How to Use netstat Command in Linux: The Legacy Tool You Still Need to Know

If you’ve ever searched for how to troubleshoot a network issue on Linux, you’ve probably stumbled across the netstat command Linux tutorials. It’s everywhere. Older Stack Overflow answers, sysadmin wikis, certification study guides. And here’s the thing: even though netstat is technically deprecated, understanding it is still valuable. I’ll walk you through exactly how to use it, when it still makes sense, and when you should reach for its modern replacement instead.

What Is the netstat Command in Linux?

The netstat command stands for network statistics. It’s a command-line tool that shows you what’s happening with your system’s network connections. Think of it as a window into your machine’s networking activity.

With netstat, you can see:

• Active TCP and UDP connections (who’s talking to your machine)
• Listening ports (what services are waiting for connections)
• Routing tables (how traffic gets from A to B)
• Network interface statistics (packet counts, errors, drops)

I remember the first time I actually needed netstat. I was running a small home server back when I was still figuring out Linux. Something was eating bandwidth, and I had no idea what. Running netstat -anp for the first time and seeing every active connection laid out with process names was like flipping on a light switch. Suddenly I could see that a forgotten Transmission daemon was seeding about forty torrents in the background. Lesson learned.

Why netstat Is Deprecated (And Why You Still See It Everywhere)

Here’s something most tutorials won’t tell you up front: netstat has been deprecated since around 2010. The net-tools package it belongs to hasn’t seen active development in years. Even the netstat man page itself states “This program is mostly obsolete.”

Get a VPS from as low as $11/year! WOW!

That’s not just a label. As one TecMint Linux expert notes:

“Unmaintained software is dangerous and poses a great security risk to Linux systems.”

So why does it keep showing up? Simple: legacy. Thousands of tutorials, scripts, and monitoring setups still reference netstat. If you work with older systems or follow documentation that hasn’t been updated, you’ll run into it constantly. It’s also worth noting that netstat isn’t alone here. Other net-tools commands like ifconfig are also deprecated in favor of the ip command.

Installing netstat on Linux

On many modern distros, netstat isn’t installed by default. You’ll need the net-tools package. Here’s how to get it.

Ubuntu/Debian Installation

sudo apt update
sudo apt install net-tools

RHEL/CentOS/Fedora Installation

sudo dnf install net-tools

Arch Linux Installation

sudo pacman -S net-tools

To check if netstat is already installed, just run which netstat or netstat --version. If you get “command not found,” install net-tools using the commands above.

Basic netstat Command Syntax

The command structure is straightforward:

netstat [options]

You can combine multiple flags in a single command. For example, netstat -tulpn combines five flags at once. Each flag filters or formats the output differently. Let me walk you through the most useful ones.

Essential netstat Commands and Examples

This is where things get practical. I use Arch btw, but these commands work the same across every distro.

Display All Active Connections (netstat -a)

netstat -a

This shows every connection on your system, including listening and non-listening sockets. Fair warning: the output can be massive. I usually combine this with grep to filter down to what I actually need.

Show Listening Ports (netstat -l)

netstat -l

This filters to only show ports actively waiting for incoming connections. It’s one of the first commands I run when setting up a new service. If your web server isn’t responding, checking whether it’s actually listening is step one. For a deeper dive on this topic, check out our guide on checking open ports in Linux.

List TCP Connections Only (netstat -t)

netstat -t

Filters output to TCP connections. Since most web traffic, SSH sessions, and database connections use TCP, this is often more useful than seeing everything at once.

List UDP Connections Only (netstat -u)

netstat -u

Shows UDP connections. Useful for DNS lookups, VPN tunnels, and streaming services. UDP traffic is less common to troubleshoot, but when you need it, you need it.

Display Numeric Addresses (netstat -n)

netstat -n

Skips DNS resolution and shows raw IP addresses and port numbers. This makes the output load much faster, especially on systems with many connections. I almost always use -n by default.

Show Process Information (netstat -p)

sudo netstat -p

Adds the PID and program name for each connection. You’ll need sudo to see processes owned by other users. This is the flag that answers “what program is using port 8080?”

View Routing Table (netstat -r)

netstat -r

Displays your system’s routing table. Similar to route or ip route. Helpful for diagnosing why traffic isn’t reaching the right gateway.

Display Network Interface Statistics (netstat -i)

netstat -i

Shows a summary of each network interface with packet counts, errors, and dropped packets. A quick way to spot hardware or driver issues.

Show Network Protocol Statistics (netstat -s)

netstat -s

Dumps detailed statistics broken down by protocol (TCP, UDP, ICMP, IP). Great for spotting retransmission issues or unusual error rates.

Real-World netstat Use Cases

Knowing the flags is one thing. Knowing when to use them is what separates troubleshooting from guessing. Here are the scenarios where I actually reach for netstat.

Finding Which Process Is Using a Port

sudo netstat -tulpn | grep :80

This is probably the most common real-world use. You’re trying to start Apache or Nginx, and it fails because something else already has port 80. This command tells you exactly what’s hogging it. You can also use the lsof command for the same purpose.

