1. Introduction

netstat, a part of the older net-tools package, has long been a staple in the toolkit of network administrators and IT professionals. It provides critical information about network connections, routing tables, and interface statistics.

However, as technology evolves, we need more sophisticated and specialized tools to handle complex network environments. As a result, netstat has been deprecated in favor of newer tools. Many modern Linux distributions no longer install net-tools by default. However, it is often still available in the repositories, and we can manually install it if necessary.

In this tutorial, we’ll explore various modern alternatives to netstat, highlighting their features and use cases and explaining why they might be better suited for today’s networking needs.

2. What Is netstat?

netstat, short for “network statistics,” is a command-line tool that provides a snapshot of the network connections, routing tables, and various network interface statistics on a system. It’s available on most operating systems, including Windows, Linux, and macOS, making it a widely accessible tool for network troubleshooting and monitoring.

As its name implies, netstat is primarily used for troubleshooting network issues, monitoring active connections, assessing network performance, auditing open ports, and analyzing network traffic.

While netstat is a powerful tool, it has its limitations. These include a lack of real-time monitoring, limited protocol support, and a complex output that can be challenging to interpret. Additionally, it doesn’t offer deep packet inspection, making it less suitable for detailed network analysis.

Despite being deprecated, netstat is still functional and can be used for many tasks, though newer alternatives are preferred.

Therefore, let’s look at some of the modern alternatives to netstat.

3. ss (Socket Statistics)

ss, or Socket Statistics, is a powerful utility that offers detailed insights into socket information. Unlike netstat, it provides more granular data and faster performance, particularly for large numbers of connections.

ss can display information about TCP, UDP, RAW, and Unix sockets. It can show detailed statistics, including packet counts, connection states, and more. ss is particularly useful for diagnosing socket-related issues, such as identifying open sockets, monitoring socket performance, and troubleshooting connectivity problems. It also provides better support for IPv6.

Moreover, ss is faster and more efficient than netstat, offering more detailed information about sockets. As a simple example, we can check all the TCP connections on a Linux system using the command:

$ ss -at
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    192.168.1.10:ssh   *:*
ESTAB  0      0      192.168.1.10:ssh   192.168.1.100:55555 

This will display a list of all the TCP connections along with their state and other relevant details.

ss is optimized and faster than netstat since it retrieves socket information from the kernel directly, resulting in faster output, especially when there are many connections. Moreover, it doesn’t perform DNS lookups unless explicitly requested.

On the other hand, netstat shows additional details, such as protocol type, which is redundant when we filter specifically for TCP using option -t. Also, the output can be more verbose, including resolved hostnames unless we add the -n option to avoid DNS lookups:

$ netstat -at
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:ssh        192.168.1.5:52345       ESTABLISHED
tcp6       0      0 [::]:443                [::]:*                  LISTEN

Moreover, netstat has limited support for some modern networking features, especially those related to IPv6 and advanced TCP settings. As ss offers more advanced capabilities, it may eventually replace netstat for handling socket-related tasks.
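
For auditing open ports, the listening-socket view of ss can be reduced to the listeners reachable from other hosts, together with the owning process. The following is an added example, not part of the original tutorial: the function names and the sample lines are constructed, and it assumes the output layout of ss -Htlnp (-H drops the header, -l limits to listening sockets, -n skips name resolution, -p adds the process column).

```sh
#!/bin/sh
# Constructed sample of `ss -Htlnp` output (not taken from a real host).
sample_listeners() {
cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511  127.0.0.1:6379    0.0.0.0:* users:(("redis-server",pid=934,fd=6))
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=601,fd=14))
LISTEN 0 151  *:3306            *:*       users:(("mysqld",pid=1450,fd=21))
LISTEN 0 128  [::1]:631         [::]:*    users:(("cupsd",pid=702,fd=7))
LISTEN 0 511  [::]:443          [::]:*    users:(("nginx",pid=1234,fd=8))
LISTEN 0 128  192.168.1.10:8080 0.0.0.0:* users:(("python3",pid=2001,fd=3))
EOF
}

# Read ss listener lines on stdin and print "port scope process" for every
# listener that is not bound to a loopback address, sorted by port.
exposed_listeners() {
  awk '
    $1 == "LISTEN" {
      addr = $4; port = $4
      sub(/:[^:]*$/, "", addr)   # drop the trailing ":port"
      sub(/^.*:/, "", port)      # keep only the port
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback-only listener
      proc = "-"                 # process column is absent without privileges
      if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
      scope = (addr == "*" || addr == "0.0.0.0" || addr == "[::]") \
              ? "all-interfaces" : "specific-address"
      print port, scope, proc
    }
  ' | sort -n
}

# Demo on the constructed sample; on a live system: ss -Htlnp | exposed_listeners
sample_listeners | exposed_listeners
```

Run as root to have the process column filled in for sockets owned by other users; otherwise the process is reported as "-".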

4. nmap (Network Mapper)

nmap is a versatile and widely used network scanning tool that goes beyond the capabilities of netstat.

We can perform host discovery, port scanning, service enumeration, and even vulnerability detection using nmap. Also, it’s essential for network security audits, penetration testing, and discovering network services.

While netstat provides information about existing connections, nmap can discover new hosts and services on a network.

As an example, to scan all TCP ports on the local machine and display which ports are open, we can run the command:

$ nmap -sT localhost
Starting Nmap 7.91 ( https://nmap.org ) at 2024-08-19 21:29 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00026s latency).
Not shown: 993 closed ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
3306/tcp open   mysql

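This will also provide details about the services running on those ports. Thus, nmap goes a step further by providing insights into the service associated with each port. This is useful for auditing network services and checking for vulnerabilities. Without version detection (the -sV option), the SERVICE name is looked up from the port number rather than confirmed by probing the service, so it should be read as the expected service, not a verified one.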

On the other hand, we can only list the active internet connections using the netstat command:

$ netstat -an
Proto Recv-Q Send-Q Local Address    Foreign Address   State
tcp   0      0      192.168.0.102:22 192.168.0.5:40001 ESTABLISHED

5. ip (iproute2)

The ip command is a part of the iproute2 package, a modern replacement for many older networking tools, including netstat.

ip handles IP addresses, routes, and tunnels. It also provides detailed information and configuration options for network interfaces. Thus, it’s ideal for configuring and troubleshooting network interfaces, managing IP addresses, and viewing routing tables.

ip offers more comprehensive control and information about network interfaces and routing than netstat.

For example, to display detailed information about all network interfaces, including (both IPv4 and IPv6) IP addresses, link status, and interface-specific statistics, we can use:

$ ip addr

We can get similar details using the netstat command:

$ netstat -ie

However, netstat displays only basic details about IP addresses (IPv4 only), MAC addresses, and interface status. Its output is also less readable.

6. iftop (Interface TOP)

iftop is a real-time console-based network bandwidth monitoring tool. It’s useful for monitoring real-time network traffic, identifying bandwidth hogs, and troubleshooting network performance issues.

iftop displays bandwidth usage on an interface by host. Additionally, it shows a detailed view of incoming and outgoing traffic.

While netstat provides a snapshot of connections, iftop offers real-time bandwidth usage monitoring.

To see the real-time bandwidth usage for the eth0 interface, we can run:

$ iftop -i eth0
                    10.0Mb     20.0Mb   30.0Mb   40.0Mb
192.168.0.102 => 192.168.0.103 2.45Mb   2.53Mb   2.57Mb
              <=               1.32Mb   1.35Mb   1.40Mb

This allows us to see which hosts use the most bandwidth at any given time. This is extremely helpful when diagnosing network slowdowns or high traffic volumes.

7. lsof (List Open Files)

lsof is a versatile tool that can list open files and the processes that opened them, including network connections. It can display open files, network connections, and associated processes.

lsof is valuable for identifying which processes use network connections, troubleshooting file descriptor leaks, and monitoring system activity.

Unlike netstat, lsof provides more detailed information about the processes associated with network connections.

For example, running the following command will display all processes that are using port 80, typically identifying the processes running web services:

$ lsof -i :80
COMMAND   PID   USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
nginx     1234  root   4u   IPv4  654321 0t0  TCP *:http (LISTEN)

This shows that the process nginx with PID 1234 is listening on port 80.

While netstat can show open network connections and ports, it generally does not display the process name or PID unless used with specific options such as -p, which may not be available on all systems. It focuses more on connection statistics such as IP addresses and ports:

$ netstat -antp
Proto Recv-Q Send-Q Local Address Foreign Address State   PID/Program name
tcp        0      0 0.0.0.0:80    0.0.0.0:*       LISTEN  1234/nginx

8. tcpdump And Wireshark

tcpdump is a command-line packet analyzer that captures network packets for analysis. It captures packets on a network interface and allows detailed filtering of captured data.

Thus, it’s useful for capturing network traffic for later analysis, troubleshooting network issues, and monitoring network performance. It offers more detailed packet capture and filtering capabilities compared to netstat.

Let’s see an example:

$ sudo tcpdump -i eth0 port 443
22:42:56.789123 IP 192.168.0.102.443 > 192.168.0.5.50000: Flags [P.], seq 1:21, ack 1, win 512, length 20
16:45:12.345678 IP 192.168.1.10.54321 > 172.217.10.174.443: Flags [S], seq 1:23, ack 1, win 65535, length 0 

This command is particularly useful for monitoring secure web traffic (HTTPS), allowing us to capture packets related to web communication on port 443. By examining the flags, sequence numbers, and acknowledgment numbers, we can troubleshoot issues like dropped packets, slow connections, or incomplete handshakes.

Moreover, we can analyze the encrypted traffic flow to check for unusual behavior or detect potential security issues. However, we should note that we won’t be able to see the actual contents of the packets since HTTPS encrypts the data payload.
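
The handshake check described above can be automated over tcpdump's text output by pairing each SYN with the SYN-ACK that answers it. This is an added example, not part of the original tutorial: the function names and the capture lines are constructed, and it assumes the one-line-per-packet format that tcpdump -n prints for IPv4 and IPv6 TCP.

```sh
#!/bin/sh
# Constructed sample of `tcpdump -n` output (not captured from a real network).
sample_capture() {
cat <<'EOF'
10:00:00.000001 IP 192.168.1.10.54321 > 203.0.113.7.443: Flags [S], seq 1000, win 64240, length 0
10:00:00.020000 IP 203.0.113.7.443 > 192.168.1.10.54321: Flags [S.], seq 5000, ack 1001, win 65535, length 0
10:00:00.020100 IP 192.168.1.10.54321 > 203.0.113.7.443: Flags [.], ack 1, win 502, length 0
10:00:01.000000 IP 192.168.1.10.54400 > 198.51.100.9.443: Flags [S], seq 2000, win 64240, length 0
10:00:02.000000 IP 192.168.1.10.54400 > 198.51.100.9.443: Flags [S], seq 2000, win 64240, length 0
10:00:04.000000 IP 192.168.1.10.54400 > 198.51.100.9.443: Flags [S], seq 2000, win 64240, length 0
EOF
}

# Read tcpdump lines on stdin and print "client > server syn_count" for every
# connection attempt whose SYN was never answered with a SYN-ACK.
unanswered_syns() {
  awk '
    $2 ~ /^IP6?$/ && $6 == "Flags" {
      src = $3; dst = $5; sub(/:$/, "", dst)      # "host.port:" -> "host.port"
      flags = $7; sub(/,$/, "", flags)            # "[S]," -> "[S]"
      if (flags == "[S]" && !((src " > " dst) in answered))
        syn[src " > " dst]++                      # count SYNs, including retransmissions
      if (flags == "[S.]") {                      # SYN-ACK travels server -> client
        key = dst " > " src
        answered[key] = 1
        delete syn[key]
      }
    }
    END { for (k in syn) print k, syn[k] }
  ' | sort
}

# Demo on the constructed sample; on a live system:
#   sudo tcpdump -n -i eth0 port 443 | unanswered_syns   (stop with Ctrl+C)
sample_capture | unanswered_syns
```

A count above one means the client retransmitted its SYN, which points at a filtered port, a dropped packet, or an unreachable server rather than a refused connection.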

Finally, we can also use Wireshark, a renowned network protocol analyzer, for deep packet inspection. It captures and analyzes network packets, providing detailed protocol information and decoding. Additionally, Wireshark provides a GUI that shows all the captured network traffic in real time with detailed packet-level information.

9. Conclusion

In this article, we looked at some modern alternatives to netstat, their usage, and examples.

These alternatives offer enhanced features and real-time insights, making them invaluable for today’s network administrators. Each tool has strengths and use cases suitable for various aspects of network monitoring, security, and troubleshooting.