I noticed that according to /proc/net/dev I am constantly receiving around 6Kb/s on my wireless usb interface. But I can't account for anything even close to that with the individual connections that I get with iptraf, iftop, and nethogs. Investigations with netstat, lsof, and tcpdump didn't help either. So, what else could contribute to /proc/net/dev values? I can speculate that, while only IP based traffic is reported by the applications I mentioned, /proc/net/dev probably accounts for other link-layer/internet-layer stuff too (arp? icmp? wireless management stuff?). Or maybe other transport/application protocols. Can anyone confirm this? How else would you proceed to find out: through what sockets are the 6Kb/s coming through? What processes are receiving the traffic? --- [EDIT] The 2 consistent results across all the tools: 1. the totals of Rx are around a few Kb/s - confirmed with /proc/net/dev, dstat, bmw-ng, cbm, iptraf, ifstat, gnome-system-monitor 2. no connection/packet stream justifies that - confirmed with netstat, tcpdump, iftop, nethogs, iptraf All of this with a Netgear WDNA 4100 wireless usb adapter using a custom driver from some git (the only way I got it to work). I asked the devs about it [here](https://github.com/ashaffer/rt3573sta/issues/9) . This might be malware, but I suspect the driver is simply reporting wrong totals. Nevertheless, I cannot explain what's going on for sure.

I've had this issue on several machines. Is there some way to free this blocked port? Here is an example: Let me explain. I've killed some JAVA-Process on SUSE Linux Enterprise Server 11 SP4, which had some ports open. I used the command "kill -9 " with root user. Now it is not possible to start the process again, because the port is still blocked. The application dies when the port is still open. But the process is definitively gone! When I have a look with command netstat -anop | grep -E "Sta|37941" (also with root user), I'll get the following results: Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer [...] tcp 0 0 172.21.63.27:42034 172.21.63.28:37941 ESTABLISHED - keepalive (2861.75/0/0) [...] It shows no PID! Before killing the process, it showed the PID of the process. Is there any way to free such a "dead" port? We are always need to restart the operating system to get the application started again. But this is really, really critical in our high-availability systems... so what to do if we need to kill the process in the future? This issue also happened on other unix operating systems in the past. Any help in solving this issue for the future would be highly appreciated. Thank you all very much in advance!

In what scenarios port being used by a process don't show up in netstat -a output? I'm running jenkins on my machine. It's listening on port 8080. I'm trying to start another process that tries to bind on same port and it fails with error that port is already in use. Now when I do netstat -a | grep 8080, it doesn't show up in output. After stopping jenkins my process successfully bound to 8080. Any clues what happening? I'm running CentOS.

I am seeing hundreds of different connections to the same ip and port scrolling by when running nethogs. Occasionally the foreign IP and port will change (not always 80, but sometimes). I've noticed that my router CPU usage jumps to 100% when these huge bursts of connections happen, so I'm fairly certain that this massive spike keeps overloading the router and essentially making my network useless for up to a full 60 seconds. Things I've tried: - sudo netstat -tulpn | grep $whateverip: nothing - sudo netstat --inet -ap | grep $whateverip: nothing - sudo lsof -i | grep $whateverport: by the time this finishes, the port and IP have changed again This may just be paranoia, but I swear it seems like every time I try to dig into more info on the connection, the port and IP change, so my command gives me nothing. Am I dealing with something evil living inside my server? Or is there some more benign explanation that I'm missing in my limited networking knowledge? Also note that this is an Ubuntu server with no UI, so it's not me chasing around someone just browsing reddit.

We have some RHEL7 Apache reverse proxies that experienced a performance degradation event. After a few hours, restarting Apache restored performance to normal levels. We are trying to determine the root cause of the outage. During said investigation, I came across the following netstat numbers that I cannot find much documentation on: * TCPRcvCoalesce * TCPAutoCorking * TCPHystartTrainCwnd Anyone can explain what these stats mean? Are they indicative of any particular issue?

I have a Solaris 10 box which has limited tools and commands installed in comparison to Linux distros. In addition, the tools that can be used such as grep and netstat don't have the same options and flags too. I have some services running on ports that I would like to investigate. As an example, an SSH server running on a port that is not 22. I want to be able to locate the configuration file in order to modify changes (disable weak ciphers etc.). However, when I search the entire file system for sshd.conf - I am only able to find the configuration for the default SSH server on port 22. Could anyone give me any tips on how I could locate the config file for this unique service. I have already attempted `find / -name "sshd.conf" and other possible variations but with no success. The next approach I would like to try is using tools such as netstat and svcs. I can tell that the service is running with nmap -p 5555 [ip] and also ssh [ip] -p 5555. I can also see the service is listening with netstat -an | grep "5555". However, I am unable to match it to a service listed in svcs -a. If I were able to match it with a service in svcs -a and then use svcs -x [FMRI] (for more details) - it doesn't give me the config file from where parameters are being read from - only the log file. So TL;DR: How can I locate a service's configuration file if I know the FMRI or can't map the service to an FMRI. Perhaps more simply, how can I use the output of netstat and identify what the actual service is that is listening on the device? I would imagine this would be asked often for security audits and such.

OS is Debian. I'm running nginx as a webserver. I am not running Wordpress. Logging is enabled in the http block with: access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; Seeing hundreds of connections in iftop from my webserver at port 443 to 191-242.x.x.alivenet.com.br, for a few hundred different ips. The strange things are: * None of the ip addresses listed by iftop show up in my nginx logs, which I have been retaining since server creation. * These connections show up in iftop even if nginx isn't running. How is that possible? I tried stopping nginx, then confirmed with netstat that nothing is listening on ports 80 or 443, but I still see hundreds of these connections listed in iftop. How can iftop show these connections if nothing is listening on those ports? I even tried disabling nginx and then rebooting my server, but they still show up. * lsof -a -i4 -i6 -itcp doesn't show any of these connections somehow. * In nethogs, I see a line: ? root :443-191.242.x.x:. Running as root? Question mark for the pid? This seems absolutely crazy to me. Does this mean there is some process running on my system that somehow isn't assigned a pid, running as root, somehow listening on port 443 despite nginx supposedly currently using that port, that's sending traffic to one of these Brazilian ips? What exactly is going on here? Do I need to be concerned? Has my server been hacked? What else should I check to confirm the server is ok? Do I need to block these ips via iptables? How do I separate hack attempts from legitimate web server traffic? (ie, someone in Brazil is trying to visit my website) How can nethogs not show a pid? How can iftop show connetions on ports that aren't listening? How can these connections not show up in the nginx logs?

On my Ubuntu server, I find it very useful that netstat -tulpn also shows the username connected to sshd (apparently, this username printing is specifically for sshd) - unfortunately, this printout is also truncated:

$ sudo netstat -tulpn | grep 'PID\|user1'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      1620557/sshd: user1
tcp6       0      0 :::12345                :::*                    LISTEN      1620557/sshd: user1

In the above example, full username is user1234, but due to truncation, I can only read user1. Even more unfortunately, I learned that this truncation is hardcoded in netcat in https://unix.stackexchange.com/questions/212096/netstat-output-line-width-limit/772314#772314 : > Unfortunately the width of the PID/Program name column in netstat is hardcoded with [#define PROGNAME_WIDTH 20](https://sourceforge.net/p/net-tools/code/ci/master/tree/netstat.c#l110) so there is no way of getting the full output from netstat directly. Also you end up with 19 characters and a space at the end. The same answer also recommends: > In today's linux one can use sudo ss -natp to get the full info formatted a bit differently but with the full name: ... unfortunately, ss does not print the username of the user connected to sshd as netstat does:

$ sudo ss -tulpn | grep user1
$

$ sudo ss -tulpn | grep 12345
tcp     LISTEN   0        128              0.0.0.0:12345          0.0.0.0:*      users:(("sshd",pid=1620557,fd=10))

tcp     LISTEN   0        128                 [::]:12345             [::]:*      users:(("sshd",pid=1620557,fd=11))

So, how can I get an output identical or similar to the output of netstat -tulpn, but which prints the full usernames connected to sshd? My netstat version is:

$ netstat --version
net-tools 2.10-alpha
Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang, Brian Micek and others
+NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N +SELINUX
AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE -BLUETOOTH
HW:  +ETHER +ARC +SLIP +PPP +TUNNEL -TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB +EUI64

What's the easiest way to find an unused local port? Currently I'm using something similar to this: port=$RANDOM quit=0 while [ "$quit" -ne 1 ]; do netstat -a | grep $port >> /dev/null if [ $? -gt 0 ]; then quit=1 else port=expr $port + 1 fi done It feels awfully roundabout, so I'm wondering if there's a more simple path such as a builtin that I've missed.

Can anyone explain for me what each option in Flg means? [root@apple ~]# netstat -i Kernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg eth0 1500 0 110512 0 0 0 6660 0 0 0 BMRU eth1 1500 0 110713 0 0 0 4533 0 0 0 BMRU eth2 1500 0 733 0 0 0 17 0 0 0 BMRU lo 16436 0 45 0 0 0 45 0 0 0 LRU And are there any more?

I am using chromium browser (chrome) with pepperflashplugin in Debian. I have noticed, chromium/pepperflashplugin opens a listening port on my public interface 0.0.0.0:5353 as seen with netstat: netstat -lptun Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 0.0.0.0:5353 0.0.0.0:* 13971/libpepflashpl I have been using Firefox (Iceweasel) before and I have never seen browser/flash-plugin to open ports. Indeed, I have never seen any client application opening listening ports on 0.0.0.0. **Why is chromium doing this?** **Is this necessary ?** **Can I disable this?** **Can I start chromium with pepperflashplugin disabled ?**

When trying to see port clashes within my system, many websites online recommend using **/etc/services** or **ss -tunl** to see port info I am noticing **/etc/services** is providing different information to **-ss** on most occasions. Output comparison examples sudo cat /etc/services ftp 21/udp ftp 21/sctp ssh 22/tcp ssh 22/udp ssh 22/sctp telnet 23/tcp telnet 23/udp smtp 25/tcp versus ss -tunl Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:46670 0.0.0.0:* udp UNCONN 0 0 [::]:5353 [::]:* udp UNCONN 0 0 [::]:38838 [::]:* Is **/etc/services** a static data file and should only be used as a guide, not an true reflection of what the real port configuration of the system is. Where does **ss** program gather this port data, and how can I modify/delete some of the ports, either through **ss** or another program?

When executing netstat, I find that the command's output width is limited regardless of the console size, in contrast with other commands such as ps that seem to get adjusted. So for example: $ sudo netstat -natp | grep sshd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1454/sshd tcp 0 48 xx.xx.xx.xx:22 xx.xx.xx.xx:44182 ESTABLISHED 1147/sshd: wtower [ tcp6 0 0 :::22 :::* LISTEN 1454/sshd You can notice that the line width of the second output is short (ends at [). Is there any way so I get the proper output from netstat? *UPDATE*: The package version is net-tools_1.60-24.1ubuntu2_i386 running on Ubuntu Server 12.04.5 LTS. Unfortunately redirecting to file produces the same output. At any console size the output is the above. At smaller sizes it just wraps each line, but *still* the output is the same, shortened.

I have a WSL2 instance with Ubuntu 22.04. I have installed microk8s and enabled the local registry. The local Registry in microk8s listens on node port 32000. I can access this registry in WSL on both localhost and WSL instance IP. But if I run netstat -an there is none listening on port 32000. I tried a tip to list iptables rules, but nothing mentioning port 32000. I can start netcat -l -s -p 32000 just as none is using it. If I then curl -v :32000 I get a response from microk8s registry, not netcat. If I now run netstat, it lists netcat listening on port 32000. How is this possible? How can curl connect to this port no one is listening on (according to netstat)? How can I open this port for listening using netcat while registry obviously is already listening on it?

