Netstat flags define exactly which network information the command displays and how it is grouped. By combining different flags, you can focus on protocol type, connection state, or program ownership to troubleshoot specific behavior.
This guide explains common netstat flags, their practical use cases, and how to interpret the output securely and efficiently.
| Flag | Protocol | Direction | Default Display | Typical Use Case |
|---|---|---|---|---|
| -a | All | Listening + Established | No | Show all sockets, including servers waiting for connections |
| -n | Numeric | Address display | No | Show IP and port numbers instead of resolving names |
| -p | Program | Process ownership | No | Display PID and program name, requires elevated permissions |
| -t | TCP | Protocol filter | Optional | Limit output to TCP connections only |
| -u | UDP | Protocol filter | Optional | Limit output to UDP connections only |
| -l | Listening | Server sockets | No | Show only sockets actively waiting for incoming connections |
| -o | Timer | Timers info | No | Display timer information for established connections |
| -e | Extended | Statistics | No | Show network interface statistics and packet errors |
Using Netstat Flags for Diagnostic Tasks
Filtering by Protocol with -t and -u
When you only want TCP traffic, use -t to exclude UDP and other protocols from the output. The -u flag works similarly for UDP, which is helpful when diagnosing a specific transport layer issue without noise.
Resolving Names Versus Numeric Output
The -n flag prevents netstat from performing DNS lookups, which keeps results fast and avoids failures when name resolution is unavailable. Use this option in scripts or on busy systems where speed matters more than hostnames.
Inspecting Active Services with -a and -l
Listing All Sockets in One View
The -a flag shows both listening sockets and established connections, giving you a full picture of network activity. This is useful during security reviews or when confirming that a service is reachable on the expected port.
Focusing on Server Sockets with -l
By combining -l with protocol flags like -t or -u, you can list only the ports on which applications are actively waiting for new connections. This simplifies service discovery and reduces output clutter.
Understanding Program Ownership with -p
Identifying Which Process Owns a Socket
The -p flag adds the PID and program name to each row, so you can immediately see which application is using a particular port. On many systems you must run netstat as root or with elevated privileges to see process details for all users.
Advanced Insights with -n, -o, and -e
Numeric Timing and Interface Statistics
Using -o shows timer values for keepalive and retransmission, which helps analyze flapping connections. The -e flag adds interface counters, useful for spotting packet loss or interface errors without switching to separate tools.
Key Takeaways for Effective Troubleshooting
- Combine flags like -tlnp to focus on TCP listening sockets with program ownership
- Use -n to avoid slow or unreliable name resolution during rapid diagnostics
- Leverage -o and -e to correlate connection states with interface health
- Remember that -p often requires elevated permissions for full process visibility
- Practice mixing flags such as -a, -l, and protocol selectors for precise workflows
FAQ
Reader questions
Which netstat flags should I use to quickly check if a service is listening on the correct port?
Use netstat -tlnp for TCP or -ulnp for UDP. The -l flag shows only listening sockets, -n keeps output numeric for speed, and -p identifies the program so you can confirm the right service.
How can I see established connections without resolving hostnames or service names?
Run netstat -tnp or -unp depending on protocol. The -n flag disables DNS and service name resolution, giving you faster output and avoiding lookup failures while you troubleshoot connectivity.
What flags help me find which process is using a particular socket?
Add -p to your command, such as netstat -tlnp or netstat -ulnp. This displays the PID and program name, but on many systems you need elevated permissions to see process details for all users.
How do timer information and interface statistics improve my diagnosis?
Use -o to review kernel timers for keepalive and retransmission, and -e to view packet and interface error counters. Together they help identify performance issues, packet loss, or unstable connections.