Network Monitoring with netstat, ss, and iftop

Tutorial Overview

This tutorial explains how to monitor network connections, socket statistics, and real-time bandwidth usage using netstat, ss, and iftop. These tools are crucial for identifying network traffic and troubleshooting connectivity issues.

Prerequisites

  • Root or sudo access.

Steps

Step 1: Check Network Connections with netstat

1. Install net-tools (if needed), which includes netstat:

sudo apt install net-tools -y

2. List All Active Connections:

netstat -a
  • Common columns include:
    • Proto: Protocol (e.g., TCP, UDP).
    • Local Address: Address and port of the local connection.
    • Foreign Address: Address and port of the remote connection.
    • State: Status of the connection (e.g., LISTEN, ESTABLISHED).

3. Display Listening Ports:

netstat -tuln
  • The -tuln options show TCP (-t) and UDP (-u) listening ports (-l) in numeric format (-n).

4. Check Network Statistics:

netstat -s
  • This provides detailed statistics for each protocol, useful for diagnosing network performance.

Step 2: Monitor Active Connections and Ports with ss

1. ss is a more modern alternative to netstat for checking network sockets and active connections.

2. List All Listening Sockets:

ss -tuln
  • Similar to netstat -tuln, this shows listening ports and associated protocols.

3. View Established Connections:

ss -at
  • This displays all active TCP connections; because of -a, listening TCP sockets are listed as well.

4. Filter by Specific Port or Process:

  • To check if a specific local port (e.g., 80) is open (sport matches the local port, while dport matches the remote port of a connection):
ss -at '( sport = :80 )'
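
The ss -tuln listing from this step can also be checked against a list of ports you expect to be open. The script below is an added example, not part of the original tutorial: the function names audit_listeners and sample_ss_output, the proto/port allowlist format, and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report listening sockets that are reachable from off-host
# (not bound to loopback) and are missing from an allowlist.
# audit_listeners reads `ss -tuln` output on stdin; $1 is a space-separated
# allowlist of proto/port entries (assumed format, e.g. "tcp/22 tcp/443").
audit_listeners() {
    awk -v allow="$1" '
    BEGIN {
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    $1 != "tcp" && $1 != "udp" { next }      # skips the header row too
    {
        local = $5                           # Local Address:Port column
        # Port is the text after the last colon (IPv6 addresses contain colons).
        p = local; sub(/.*:/, "", p)
        addr = substr(local, 1, length(local) - length(p) - 1)
        # Loopback-only listeners cannot be reached from the network.
        if (addr ~ /^127\./ || addr == "[::1]") next
        key = $1 "/" p
        if (!(key in ok)) print key, addr
    }'
}

# Constructed sample of `ss -tuln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:6379     0.0.0.0:*
tcp   LISTEN 0      4096   [::]:8080          [::]:*
tcp   LISTEN 0      128    *:9100             *:*
udp   UNCONN 0      0      192.0.2.10:161     0.0.0.0:*
EOF
}

# On a live host: ss -tuln | audit_listeners "tcp/22 tcp/443"
sample_ss_output | audit_listeners "tcp/22"
```

Each output line is an unexpected listener in the form proto/port followed by the bound address; an empty result means every non-loopback listener is on the allowlist.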

Step 3: Monitor Real-Time Bandwidth Usage with iftop

1. Install iftop:

sudo apt install iftop -y

2. Run iftop with sudo to monitor bandwidth:

sudo iftop
  • iftop provides a real-time view of network bandwidth usage per connection.

3. Using iftop Controls:

  • Press P to toggle between sent and received data display.
  • Press T to display total bandwidth usage.
  • Press S to sort by source IP, D to sort by destination IP.
  • Press Q to quit.

4. Limit Displayed Connections by Port:

  • To show only traffic on a specific port, use:
sudo iftop -i <interface> -f 'port 80'