Netstat Command Line Tips and Tricks

Introduction

Netstat is a command line network statistics tool that is used for checking your network configuration and activity.

It displays both incoming and outgoing network connections, routing tables, network interface and network protocol statistics.

It is available on Unix operating systems such as Linux, Solaris and BSD, and on Windows-based operating systems such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

Netstat is a very important tool for network administrators: it helps troubleshoot network-related problems and shows the amount of traffic on the network as a performance measurement.

Netstat provides the following statistics:

  • The name of the protocol TCP or UDP.
  • The IP address of the local system with the port number in use, or the name of the local system with the name of the port.
  • The IP address and port number of the remote system with connected socket.
  • The possible states such as CLOSE_WAIT, ESTABLISHED, CLOSED, FIN_WAIT_1, FIN_WAIT_2, LISTEN, SYN_RECEIVED, SYN_SEND, LAST_ACK, and TIME_WAIT.

In this tutorial, we will learn some useful netstat command line tips and tricks.

Requirements

Any Linux based operating system installed on your computer or server.

Netstat Help

To list all available switches of the netstat command, run the following command:

netstat -h

Output:

    usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
           netstat [-vWnNcaeol] [<Socket> ...]
           netstat { [-vWeenNac] -i | [-cWnNe] -M | -s }

            -r, --route              display routing table
            -i, --interfaces         display interface table
            -g, --groups             display multicast group memberships
            -s, --statistics         display networking statistics (like SNMP)
            -M, --masquerade         display masqueraded connections

            -v, --verbose            be verbose
            -W, --wide               don't truncate IP addresses
            -n, --numeric            don't resolve names
            --numeric-hosts          don't resolve host names
            --numeric-ports          don't resolve port names
            --numeric-users          don't resolve user names
            -N, --symbolic           resolve hardware names
            -e, --extend             display other/more information
            -p, --programs           display PID/Program name for sockets
            -c, --continuous         continuous listing

            -l, --listening          display listening server sockets
            -a, --all, --listening   display all sockets (default: connected)
            -o, --timers             display timers
            -F, --fib                display Forwarding Information Base (default)
            -C, --cache              display routing cache instead of FIB

      <Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
      <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
      List of possible address families (which support routing):
        inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
        netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
        x25 (CCITT X.25)

List All TCP and UDP Connections

To list out only tcp connections, run:

netstat -at

Output:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 localhost:mysql         *:*                     LISTEN     
    tcp        0      0 *:ssh                   *:*                     LISTEN     
    tcp        0      0 Node1.mshome.net:ssh    Vyom-PC.mshome.ne:36405 ESTABLISHED
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 [::]:http               [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
    tcp6       0      0 [::]:https              [::]:*                  LISTEN     
    tcp6       0      0 [::]:36351              [::]:*                  LISTEN     
    tcp6       0      0 [::]:2181               [::]:*                  LISTEN

Similarly, use the following command to list all udp connections:

netstat -au

Output:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    udp        0      0 *:16305                 *:*                                
    udp        0      0 *:bootpc                *:*                                
    udp6       0      0 [::]:60495              [::]:*                             

List All Connections

To list out all the current tcp and udp port connections, run the following command:

netstat -a

Output:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 localhost:mysql         *:*                     LISTEN     
    tcp        0      0 *:ssh                   *:*                     LISTEN     
    tcp        0      0 Node1.mshome.net:ssh    Vyom-PC.mshome.ne:36405 ESTABLISHED
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 [::]:http               [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
    tcp6       0      0 [::]:https              [::]:*                  LISTEN     
    tcp6       0      0 [::]:36351              [::]:*                  LISTEN     
    tcp6       0      0 [::]:2181               [::]:*                  LISTEN     
    udp        0      0 *:16305                 *:*                                
    udp        0      0 *:bootpc                *:*                                
    udp6       0      0 [::]:60495              [::]:*                             
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  2      [ ACC ]     STREAM     LISTENING     7945     /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     SEQPACKET  LISTENING     7480     /run/udev/control
    unix  2      [ ACC ]     STREAM     LISTENING     9796     /var/run/mysqld/mysqld.sock
    unix  2      [ ACC ]     STREAM     LISTENING     7146     @/com/ubuntu/upstart
    unix  7      [ ]         DGRAM                    8099     /dev/log
    unix  2      [ ACC ]     STREAM     LISTENING     9126     /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     9531     flaskproject.sock

The above command shows you all connections from different protocols like tcp, udp and unix sockets.

List All Listening Ports

To list all listening ports, run the following command:

netstat -l

Output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 localhost:mysql         *:*                     LISTEN     
    tcp        0      0 *:ssh                   *:*                     LISTEN     
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 [::]:http               [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
    tcp6       0      0 [::]:https              [::]:*                  LISTEN     
    tcp6       0      0 [::]:36351              [::]:*                  LISTEN     
    tcp6       0      0 [::]:2181               [::]:*                  LISTEN     
    udp        0      0 *:16305                 *:*                                
    udp        0      0 *:bootpc                *:*                                
    udp6       0      0 [::]:60495              [::]:*

List All TCP Listening Ports

To list only tcp listening ports run the following command:

netstat -lt

Output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 localhost:mysql         *:*                     LISTEN     
    tcp        0      0 *:ssh                   *:*                     LISTEN     
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN     
    tcp6       0      0 [::]:http               [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN     
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN     
    tcp6       0      0 [::]:https              [::]:*                  LISTEN     
    tcp6       0      0 [::]:36351              [::]:*                  LISTEN     
    tcp6       0      0 [::]:2181               [::]:*                  LISTEN

List All UDP Listening Ports

To list only udp listening ports, run the following command:

netstat -lu

Output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    udp        0      0 *:16305                 *:*                                
    udp        0      0 *:bootpc                *:*                                
    udp6       0      0 [::]:60495              [::]:*

List All Unix Listening Sockets

You can list all listening Unix domain sockets by running the following command:

netstat -lx

Output:

    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  2      [ ACC ]     STREAM     LISTENING     7945     /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     SEQPACKET  LISTENING     7480     /run/udev/control
    unix  2      [ ACC ]     STREAM     LISTENING     9796     /var/run/mysqld/mysqld.sock
    unix  2      [ ACC ]     STREAM     LISTENING     7146     @/com/ubuntu/upstart
    unix  2      [ ACC ]     STREAM     LISTENING     9126     /var/run/acpid.socket
    unix  2      [ ACC ]     STREAM     LISTENING     9531     flaskproject.sock

Display Network Information

You can print out the information about the network interfaces by running the following command:

netstat -i

Output:

    Kernel Interface table
    Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
    eth0       1500 0      1051      0      0 0           649      0      0      0 BMRU
    lo        65536 0        65      0      0 0            65      0      0      0 LRU

The above command displays information in a very raw format. To get more information run the following command:

netstat -ie

Output:

    Kernel Interface table
    eth0      Link encap:Ethernet  HWaddr 08:00:27:6c:2d:a6  
              inet addr:192.168.137.91  Bcast:192.168.137.255  Mask:255.255.255.0
              inet6 addr: fe80::a00:27ff:fe6c:2da6/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:573 errors:0 dropped:0 overruns:0 frame:0
              TX packets:403 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:56080 (56.0 KB)  TX bytes:62412 (62.4 KB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:65 errors:0 dropped:0 overruns:0 frame:0
              TX packets:65 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:6364 (6.3 KB)  TX bytes:6364 (6.3 KB)

Displaying RAW Network Statistics

You can use the following command to display the raw network statistics:

netstat --statistics --raw

Output:

    Ip:
        72893 total packets received
        0 forwarded
        0 incoming packets discarded
        72888 incoming packets delivered
        83458 requests sent out
        8 outgoing packets dropped
        16 dropped because of missing route
    Icmp:
        493 ICMP messages received
        0 input ICMP message failed.
        ICMP input histogram:
            destination unreachable: 493
        927 ICMP messages sent
        0 ICMP messages failed
        ICMP output histogram:
            destination unreachable: 927
    IcmpMsg:
            InType3: 493
            OutType3: 927
    UdpLite:
    IpExt:
        InNoRoutes: 4
        InMcastPkts: 161
        OutMcastPkts: 177
        InBcastPkts: 366
        OutBcastPkts: 355
        InOctets: 36976311
        OutOctets: 10651904
        InMcastOctets: 21555
        OutMcastOctets: 22195
        InBcastOctets: 60984
        OutBcastOctets: 57358
        InNoECTPkts: 72893

Display IPv4 and IPv6 Multicast Group Information

To display the multicast group memberships for both IPv4 and IPv6, run the following command:

netstat -g

Output:

    IPv6/IPv4 Group Memberships
    Interface       RefCnt Group
    --------------- ------ ---------------------
    lo              1      all-systems.mcast.net
    eth0            1      all-systems.mcast.net
    lo              1      ip6-allnodes
    lo              1      ff01::1
    eth0            1      ff02::1:ff6c:2da6
    eth0            1      ip6-allnodes
    eth0            1      ff01::1

Print Netstat Information Continuously

To print netstat command output continuously, run the following command:

netstat -c

Output:

    Active Internet connections (w/o servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 Node1.mshome.net:ssh    Vyom-PC.mshome.ne:36405 ESTABLISHED
    Active UNIX domain sockets (w/o servers)
    Proto RefCnt Flags       Type       State         I-Node   Path
    unix  7      [ ]         DGRAM                    8099     /dev/log
    unix  3      [ ]         STREAM     CONNECTED     7464     @/com/ubuntu/upstart
    unix  3      [ ]         DGRAM                    7520     
    unix  3      [ ]         DGRAM                    7519     
    unix  2      [ ]         STREAM     CONNECTED     10686    
    unix  3      [ ]         STREAM     CONNECTED     8526     @/com/ubuntu/upstart
    unix  2      [ ]         DGRAM                    9115     
    unix  3      [ ]         STREAM     CONNECTED     8003     @/com/ubuntu/upstart
    unix  2      [ ]         DGRAM                    8259     
    unix  3      [ ]         STREAM     CONNECTED     7923     
    unix  2      [ ]         DGRAM                    11466    
    unix  3      [ ]         STREAM     CONNECTED     8004     
    unix  3      [ ]         STREAM     CONNECTED     8279     /var/run/dbus/system_bus_socket
    unix  2      [ ]         STREAM     CONNECTED     10008    
    unix  3      [ ]         STREAM     CONNECTED     7459     
    unix  2      [ ]         DGRAM                    11060    
    unix  2      [ ]         STREAM     CONNECTED     10966    
    unix  3      [ ]         STREAM     CONNECTED     8413     
    unix  2      [ ]         DGRAM                    11176    
    unix  3      [ ]         STREAM     CONNECTED     7962     
    unix  3      [ ]         STREAM     CONNECTED     7963     
    unix  3      [ ]         STREAM     CONNECTED     8005     /var/run/dbus/system_bus_socket
    unix  2      [ ]         STREAM     CONNECTED     9799     
    unix  3      [ ]         STREAM     CONNECTED     8278     

List process name, pid and user id

If you want to know the process name and pid that has opened a port or connection, run the following command:

netstat -nlpt

Output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1158/mysqld     
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      859/sshd        
    tcp6       0      0 ::1:9200                :::*                    LISTEN      1610/java       
    tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      1610/java       
    tcp6       0      0 :::80                   :::*                    LISTEN      1966/apache2    
    tcp6       0      0 ::1:9300                :::*                    LISTEN      1610/java       
    tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      1610/java       
    tcp6       0      0 :::22                   :::*                    LISTEN      859/sshd        
    tcp6       0      0 :::443                  :::*                    LISTEN      1966/apache2    
    tcp6       0      0 :::36351                :::*                    LISTEN      857/java        
    tcp6       0      0 :::2181                 :::*                    LISTEN      857/java

You can also list process name with uid by running the following command:

netstat -ltpe

Output:

    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
    tcp        0      0 localhost:mysql         *:*                     LISTEN      mysql      9795        1158/mysqld     
    tcp        0      0 *:ssh                   *:*                     LISTEN      root       9183        859/sshd        
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN      elasticsearch 11013       1610/java       
    tcp6       0      0 localhost:9200          [::]:*                  LISTEN      elasticsearch 11012       1610/java       
    tcp6       0      0 [::]:http               [::]:*                  LISTEN      root       10775       1966/apache2    
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN      elasticsearch 10968       1610/java       
    tcp6       0      0 localhost:9300          [::]:*                  LISTEN      elasticsearch 10965       1610/java       
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      root       9190        859/sshd        
    tcp6       0      0 [::]:https              [::]:*                  LISTEN      root       10779       1966/apache2    
    tcp6       0      0 [::]:36351              [::]:*                  LISTEN      zookeeper  9801        857/java        
    tcp6       0      0 [::]:2181               [::]:*                  LISTEN      zookeeper  10017       857/java

The above command is very useful for finding the username/uid that owns a particular process: the output adds User and Inode columns alongside the PID and program name. This is a very useful command for network administrators.
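A listener inventory is most useful when it separates services reachable from the network from those bound to loopback. The following is an added example, not part of the original tutorial: the function name `exposed_listeners` is an assumption, and the sample rows are copied from the `netstat -nlpt` output shown above.

```shell
#!/bin/sh
# Added example: report TCP listeners that are NOT bound to loopback,
# using the column layout of `netstat -nlpt` shown in this tutorial.

# exposed_listeners: reads `netstat -nlpt` output on stdin and prints
# "PORT PROGRAM" once per exposed service, sorted by port number.
exposed_listeners() {
    awk '
        # Keep only TCP rows in LISTEN state; this also drops header lines.
        $1 !~ /^tcp/ || $6 != "LISTEN" { next }
        {
            bind = $4; port = $4
            sub(/:[^:]*$/, "", bind)   # address = text before the LAST colon
            sub(/^.*:/, "", port)      # port    = text after the LAST colon
            # Loopback-only listeners are not reachable from the network.
            if (bind ~ /^127\./ || bind == "::1") next
            prog = $7
            sub(/^[0-9]+\//, "", prog) # "859/sshd" -> "sshd"
            # Without root, netstat prints "-" instead of PID/Program name.
            if (prog == "-" || prog == "") prog = "unknown"
            key = port " " prog
            # 0.0.0.0:22 and :::22 are the same service; report it once.
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' | sort -n
}

# Sample input: rows taken from the `netstat -nlpt` output on this page.
sample_listeners() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1158/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      859/sshd
tcp6       0      0 ::1:9200                :::*                    LISTEN      1610/java
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      1610/java
tcp6       0      0 :::80                   :::*                    LISTEN      1966/apache2
tcp6       0      0 ::1:9300                :::*                    LISTEN      1610/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      1610/java
tcp6       0      0 :::22                   :::*                    LISTEN      859/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      1966/apache2
tcp6       0      0 :::36351                :::*                    LISTEN      857/java
tcp6       0      0 :::2181                 :::*                    LISTEN      857/java
EOF
}

# On a live host: sudo netstat -nlpt | exposed_listeners
sample_listeners | exposed_listeners
```

In the sample, mysqld (3306) and the java process on 9200/9300 are loopback-only and drop out, while the java process on 2181 and 36351 is listening on every interface.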

Disable Reverse DNS Lookup for Faster Output

When you run the netstat command, it tries to find the hostname of each IP address in the connection by doing a reverse DNS lookup, which slows down the output. If you only need the IP addresses, skip the hostname lookup by running the following command:

netstat -ant

Output:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
    tcp        0      0 192.168.137.91:22       192.168.137.130:36405   ESTABLISHED
    tcp6       0      0 ::1:9200                :::*                    LISTEN     
    tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN     
    tcp6       0      0 :::80                   :::*                    LISTEN     
    tcp6       0      0 ::1:9300                :::*                    LISTEN     
    tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN     
    tcp6       0      0 :::22                   :::*                    LISTEN     
    tcp6       0      0 :::443                  :::*                    LISTEN     
    tcp6       0      0 :::36351                :::*                    LISTEN     
    tcp6       0      0 :::2181                 :::*                    LISTEN     

Verify DDOS Attacks

To display all active internet connections to the server, run the following command:

netstat -na

Output:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State      
    tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
    tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN     
    tcp        0      0 10.0.3.1:53             0.0.0.0:*               LISTEN     
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
    tcp        0    181 192.168.43.4:51550      74.125.200.105:443      ESTABLISHED
    tcp        0      0 192.168.137.130:48314   162.243.43.181:80       ESTABLISHED
    tcp        0      0 192.168.137.130:48307   162.243.43.181:80       ESTABLISHED
    tcp        0      0 192.168.137.130:48311   162.243.43.181:80       TIME_WAIT  
    tcp        0   3130 192.168.43.4:33282      74.125.200.94:443       FIN_WAIT1  
    tcp        0    354 192.168.137.130:46685   52.84.105.226:80        ESTABLISHED
    tcp        0      0 192.168.137.130:33093   75.126.153.202:80       ESTABLISHED
    tcp        0      0 192.168.137.130:33101   75.126.153.202:80       ESTABLISHED
    tcp        0      1 192.168.137.130:52242   74.125.130.95:80        FIN_WAIT1  
    tcp        0      0 192.168.137.130:48308   162.243.43.181:80       ESTABLISHED
    tcp        0      0 192.168.137.130:50452   192.0.73.2:80           TIME_WAIT  
    tcp        0      0 192.168.137.130:33076   75.126.153.202:80       TIME_WAIT  
    tcp        0      0 192.168.137.130:52236   74.125.130.95:80        ESTABLISHED
    tcp        0    178 192.168.43.4:51551      74.125.200.105:443      FIN_WAIT1  
    tcp        0      1 192.168.43.4:52630      162.243.43.181:80       LAST_ACK   
    tcp        0      1 192.168.43.4:52623      162.243.43.181:80       LAST_ACK   
    tcp        0      0 192.168.137.130:48315   162.243.43.181:80       ESTABLISHED
    tcp        0      0 192.168.137.130:33079   75.126.153.202:80       TIME_WAIT  
    tcp        0      1 192.168.137.130:52241   74.125.130.95:80        FIN_WAIT1  
    tcp        0      0 192.168.137.130:33077   75.126.153.202:80       TIME_WAIT  
    tcp        0      1 192.168.137.130:33098   75.126.153.202:80       FIN_WAIT1  
    tcp        0      0 192.168.137.130:48320   162.243.43.181:80       ESTABLISHED
    tcp        0      0 192.168.137.130:48318   162.243.43.181:80       ESTABLISHED
    tcp        0      0 192.168.137.130:52237   74.125.130.95:80        ESTABLISHED
    tcp        0      1 192.168.137.130:33096   75.126.153.202:80       FIN_WAIT1  
    tcp        0      0 192.168.137.130:49134   216.58.199.163:80       TIME_WAIT  
    tcp        0    480 192.168.43.4:52622      162.243.43.181:80       FIN_WAIT1  
    tcp        0      1 192.168.137.130:52238   74.125.130.95:80        FIN_WAIT1  
    tcp        0      0 192.168.137.130:50459   192.0.73.2:80           TIME_WAIT  
    tcp        0      0 192.168.137.130:49135   216.58.199.163:80       TIME_WAIT  
    tcp        0      1 192.168.137.130:49130   216.58.199.163:80       LAST_ACK   
    tcp        0      1 192.168.43.4:52595      162.243.43.181:80       FIN_WAIT1  
    tcp        0      0 192.168.137.130:48309   162.243.43.181:80       TIME_WAIT  
    tcp        0      1 192.168.43.4:52626      162.243.43.181:80       LAST_ACK   
    tcp        0      0 192.168.137.130:46686   52.84.105.226:80        ESTABLISHED
    tcp        0      1 192.168.137.130:33100   75.126.153.202:80       FIN_WAIT1  
    tcp        0      0 192.168.137.130:50458   192.0.73.2:80           ESTABLISHED
    tcp        0      0 192.168.137.130:33078   75.126.153.202:80       ESTABLISHED

To display only active connections to the server on port 80, run the following command:

sudo netstat -an | grep :80 | sort

Output:

    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
    tcp        0      1 192.168.137.130:39239   52.222.135.39:80        LAST_ACK   
    tcp        0      1 192.168.137.130:48354   162.243.43.181:80       LAST_ACK   
    tcp        0    587 192.168.137.130:33127   75.126.153.202:80       LAST_ACK   
    tcp6       0      0 :::80                   :::*                    LISTEN     

If you want to see the active SYN_REC connections on the server (Linux netstat prints this state as SYN_RECV, which the pattern also matches), run the following command:

sudo netstat -n -p | grep SYN_REC | sort -u

You can also count the SYN_REC connections, which helps you recognize a flood of connections, by running the following command:

sudo netstat -n -p|grep SYN_REC | wc -l

To list the unique remote IP addresses with the number of connections each one holds (this command does not filter on SYN_REC, so it covers every TCP and UDP connection), run the following command:

sudo netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To calculate and count the number of connections each IP address makes to the server, run the following command:

sudo netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

To list the number of established connections each IP has to the server using the TCP or UDP protocol, run the following command:

sudo netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr

You can also list the IP addresses with connections involving port 80 and display the connection count for each IP by running the following command:

sudo netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
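The one-liners above count netstat's header lines as if they were addresses, and `cut -d: -f1` truncates IPv6 peers at the first colon. The following is an added example, not part of the original tutorial, that does the same per-IP count with an optional state filter and a threshold. The function names, the threshold and the sample lines (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-remote-IP connection counts from `netstat -ant` output.

# count_by_remote_ip [STATE_PREFIX]
# Reads numeric netstat output on stdin and prints "COUNT IP", busiest first.
# STATE_PREFIX (e.g. SYN_REC or ESTAB) limits the count to matching TCP states.
count_by_remote_ip() {
    state_prefix="${1:-}"
    awk -v want="$state_prefix" '
        # Skip the "Active ..." and "Proto ..." header lines.
        $1 !~ /^(tcp|udp)/ { next }
        # State is column 6 on TCP rows; UDP rows have none and are
        # dropped whenever a state filter is requested.
        want != "" && index($6, want) != 1 { next }
        {
            addr = $5
            # Remove the port after the LAST colon so IPv6 stays intact.
            sub(/:[^:]*$/, "", addr)
            # Listening sockets show a wildcard peer; they are not clients.
            if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "") next
            # Fold IPv4-mapped IPv6 peers into their IPv4 address.
            sub(/^::ffff:/, "", addr)
            n[addr]++
        }
        END { for (a in n) print n[a], a }
    ' | sort -k1,1nr -k2,2
}

# flag_heavy_sources THRESHOLD [STATE_PREFIX]
# Prints only the IPs holding at least THRESHOLD matching connections.
flag_heavy_sources() {
    threshold="$1"
    count_by_remote_ip "${2:-}" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample in `netstat -ant` layout (not captured from a real host).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           203.0.113.7:40112       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40113       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:40114       SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.23:51514     ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.23:51620     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 2001:db8::10:80         2001:db8::bad:51000     SYN_RECV
tcp6       0      0 2001:db8::10:80         2001:db8::bad:51001     ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.7:40200 ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

# On a live host: sudo netstat -ant | flag_heavy_sources 50 SYN_REC
sample_netstat | count_by_remote_ip SYN_REC
```

A high count alone does not prove an attack: a NAT gateway, proxy or load balancer in front of many users will also show up as a single busy IP.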
