netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.

This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n

      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT

Dig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     91 TIME_WAIT
    130 FIN_WAIT2

Busy server can give out more information:
# netstat -nat |grep | awk '{print $6}' | sort | uniq -c | sort -n

  64 FIN_WAIT_1
  65 FIN_WAIT_2

Get List Of All Unique IP Address

To print list of all unique IP address connected to server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
To print total of all unique IP address, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l


Find Out If Box is Under DoS Attack or Not

If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n


You can simply block all abusive IPs using iptables or just null route them.

Get Live View of TCP Connections

You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.

Display Summary Statistics for Each Protocol

Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s


    88354557 total packets received
    0 forwarded
    0 incoming packets discarded
    88104061 incoming packets delivered
    96037391 requests sent out
    13 outgoing packets dropped
    66 fragments dropped after timeout
    295 reassemblies required
    106 packets reassembled ok
    66 packet reassembles failed
    34 fragments failed
    18108 ICMP messages received
    58 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 7173
        timeout in transit: 472
        redirects: 353
        echo requests: 10096
    28977 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 18881
        echo replies: 10096
    1202226 active connections openings
    2706802 passive connection openings
    7394 failed connection attempts
    47018 connection resets received
    23 connections established
    87975383 segments received
    95235730 segments send out
    681174 segments retransmited
    2044 bad segments received.
    80805 resets sent
    92689 packets received
    14611 packets to unknown port received.
    0 packet receive errors
    96755 packets sent
    48452 invalid SYN cookies received
    7357 resets received for embryonic SYN_RECV sockets
    43 ICMP packets dropped because they were out-of-window
    5 ICMP packets dropped because socket was locked
    2672073 TCP sockets finished time wait in fast timer
    441 time wait sockets recycled by time stamp
    368562 delayed acks sent
    430 delayed acks further delayed because of locked socket
    Quick ack mode was activated 36127 times
    32318597 packets directly queued to recvmsg prequeue.
    741479256 packets directly received from backlog
    1502338990 packets directly received from prequeue
    18343750 packets header predicted
    10220683 packets header predicted and directly queued to user
    17516622 acknowledgments not containing data received
    36549771 predicted acknowledgments
    102672 times recovered from packet loss due to fast retransmit
    Detected reordering 1596 times using reno fast retransmit
    Detected reordering 1 times using time stamp
    8 congestion windows fully recovered
    32 congestion windows partially recovered using Hoe heuristic
    19 congestion windows recovered after partial ack
    0 TCP data loss events
    39951 timeouts after reno fast retransmit
    29653 timeouts in loss state
    197005 fast retransmits
    186937 retransmits in slow start
    131433 other TCP timeouts
    TCPRenoRecoveryFail: 20217
    147 times receiver scheduled too late for direct processing
    29010 connections reset due to unexpected data
    365 connections reset due to early user close
    6979 connections aborted due to timeout

Display Interface Table

You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0

Kernel Interface table
eth0       1500   0  2040929      0      0      0  3850539      0      0      0 BMRU

Other netstat related articles / tips:

  1. Get Information about All Running Services Remotely
  2. Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port

Read following man pages for the details:
$ man netstat
$ man cut
$ man awk
$ man sed
$ man grep

Updated for accuracy.

šŸ§ Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

šŸ§ 22 comments so far... add one
CategoryList of Unix and Linux commands
Disk space analyzersncdu pydf
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
22 comments… add one
  • kotnik Feb 21, 2008 @ 17:48

    There’s some mean stuff here.

    Thanks for gathering it šŸ˜‰

  • Dan Jun 25, 2008 @ 10:11

    To add to what you’ve mentioned above, in order to check for DoS attacks, there may be addresses in the output of netstat that might look something like:


    So even if what I’m suggesting means writing some more code, it does the trick a little better if you ask me. So here it goes, the command for finding if you are under DoS attacks:

    netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/p' | sed 's/::ffff://' | cut -d: -f1 | sort | uniq -c | sort -n

  • Dan Jun 25, 2008 @ 11:17

    What I’ve forgot to mention in my previous post is the following, this command is useful if you are running a Linux box at home or at the office, but has some problems when run on a server, especially if it’s a web server, Apache or other, and if on it there are websites that have dynamically generated content via PHP, MySQL, PostgreSQL, etc. That’s because when having such a website there are multiple connections initiated by the “website” (via the web server software) to the database (whatever it might be) and to the PHP processor, all of this from a simple page being viewed by someone. This means that a web page might generate ~20-80 connections from one IP to the server.

