that owns the socket. This column only appears if you use the -p option (and may require root privileges).
Practical examples
Let’s look at some practical ways you can use netstat. To run commands that require process information (-p) for all users, you might need to use sudo (e.g., sudo netstat -tulnp).
Viewing all listening TCP and UDP ports with process information
This is one of the most useful commands to see which services are running and on which ports they are listening:
    netstat -tulnp
Breaking it down:
- -t: TCP ports
- -u: UDP ports
- -l: Listening sockets
- -n: Numeric addresses (faster)
- -p: Program name and PID
Checking specific services on a cPanel server
cPanel servers run various services. Here’s how you can check if they are listening correctly.
Apache (webserver)
Apache serves your websites on ports 80 (HTTP) and 443 (HTTPS).
    netstat -tulnp | grep -E ':80|:443'
Alternatively, you can grep for the process name (note: the process name might vary slightly depending on your operating system and Apache build):
    netstat -tlpn | grep httpd
    netstat -tlpn | grep apache2
Exim (Mail Server)
Exim handles email and typically listens on ports 25 (SMTP), 465 (SMTPS), and 587 (Submission).
    netstat -tulnp | grep -E ':25|:465|:587'
Or, grep for the Exim process:
    netstat -tlpn | grep exim
MySQL/MariaDB (database Server)
Your database server usually listens on port 3306.
    netstat -tulnp | grep ':3306'
Or, grep for the MySQL/MariaDB process:
    netstat -tlpn | grep mysqld
cPanel/WHM services
cPanel, WHM, and Webmail use several ports (e.g., 2082, 2083 for cPanel; 2086, 2087 for WHM; 2095, 2096 for Webmail).
    netstat -tulnp | grep -E ':2082|:2083|:2086|:2087|:2095|:2096'
Finding which process is using a specific port
If you need to find out what’s using a particular port, for example, port 22 (SSH):
    netstat -tulnp | grep ':22'
This will show you the process (sshd in this case) listening on port 22.
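The per-service greps above can be run as one pass over the listening table. The script below is an added example, not part of the original article: the EXPECTED allowlist (built from the ports named on this page), the function names and the sample output are all constructed assumptions.

```sh
# Assumed allowlist: the service ports named on this page. Adjust per server.
EXPECTED="22 25 80 443 465 587 2082 2083 2086 2087 2095 2096 3306"

# Reads `netstat -tulnp` (or -tuln) output on stdin and reports:
#   UNEXPECTED  a listener on a port outside the allowlist
#   LOCAL-ONLY  an expected port bound only to loopback
#   MISSING     an expected port with no listener at all
audit_listeners() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    $1 ~ /^(tcp|udp)6?$/ {
        # UDP rows have an empty State column, so only TCP is filtered on LISTEN.
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        port = $4; sub(/.*:/, "", port)              # text after the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        seen[port] = 1
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback" : "non-loopback"
        if (!(port in want)) print "UNEXPECTED", $1, $4, scope
        else if (scope == "loopback") print "LOCAL-ONLY", $1, $4
    }
    END { for (p in want) if (!(p in seen)) print "MISSING port", p }
    ' | sort
}

# Constructed sample of `netstat -tulnp` output (not captured from a real host).
sample_listening() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1450/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1450/httpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1201/mysqld
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN      2977/node
tcp6       0      0 :::2087                 :::*                    LISTEN      990/cpsrvd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
}

sample_listening | audit_listeners
```

On a live server, replace the sample with `sudo netstat -tulnp | audit_listeners`.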
Viewing active (established) network connections
To see all active TCP connections, including the source and destination IPs and ports:
    netstat -tanp
- -t: TCP
- -a: All (includes listening, but here we are interested in established ones)
- -n: Numeric
- -p: Program name/PID
This is useful for seeing who is connected to your server.
Displaying the kernel routing table
To see how network traffic is routed from your server:
    netstat -r
For a numeric display (which avoids hostname lookups and can be faster):
    netstat -rn
Displaying network interface statistics
To view statistics for your network interfaces (like packets received/transmitted, errors, etc.):
    netstat -i
For more detailed (verbose) output, you can add -e:
    netstat -ie
Continuously monitoring network activity
If you want to watch network connections in real-time (updated every second):
    netstat -tcnp
Press Ctrl+C to stop the continuous output.
Troubleshooting with netstat
netstat is a go-to tool for initial network troubleshooting steps:
- Service not accessible: If users can’t reach your website, use netstat -tulnp | grep ':80' to check if your web server is actually listening on port 80 and on the correct IP address (e.g., 0.0.0.0:80 or a specific public IP). If it’s listening only on 127.0.0.1:80, it’s only accessible from the server itself.
- Port already in use: If you try to start a service and get an “address already in use” error for a specific port, use sudo netstat -tulnp | grep ':PORT_NUMBER' to find out which application is currently occupying that port.
- Suspected unauthorized access or high traffic: Use sudo netstat -tanp and examine the list of established connections. Look for an unusually large number of connections from a single IP or connections to unexpected ports.
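To make the last check repeatable, the established connections can be counted per remote IP instead of read by eye. The script below is an added example, not part of the original article: the function names, the default threshold of 20 and the sample output (documentation-range addresses) are constructed assumptions.

```sh
# Reads `netstat -tan` (or -tanp) output on stdin and prints, for each remote
# IP with at least $1 ESTABLISHED connections (default 20, an assumed value):
#   <count> <remote ip> <local ports it is connected to>
conns_per_ip() {
    awk -v min="${1:-20}" '
    $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
        ip = $5
        sub(/:[0-9]+$/, "", ip)      # drop the remote port (last colon segment)
        sub(/^::ffff:/, "", ip)      # fold IPv4-mapped IPv6 into plain IPv4
        lp = $4; sub(/.*:/, "", lp)  # local port this peer is talking to
        count[ip]++
        if (!((ip, lp) in seenp)) {
            seenp[ip, lp] = 1
            ports[ip] = ports[ip] (ports[ip] == "" ? "" : ",") lp
        }
    }
    END { for (ip in count) if (count[ip] >= min) print count[ip], ip, ports[ip] }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample of `netstat -tan` output (not captured from a real host).
sample_established() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:443          203.0.113.7:51514       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.7:51515       ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.7:51516       TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:203.0.113.7:51517 ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.23:40022     ESTABLISHED
tcp6       0      0 2001:db8::10:443        2001:db8::99:60000      ESTABLISHED
EOF
}

sample_established | conns_per_ip 3
```

On a live server, run `sudo netstat -tan | conns_per_ip 20` and raise or lower the threshold to match normal traffic for that host.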
A note on `ss`: The modern alternative
While netstat has been a staple for many years, it’s considered deprecated in many modern Linux distributions. The ss command (socket statistics) is its replacement and is generally faster and can provide more detailed information.
For example, the equivalent of netstat -tulnp using ss is:
    ss -tulnp
It’s a good idea to start familiarizing yourself with ss, but netstat is still available on many systems and remains a useful tool.
Conclusion
The netstat command is an essential utility for anyone managing a server. It provides critical insights into network activity, helping you ensure your services are running correctly, troubleshoot connectivity problems, and perform basic security checks. While newer tools like ss are emerging, understanding netstat remains a valuable skill for server administration.