Checking the Number of Open HTTP Connections With Netstat

Last updated: March 18, 2024

Reviewed by: Eric Martin

1. Overview

As Linux users, there will be times when we need to check the number of connections to our services on the server. Knowing such information is useful for planning system scaling and being able to determine whether our services are under DOS attack or not. We use the netstat command to check connection numbers on the server.

In this tutorial, we’ll learn about HTTP and how to use netstat to check the number of open HTTP connections.

2. HTTP

HTTP, short for Hypertext Transfer Protocol, is an application layer for exchanging documents over the web. It runs on the TCP/IP suite of protocols, which is a set of rules that enable devices to communicate on a network. Moreover, HTTP was designed for communication between web browsers and servers, giving users a way to interact with web resources by sending and receiving hypertext messages.

Additionally, HTTP is a stateless protocol. This means that although multiple requests are over the same HTTP connection to the server, the current request is not aware of the activities of the previous requests. The server considers these multiple requests as separate requests, and each one must have a full response.

This design was intentional to minimize the time spent on re-establishing a connection for each request. By default, a web server listens on port 80 for HTTP connections. However, other system administrators change the default port to another for various reasons.

3. netstat

netstat is a combination of two words: network and statistics. It’s a command line tool that we use for monitoring network connections, both incoming and outgoing. It also displays routing tables, per-protocol statistics, interface statistics, and other information.

netstat is available on most Unix-like operating systems and Windows operating systems. It’s a useful tool for network troubleshooting and performance. In particular, having knowledge about incoming and outgoing connections helps fight against disproportionate traffic and malicious network connections.

3.1. List All Connections

We use the -a option to display all ports and connections regardless of their state or protocol:

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 192.168.238.129:bootpc  192.168.238.254:bootps  ESTABLISHED
raw6       0      0 [::]:ipv6-icmp          [::]:*                  7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  3      [ ]         DGRAM      CONNECTED     15330    /run/systemd/notify
unix  2      [ ACC ]     STREAM     LISTENING     15333    /run/systemd/private

Firstly, the Active Internet connections section lists the connected external connections and local sockets listening for remote connection requests. Let’s have a closer look at what each column represents:

  • Proto: This tells us the protocol of the connection. Usually, the protocol is either TCP or UDP. However, there are other sockets that we use in the network stack.
  • Recv-Q: This indicates the bytes in the queue for that socket, which it needs to read.
  • Send-Q: The count of bytes not acknowledged by the remote host. If both the Recv-Q and Send-Q are at 0, this means that the applications on both sides of the connection and the network between them are okay.
  • Local Address: The address and the port number of the local end of the socket.
  • Foreign Address: The address and the port number of the remote end of the socket.
  • State: The state of the local socket. There are several states for a socket, including:
    • ESTABLISHED: A working connection has been established between the two endpoints, allowing data to be transferred.
    • SYN-SENT: This socket has made a connection request and is waiting for the remote host to accept.
    • CLOSING: The socket is waiting for a termination connection request acknowledgment from the remote connection.

Secondly, the Active UNIX domain sockets section shows the connected and listening internal connections. In other words, these are the connections established within the computer between different processes and applications. Let’s examine the meaning of each of these columns:

  • Proto: Indicates the protocol used by the socket. It will be ‘unix’.
  • RefCnt: This is the Reference Count. It shows the number of processes attached to this socket.
  • Flags: This is usually set to ACC for SO_ACCEPTON. This means the socket is waiting for a connection request. Other flags are SO_WAITDATA, displayed by W, and SO_NOSPACE, displayed by N. SO_WAITDATA means there is data that the socket needs to read, while SO_NOSPACE means there is no space to write data to the socket.
  • Type: This is the socket type. The possible types are:
    • STREAM: This is a stream socket. The communication between the endpoints is reliable. As a result, the packets will arrive in order.
    • DGRAM: This socket is in Datagram mode. This is a connectionless network socket. Hence, the packets arrive out of order and might not arrive at the receiving computer.
  • State: Indicates the state of the network. These states are:
    • FREE: This socket is not allocated.
    • LISTENING: The socket is in the process of listening for incoming connection requests.
    • CONNECTING: The socket is about to establish a connection.
    • CONNECTED: A connection has been established with another application, and the socket is able to transmit.
    • DISCONNECTING: The socket is disconnecting.
  • I-Node: Unix sockets are files. Therefore, the I-Node field points to the metadata of the socket.
  • Path: The path of the socket file.

3.2. List Only HTTP Connections

We can use the netstat command with grep to list all the open HTTP connections. The -n option shows the numerical addresses and port numbers instead of trying to determine the symbolic host, port, or username:

$ netstat -an | grep :80 
tcp        0      0 127.0.0.1:51730         127.0.0.1:80            TIME_WAIT
tcp        0      0 127.0.0.1:51714         127.0.0.1:80            TIME_WAIT
tcp6       0      0 :::80                   :::*                    LISTEN

The grep command searches for the given string pattern, :80, in the netstat output and displays the lines that match the pattern.

Alternatively, we can grep for the HTTP protocol in the case that the web server is running on a different port other than 80:

$ netstat -a | grep http    
tcp        0      0 localhost:47996         localhost:http          TIME_WAIT
tcp        0      0 localhost:47982         localhost:http          TIME_WAIT
tcp        0      0 192.168.238.129:60532   93.184.220.29:http      TIME_WAIT
tcp        0      0 192.168.238.129:36772   mba01s09-in-f10.1:https TIME_WAIT
tcp        0      0 192.168.238.129:60546   93.184.220.29:http      TIME_WAIT

4. Conclusion

In this article, we learned about the HTTP protocol and the netstat tool. We also looked at checking the number of open HTTP connections using netstat.

Comments are open for 30 days after publishing a post. For any issues past this date, use the Contact form on the site.