    Hope I don’t get too cryptic in this but there’s some explaining to do. These multiple connections generated by the access to one web page remain in a TIME_WAIT state usually for 60 seconds, value established on most Linux distros by the /proc/sys/net/ipv4/tcp_fin_timeout entry. This means that one page generates 20-80 connections, which remain active (by netstat they are shown in a TIME_WAIT state) for 60 seconds. Now picture accessing 5-6 pages in such a website (say it’s a shopping website and your searching through categories of products), this would generate well in excess of 120-480 connections from the same IP address, thus appearing that you are being attacked, flooded, etc. If you have a software running on the server to prevent flooding, it might be “smart” enough to figure it out on it’s own that it isn’t attacked. But if you as an individual are running the command, then you should take notice of the things said here, for it might fool you into thinking something else than what’s actually taking place.

    One solution would be to add to the command the option for:

    sed -n -e '/ESTABLISHED/p'

    Which would scan only for connections that are in an ESTABLISHED state. A high count here would probably mean you should start taking action.

    And the entire command which scans for established connections:

    netstat -atun | awk '{print $5}' | sed -n -e '/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}/pĆ¢ā‚¬ā„¢ | sed -n -e '/ESTABLISHED/p' | sed Ć¢ā‚¬ā„¢s/::ffff://Ć¢ā‚¬ā„¢ | cut -d: -f1 | sort | uniq -c | sort -n

    • Pan Aug 12, 2010 @ 12:58

      we can use below also:

      netstat -atun | grep ESTABLISHED | awk ‘{print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ |sort | uniq -c | sort -n

  • steven hulme Aug 30, 2008 @ 8:22

    My netstat box will only open for 5 seconds and will not accept anytype of command ?.

  • Gaurav Dec 16, 2008 @ 13:34

    One small correction for the command
    netstat –interfaces=eth0 ( original )
    netstat –interfaces eth0 ( suggested )

    For the copy paste user only .. others can read syntax.

  • Phil F Jun 16, 2009 @ 11:57

    One note about “grep {IP-address}”: The dot (.) is a wildcard to grep, so “grep” would also match 132.135.x.x.

    I generally use fgrep when I don’t want any regex matching. You could also escape the dots with a backslash, or use grep -F.

  • dj Jul 1, 2009 @ 16:41

    Get list of unique IP address. Add NR > 2 to awk and that’ll eliminate the netstat titles.
    Like: netstat -nat | awk ‘NR>2 { print $5}’ | cut -d: -f1 | sed -e ‘/^$/d’ | uniq

  • muthu Jul 3, 2009 @ 6:23

    nice article

  • Allyson Aug 30, 2009 @ 20:11

    Great job! I just have one small question. Is there a certian netstat command that I can use for to find an IP address?

  • astha goyal Feb 25, 2010 @ 4:12

    can we block packets in c++???
    if yes,then how???

  • Juda Apr 23, 2011 @ 10:52

    This is very good article , i reallay like to read it,
    please note that you can reduce the timeout of TCP_WAIT2 it will reduce the amont of open conneciton on the server significaly

  • mb Jul 3, 2011 @ 12:32

    netstat –interfaces eth0 -> netstat –interfaces=eth0

  • kiran Nov 14, 2011 @ 10:38

    how can I get the netstat to run like top command which give the live connections statistics.
    Do we have any script which makes this working or any inbuild switch in netstat can do it?

    any idea?


  • kiran Nov 14, 2011 @ 10:43

    netstat -atulpn -o 2
    DO u think that will help

  • maedox Dec 5, 2011 @ 9:35

    watch -n 1 -d ‘netstat -atulpn -o 2 | egrep “LISTEN|ESTABLISHED”‘

  • Anuj Aggarwal Apr 7, 2012 @ 10:27

    Hi Vivek,

    This article is very good. Can you please suggest similar utilities for SCTP protocol as these doesn’t work for sctp.

  • Oleg Mar 1, 2013 @ 9:27

    Thank you for post!

  • edward Aug 20, 2013 @ 13:48

    non of these commands work for anything.. ove tried them in even trhee diffrent combinations

    • maedox Aug 22, 2013 @ 7:56

      There’s nothing wrong with the commands. What operating system are you on?

  • edward Aug 22, 2013 @ 9:35

    i got windows xp.. i have tried some of these and nothing happens.. i have learned about using the command prompt thing last yr for the netstat but i never knew of any of these commands.. but what i need is some thing to givea read out of the ip.s when i am connected to certain people and i can use them to tell me where they are at actaully and other things.. the way it is now nowmally it does not show or explain which numbers are or are not

    • maedox Aug 22, 2013 @ 10:21

      That explains it. These commands are for operating systems based on Linux, not for Windows. Actually this whole website is for Linux, so you’re in the wrong place. šŸ˜‰

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum