How to find out Active Connections or which Ports are open/listening on Linux

While managing a server or your home desktop, sometimes you might want to check out which ports are currently being used by which applications, what all TCP/UDP connections are active at the moment or other similar cases. There are two basic command line tools present in almost all the Linux/UNIX based systems - netstat and lsof, that might help you out with such queries.

Before starting it would be good to know about these two commands.

  • Netstat is used to display network connections, routing tables and a whole bunch of network and interface stats.
  • lsof on the other hand is used to list out open files. So, if you want to find out what all files are currently open just run lsof.  And since in Linux "Everything is a File", we can use lsof to print network connections too.

Lets start learning by resolving common queries.

How to display a list of open ports?

This can be done using both netstat and lsof.

[shredder12]$ netstat -n -A inet

-n is used to display numeric addresses instead of trying to determine symbolic hostnames

-A is used to define the address family we are concerned with. Here its internet connections on IPv4 network, so inet(user inet6 for IPv6 connections).

[shredder12]$ lsof -i

How to display a list of Active connections?

In case you noticed the output of the command mentioned above, they actually show the active connections.

[shredder12]$ netstat -n -A  inet

[shredder12]$ lsof -i

How to display a list of listening ports?

Use the --listen flag with netstat to get a list.

[shredder12]$ netstat --listen -A inet

How to display a list of active TCP or UDP connections?

With netstat, we can use the flag -t to denote TCP connections only.

[shredder12]$ netstat -n -A inet -t

similarly, -u for UDP connections.

The -i flag of lsof provides a lot of configurable options. Use the following command to filter out TCP connections.

[shredder12]$ lsof -i4TCP

Please note no space between i4 and TCP. This means TCP connections on IPv4 network. Similary one can use i6 for IPv6 and UDP for udp connections.

How to find out all the ports being used by a single application or process using PID?

With netstat option -p you can even list out the program a port/socket is associated with. So, lets run -p with our active connections command and grep the pid.

[shredder12]$ netstat -A inet -n -p | grep 1413

You can find out the PID of a process using ps or pgrep.

[shredder12]$ ps -e | grep firefox

[shredder12]$ pgrep firefox

How to find out all the files being used by a program or application using PID?

Since we are concerned with files, lsof comes into play here. Here the -p option used along with the PID to catch the files associated with that process.

[shredder12]$ lsof -i4TCP -a -p 1413

The -a flag is used to tell lsof to AND the result of all the options used.

I hope this will help you out. If you want something to be added/modified/removed from here or have any other query just leave a comment

4 Comments

ditatompel (not verified)
May 18th, 2010 03:45 am
hi.. im using backtrack, this is also can be use for checking the established connection.

[user]@bt:~$ netstat -an | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | awk '{ printf("%s\t%s\t",$2,$1) ; for (i = 0; i < $1; i++) {printf("*")}; print "" }'

Just want to share, hope can be useful.. =)
Tom Kha Gai (not verified)
June 2nd, 2010 09:42 am
For a graphical program see netactview on Sourceforge.net.
Anon Linuxer (not verified)
September 6th, 2010 04:57 pm
hi, if i am using "netstat -a" command, can you tell me specifically which line could be the IP or computer name was connected on me?.. thanks..
ditatompel (not verified)
September 7th, 2010 12:36 am
The netstat -a command is to show the state of all sockets.
Look up at Foreign Address, that's the IP or computer name was connected to you.
Look up at Session States status in netstat output, usually you may get:
  • LISTEN = accepting connections
  • ESTABLISHED = connection up and passing data
  • CLOSE_WAIT = TCP; remote endpoint has shut down; the kernel is waiting for the application to close the socket
  • TIME_WAIT = TCP; socket is waiting after closing for any packets left on the network
  • CLOSED = socket is not being used
  • CLOSING = TCP; our socket is shut down; remote endpoint is shut down; not all data has been sent

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Allowed HTML tags: <img> <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote> <h1> <h2> <h3> <h4> <h5> <h6> <p> <br>
  • You may post code using <code>...</code> (generic) or <?php ... ?> (highlighted PHP) tags.
  • Image links with 'rel="lightbox"' in the <a> tag will appear in a Lightbox when clicked on.

More information about formatting options

Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.