System: - Ubuntu 20.04.06 - net-tools 2.10-alpha - grep (GNU grep) 3.4 If I run netstat without sudo I see port information and no process information. This is expected as process information requires elevated privileges.

$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:43445         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:41933         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:42649         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:46059         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:45983         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5001            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5433            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:34903         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:37257         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:37081         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:38445         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:38335         0.0.0.0:*               LISTEN      -
tcp6       0      0 ::1:3350                :::*                    LISTEN      -
tcp6       0      0 ::1:631                 :::*                    LISTEN      -
tcp6       0      0 :::2377                 :::*                    LISTEN      -
tcp6       0      0 :::3389                 :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 :::25                   :::*                    LISTEN      -
tcp6       0      0 :::111                  :::*                    LISTEN      -
tcp6       0      0 :::443                  :::*                    LISTEN      -
tcp6       0      0 :::7946                 :::*                    LISTEN      -
tcp6       0      0 :::5001                 :::*                    LISTEN      -
tcp6       0      0 :::5433                 :::*                    LISTEN      -
tcp6       0      0 :::5432                 :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           -
udp        0      0 0.0.0.0:631             0.0.0.0:*                           -
udp        0      0 0.0.0.0:4789            0.0.0.0:*                           -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
udp        0      0 0.0.0.0:43294           0.0.0.0:*                           -
udp6       0      0 :::52206                :::*                                -
udp6       0      0 :::111                  :::*                                -
udp6       0      0 :::5353                 :::*                                -
udp6       0      0 :::7946                 :::*                                -

But if I try to send that output to grep I get an error that I need sudo priv. Why? None of the process information was shown on stdout, why would grep change that?

$ netstat -tulpn | grep 8080
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)

**TROUBLESHOOTING:** - This does not happen if I dont include -p (i.e. netstat -tuln | grep 8080) - This does not happen if I use smaller grep string (i.e. netstat -tulpn | grep 8) - Using ss does not show the same problem (i.e. ss -tulpn | grep 8080) What is going on here? Note: Yes I know netstat is deprecated and I should use ss instead, I am just curious why this behavior is happening.

On old 43BSD... netstat -f unix Active UNIX domain sockets Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr 801ca38c dgram 0 0 8008b5c0 0 0 0 /dev/log 801cc10c stream 0 0 8008e690 0 0 0 /dev/printer Address #socket address type #type: stream or dgram Inode #Inode? Conn #sockets connections Refs #? Nextref #? Addr #socket file Anyone know what does it mean "Refs" and "Nextref". As I know Refs is referred to routing, but in sockets there is no routing as I know.

How do i close a port listening on a local host in CentOS7? So far I have used the below command to find the process id sudo netstat -tlpn | grep 5601 Then, used the below command to kill the process but it starts up with new process id. sudo kill -SIGTERM 29565 Please help.

There is an old post about line truncation in netstat (Netstat output line width limit ) but my question is a bit different. I'm using netstat (net-tools 2.10) on Debian 12. My primary use is to list listening ports, e.g. netstat -tunlpWee I find the PID/Program name column to been too narrow. Is there a way to widen this? Option -T is unsupported. Option -W (--wide) does not help as this only affects IP addresses. Option -e is about "additional information," not "wider information." At this point, I see my only option to be to wrap netstat in a script and leverage ps to get a broader "program name." Unless ... I'm missing something obvious. UPDATE: Thanks, davidt930. That's disappointing. I came up with this solution:

#!/usr/bin/env bash
# show applications using ports
# use sudo to get the process name
# The "PID/Program name" as returned by netstat(8) is too narrow for my tastes.
# Therefore, I wrap netstat's output in a series of calls to ps(1) to get
# broader application details, i.e. the full command line.

PPWID=20
data=
while IFS= read -r ln ; do
  [ -z "$data" ] && {
    echo "$ln"
    [ "${ln/PID\/Program name/}" != "$ln" ] && data=Y || :
    continue
  } || :
  static="${ln:0:-$PPWID}"
  program="${ln:0-$PPWID}"
  [ "${program:0:1}" = "-" ] && command="(need privileges)" || {
    pid=${program%%/*}
    command=$(ps -o command -p $pid | tail -1)
  }
  echo "${static}${command}"
done< <(netstat -tunlpWee)

It's a tad fragile as it relies on netstat keeping the PID/Program name column fixed at 20.

