Get Detailed Information About Particular IP address Connections Using netstat Command

February 21, 2008 · 22 comments · Last updated December 16, 2008

The netstat command, combined with shell pipes, can be used to dig out more information about the connections from a particular IP address. You can find out the total number of established connections, closing connections, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.

This is useful to find out whether your server is under attack. You can also list abusive IP addresses using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:

      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT

Dig out more information about a specific IP address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     14 ESTABLISHED
     91 TIME_WAIT
    130 FIN_WAIT2

A busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:

  15 CLOSE_WAIT
  37 LAST_ACK
  64 FIN_WAIT_1
  65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

Get List Of All Unique IP Addresses

To print a list of all unique IP addresses connected to the server, enter (sort comes before uniq because uniq only collapses adjacent duplicate lines):
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq
To print the total number of unique IP addresses, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq | wc -l
Output:

449

Find Out If Box is Under DoS Attack or Not

If you think your Linux box is under attack, print a list of open connections on your box, sorted by IP address:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:

      1 10.0.77.52
      2 10.1.11.3
      4 12.109.42.21
      6 12.191.136.3
    ...
     13 202.155.209.202
     18 208.67.222.222
     28 0.0.0.0
    233 127.0.0.1

You can simply block all abusive IPs using iptables or just null route them.
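
The per-address count described above, as an added example that is not part of the original article: it reads `netstat -atun` output, skips the header lines, matches the State column exactly, and folds IPv4-mapped `::ffff:` peers into their IPv4 address before counting. The function names `per_ip_counts`, `over_threshold` and `sample_netstat` are assumptions, and the sample rows are constructed from documentation address ranges.

```sh
#!/bin/sh
# per_ip_counts [STATE]: read `netstat -atun` output on stdin and print
# "count address" per remote peer, lowest count first. Empty STATE = any state.
per_ip_counts() {
    awk -v want="$1" '
        $1 !~ /^(tcp|udp)6?$/ { next }        # skip the two header lines
        want != "" && $6 != want { next }      # exact match on the State column
        {
            addr = $5
            sub(/:[^:]*$/, "", addr)           # drop the trailing :port (IPv6-safe)
            sub(/^::ffff:/, "", addr)          # IPv4-mapped IPv6 -> plain IPv4
            if (addr == "0.0.0.0" || addr == "::") next   # wildcard peer of a listener
            n[addr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -n
}

# over_threshold STATE LIMIT: peers with more than LIMIT sockets in STATE.
over_threshold() {
    per_ip_counts "$1" | awk -v limit="$2" '$1 > limit { print $2 }'
}

# Constructed sample in `netstat -atun` layout (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.5:40112       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:40113       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.55:51000      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:33010      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:33011      TIME_WAIT
tcp        0      0 192.0.2.10:80           198.51.100.7:33012      TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40114 ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# Stand-alone run: ESTABLISHED sockets per peer in the constructed sample.
sample_netstat | per_ip_counts ESTABLISHED
```

On a live box, pipe real output in with `netstat -atun | over_threshold ESTABLISHED 50`; the limit of 50 is an arbitrary starting point to tune against your own baseline.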

Get Live View of TCP Connections

You can use the tcptrack command to display the status of the TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list, very much like the top command.

Display Summary Statistics for Each Protocol

Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

Output:

Ip:
    88354557 total packets received
    0 forwarded
    0 incoming packets discarded
    88104061 incoming packets delivered
    96037391 requests sent out
    13 outgoing packets dropped
    66 fragments dropped after timeout
    295 reassemblies required
    106 packets reassembled ok
    66 packet reassembles failed
    34 fragments failed
Icmp:
    18108 ICMP messages received
    58 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 7173
        timeout in transit: 472
        redirects: 353
        echo requests: 10096
    28977 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 18881
        echo replies: 10096
Tcp:
    1202226 active connections openings
    2706802 passive connection openings
    7394 failed connection attempts
    47018 connection resets received
    23 connections established
    87975383 segments received
    95235730 segments send out
    681174 segments retransmited
    2044 bad segments received.
    80805 resets sent
Udp:
    92689 packets received
    14611 packets to unknown port received.
    0 packet receive errors
    96755 packets sent
TcpExt:
    48452 invalid SYN cookies received
    7357 resets received for embryonic SYN_RECV sockets
    43 ICMP packets dropped because they were out-of-window
    5 ICMP packets dropped because socket was locked
    2672073 TCP sockets finished time wait in fast timer
    441 time wait sockets recycled by time stamp
    368562 delayed acks sent
    430 delayed acks further delayed because of locked socket
    Quick ack mode was activated 36127 times
    32318597 packets directly queued to recvmsg prequeue.
    741479256 packets directly received from backlog
    1502338990 packets directly received from prequeue
    18343750 packets header predicted
    10220683 packets header predicted and directly queued to user
    17516622 acknowledgments not containing data received
    36549771 predicted acknowledgments
    102672 times recovered from packet loss due to fast retransmit
    Detected reordering 1596 times using reno fast retransmit
    Detected reordering 1 times using time stamp
    8 congestion windows fully recovered
    32 congestion windows partially recovered using Hoe heuristic
    19 congestion windows recovered after partial ack
    0 TCP data loss events
    39951 timeouts after reno fast retransmit
    29653 timeouts in loss state
    197005 fast retransmits
    186937 retransmits in slow start
    131433 other TCP timeouts
    TCPRenoRecoveryFail: 20217
    147 times receiver scheduled too late for direct processing
    29010 connections reset due to unexpected data
    365 connections reset due to early user close
    6979 connections aborted due to timeout

Display Interface Table

You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0
Output:

Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  2040929      0      0      0  3850539      0      0      0 BMRU

Other netstat related articles / tips:

  1. Get Information about All Running Services Remotely
  2. Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port

Read the following man pages for details:
$ man netstat
$ man cut
$ man awk
$ man sed
$ man grep

Updated for accuracy.

{ 22 comments… read them below or add one }

1 kotnik February 21, 2008 at 5:48 pm

There’s some mean stuff here.

Thanks for gathering it ;)

2 Dan June 25, 2008 at 10:11 am

To add to what you’ve mentioned above, in order to check for DoS attacks, there may be addresses in the output of netstat that might look something like:

:::*

So even if what I’m suggesting means writing some more code, it does the trick a little better if you ask me. So here it goes, the command for finding if you are under DoS attacks:

netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

3 Dan June 25, 2008 at 11:17 am

What I forgot to mention in my previous post is the following: this command is useful if you are running a Linux box at home or at the office, but has some problems when run on a server, especially if it’s a web server, Apache or other, and if on it there are websites that have dynamically generated content via PHP, MySQL, PostgreSQL, etc. That’s because when having such a website there are multiple connections initiated by the “website” (via the web server software) to the database (whatever it might be) and to the PHP processor, all of this from a simple page being viewed by someone. This means that a web page might generate ~20-80 connections from one IP to the server.

Hope I don’t get too cryptic in this but there’s some explaining to do. These multiple connections generated by the access to one web page remain in a TIME_WAIT state usually for 60 seconds, value established on most Linux distros by the /proc/sys/net/ipv4/tcp_fin_timeout entry. This means that one page generates 20-80 connections, which remain active (by netstat they are shown in a TIME_WAIT state) for 60 seconds. Now picture accessing 5-6 pages in such a website (say it’s a shopping website and you’re searching through categories of products), this would generate well in excess of 120-480 connections from the same IP address, thus appearing that you are being attacked, flooded, etc. If you have software running on the server to prevent flooding, it might be “smart” enough to figure it out on its own that it isn’t attacked. But if you as an individual are running the command, then you should take notice of the things said here, for it might fool you into thinking something else than what’s actually taking place.

One solution would be to add to the command the option for:


sed -n -e '/ESTABLISHED/p'

Which would scan only for connections that are in an ESTABLISHED state. A high count here would probably mean you should start taking action.

And the entire command which scans for established connections:


netstat -atun | sed -n -e '/ESTABLISHED/p' | awk '{print $5}' | sed -n -e '/[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

4 Pan August 12, 2010 at 12:58 pm

we can use below also:

netstat -atun | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' | sort | uniq -c | sort -n

5 steven hulme August 30, 2008 at 8:22 am

My netstat box will only open for 5 seconds and will not accept any type of command?

6 Gaurav December 16, 2008 at 1:34 pm

One small correction for the command
netstat --interfaces=eth0 ( original )
netstat --interfaces eth0 ( suggested )

For the copy paste user only .. others can read syntax.

7 Phil F June 16, 2009 at 11:57 am

One note about “grep {IP-address}”: The dot (.) is a wildcard to grep, so “grep 1.2.1.5” would also match 132.135.x.x.

I generally use fgrep when I don’t want any regex matching. You could also escape the dots with a backslash, or use grep -F.

8 dj July 1, 2009 at 4:41 pm

Get list of unique IP address. Add NR > 2 to awk and that’ll eliminate the netstat titles.
Like: netstat -nat | awk 'NR>2 { print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq

9 muthu July 3, 2009 at 6:23 am

nice article

10 Allyson August 30, 2009 at 8:11 pm

Great job! I just have one small question. Is there a certain netstat command that I can use to find an IP address?

11 astha goyal February 25, 2010 at 4:12 am

can we block packets in c++???
if yes,then how???

12 Juda April 23, 2011 at 10:52 am

This is a very good article, I really like to read it.
Please note that you can reduce the timeout of TCP_WAIT2; it will reduce the amount of open connections on the server significantly.

13 mb July 3, 2011 at 12:32 pm

netstat --interfaces eth0 -> netstat --interfaces=eth0

14 kiran November 14, 2011 at 10:38 am

Hi
How can I get netstat to run like the top command, which gives live connection statistics?
Do we have any script which makes this work, or any built-in switch in netstat that can do it?

any idea?

/kiran

15 kiran November 14, 2011 at 10:43 am

netstat -atulpn -o 2
Do you think that will help?

16 maedox December 5, 2011 at 9:35 am

watch -n 1 -d 'netstat -atulpn -o 2 | egrep "LISTEN|ESTABLISHED"'

17 Anuj Aggarwal April 7, 2012 at 10:27 am

Hi Vivek,

This article is very good. Can you please suggest similar utilities for the SCTP protocol, as these don’t work for SCTP?

18 Oleg March 1, 2013 at 9:27 am

Thank you for post!

19 edward August 20, 2013 at 1:48 pm

None of these commands work for anything.. I’ve tried them in even three different combinations

20 maedox August 22, 2013 at 7:56 am

There’s nothing wrong with the commands. What operating system are you on?

21 edward August 22, 2013 at 9:35 am

I got Windows XP.. I have tried some of these and nothing happens.. I have learned about using the command prompt thing last year for the netstat but I never knew of any of these commands.. but what I need is something to give a readout of the IPs when I am connected to certain people and I can use them to tell me where they are at actually and other things.. the way it is now normally it does not show or explain which numbers are or are not

22 maedox August 22, 2013 at 10:21 am

That explains it. These commands are for operating systems based on Linux, not for Windows. Actually this whole website is for Linux, so you’re in the wrong place. ;-)
