Intro to Netstat!

Netstat (NETwork STATistics) is a command-line tool that provides information about your network configuration and activity.

To display the routing table:

#netstat -rn
-r: Kernel routing tables.
-n: Shows numerical addresses instead of trying to determine hosts.

Kernel IP routing table
Destination
192.168.1.0
0.0.0.0 Gateway
0.0.0.0
192.168.1.1 Genmask
255.255.255.0
0.0.0.0 Flags
U
UG MSS
0
0 Window
0
0 irtt
0
0 Iface
eth1
eth1
To display the quick interfaces statistics:

#netstat -i
-i: Interface

Kernel Interface table
Iface
ath0
eth0
eth1
lo MTU
1500
1500
1500
16436 Met
0
0
0
0 RX-OK
0
0
1156
225 RX-ERR
250
0
0
0 RX-DRP
0
0
0
0 RX-OVR
0
0
0
0 TX-OK
0
0
568
225 TX-ERR
0
0
0
0 TX-DRP
0
0
0
0 TX-OVR
0
0
0
0 FLG
BMRU
BMU
BMRU
LRU
To display the extended interfaces statistics:

#netstat -ie
-i: Interface
-e: Extended information

Kernel Interface table
eth0 Link encap:Ethernet HWaddr AA:00:11:22:33:44
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:169

eth1 Link encap:Ethernet HWaddr AA:00:11:22:33:44
inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::a100:0aa:aa00:a01/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1212 errors:0 dropped:0 overruns:0 frame:0
TX packets:580 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:216479 (211.4 KiB) TX bytes:56987 (55.6 KiB)
Interrupt:201 Memory:dfcff000-dfcfffff

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:238 errors:0 dropped:0 overruns:0 frame:0
TX packets:238 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:8688 (8.4 KiB) TX bytes:8688 (8.4 KiB)

Note that "netstat -ie" is equivalent to "ifconfig -a".

To display all the opened network sockets:

#netstat -uta
-u: UDP
-t: TCP
-a: All

Active Internet connections (servers and established)
Proto
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp6
udp Recv-Q
0
0
0
0
0
0
0
0
0
0
0 Send-Q
0
0
0
0
0
0
0
0
0
0
0 Local Address
localhost:48898
localhost:39524
localhost:mysql
localhost:ipp
192.168.1.101:49041
localhost:39524
192.168.1.101:43706
192.168.1.101:43704
localhost:53920
*:www
*:bootpc Foreign Address
*:*
*:*
*:*
*:*
lm-in-f104.google.c:www
localhost:53920
fk-in-f104.google.c:www
fk-in-f104.google.c:www
localhost:39524
*:*
*:* State
LISTEN
LISTEN
LISTEN
LISTEN
CLOSE_WAIT
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
LISTEN
The listening state sockets are included in the output only if you specify the --listening (-l) or --all (-a) option.

The possible socket states are as follows:
(taken from the "man netstat" page)

ESTABLISHED:
SYN_SENT:
SYN_RECV:
FIN_WAIT1:
FIN_WAIT2:

TIME_WAIT:
CLOSED:
CLOSE_WAIT:
LAST_ACK:

LISTEN:

CLOSING:
UNKNOWN: The socket has an established connection.
The socket is actively attempting to establish a connection.
A connection request has been received from the network.
The socket is closed, and the connection is shutting down.
Connection is closed, and the socket is waiting for a shutdown from the remote end.
The socket is waiting after close to handle packets still in the network.
The socket is not being used.
The remote end has shut down, waiting for the socket to close.
The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.
Both sockets are shut down but we still don�t have all our data sent.
The state of the socket is unknown.
To display all the opened network sockets (extended informations):

#netstat -aute
-a: All
-u: UDP
-t: TCP
-e: Extended

Active Internet connections (servers and established)
Proto
tcp
tcp
tcp
tcp
tcp
tcp
tcp
tcp6
udp Recv-Q
0
0
0
0
0
0
0
0
0 Send-Q
0
0
0
0
0
0
0
0
0 Local Address
localhost:48898
localhost:39524
localhost:mysql
localhost:ipp
localhost:39524
localhost:53920
192.168.1.101:42745
*:www
*:bootpc Foreign Address
*:*
*:*
*:*
*:*
localhost:53920
localhost:39524
lm-in-f147.google.c:www
*:*
*:* State
LISTEN
LISTEN
LISTEN
LISTEN
ESTABLISHED
ESTABLISHED
ESTABLISHED
LISTEN
User
hplip
hplip
mysql
root
hplip
hplip
po
root
dhcp Inode
12383
12321
12635
12447
12324
12389
15781
13141
14513
To display all the listening state sockets:

#netstat -lt
-t: TCP
-l: Listening state sockets

Active Internet connections (only servers)
Proto
tcp
tcp
tcp
tcp
tcp6 Recv-Q
0
0
0
0
0 Send-Q
0
0
0
0
0 Local Address
localhost:48898
localhost:39524
localhost:mysql
localhost:ipp
*:www Foreign Address
*:*
*:*
*:*
*:*
*:* State
LISTEN
LISTEN
LISTEN
LISTEN
LISTEN
To display the summary statistics for each protocol

#netstat -s
-s: Summary statistics for each protocol.

Ip:
604 total packets received
1 with invalid addresses
0 forwarded
0 incoming packets discarded
485 incoming packets delivered
507 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
0 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
Tcp:
21 active connections openings
4 passive connection openings
0 failed connection attempts
0 connection resets received
3 connections established
351 segments received
388 segments send out
0 segments retransmited
0 bad segments received.
2 resets sent
Udp:
119 packets received
0 packets to unknown port received.
0 packet receive errors
119 packets sent
TcpExt:
5 TCP sockets finished time wait in fast timer
21 delayed acks sent
Quick ack mode was activated 10 times
31 packets directly queued to recvmsg prequeue.
15765 of bytes directly received from prequeue
105 packet headers predicted
17 packets header predicted and directly queued to user
36 acknowledgments not containing data received
11 predicted acknowledgments
0 TCP data loss events

Your suggestions are highly welcomed!
Thanks