6.5 Diagnostic Tools

6.5 Diagnostic Tools

netstat is one of the most basic network service debugging tools, telling you what ports are open and whether any programs are listening on ports. For example, if you want to view all open TCP ports, run this command:

netstat -t

Table 6-2 lists the netstat options.

Table 6-2: netstat Options




Prints TCP port information


Prints UDP port information


Prints listening ports


Prints every active port


Disables name lookups (useful if DNS isn't working)

Being able to list open and listening ports is good, but our good old friend lsof can go one step further.

6.5.1 lsof

In Section 4.8.1 you saw how lsof can track open files, but lsof can also list the programs currently using or listening to ports. For a complete list, run this command:

lsof -i

The output should look something like this:

portmap   520 daemon    3u  IPv4    150       UDP *:sunrpc
portmap   520 daemon    4u  IPv4    151       TCP *:sunrpc (LISTEN)
inetd     522   root    4u  IPv4    188       TCP *:discard (LISTEN)
inetd     522   root    5u  IPv4    189       UDP *:discard
inetd     522   root    6u  IPv4    190       TCP *:daytime (LISTEN)
inetd     522   root    7u  IPv4    191       UDP *:daytime
inetd     522   root    8u  IPv4    192       TCP *:time (LISTEN)
inetd     522   root    9u  IPv4    193       UDP *:time
inetd     522   root   11u  IPv4    195       TCP *:auth (LISTEN)
sshd      853   root    3u  IPv4    696       TCP *:ssh (LISTEN)
X         900   root    1u  IPv4    791       TCP *:6000 (LISTEN)

If you're looking for one port in particular (that is, if you know that a process is using a particular port and you want to know what that process is), use this version of the command:

lsof -i :port

The full syntax is

lsof -i protocol@host:port

protocol, @host, and :port are all optional. Specifying any of these parameters filters the lsof output accordingly. As with most other network utilities, host and port can be either names or numbers.

You can disable host-name resolution with the -n option. Finally, lsof -P forces numeric port listings.


If you don't have lsof on your system, you can run netstat -p to get the processes associated with ports. This is a Linux-specific netstat feature, but lsof is still far more flexible.

6.5.2 tcpdump

If you need to know what's happening on your network, tcpdump puts your network interface card into promiscuous mode and reports on every packet that crosses the wire.

tcpdump with no arguments produces output resembling the following sample, which includes an ARP request and Web connection:

tcpdump: listening on eth0
20:36:25.771304 arp who-has mikado.example.com tell duplex.example.com
20:36:25.774729 arp reply mikado.example.com is-at 0:2:2d:b:ee:4e
20:36:25.774796 duplex.example.com.48455 > mikado.example.com.www: S
3200063165:3200063165(0) win 5840 <mss 1460,sackOK,timestamp 38815804[|tcp]>
20:36:25.779283 mikado.example.com.www > duplex.example.com.48455: S
3494716463:3494716463(0) ack 3200063166 win 5792 <mss 1460,sackOK,timestamp
4620[|tcp]> (DF)
20:36:25.779409 duplex.example.com.48455 > mikado.example.com.www: . ack 1 win
5840 <nop,nop,timestamp 38815805 4620> (DF)
20:36:25.779787 duplex.example.com.48455 > mikado.example.com.www: P
1:427(426) ack 1 win 5840 <nop,nop,timestamp 38815805 4620> (DF)
20:36:25.784012 mikado.example.com.www > duplex.example.com.48455: . ack 427
win 6432 <nop,nop,timestamp 4620 38815805> (DF)
20:36:25.845645 mikado.example.com.www > duplex.example.com.48455: P
1:773(772) ack 427 win 6432 <nop,nop,timestamp 4626 38815805> (DF)
20:36:25.845732 duplex.example.com.48455 > mikado.example.com.www: . ack 773
win 6948 <nop,nop,timestamp 38815812 4626> (DF)

9 packets received by filter
0 packets dropped by kernel

You can tell tcpdump to be more specific by adding some filtering arguments. You can filter based on source and destination hosts, networks, Ethernet addresses, protocols at many different layers in the network model, and much more. Among the many packet protocols that tcpdump recognizes are ARP, RARP, ICMP, TCP, UDP, IP, IPv6, AppleTalk, and IPX packets. For example, if you want tcpdump to output only TCP packets, run this command:

tcpdump tcp

If you want to see Web packets and UDP packets, use this command:

tcpdump udp or port 80

In the preceding examples, tcp, udp, and port 80 are called primitives. The most important primitives are in Table 6-3:

Table 6-3: tcpdump Primitives


Packet Specification


TCP packets


UDP packets

port port

TCP and/or UDP packets to/from port port

host host

Packets to or from host

net network

Packets to or from network

As you saw in the example, or is an operator. Other operators include and and !; you may use parentheses for grouping. If you're going to do any serious work with tcpdump, make sure that you read the manual page, especially the section that describes the primitives.


Use good judgment when using tcpdump. The output shown earlier in this section includes only packet TCP (transport layer) and IP (Internet layer) header information, but you can also make tcpdump print the entire packet contents. Even though many network operators make it far too easy to look at their network packets, it doesn't mean that you should. Don't snoop around on networks other than the ones you own, unless you happen to be in the espionage business and understand the risks of having sensitive wiretapped data.

If you find that you need to do a lot of packet sniffing, you should probably consider a GUI alternative to tcpdump named Ethereal.

6.5.3 Netcat

If you need more flexibility in connecting to a remote host than a command such as telnet host port allows, use netcat (or nc). Netcat can connect to remote TCP/UDP ports, specify a local port, listen on ports, scan ports, redirect standard I/O to and from network connections, and more.

To open a TCP connection to a port, run this command:

netcat host port

netcat does not terminate until the other side of the connection ends the connection. This can confuse you if you redirect standard input to netcat. You can end the connection at any time by pressing CONTROL-C.

To listen on a port, run this command:

netcat -l -p port


There are two versions of netcat. The somewhat quirky original has just one executable name, nc, with a final version number of around 1.10. However, there is a newer GNU version using the name netcat, though the current version numbers are lower than the original. The new version includes several improvements, not the least of which is a manual page.

The netcat utility is very specific in its treatment of the network connection; in particular, it does not like to exit until the network connection has terminated. If this behavior doesn't suit your application (in particular, if you'd like the program and network connection to terminate based on the standard input stream), try the sock program instead.