NOTE: Netstat has recently been deprecated in favor of ss and ip route, now part of the net-tools package. For more specific information on ss and ip route, please see this knowledgebase article!
Reviewing the man pages for netstat in our CentOS 6 installation, we find that netstat has the following options;
Options
--verbose , -v
Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.--numeric , -n
Show numerical addresses instead of trying to determine symbolic host, port or user names.--numeric-hosts
shows numerical host addresses but does not affect the resolution of port or user names.--numeric-ports
shows numerical port numbers but does not affect the resolution of host or user names.--numeric-users
shows numerical user IDs but does not affect the resolution of host or port names.--protocol=family , -A
Specifies the address families (perhaps better described as low level protocols) for which connections are to be shown. family is a comma (',') separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options.The address family inet includes raw, udp and tcp protocol sockets.
-c, --continuous
This will cause netstat to print the selected information every second continuously.-e, --extend
Display additional information. Use this option twice for maximum detail.-o, --timers
Include information related to networking timers.-p, --program
Show the PID and name of the program to which each socket belongs.-l, --listening
Show only listening sockets. (These are omitted by default.)-a, --all
Show both listening and non-listening (for TCP this means established connections) sockets. With the --interfaces option, show interfaces that are not marked-f
Print routing information from the FIB. (This is the default.)-c
Print routing information from the route cache.-Z --context
If SELinux enabled print SELinux context.-T --notrim
Stop trimming long addresses.delay
Netstat will cycle printing through statistics every delay seconds. UP.
In this specific knowledgebase, we'll discuss figuring out whether a standard Apache web server is up and running on ports 80 and 443. Our standard Apache web server has been installed on CentOS 6 using yum, and an SSL host has been configured on the default vHost as well.
Let's first ensure that apache is actually running.
On CentOS 5/6:
On Ubuntu 12/14:root@web01 [~]# service httpd status
httpd (pid 14770) is running...
Now that we have determined that Apache is indeed running, we'll proceed with our netstat testing. In the above listed options we'll want to pay close attention to a couple options specifically. The option '-l', the option '-p' and the option '-t' are all useful here. -l tells netstat to show us specifically the sockets that are listening. The -p tells netstat to show us the PID of the process in question associated to the port. The -t tells netstat to ONLY show us TCP based connections - which is perfect, given we know exactly what kind of connection HTTP and HTTPS traffic is going to be.root@web01:~$ service apache2 status
* apache2 is running
The output of the command on CentOS 6:
As you can see from the highlighted text above, we've found that http and https are indeed listening TCP sockets on our linux server. We could search for just the string "http" as well, using grep. Grep will be covered in another knowledgebase article, but here is an example:root@web01[~]# netstat -tlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:autodesk-nlm *:* LISTEN 29241/cpdavd - acce
tcp 0 0 *:imaps *:* LISTEN 29084/dovecot
tcp 0 0 *:infowave *:* LISTEN 10376/cpsrvd (SSL)
tcp 0 0 localhost:43234 *:* LISTEN 3009/mms
tcp 0 0 localhost:decbsrv *:* LISTEN 20036/cPhulkd - pro
tcp 0 0 *:pop3s *:* LISTEN 29084/dovecot
tcp 0 0 *:radsec *:* LISTEN 10376/cpsrvd (SSL)
tcp 0 0 *:gnunet *:* LISTEN 10376/cpsrvd (SSL)
tcp 0 0 *:eli *:* LISTEN 10376/cpsrvd (SSL)
tcp 0 0 *:submission *:* LISTEN 28689/exim
tcp 0 0 *:memcache *:* LISTEN 2032/memcached
tcp 0 0 *:pop3 *:* LISTEN 29084/dovecot
tcp 0 0 localhost:783 *:* LISTEN 31134/spamd-dormant
tcp 0 0 *:imap *:* LISTEN 29084/dovecot
tcp 0 0 *:nbx-ser *:* LISTEN 10376/cpsrvd (SSL)
tcp 0 0 *:http *:* LISTEN 11398/httpd
tcp 0 0 *:nbx-dir *:* LISTEN 10376/cpsrvd (SSL)
tcp 0 0 *:urd *:* LISTEN 28689/exim
tcp 0 0 *:ftp *:* LISTEN 29507/pure-ftpd (SE
tcp 0 0 *:ssh *:* LISTEN 5579/sshd
tcp 0 0 *:smtp *:* LISTEN 28689/exim
tcp 0 0 *:https *:* LISTEN 11398/httpd
tcp 0 0 *:tsrmagt *:* LISTEN 29241/cpdavd - acce
tcp 0 0 *:tpcsrvr *:* LISTEN 29241/cpdavd - acce
tcp 0 0 *:idware-router *:* LISTEN 29241/cpdavd - acce
tcp 0 0 *:imaps *:* LISTEN 29084/dovecot
tcp 0 0 *:pop3s *:* LISTEN 29084/dovecot
tcp 0 0 *:mysql *:* LISTEN 21643/mysqld
tcp 0 0 *:submission *:* LISTEN 28689/exim
tcp 0 0 *:memcache *:* LISTEN 2032/memcached
tcp 0 0 *:pop3 *:* LISTEN 29084/dovecot
tcp 0 0 localhost:783 *:* LISTEN 31134/spamd-dormant
tcp 0 0 *:imap *:* LISTEN 29084/dovecot
tcp 0 0 localhost:7984 *:* LISTEN 29887/java
tcp 0 0 *:http *:* LISTEN 11398/httpd
tcp 0 0 *:urd *:* LISTEN 28689/exim
tcp 0 0 *:sd *:* LISTEN 3061/acronisagent
tcp 0 0 *:ftp *:* LISTEN 29507/pure-ftpd (SE
tcp 0 0 *:munin *:* LISTEN 26774/perl
tcp 0 0 *:ssh *:* LISTEN 5579/sshd
tcp 0 0 localhost:8984 *:* LISTEN 29887/java
tcp 0 0 *:smtp *:* LISTEN 28689/exim
tcp 0 0 *:https *:* LISTEN 11398/httpd
root@web01 [~]# netstat -tlp | grep -i http
tcp 0 0 *:http *:* LISTEN 14770/httpd
tcp 0 0 *:https *:* LISTEN 14770/httpd
tcp 0 0 *:http *:* LISTEN 14770/httpd
tcp 0 0 *:https *:* LISTEN 14770/httpd
