Linux command to list which ports are open and listening

This post covers a Linux command that lists which ports are open and listening, which is often useful when debugging and troubleshooting network issues.

Netstat is a very useful utility for debugging network issues on Linux. The following information can be obtained from netstat: route tables, open and closed ports, interface details, and address families such as TCP, UDP and Unix domain sockets.

The output of the command can be a bit complex to understand if you have not used it before.

netstat needs to be run as the root user. The first example below uses the “-p” switch to see which program is listening on which port or socket.

To see all of the TCP ports being listened to on the system, and by what program, use:

# netstat -l --tcp -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address    State       PID/Program name
tcp        0      0 *:ssh                       *:*                LISTEN      1666/sshd
tcp        0      0 localhost.localdomain:smtp  *:*                LISTEN      1841/sendmail: acce
tcp        0      0 *:mysql                     *:*                LISTEN      1807/mysqld
tcp        0      0 *:http                      *:*                LISTEN      1873/httpd
tcp        0      0 *:https                     *:*                LISTEN      1873/httpd

The above results show that sshd is listening on port 22 on all interfaces (netstat displays the port name from /etc/services unless you use the “-n” switch).
Sendmail is listening on port 25 on the loopback interface only (127.0.0.1), Apache is listening on ports 80 and 443, and MySQL is listening on port 3306 on all available network interfaces.

From this you can determine which services are running and which ports they are listening on.
The same can be done for UDP, as below:

# netstat -l --udp -p -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address    State       PID/Program name
udp        0      0 0.0.0.0:68                  0.0.0.0:*                      1292/dhclient
udp        0      0 192.168.250.52:123          0.0.0.0:*                      1679/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                      1679/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                      1679/ntpd
udp        0      0 0.0.0.0:42022               0.0.0.0:*                      1292/dhclient
udp        0      0 ::1:123                     :::*                           1679/ntpd
udp        0      0 fe80::226:18ff:fe7b:123     :::*                           1679/ntpd
udp        0      0 :::123                      :::*                           1679/ntpd
udp        0      0 :::15884                    :::*                           1292/dhclient

The above result shows that netstat displays anything listening on IPv4 or IPv6 addresses.
Netstat can also show active connections, as below:

# netstat --tcp -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address             Foreign Address        State  PID/Program name
tcp   0      0 wrk.myhost.com:53231    wrk2.myhost.com:ssh         ESTABLISHED 3333/ssh
tcp   0      0 wrk.myhost.com:44401    iy-in-f113.1e100.net:http   TIME_WAIT   -
tcp   1      0 wrk.myhost.com:51848    204.203.18.161:http         CLOSE_WAIT  2729/clock-applet
tcp   0      0 wrk.myhost.com:821      srv.myhost.com:nfs          ESTABLISHED -
tcp   0      0 wrk.myhost.com:59028    iy-in-f101.1e100.net:http   TIME_WAIT   -
tcp   0      0 wrk.myhost.com:37120    dns.myhost.com:ldap         ESTABLISHED 1658/sssd_be
tcp   0      0 wrk.myhost.com:ssh      laptop.myhost.com:52286     ESTABLISHED 3274/sshd: joe [

The output above shows that the first connection is an outbound SSH connection (originating from port 53231, destined for port 22). Some outbound HTTP connections from the GNOME clock-applet, outbound authentication requests from SSSD, and outbound NFS are also seen. The last entry is an inbound SSH connection.

The -i switch lists the network interfaces and the number of packets transmitted through them:

# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0    60755      0      0      0    40332      0      0      0 BMRU
lo        16436   0      149      0      0      0      149      0      0      0 LRU

To watch netstat output continuously, use “-c”, which displays all network services currently running and refreshes every 1 second. This is a good way to observe connections being opened and other network transmissions, and which ports and services they use.

Other uses include: netstat -r shows the kernel routing table, similar to route -n, and netstat -ie shows interface information identical to ifconfig.
Netstat is a very useful Linux command for listing which ports are open and listening when you are troubleshooting or debugging a network-related issue for a service.
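
The listening-socket listings above separate services bound to every interface (such as MySQL on 3306) from those bound to loopback only (such as Sendmail on 25). The script below is an added example, not part of the original post: it classifies each listener by bind scope so wildcard binds stand out during a review. The function names and the sample lines are assumptions constructed from the numeric form of the listings above.

```shell
#!/bin/sh
# Added example: classify listening sockets by bind scope.
# Input: lines in the format of `netstat -l -n -p` (numeric addresses).
# On a live host: netstat -l --tcp --udp -p -n | classify_listeners

classify_listeners() {
    awk '
    $1 ~ /^(tcp|udp)6?$/ {
        # TCP rows carry a State column; keep only LISTEN. UDP rows have none.
        is_tcp = ($1 ~ /^tcp/)
        if (is_tcp && $6 != "LISTEN") next
        # Port is the text after the last colon (works for ":::123" too).
        port = $4; sub(/^.*:/, "", port)
        addr = substr($4, 1, length($4) - length(port) - 1)
        # PID/Program is field 7 for TCP, field 6 for UDP; "-" if hidden.
        prog = is_tcp ? $7 : $6
        sub(/^[0-9]+\//, "", prog); sub(/:$/, "", prog)
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") scope = "ALL"
        else if (addr ~ /^127\./ || addr == "::1")            scope = "LOOPBACK"
        else                                                  scope = "SPECIFIC"
        print scope, $1, port, prog
    }'
}

# Constructed sample input, modelled on the listings in this post.
# The ESTABLISHED row and its peer address are made up to show filtering.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address        Foreign Address       State       PID/Program name
tcp        0      0 0.0.0.0:22           0.0.0.0:*             LISTEN      1666/sshd
tcp        0      0 127.0.0.1:25         0.0.0.0:*             LISTEN      1841/sendmail: acce
tcp        0      0 0.0.0.0:3306         0.0.0.0:*             LISTEN      1807/mysqld
tcp        0      0 192.168.250.52:22    192.168.250.10:52286  ESTABLISHED 3274/sshd: joe [
udp        0      0 192.168.250.52:123   0.0.0.0:*                         1679/ntpd
udp        0      0 :::123               :::*                              1679/ntpd
udp        0      0 ::1:123              :::*                              1679/ntpd
EOF
}

# Print one line per listener: SCOPE PROTO PORT PROGRAM
sample_netstat | classify_listeners
```

Rows marked ALL are reachable on every network the host is attached to, so they are the ones to check against the intended exposure of each service.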