Hi I feel like this is an obvious question but I haven't been able to get a good answer so far. Given the name of the service (which I know running on localhost) is there any networking command line tool like (netstat/ss) which will tell me what port that service is running at? Ideally something like:

$ some-program --service-name='mysql' localhost
'mysql' is running at localhost:3306

I feel like there are solutions out there but non of them address it adequately. For example I have considered the following two ss commands: 1. ss -tuln with output:

Netid   State    Recv-Q   Send-Q       Local Address:Port        Peer Address:Port   Process
udp     UNCONN   0        0            127.0.0.53%lo:53               0.0.0.0:*
udp     UNCONN   0        0                  0.0.0.0:21119            0.0.0.0:*
udp     UNCONN   0        0                  0.0.0.0:37766            0.0.0.0:*
udp     UNCONN   0        0                  0.0.0.0:54399            0.0.0.0:*
udp     UNCONN   0        0                  0.0.0.0:5353             0.0.0.0:*
udp     UNCONN   0        0                     [::]:51755               [::]:*
udp     UNCONN   0        0                     [::]:5353                [::]:*
udp     UNCONN   0        0                        *:1716                   *:*
tcp     LISTEN   0        100              127.0.0.1:25               0.0.0.0:*
tcp     LISTEN   0        70               127.0.0.1:33060            0.0.0.0:*
tcp     LISTEN   0        64                 0.0.0.0:59687            0.0.0.0:*
tcp     LISTEN   0        151              127.0.0.1:3306             0.0.0.0:*

and 2. ss -tul with output:

Netid   State    Recv-Q   Send-Q      Local Address:Port         Peer Address:Port   Process
udp     UNCONN   0        0                 0.0.0.0:36308             0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:36570             0.0.0.0:*
udp     UNCONN   0        0           127.0.0.53%lo:domain            0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:41124             0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:21119             0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:37766             0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:54399             0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:mdns              0.0.0.0:*
udp     UNCONN   0        0                 0.0.0.0:54522             0.0.0.0:*
udp     UNCONN   0        0                    [::]:51755                [::]:*
udp     UNCONN   0        0                    [::]:mdns                 [::]:*
udp     UNCONN   0        0                       *:1716                    *:*
tcp     LISTEN   0        100             127.0.0.1:smtp              0.0.0.0:*
tcp     LISTEN   0        70              127.0.0.1:33060             0.0.0.0:*
tcp     LISTEN   0        64                0.0.0.0:59687             0.0.0.0:*
tcp     LISTEN   0        151             127.0.0.1:mysql             0.0.0.0:*

The first command's output lists the port numbers that are listening while the second command's output is able to resolve them to the services running at the ports. But I can't somehow "combine" the two outputs where I can have the port number mapped to the service running, side by side. For example the rows:

tcp     LISTEN   0        151             127.0.0.1:mysql             0.0.0.0:*

and

tcp     LISTEN   0        151              127.0.0.1:3306             0.0.0.0:*

would be "combined" to give "127.0.0.1:3306 (mysql)" or something to that effect. I only know the above mapping because I googled what the default MySQL port is. Is there a way to do this? It must be said that I am only learning to use these networking tools so any guidance is much appreciated.

On computer 10.196.111.161, I can see the following established tcp connection: [10.196.111.161]# netstat -natp | grep 7000 Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp6 0 0 10.196.111.161:7000 10.196.111.180:41748 ESTABLISHED 19802/java At the same time, there is nothing reported on computer 10.196.111.180. [10.196.111.180]# netstat -nputw | grep 7000 (empty) How can I explain this? --- EDIT The client on 10.196.111.180, which connects to server 10.196.111.161, runs in a container (podman on RHEL). Why netcat is not showing connections originating in the container? Should I report details on our config files?