Netstat is a valuable utility for network administrators that can be used to list all the network connections on a given system or server. Not only can it list active connections, but it can also show what network services are awaiting connections. A simple example would be a web server. In this case, netstat would show that port 80 is listening for incoming connections.

I found a cool way to utilize netstat while troubleshooting a lot of unexpected connections being made to a DNS server I was managing. Netstat in its most basic form will show all connections with the 'a' option, but in order to see the connections that were being made, I had to be a bit more specific. I ended up using a few more options and pulling out all the established connections:

netstat -atnp | grep ESTABLISHED

So what is this doing? Let's take a look at the man page:

-a: shows the state of all sockets

-t: shows TCP connections

-n: shows numeric addresses and ports instead of resolving host, port, and user names

-p: shows the PID and name of the program to which each socket belongs (run as root to see programs owned by other users)

This command gave me the information I needed but I was having to run it again and again to get an updated list of connections. At this point I employed the use of another little utility called watch. Believe it or not, it can be used to watch the output of another utility by executing it at periodic intervals. Like so:

watch -dn0 "netstat -atnp | grep ESTABLISHED"

Here I'm using the 'd' option to highlight differences and the 'n' option to set the interval to zero. A zero interval updates continuously. By doing this, I was able to see all the connections being established to the DNS server in a live fashion.
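When the question is which remote hosts are behind the unexpected connections, the same output can be grouped per peer. The following is an added example, not part of the original post: the function name summarize_established and the sample output (documentation-range addresses) are constructed for illustration, and the column layout assumed is that of net-tools netstat -atnp.

```bash
#!/bin/sh
# Added example: count ESTABLISHED TCP connections per remote address
# and owning program from `netstat -atnp` output, busiest peer first.

# Reads netstat -atnp output on stdin, prints "<count> <remote addr> <pid/program>".
summarize_established() {
    awk '
        # Columns: Proto Recv-Q Send-Q Local Foreign State PID/Program
        # Matching on the State column avoids the false hits that a plain
        # grep for the word could produce elsewhere on a line.
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)    # drop the remote port (IPv4 and IPv6)
            prog = ($7 == "" ? "-" : $7) # "-" when the owner is not visible
            count[peer " " prog]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample output, not a real capture.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      812/named
tcp        0      0 192.0.2.10:53           198.51.100.7:40112      ESTABLISHED 812/named
tcp        0      0 192.0.2.10:53           198.51.100.7:40113      ESTABLISHED 812/named
tcp        0      0 192.0.2.10:53           203.0.113.5:51822       ESTABLISHED 812/named
tcp        0      0 192.0.2.10:22           203.0.113.9:60244       ESTABLISHED 1044/sshd
tcp        0      0 192.0.2.10:53           198.51.100.7:40090      TIME_WAIT   -
tcp6       0      0 2001:db8::10:53         2001:db8::99:43210      ESTABLISHED 812/named
EOF
}

# On a live host: netstat -atnp | summarize_established
sample_netstat | summarize_established
```

A peer that holds far more established connections than the rest floats to the top of the list, which is usually the first thing to look at on a server that normally sees short-lived traffic.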