edit-icon download-icon

Check system port occupation on a Linux instance by using netstat

Last Updated: Dec 15, 2017

Check port availability by using netstat

In Linux, you can run the netstat command to check which ports are available in the current system, and the processes and users of these ports. See the following table for the parameters of the netstat command:

Parameter Description
-t Displays the TCP ports.
-u Displays the UDP ports.
-l Displays the listener socket.
-p Displays the process identifier and program name. Each socket/port belongs to one program.
-n Displays active TCP connections, with IP addresses and port numbers expressed numerically.

Regular netstat command combinations

Command Description
netstat -na Displays all active network connections.
We use this command together with other Linux commands, such as grep, wc and sort, to analyze system connection status, check the number of connections, and determine whether the server is attacked or not.
netstat -an | grep :80 | sort Displays and ranks all network connections to HTTP Port 80. We use port 80 to monitor the Web service. If the same IP address has multiple connections, it may have single-point traffic attacks.
netstat -n -p|grep SYN_REC | wc -l Collects statistics on the number of active SYNC_REC connections in the current server. Normally, the value is small (smaller than 5).
When DDoS attacks, the value is great. Note that in some servers with high concurrency, the value is also large.
netstat -n -p | grep SYN_REC | sort -u Lists IP addresses connected.
netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}' Lists the IP addresses of all connection nodes sending the SYN_REC.
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n Calculates the number of connections from each host to the local machine.
netstat -anp |grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n Lists the number of IP addresses of UDP or TCP connections to the local machine.
netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr Checks the ESTABLISHED connection and list the number of connections from each IP address.
netstat -plan|grep :80|awk {'print $5'}|cut -d: -f 1|sort|uniq -c|sort -nk 1 Lists the IP addresses connected to Port 80 of the local machine and the number of connections. We use Port 80 to process HTTP webpage requests.
netstat -antp | awk '$4 ~ /:80$/ {print $4" "$5}' | awk '{print $2}'|awk -F : {'print $1'} | uniq -c | sort -nr | head -n 10 Displays top 10 IP addresses with most connections to Port 80, and displays the number of connections from each IP address. If the same IP address has multiple connections, it may have single-point traffic attacks.

To stop a port in Use

  1. Run the following command to check the process, take port 9000 as an example:
    1. netstat -antp | grep 9000
    RunTheCommand
  2. Close the process with PID 1070 according to the result.
Thank you! We've received your feedback.