You can use the netstat command to list all of the active and pending TCP/IP connections between your machine and every other machine on the Internet. This command is very important if you suspect that somebody is breaking into your computer or using your computer to break into another one. netstat lets you see which machines your machine is talking to over the network. The command's output includes the host and port number of each end of the connection, as well as the number of bytes in the receive and transmit queues. If a port has a name assigned in the /etc/services file, netstat will print it instead of the port number.
Normally, the netstat command displays UNIX domain sockets in addition to IP sockets. You can restrict the display to IP sockets only by using the -f inet option.
Sample output from the netstat command looks like this:
charon% netstat -f inet Active Internet connections Proto Recv-Q Send- Q Local Address Foreign Address (state) tcp 0 0 CHARON.MIT.EDU.telnet GHOTI.LCS.MIT.ED.1300 ESTABLISHED tcp 0 0 CHARON.MIT.EDU.telnet amway.ch.apollo..4196 ESTABLISHED tcp 4096 0 CHARON.MIT.EDU.1313 E40-008-7.MIT.ED.telne ESTABLISHED tcp 0 0 CHARON.MIT.EDU.1312 MINT.LCS.MIT.EDU.6001 ESTABLISHED tcp 0 0 CHARON.MIT.EDU.1309 MINT.LCS.MIT.EDU.6001 ESTABLISHED tcp 0 0 CHARON.MIT.EDU.telnet MINT.LCS.MIT.EDU.1218 ESTABLISHED tcp 0 0 CHARON.MIT.EDU.1308 E40-008-7.MIT.ED.telne ESTABLISHED tcp 0 0 CHARON.MIT.EDU.login RING0.MIT.EDU.1023 ESTABLISHED tcp 0 0 CHARON.MIT.EDU.1030 *.* LISTEN
The first two lines of this output indicate Telnet connections between the machines GHOTI.LCS.MIT.EDUu and AMWAY.CH.APOLLO.COM and the machine CHARON.MIT.EDU . Both of these connections originated at the remote machine and represent interactive sessions currently being run on CHARON ; you can tell this because these ports are greater than 1023 and are connected to the Telnet port. (They may or may not be unnamed.) Likewise, the third Telnet connection, between CHARON and E40-008-7.MIT.EDU, originated at CHARON to the machine E40-008-7. The next two lines are connections to port 6001 (the X Window Server) on MINT.LCS.MIT.EDU. There is a Telnet from MINT to CHARON , one from CHARON to E40-008-7.MIT.EDU, and an rlogin from RINGO.MIT.EDU to CHARON . The last line indicates that a user program running on CHARON is listening for connections on port 1030. If you run netstat on your computer, you are likely to see many connections. If you use the X Window System, you may also see " UNIX domain sockets" that are the local network connections from your X clients to the X Window Server.
With the -a option, netstat will also print a list of all of the TCP and UDP sockets to which programs are listening. Using the -a option will provide you with a list of all the ports that programs and users outside your computer can use to enter the system via the network. (Unfortunately, netstat will not give you the name of the program that is listening on the socket.):
charon% netstat -a -f inet Active Internet connections Proto Recv-Q Send- Q Local Address Foreign Address (state) Previous netstat printout ... tcp 0 0 *.telnet *.* LISTEN tcp 0 0 *.smtp *.* LISTEN tcp 0 0 *.finger *.* LISTEN tcp 0 0 *.printer *.* LISTEN tcp 0 0 *.time *.* LISTEN tcp 0 0 *.daytime *.* LISTEN tcp 0 0 *.chargen *.* LISTEN tcp 0 0 *.discard *.* LISTEN tcp 0 0 *.echo *.* LISTEN tcp 0 0 *.exec *.* LISTEN tcp 0 0 *.login *.* LISTEN tcp 0 0 *.shell *.* LISTEN tcp 0 0 *.ftp *.* LISTEN udp 0 0 *.time *.* udp 0 0 *.daytime *.* udp 0 0 *.chargen *.* udp 0 0 *.discard *.* udp 0 0 *.echo *.* udp 0 0 *.ntalk *.* udp 0 0 *.talk *.* udp 0 0 *.biff *.* udp 0 0 *.tftp *.* udp 0 0 *.syslog *.* charon%