Provided by: netstat-nat_2a-1_amd64

NAME

       netstat-nat — extract and filter NAT/firewall connection data

SYNOPSIS

       netstat-nat  [-no]  [-x|-X[width]]  {[-G]  [-S|-D]}|[-L|-R]  [-s source]…  [-d destination]…  [-g gateway]…
                   [-p protocol]… [-r {src,dst,gate}{,-port}|state] [nf_conntrack]

DESCRIPTION

       All network-enabled hosts track ongoing network connections, but this  is  especially  true  of  stateful
       firewalls  and  gateways  (routers)  which  perform  network  address  translation.   Under  Linux,  this
       information is accounted by the netfilter framework,  tracking  connectionless  protocols  (like  udp(7),
       icmp(7)) in addition to the connection-based ones (like tcp(7)).

       netstat-nat parses nf_conntrack (/proc/net/nf_conntrack by default, or the standard input stream if "-"),
       filters  it  so  it  only has NAT connections (by default, cf. -LR), looks up the canonical names for the
       hosts and ports (unless -n), and presents it in a table:
           Proto NATed Address                  Destination Address            State
           icmp  10.179.163.88                  tarta.nabijaczleweli.xyz
           icmp  10.200.233.12                  tarta.nabijaczleweli.xyz
           tcp   10.32.144.39.host.securi:63770 tarta.nabijaczleweli.xyz:https TIME_WAIT
           tcp   10.32.144.39.host.securi:64361 tarta.nabijaczleweli.xyz:http  TIME_WAIT
           tcp   10.72.217.111:33864            tarta.nabijaczleweli.xyz:5900  TIME_WAIT
           tcp   10.72.217.111:39074            tarta.nabijaczleweli.xyz:5900  TIME_WAIT
           tcp   nabijaczleweli.nabijaczl:20985 lb-10-268-216-78-iad.git:https ESTABLISHED
           tcp   nabijaczleweli.nabijaczl:21047 waw07s05-in-f4.1e100.net:http  TIME_WAIT
           tcp   nabijaczleweli.nabijaczl:20751 waw07s05-in-f14.1e100.ne:https ESTABLISHED
           tcp   nabijaczleweli.nabijaczl:17906 101010.pl:https                ESTABLISHED
           tcp   192.168.1.136:38216            lt-in-f188.1e100.net:5228      ESTABLISHED
           tcp   192.168.1.136:38330            lt-in-f188.1e100.net:5228      ESTABLISHED
           tcp   192.168.1.136:39972            lt-in-f188.1e100.net:5228      ESTABLISHED
           tcp   192.168.1.136:40092            lt-in-f188.1e100.net:5228      ESTABLISHED
           udp   rozbian.nabijaczleweli.x:46115 10.158.103.58:https            ASSURED
           udp   rozbian.nabijaczleweli.x:42560 10.69.17.108:https             ASSURED
           udp   rozbian.nabijaczleweli.x:44786 10.140.3.34:https              ASSURED
           udp   rozbian.nabijaczleweli.x:47079 10.140.3.34:https              UNREPLIED
           udp   192.168.1.185:3076             ec2-10-213-30-29.eu-cent:https ASSURED
           udp   tarta.nabijaczleweli.xyz:39517 ns-153.awsdns-19.com:domain
           udp   tarta.nabijaczleweli.xyz:16829 ns-1007.awsdns-61.net:domain
           udp   tarta.nabijaczleweli.xyz:46874 ns-1411.awsdns-48.org:domain
       herein we can see: two ongoing incoming ICMP queries (no state available); many remote hosts are  calling
       tarta  (and it is the one to hang up); local hosts nabijaczleweli and 192.168.1.136 are generally calling
       google; that the HTTP/3 revolution is real; and that tarta is querying  some  DNS  servers  (they  didn't
       reply yet).

       The state column can be any of
       ESTABLISHED  a functional ongoing connection
       ASSURED      similar, but for connectionless protocols
       (blank)      either  no  connection state is tracked (like in ICMP), or waiting for remote reply (like in
                    UDP)
       UNREPLIED    remote didn't reply for longer than the expected time-out

       TIME_WAIT    the local side of the connection was closed, delayed  remote  packets  are  being  collected
                    before recycling
       FIN_WAIT     the  remote  side  of  the  connection  was closed, waiting for acknowledgement (→FIN, ACK→,
                    waiting for →FIN)
       SYN_RECV     a remote client started opening a connection, but  didn't  acknowledge  the  local  response
                    (→SYN, SYN,ACK→, waiting for →ACK)
       SYN_SENT     a  local client started opening a connection, but remote didn't yet accept it (SYN→, waiting
                    for →SYN,ACK)
       CLOSE        TIME_WAIT because connection was closed forcibly (→RST)
       the last 5 only really apply to TCP-like protocols.

       With -L (or -R) on tarta the table looks very similar (-nX21 added as well), but loopback connections  also
       appear:
           Proto Source Address        Destination Address   State
           tcp   [::1]:49118           [::1]:9928            TIME_WAIT
           tcp   [::1]:50624           [::1]:80              ESTABLISHED
           tcp   10.221.132.191:35862  192.168.1.250:5900    TIME_WAIT
           tcp   127.0.0.1:34030       127.0.0.1:8213        TIME_WAIT
           tcp   127.0.0.1:52476       127.0.1.1:3493        ESTABLISHED
           tcp   10.176.163.40:51167   192.168.1.250:443     TIME_WAIT
           tcp   10.62.134.22:23178    192.168.1.250:80      SYN_RECV
           tcp   10.62.134.22:47444    192.168.1.250:80      SYN_RECV
           udp   127.0.0.1:42738       127.0.0.1:323
           udp   127.0.0.1:44850       127.0.0.1:5353
           udp   127.0.0.1:46444       127.0.0.1:53          ASSURED
           udp   192.168.1.144:20407   192.168.1.250:53
           udp   192.168.1.146:59266   192.168.1.250:53
           udp   192.168.1.204:35989   192.168.1.250:53
           udp   192.168.1.250:23225   10.46.8.231:53
           udp   192.168.1.250:11300   10.11.28.69:53
           udp   192.168.1.250:51413   10.116.123.52:6881    ASSURED
       (Public addresses were anonymised as 10/8 in both tables; both tables heavily abridged.)

OPTIONS

       -n                Don't try to resolve IP addresses to  hostnames  nor  port  numbers  to  service  names
                         (hosts(5), services(5)) — just normalise them.
       -o                Don't output the table header line.
       -x                Widen the table: addresses are 40 instead of 30 columns wide.
       -X                Widen   the  table:  address  columns  are  the  width  of  a  fully-specified  ipv6(7)
                         address + port (like [fc00:e355:e73f:b463:a28e:529d:7838:65be]:34012).
       -Xwidth           Widen the table: address columns use the given width.

       -G (also -N)      Add a Gateway Address column between the source and destination columns — this  is  the
                         outside-facing address of the node performing NAT.

       -S                Only show connections this node facilitates from its local network to the outside world
                         (SNAT — source NAT).  Overrides -D.
       -D                Only show connections this node facilitates to its local network from the outside world
                         (DNAT — destination NAT).  Overrides -S.
       By default, the table is filtered as-if -S and -D were used additively instead of subtractively.
       -L                Only  show  direct connections made by this node (and any of its configured addresses).
                         This still includes hosts outside the local network.  Disables -SDG.  Overrides -R.
       -R                Only show non-NAT connections that don't involve this node('s addresses) at  all  (This
                         is  most  likely  because  their destinations are broadcast addresses.)  Disables -SDG.
                         Overrides -L.
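
       As an added illustration of the parsing and partitioning described in DESCRIPTION and by the -S/-D/-L/-R
       options above (example code written for this page, not netstat-nat's own source): the script below reads
       nf_conntrack-format lines, compares each entry's original tuple with its reply tuple to decide whether the
       source or the destination was rewritten, and emits rows in the column order of the -G table. The sample
       lines, every address in them, and the LOCAL_ADDRS set are constructed; the real tool takes the local
       address set from the system (getifaddrs(3)) or from NETSTAT_NAT_LOCAL_ADDRS. The layout assumed for each
       line (l3 name, l3 number, l4 name, l4 number, timeout, optional TCP state, original tuple, optional
       [UNREPLIED], reply tuple, optional [ASSURED], mark/zone/use) is the Linux /proc/net/nf_conntrack format.

```python
import re
from dataclasses import dataclass

# Constructed sample of /proc/net/nf_conntrack lines (not taken from the man page).
# 203.0.113.1 stands in for the gateway's public address, 10.0.0.1 for its LAN
# address, and 10.0.0.0/24 for the LAN behind it.
SAMPLE = """\
ipv4     2 tcp      6 431990 ESTABLISHED src=10.0.0.5 dst=198.51.100.9 sport=38216 dport=5228 src=198.51.100.9 dst=203.0.113.1 sport=5228 dport=38216 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=198.51.100.20 dst=203.0.113.1 sport=63770 dport=443 src=10.0.0.7 dst=198.51.100.20 sport=443 dport=63770 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=46115 dport=443 src=198.51.100.53 dst=203.0.113.1 sport=443 dport=46115 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=203.0.113.1 dst=198.51.100.53 sport=39517 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.1 sport=53 dport=39517 mark=0 zone=0 use=2
ipv4     2 tcp      6 30 SYN_RECV src=198.51.100.30 dst=203.0.113.1 sport=23178 dport=80 src=203.0.113.1 dst=198.51.100.30 sport=80 dport=23178 mark=0 zone=0 use=2
ipv6    10 tcp      6 117 TIME_WAIT src=::1 dst=::1 sport=49118 dport=9928 src=::1 dst=::1 sport=9928 dport=49118 [ASSURED] mark=0 zone=0 use=2
ipv4     2 icmp     1 29 src=10.0.0.9 dst=10.0.0.1 type=8 code=0 id=1234 src=10.0.0.1 dst=10.0.0.9 type=0 code=0 id=1234 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=10.0.0.144 dst=10.0.0.255 sport=20407 dport=137 [UNREPLIED] src=10.0.0.255 dst=10.0.0.144 sport=137 dport=20407 mark=0 zone=0 use=2
"""

# Constructed stand-in for what NETSTAT_NAT_LOCAL_ADDRS / getifaddrs(3) would supply.
LOCAL_ADDRS = {"203.0.113.1", "10.0.0.1", "::1"}

TUPLE_KEYS = {"src", "dst", "sport", "dport"}
KV = re.compile(r"^(\w+)=(\S+)$")


@dataclass
class Flow:
    proto: str
    state: str
    orig: dict    # tuple as seen in the original direction (pre-NAT)
    reply: dict   # tuple as seen in the reply direction (post-NAT)


def parse_line(line):
    """Parse one nf_conntrack line into a Flow; return None for anything else."""
    tok = line.split()
    if len(tok) < 5:
        return None
    rest = tok[5:]                        # everything after the timeout field
    state = ""
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)               # TCP-like protocols carry a state word here
    tuples, idx, flags = [{}, {}], -1, set()
    for t in rest:
        if t.startswith("[") and t.endswith("]"):
            flags.add(t[1:-1])            # [UNREPLIED] / [ASSURED]
            continue
        m = KV.match(t)
        if not m or m.group(1) not in TUPLE_KEYS:
            continue                      # skip type=/code=/id=/mark=/zone=/use=
        if m.group(1) == "src":
            idx += 1                      # the second src= opens the reply tuple
        if 0 <= idx <= 1:
            tuples[idx][m.group(1)] = m.group(2)
    if "dst" not in tuples[1]:
        return None
    if not state:                         # connectionless: derive the state from the flags
        state = "UNREPLIED" if "UNREPLIED" in flags else "ASSURED" if "ASSURED" in flags else ""
    return Flow(tok[2], state, tuples[0], tuples[1])


def endpoint(t, addr_key, port_key):
    """Render address[:port]; IPv6 literals are bracketed as in the -X output."""
    addr = t[addr_key]
    if ":" in addr:
        addr = f"[{addr}]"
    return f"{addr}:{t[port_key]}" if port_key in t else addr


def classify(flow, local_addrs):
    """SNAT: source rewritten; DNAT: destination rewritten; else LOCAL (-L) or OTHER (-R)."""
    o, r = flow.orig, flow.reply
    snat = (o["src"], o.get("sport")) != (r["dst"], r.get("dport"))
    dnat = (o["dst"], o.get("dport")) != (r["src"], r.get("sport"))
    if snat and dnat:
        return "SNAT+DNAT"
    if snat:
        return "SNAT"
    if dnat:
        return "DNAT"
    if o["src"] in local_addrs or o["dst"] in local_addrs:
        return "LOCAL"
    return "OTHER"


def table(text, local_addrs=LOCAL_ADDRS, mode="NAT"):
    """Rows of (proto, source, destination, gateway, state); mode is NAT, S, D, L or R."""
    wanted = {"NAT": {"SNAT", "DNAT", "SNAT+DNAT"}, "S": {"SNAT", "SNAT+DNAT"},
              "D": {"DNAT", "SNAT+DNAT"}, "L": {"LOCAL"}, "R": {"OTHER"}}[mode]
    rows = []
    for line in text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        kind = classify(f, local_addrs)
        if kind not in wanted:
            continue
        src = endpoint(f.orig, "src", "sport")
        dst = endpoint(f.reply, "src", "sport")       # the real destination, after any DNAT
        gw = ""
        if kind == "DNAT":
            gw = endpoint(f.orig, "dst", "dport")     # public address the outside caller hit
        elif kind in ("SNAT", "SNAT+DNAT"):
            gw = endpoint(f.reply, "dst", "dport")    # public address the LAN host appears as
        rows.append((f.proto, src, dst, gw, f.state))
    # partition by L4 protocol, then sort lexicographically by source (the -r src default)
    return sorted(rows, key=lambda r: (r[0], r[1]))


if __name__ == "__main__":
    for mode in ("NAT", "L", "R"):
        print(f"-- mode {mode}")
        for proto, src, dst, gw, state in table(SAMPLE, mode=mode):
            print(f"{proto:5} {src:24} {gw:20} {dst:24} {state}")
```

       The NAT test is the comparison of the two tuples: an entry is SNAT when its original source differs from
       its reply destination, and DNAT when its original destination differs from its reply source; entries
       with no rewrite at all are split into -L and -R by whether a configured local address appears in them.
       To run it against a live table, replace SAMPLE with the contents of /proc/net/nf_conntrack (root is
       normally required to read it) and LOCAL_ADDRS with the node's actual addresses.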

       -s source,…       Hide connections that don't originate from sources (parsed as an address or  looked  up
                         in DNS (getaddrinfo(3)); comma- or whitespace-separated, or specify multiple times).
       -d destination,…  Hide connections that aren't targeting destinations (likewise).
       -g gateway,…      Hide connections that aren't going through gateways (likewise).
       -p protocol,…     Hide connections that aren't formed by these layer 4 protocols (like UDP, TCP, or ICMP)
                         (case-insensitive; likewise).

       -r {src,dst,gate}{,-port}|state
                         Sort the output by the given column (after partitioning by L4 protocol):
                             src        source address (this is the default)
                             dst        destination address
                             src-port   source port
                             dst-port   destination port
                             state      connection state
                             gate       gateway address
                             gate-port  gateway port
                         ties  are  then  broken  in  this  order.  Everything is sorted lexicographically (as a
                         string), before address/port→name lookup (unless disabled by -n).

FILES

       /proc/net/nf_conntrack: Contains the current netfilter connections.  This is  usually  only  readable  by
       root.

ENVIRONMENT VARIABLES

       NETSTAT_NAT_LOCAL_ADDRS:  If  set,  contains  a  comma-  or  whitespace-separated list of addresses to be
       considered local.  This supersedes any real system state (for use with nf_conntrack backups).

EXIT STATUS

       1 if nf_conntrack couldn't be opened or a source, destination, or gateway didn't exist.

SEE ALSO

       conntrack(8) provides a read-write interface to this table.

       getaddrinfo(3), getifaddrs(3), getnameinfo(3), hosts(5), services(5)

netstat-nat-ng 2a-1                            September 18, 2024                                 NETSTAT-NAT(1)