NETSTAT-NAT(1)               General Commands Manual             NETSTAT-NAT(1)

NAME
       netstat-nat — extract and filter NAT/firewall connection data

SYNOPSIS
       netstat-nat  [-no]  [-x|-X[width]]  {[-G]  [-S|-D]}|[-L|-R]  [-s ource]…
                   [-d estination]…         [-g ateway]…          [-p rotocol]…
                   [-r {src,dst,gate}{,-port}|state] [nf_conntrack]

DESCRIPTION
       All network-enabled hosts track ongoing network connections, but this is
       especially  true of stateful firewalls and gateways (routers) which per-
       form network address translation.  Under Linux, this information is  ac-
       counted  by  the  netfilter framework, tracking connectionless protocols
       (like udp(7), icmp(7)) in addition to the  connection-based  ones  (like
       tcp(7)).

       netstat-nat  parses  nf_conntrack (/proc/net/nf_conntrack by default, or
       the standard input stream if "-"), filters it so it only has NAT connec-
       tions (by default, cf. -LR), looks up the canonical names for the  hosts
       and ports (unless -n), and presents it in a table:
           Proto NATed Address                  Destination Address            State
           icmp  10.179.163.88                  tarta.nabijaczleweli.xyz
           icmp  10.200.233.12                  tarta.nabijaczleweli.xyz
           tcp   10.32.144.39.host.securi:63770 tarta.nabijaczleweli.xyz:https TIME_WAIT
           tcp   10.32.144.39.host.securi:64361 tarta.nabijaczleweli.xyz:http  TIME_WAIT
           tcp   10.72.217.111:33864            tarta.nabijaczleweli.xyz:5900  TIME_WAIT
           tcp   10.72.217.111:39074            tarta.nabijaczleweli.xyz:5900  TIME_WAIT
           tcp   nabijaczleweli.nabijaczl:20985 lb-10-268-216-78-iad.git:https ESTABLISHED
           tcp   nabijaczleweli.nabijaczl:21047 waw07s05-in-f4.1e100.net:http  TIME_WAIT
           tcp   nabijaczleweli.nabijaczl:20751 waw07s05-in-f14.1e100.ne:https ESTABLISHED
           tcp   nabijaczleweli.nabijaczl:17906 101010.pl:https                ESTABLISHED
           tcp   192.168.1.136:38216            lt-in-f188.1e100.net:5228      ESTABLISHED
           tcp   192.168.1.136:38330            lt-in-f188.1e100.net:5228      ESTABLISHED
           tcp   192.168.1.136:39972            lt-in-f188.1e100.net:5228      ESTABLISHED
           tcp   192.168.1.136:40092            lt-in-f188.1e100.net:5228      ESTABLISHED
           udp   rozbian.nabijaczleweli.x:46115 10.158.103.58:https            ASSURED
           udp   rozbian.nabijaczleweli.x:42560 10.69.17.108:https             ASSURED
           udp   rozbian.nabijaczleweli.x:44786 10.140.3.34:https              ASSURED
           udp   rozbian.nabijaczleweli.x:47079 10.140.3.34:https              UNREPLIED
           udp   192.168.1.185:3076             ec2-10-213-30-29.eu-cent:https ASSURED
           udp   tarta.nabijaczleweli.xyz:39517 ns-153.awsdns-19.com:domain
           udp   tarta.nabijaczleweli.xyz:16829 ns-1007.awsdns-61.net:domain
           udp   tarta.nabijaczleweli.xyz:46874 ns-1411.awsdns-48.org:domain
       herein  we  can  see: two ongoing incoming ICMP queries (no state avail-
       able); many remote hosts are calling tarta (and it is the  one  to  hang
       up);  local hosts nabijaczleweli and 192.168.1.136 are generally calling
       google; that the HTTP/3 revolution is real; and that tarta  is  querying
       some DNS servers (they didn't reply yet).

       The state column can be any of
       ESTABLISHED  a functional ongoing connection
       ASSURED      similar, but for connectionless protocols
       (blank)      either  no  connection  state is tracked (like in ICMP), or
                    waiting for remote reply (like in UDP)
       UNREPLIED    remote didn't reply for longer than the expected time-out

       TIME_WAIT    the local side of the connection was closed, delayed remote
                    packets are being collected before recycling
       FIN_WAIT     the remote side of the connection was closed,  waiting  for
                    acknowledgement (→FIN, ACK→, waiting for →FIN)
       SYN_RECV     a  remote  client  started opening a connection, but didn't
                    acknowledge the local response (→SYN, SYN,ACK→, waiting for
                    →ACK)
       SYN_SENT     a local client started opening  a  connection,  but  remote
                    didn't yet accept it (SYN→, waiting for →SYN,ACK)
       CLOSE        TIME_WAIT because connection was closed forcibly (→RST)
       the last 5 only really apply to TCP-like protocols.

       With -L (or -R) on tarta the table looks very similar (-nX21  added  as
       well), but loopback connections also appear:
           Proto Source Address        Destination Address   State
           tcp   [::1]:49118           [::1]:9928            TIME_WAIT
           tcp   [::1]:50624           [::1]:80              ESTABLISHED
           tcp   10.221.132.191:35862  192.168.1.250:5900    TIME_WAIT
           tcp   127.0.0.1:34030       127.0.0.1:8213        TIME_WAIT
           tcp   127.0.0.1:52476       127.0.1.1:3493        ESTABLISHED
           tcp   10.176.163.40:51167   192.168.1.250:443     TIME_WAIT
           tcp   10.62.134.22:23178    192.168.1.250:80      SYN_RECV
           tcp   10.62.134.22:47444    192.168.1.250:80      SYN_RECV
           udp   127.0.0.1:42738       127.0.0.1:323
           udp   127.0.0.1:44850       127.0.0.1:5353
           udp   127.0.0.1:46444       127.0.0.1:53          ASSURED
           udp   192.168.1.144:20407   192.168.1.250:53
           udp   192.168.1.146:59266   192.168.1.250:53
           udp   192.168.1.204:35989   192.168.1.250:53
           udp   192.168.1.250:23225   10.46.8.231:53
           udp   192.168.1.250:11300   10.11.28.69:53
           udp   192.168.1.250:51413   10.116.123.52:6881    ASSURED
       (Public addresses were anonymised as 10/8 in both  tables;  both  tables
       heavily abridged.)

OPTIONS
       -n                Don't  try  to  resolve  IP addresses to hostnames nor
                         port numbers to service names (hosts(5),  services(5))
                         — just normalise them.
       -o                Don't output the table header line.
       -x                Widen  the  table:  addresses  are  40  instead  of 30
                         columns wide.
       -X                Widen the table: address columns are the  width  of  a
                         fully-specified         ipv6(7)         address + port
                         (like [fc00:e355:e73f:b463:a28e:529d:7838:65be]:34012).
       -Xwidth           Widen the table: address columns use the given width.

       -G (also -N)      Add a Gateway Address column between  the  source  and
                         destination  columns  — this is the outside-facing ad-
                         dress of the node performing NAT.

       -S                Only show connections this node facilitates  from  its
                         local  network  to  the  outside  world (SNAT — source
                         NAT).  Overrides -D.
       -D                Only show connections this node facilitates to its lo-
                         cal network from the outside world (DNAT — destination
                         NAT).  Overrides -S.
       By default, the table is filtered as-if -S and -D were  used  additively
       instead of subtractively.
       -L                Only  show  direct  connections made by this node (and
                         any of its configured addresses).  This still includes
                         hosts  outside  the  local  network.   Disables  -SDG.
                         Overrides -R.
       -R                Only show non-NAT connections that don't involve this
                         node('s addresses) at all.  (This is most likely
                         because their destinations are broadcast addresses.)
                         Disables -SDG.  Overrides -L.

       -s source,…       Hide connections that  don't  originate  from  sources
                         (parsed   as   an   address   or   looked  up  in  DNS
                         (getaddrinfo(3)); comma- or  whitespace-separated,  or
                         specify multiple times).
       -d destination,…  Hide  connections  that  aren't targeting destinations
                         (likewise).
       -g gateway,…      Hide connections that aren't  going  through  gateways
                         (likewise).
       -p protocol,…     Hide  connections  that aren't formed by these layer 4
                         protocols (like UDP, TCP, or ICMP)  (case-insensitive;
                         likewise).

       -r {src,dst,gate}{,-port}|state
                         Sort  the output by the given column (after partition-
                         ing by L4 protocol):
                             src        source address (this is the default)
                             dst        destination address
                             src-port   source port
                             dst-port   destination port
                             state      connection state
                             gate       gateway address
                             gate-port  gateway port
                         ties are then broken in  this  order.   Everything  is
                         sorted  lexicographically  (as  a  string), before ad-
                         dress/port→name lookup (unless disabled by -n).

FILES
       /proc/net/nf_conntrack:  Contains  the  current  netfilter  connections.
       This is usually only readable by root.

ENVIRONMENT VARIABLES
       NETSTAT_NAT_LOCAL_ADDRS:  If set, contains a comma- or
       whitespace-separated list of addresses to be considered local.  This
       supersedes any real system state (for use with nf_conntrack backups).
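
       The -S, -D, -L and -R filters can be approximated on a saved
       nf_conntrack snapshot.  This is an added example, not netstat-nat's
       own code: it assumes the usual nf_conntrack line layout (original
       tuple followed by reply tuple), treats a reply tuple that does not
       mirror the original as NAT, and uses constructed sample lines and a
       hypothetical LOCAL list standing in for NETSTAT_NAT_LOCAL_ADDRS.

```python
import ipaddress
from collections import Counter

# Constructed snapshot in /proc/net/nf_conntrack layout (documentation addresses).
SAMPLE = """\
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.136 dst=198.51.100.7 sport=38216 dport=5228 src=198.51.100.7 dst=203.0.113.5 sport=5228 dport=38216 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 58 SYN_RECV src=198.51.100.22 dst=203.0.113.5 sport=23178 dport=80 src=192.168.1.250 dst=198.51.100.22 sport=80 dport=23178 mark=0 use=1
ipv4 2 icmp 1 29 src=198.51.100.9 dst=203.0.113.5 type=8 code=0 id=77 src=203.0.113.5 dst=198.51.100.9 type=0 code=0 id=77 mark=0 use=1
ipv4 2 udp 17 25 src=192.168.1.9 dst=192.168.1.255 sport=138 dport=138 [UNREPLIED] src=192.168.1.255 dst=192.168.1.9 sport=138 dport=138 mark=0 use=1
"""
LOCAL = ["203.0.113.5", "192.168.1.1"]  # assumed addresses of the NAT node

def parse_line(line):
    """Return proto, state, original and reply tuples, or None if unparseable."""
    tok = line.split()
    orig, reply, state = {}, {}, ""
    for t in tok[5:]:
        key, sep, val = t.partition("=")
        if sep and key in ("src", "dst", "sport", "dport"):
            # First occurrence is the original direction, second the reply.
            (reply if key in orig else orig)[key] = val
        elif not sep and not state:
            state = t.strip("[]")  # TCP state, else the first [FLAG]
    if not all(k in d for d in (orig, reply) for k in ("src", "dst")):
        return None
    return {"proto": tok[2], "state": state, "orig": orig, "reply": reply}

def classify(conn, local_addrs):
    """Assumed rule (not the tool's code): NAT if reply does not mirror original."""
    ip = ipaddress.ip_address
    o, r = conn["orig"], conn["reply"]
    if ip(r["dst"]) != ip(o["src"]):
        return "SNAT"   # replies return to a translated source (the gateway)
    if ip(r["src"]) != ip(o["dst"]):
        return "DNAT"   # replies come from a translated destination
    local = {ip(a) for a in local_addrs}
    return "local" if {ip(o["src"]), ip(o["dst"])} & local else "other"

def summarise(text, local_addrs):
    """Count entries per (class, protocol, state)."""
    counts = Counter()
    for line in text.splitlines():
        conn = parse_line(line)
        if conn:
            counts[(classify(conn, local_addrs), conn["proto"], conn["state"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarise(SAMPLE, LOCAL).items()):
        print(n, *key)
```

       The state field here is the raw token from the snapshot; netstat-nat's
       own State column may map these tokens differently.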

EXIT STATUS
       1  if  nf_conntrack  couldn't  be  opened  or  a source, destination, or
       gateway didn't exist.

SEE ALSO
       conntrack(8) provides a read-write interface to this table.

       getaddrinfo(3), getifaddrs(3), getnameinfo(3), hosts(5), services(5)

netstat-nat-ng 2a-1            September 18, 2024                NETSTAT-NAT(1)