Checking for Established Connections

netstat -anp | grep ESTABLISHED

Shows only active, live connections. Useful for seeing who’s currently connected to your SSH server or database.

Monitoring Network Traffic

netstat -c

The -c flag runs netstat in continuous mode, refreshing every second. It’s a basic live monitor. For deeper packet-level analysis, you’d want tcpdump for packet analysis instead.

Diagnosing Connection Issues

When things go wrong on a network, I follow a simple flow: Is the service listening? Are connections being established? Are there timeout or error states piling up? Running netstat -tulpn followed by netstat -s usually answers the first questions fast. For a more complete methodology, Red Hat’s network troubleshooting guide lays out a solid systematic approach. You can also check out our full network troubleshooting guide for Linux-specific workflows.

Understanding netstat Output

The output can look intimidating at first. Let me break it down.

Reading the Columns

When you run netstat -anp, you’ll see columns like this:

Proto  Recv-Q  Send-Q  Local Address     Foreign Address    State       PID/Program
tcp    0       0       0.0.0.0:22        0.0.0.0:*          LISTEN      1234/sshd
tcp    0       0       192.168.1.5:22    10.0.0.1:54321     ESTABLISHED 5678/sshd

• Proto: Protocol (TCP or UDP)
• Recv-Q / Send-Q: Data queued for receiving/sending (non-zero values can indicate problems)
• Local Address: Your machine’s IP and port
• Foreign Address: The remote IP and port
• State: Connection status
• PID/Program: Process ID and name (requires sudo)

Connection States Explained

The State column tells you where a connection is in its lifecycle:

• LISTEN: Waiting for incoming connections (your server is ready)
• ESTABLISHED: Active, working connection
• TIME_WAIT: Connection closed, waiting for stray packets to clear (normal, but many can indicate issues)
• CLOSE_WAIT: Remote side closed, your app hasn’t yet (often a bug)
• SYN_SENT: Connection request sent, waiting for response
• SYN_RECV: Connection request received, sending back acknowledgment
• FIN_WAIT: Waiting for the connection to fully close

If you see hundreds of CLOSE_WAIT connections piling up, that’s usually a sign your application isn’t properly closing sockets. I’ve chased that particular bug more times than I’d like to admit on my homelab Docker containers.

netstat vs ss: Why You Should Switch

Let’s be real: if you’re on a modern Linux system, you should be using ss for most tasks. Here’s why.

The ss command uses the Netlink kernel interface to gather socket data directly. netstat reads from /proc files, which involves copying data from kernel space to user space. On a busy server with thousands of open sockets, this difference matters. ss is noticeably faster.

Here’s a quick comparison of equivalent commands:

The flags are nearly identical, which makes switching easy. The Linux Foundation’s guide to ss is a great starting point if you want to dive deeper. And our own ss command guide covers everything you need for daily use.

Common netstat Flags and Options Reference

The most popular combination? netstat -tulpn. It gives you TCP and UDP listening ports with numeric addresses and process names. Commit that one to memory.

Troubleshooting Common netstat Issues

A few problems come up again and again. Here’s how to handle them.

Command Not Found

If you see bash: netstat: command not found, the net-tools package isn’t installed. Scroll back up to the installation section for your distro’s command. On newer systems, this is expected since many distros no longer include net-tools by default.

Permission Denied on -p Flag

Running netstat -p without sudo will show your own processes but hide everything else. The PID/Program column will be blank for processes owned by root or other users. Fix: run with sudo netstat -tulpn.

Empty or Unexpected Output

If netstat returns nothing, double-check your flags. Running netstat -l only shows listening sockets. If no services are listening, the output will be empty. Try netstat -a for a broader view. Also make sure you’re not accidentally filtering too aggressively with grep.

Conclusion: Learn netstat, But Embrace ss

The netstat command is one of those tools every Linux user should understand. It teaches you how network connections work, how to interpret socket states, and how to think about what’s happening under the hood. I still catch myself reaching for netstat -tulpn out of pure muscle memory sometimes.

But for day-to-day work on modern systems? Make the switch to ss. It’s faster, better maintained, and does everything netstat does. The transition is painless since the flags are almost identical.

If you’re building your Linux networking toolkit, start here and then keep going. Check out our ss command guide for the modern approach. Explore checking open ports in Linux for security auditing. And if you run into deeper issues, our network troubleshooting guide has you covered.

Open a terminal and try both netstat -tulpn and ss -tulpn side by side. Compare the output. You’ll see why the community has moved on, but you’ll also understand why knowing netstat still matters.

Alexa Velinxs

I'm Alexa Velinxs, a cryptocurrency trading expert passionate about demystifying digital assets for both beginners and seasoned investors. Through my writing, I share actionable strategies, market insights, and practical tips to help you navigate the crypto landscape with confidence. Let's explore the future of finance together.

See Full Bio