1. Overview

A powerful command-line tool for troubleshooting issues involving network connectivity is the netstat (network statistics) command. This command is present in Linux-based operating systems as well as being available on Windows systems.

The netstat tool allows the monitoring of both inbound and outbound connections that exist between the local host and any remote resources for which there is IP connectivity. It is also capable of providing in-depth details on overall traffic activity. This is not the extent of the information that netstat is capable of conveying but delving into this additional functionality is beyond the scope of this document. This document only serves as a succinct overview on how to use netstat for day-to-day, network connectivity troubleshooting.

Example netstat output

netstat

2. Useful flags

Below is a listing of several, handy flags that can be used with the netstat command. Please note that this is not a comprehensive catalog of all of the available netstat flags. If netstat is used without any flags it will display information on all known connections (see above screenshot). In networking parlance these connections are more commonly referred to as “sockets”.

Useful netstat Flags
-a : Display all active TCP sockets and UDP listening ports
-i : Display a listing of all network interfaces on the local host
-n : Display addresses and ports in numeric form. This flag makes for a more readable and easily parsed output. This is arguably the most useful of the flags
-s : Display protocol statistics of the local host
-p : Display connections or statistics for a specific protocol

Protocol Options
tcp : TCP IP version 4(IPv4) protocol
udp : UDP IP version 4(IPv4) protocol
tcpv6 : TCP IP version 6 (IPv6) protocol
udpv6 : UDP IP version 6 (IPv6) protocol

Depending upon the OS from which you’re issuing the netstat command there will usually be either 4 columns (Windows) or 6 columns (Linux-based OS) of information displayed.

Windows netstat Columns
Proto : Protocol of the listed socket. This will be either TCP or UDP
Local Address : IP Address and port of the local host’s interface
Foreign Address : IP Address and port of the remote host’s interface
State : The current status of the listed socket. This column is only applicable to TCP connections

Most Common Socket States
LISTEN : Awaiting connection from remote host
ESTABLISHED : Active socket between local host and remote host
CLOSE : The socket is not being used
CLOSE_WAIT : The remote host has closed the socket on its end and the local host has yet to do likewise

Linux-based netstat Columns
Proto : Protocol of the listed socket
Recv-Q : Number of bytes in the Receive Queue for the listed socket
Send-Q : Number of bytes in the Send Queue for the listed socket
Local Address : IP Address and port of the local host’s interface
Foreign Address : IP Address and port of the remote host’s interface
State : The current status of the listed socket. This column is only applicable to TCP sockets

Most Common Socket States
LISTEN : Awaiting connection from remote host
ESTABLISHED : Active socket between local host and remote host
CLOSE : The socket is not being used
CLOSE_WAIT : The remote host has closed the socket on its end and the local host has yet to do likewise

3. Troubleshooting connectivity issues between Defender and Console

The netstat command can be quite useful in troubleshooting connectivity issues between Defenders and Console. Unlike ping or curl, netstat is a passive command used for monitoring and does not actively create connections or generate traffic of any sort.

It is possible to run netstat from within Defender or Console containers, by exec’ing into them.

$ docker exec -it <container> /bin/sh

When running netstat pay close attention to the status listed in the State column for any connections of interest. Seeing that there is an ESTABLISHED socket between a Local Address and Foreign Address is a good indication that connectivity is functioning as it should.

Example usage of netstat

  • Display all active TCP connections and UDP listening ports. This is accomplished by use of the “-a” flag. It displays addresses in dotted format. The “-n” flag provides an easier to understand display of IP addresses and ports. Both are displayed numerically.

    netstat -an

    netstat an
  • The following example, which can be run from within the Prisma Cloud Console or Defender containers, would provide a constantly updated display of any IPv4 TCP sockets involving port 8084. The “-anp tcp” flags provide information on all IPv4 TCP connections in numeric format, while the grep command only displays those sockets in which either the source or destination port is 8084. The watch command will update the netstat results every couple of seconds until it is manually terminated.

    watch “netstat -anp tcp | grep “:8084””

    netstat watch
  • To display a listing of all of the locally configured network interfaces, and their corresponding IP addresses, use the “-I” flag. At present, the “-i” flag is not supported by the version of netstat present in the Console and Defender containers. It should be possible to run this at the host level.

    netstat -i

    netstat i
  • In order to display detailed protocol statistics (ie. TCP, UDP, etc.), for all network interfaces, execute netstat with the “-s” flag. This command provides a copious amount of network traffic information regarding the local host. At present, the “-s” flag is not supported by the version of netstat present in the Console and Defender containers. It should be possible to run this at the host level.

    netstat -s

    netstat s