Useful Commands To Monitor Network Traffic Using Netstat

netstat (network statistics) is a command-line tool that displays network connections (incoming and outgoing), routing tables, and per-interface and per-protocol statistics. It is also useful for monitoring network traffic and services, and it is especially handy in an emergency such as a DDoS attack, when you need to see quickly how many connections are open, in which state, and from which hosts.

In this post I describe some useful netstat options related to network traffic monitoring. For a detailed description of all netstat options, refer to the netstat man page. Note that on current Linux distributions netstat ships in the net-tools package and is considered deprecated in favour of ss from iproute2; ss -ant shows the same information, but its column order differs (the state is the first column), so the awk field numbers in the pipelines below have to be adjusted for it.

1. Show all active TCP connections (-a: all sockets including listeners, -n: numeric addresses with no reverse DNS lookups, -t: TCP only)

>netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.0.53:443 1.9.99.169:11878 ESTABLISHED
tcp 0 0 127.0.0.1:8807 127.0.0.1:40623 TIME_WAIT
tcp 0 0 10.0.0.53:443 10.0.0.244:40349 TIME_WAIT
tcp 0 0 10.0.0.53:443 122.108.41.63:51532 ESTABLISHED
tcp 0 0 10.0.0.53:443 93.161.106.118:49711 FIN_WAIT2
tcp 0 0 10.0.0.53:443 174.120.146.138:56400 TIME_WAIT

2. Filter all active TCP connections to a specific port
>netstat -ant | grep {port-number}

Keep in mind that a bare grep for the number matches it anywhere in the line: a local port such as 4430, a foreign port, or digits inside an IP address. Searching for ':443 ' (colon before, space after) restricts the match to port 443 in either address column.

>netstat -ant | grep 443
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.0.53:443 10.0.0.244:57812 TIME_WAIT
tcp 0 0 10.0.0.53:443 180.191.13.157:56346 FIN_WAIT2
tcp 0 0 10.0.0.53:443 194.219.45.50:54375 ESTABLISHED
tcp 0 0 10.0.0.53:443 10.0.0.244:56596 TIME_WAIT
tcp 0 741 10.0.0.53:443 217.33.135.226:61330 ESTABLISHED
tcp 0 0 10.0.0.53:443 10.0.0.244:59475 TIME_WAIT
tcp 0 0 10.0.0.53:443 10.0.0.244:57851 TIME_WAIT

3. Number of all active TCP connections to a specific port
>netstat -ant | grep {port-number} | wc -l
>netstat -ant | grep 443 | wc -l
114

4. Number of all active MySQL TCP connections (MySQL listens on port 3306 by default)
>netstat -ant | grep {port-number} | wc -l
>netstat -ant | grep 3306 | wc -l
15

5. State count for all TCP connections
>netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n

The "Foreign" and "established)" entries in the output below are not connection states; they are the sixth field of the two header lines netstat prints. Either ignore them when reading the counts or drop the first two lines of netstat's output before the awk.
1 CLOSE_WAIT
1 CLOSING
1 Foreign
1 LAST_ACK
1 SYN_RECV
1 established)
5 FIN_WAIT2
10 LISTEN
71 ESTABLISHED
117 TIME_WAIT

6. State count for a specific TCP port
>netstat -ant | grep {port-number} | awk '{print $6}' | sort | uniq -c | sort -n
>netstat -ant | grep :443 | awk '{print $6}' | sort | uniq -c | sort -n

1 CLOSE_WAIT
2 LISTEN
3 FIN_WAIT2
27 ESTABLISHED
64 TIME_WAIT

7. Foreign address connection count for all TCP connections
>netstat -ant | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

This gives the number of connections per remote host, which is the quickest way to spot a single source holding hundreds of connections during an attack. Note that cut -d: -f1 keeps everything before the first colon, so it is correct for IPv4 peers but truncates IPv6 peers to their first address group.

1 101.50.80.171
1 101.63.216.66
1 207.115.103.90
2 90.203.216.55
3 112.198.82.170

8. Foreign address connection count for a specific TCP port

>netstat -ant | grep {port-number} | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
>netstat -ant | grep :443 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

1 94.71.138.82
1 96.57.59.60
2 182.189.164.85
2 93.219.159.69
3 113.210.130.115
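The one-liners in sections 2 to 8 are quick to type but share three weak spots: a bare grep for the port number also matches other ports and IP digits, the two netstat header lines leak into the state counts, and cut -d: -f1 mangles IPv6 peers. The script below is an added example written for this post (my own code, not part of the original or of netstat) that wraps the same pipelines in shell functions which skip the header, match the local port exactly and strip only the last ":port" from the peer address. It runs offline against a constructed netstat -ant listing embedded in the script; on a real host replace the echo of SAMPLE with the live netstat command.

```shell
#!/bin/sh
# Added example: header-safe, port-exact versions of the netstat pipelines.
# Not from the original post. Usage on a live host:
#   netstat -ant | conn_states 443
#   netstat -ant | foreign_hosts 443
#   netstat -ant | conn_count 443

# Fixed byte-order collation so sort output is deterministic across locales.
export LC_ALL=C

# Constructed sample of `netstat -ant` output (made up for this example,
# not captured from a real host). Includes the two header lines, a local
# port 4430 and a peer 1.4.43.7 that a bare "grep 443" would wrongly match,
# and IPv6 rows that "cut -d: -f1" would truncate.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.53:443           1.9.99.169:11878        ESTABLISHED
tcp        0      0 10.0.0.53:443           10.0.0.244:40349        TIME_WAIT
tcp        0      0 10.0.0.53:443           93.161.106.118:49711    FIN_WAIT2
tcp        0      0 10.0.0.53:443           93.161.106.118:49712    ESTABLISHED
tcp        0      0 10.0.0.53:4430          203.0.113.9:51532       ESTABLISHED
tcp        0      0 10.0.0.53:22            1.4.43.7:55555          ESTABLISHED
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 2001:db8::53:443        2001:db8::9:40001       ESTABLISHED'

# Drop the two header lines so "Foreign" and "established)" never get counted.
rows() { awk 'NR > 2'; }

# Keep rows whose LOCAL port ($4, text after the last colon) equals $1 exactly.
# Splitting on ":" and taking the last piece works for IPv4 and IPv6 columns.
by_local_port() {
    awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) print }'
}

# Section 5/6: state histogram, optionally restricted to one local port.
# sort -k1,1n -k2,2 orders by count, then by state name, for stable output.
conn_states() {
    if [ -n "$1" ]; then rows | by_local_port "$1"; else rows; fi |
        awk '{ print $6 }' | sort | uniq -c |
        sort -k1,1n -k2,2 | awk '{ print $1, $2 }'
}

# Section 7/8: connections per remote host. Strip only the text after the
# LAST colon so IPv6 peers survive; skip LISTEN rows, whose peer is "*".
foreign_hosts() {
    if [ -n "$1" ]; then rows | by_local_port "$1"; else rows; fi |
        awk '$6 != "LISTEN" { sub(/:[^:]*$/, "", $5); print $5 }' |
        sort | uniq -c | sort -k1,1n -k2,2 | awk '{ print $1, $2 }'
}

# Section 3/4: number of sockets (including the listener) on a local port.
conn_count() { rows | by_local_port "$1" | wc -l | tr -d ' '; }

# Demo run against the constructed sample.
echo "== states on :443 ==";  echo "$SAMPLE" | conn_states 443
echo "== peers on :443 ==";   echo "$SAMPLE" | foreign_hosts 443
echo "== sockets on :443 =="; echo "$SAMPLE" | conn_count 443
```

In the sample, conn_count 443 reports 7 sockets, while conn_count 4430 and conn_count 22 each report 1, which is exactly the distinction grep 443 loses; the IPv6 peer appears as 2001:db8::9 rather than as a bare 2001.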

Senior Technical Consultant - Solution Architect - JAVA

Posted in Cloud Computing, Linux, Security
