Netstat

Netstat is a useful command to learn more about the configuration of your system, and can be useful when troubleshooting connectivity issues related to the Transport and IP layer. Its great for checking your networking configuration and activity. Prints information about Linux Networking subsystems, such as routing tables, interface statistics, masquerade connections, and multicast memberships.

https://www.tecmint.com/20-netstat-commands-for-linux-network-management/

$ sudo netstat -lnp | grep :80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 919/apache

The first column tells you what protocol the port is using.

The second and third columns are the receive and send queues (both are set to 0 here).

The column you want to pay attention to is the fourth column, as it lists the local address on which the host is listening. Here the 0.0.0.0:80 tells us that the host is listening on all of its IPs for port 80 traffic. If Apache were listening only on web1’s Ethernet address, you would see 10.1.2.5:80 here.

The final column will tell you which process has the port open, or what process is listening on that port. Here you can see that Apache is running and listening. If you do not see this in your netstat output, you need to start your Apache server.

To see TCP-established connections, as well as process related information, such as PID and process state:

$ sudo netstat -tnp

This will provide information about open sockets and processes listening for connections along with their current state.

$ sudo netstat -tnpl (or -u)

If you see it like tcp6 as seen below, it is indicative that it is also listening on IPv4, even though tcp6. (This is by default, AF_INET6 sockets will actually work for both IPv4 and IPv6..reference)

# netstat -tulpna | grep :80
tcp6       0      0 :::80                   :::*                    LISTEN      4848/httpd

To see default gateway of different range of addresses, for all interfaces, run:

$ netstat -rn

Reference: Networking and Routing in Linux

How to read netstat output

$ sudo netstat -ntp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 172.31.33.239:33990     52.94.238.171:443       TIME_WAIT   -                   
tcp        0      0 172.31.33.239:41012     54.239.26.26:443        TIME_WAIT   -                   
tcp        0    180 172.31.33.239:22        72.21.196.65:30282      ESTABLISHED 17005/sshd: ec2-use 
tcp        0      0 172.31.33.239:45888     54.239.25.71:443        ESTABLISHED 2274/amazon-cloudwa 
tcp        0      0 172.31.33.239:22        72.21.196.65:31807      ESTABLISHED 11817/sshd: ec2-use 
tcp        0      0 172.31.33.239:33992     52.94.238.171:443       TIME_WAIT   -

• If the port (:22) is under Local Address and the ephemeral port (:30282) is under Foreign Address, then that connection is inbound.

• If the ephemeral port (:33990) is under Local Address and the well-known port (:443) is under Foreign Address, then that connection is outbound.

How to check what's listening on a port

# sudo netstat -tulpn | grep LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      794/systemd-resolve 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1024/sshd           
tcp6       0      0 :::22                   :::*                    LISTEN      1024/sshd           
tcp6       0      0 :::1500                 :::*                    LISTEN      1223/java

(Alternate) You can also use lsof:

# lsof -i -P -n | grep LISTEN
systemd-r  794 systemd-resolve   13u  IPv4  16800      0t0  TCP 127.0.0.53:53 (LISTEN)
sshd      1024            root    3u  IPv4  19859      0t0  TCP *:22 (LISTEN)
sshd      1024            root    4u  IPv6  19870      0t0  TCP *:22 (LISTEN)
java      1223 aws-replication   66u  IPv6  28058      0t0  TCP *:1500 (LISTEN)