Mihai Varzaru

A connection is a communication link between 2 endpoints on the internet/network. Each endpoint is on a computer that is connected to the network. One of the computers is your own local computer, the other is usually the remote server you are connecting to. The endpoints that connect to servers are called clients. Sometimes the local endpoint or both endpoints act as a server (see client-server model). A computer usually has multiple active endpoints with both client and server roles. An endpoint can be connected to multiple remote endpoints. It does not need to be connected (when listening). There is an entry in the connections list, referred as socket, for each connection and for each listening endpoint. An endpoint is "uniquely" defined by the protocol, IP address and port. The connection is "uniquely" defined by the protocol, local IP address, local port, remote IP address and remote port.

On each port (each local endpoint), there is an application instance that receives and processes data. It also sends data to the connected endpoints from the same port. An application instance can have multiple endpoints and connections. In the connections list, local endpoint entries that do not have a connected remote endpoint (listening; remote address "*", "any") are used for receiving incoming connections in the case of TCP, or any data packets in the case of UDP. Sometimes, the application instance (process) may be closed and the operating system is still tracking connections to that endpoint for technical purposes (ex: TIME_WAIT).

Communication can be done with any remote endpoint that is visible through the physical network interface identified by the local IP address (see ifconfig) and is allowed by the firewall. A local IP address of '*' means that the application listens or communicates on all interfaces. TCP endpoints need to be successfully connected (ESTABLISHED state) in order to transfer data. UDP endpoints can send and receive data without being formally connected. UDP endpoints can communicate with multiple peers and have some application defined notion of connection, while displaying a single listening endpoint entry (this is a common usage style for UDP). For TCP all peers and connections of an endpoint are visible. Formally connected local endpoint entries can receive data only from the connected remote endpoint. For TCP sending is also limited to the connected endpoint.

See sockets for more details. See notes 1 and 2 for clarifications and exceptions to the simplified description above.

Netactview uses the term connection for all entries in the displayed list. This is not technically correct, although it is a common and tolerated generalization. See note 3 for details.

Netactview shows a subset of the connections information that aims to be a relevant summary, hiding by default some technical details that are less often important. The information is organized in a list of connections, with each entry having the same networking information columns. The columns are:

  • Protocol: shows the internet protocol used by the connection. The possible values are tcp (IPv4 TCP), udp (IPv4 UDP), tcp6 (IPv6 TCP), udp6 (IPv6 UDP).
  • Local Host: shows the name of the computer you are connecting from. Your computer may have an internet visible name, but more commonly it is a standard name (localhost) or the computer name chosen at the operating system installation. See hostname for details.
  • Local Address: shows the IP address of the computer you are connecting from. If you have more than one network card/interface you will have an IP address for each network card/interface you have and each supported IP protocol (IPv4, IPv6). There are also loopback addresses, virtual interfaces or multicast addresses. If an application listens on all local interfaces for a protocol the address is displayed as * (any).
  • Local Port: shows the port number that is used by the application instance endpoint as a service address for receiving or sending data to other computers. For outbound connections (local client application) the local port is usually a random number chosen by the operating system from a specific range. For listening endpoints and inbound connections (local server application) the local port number is usually a standard service port.
  • State: shows the TCP state of the connection. Active TCP connections are usually in the ESTABLISHED (successfully connected) state. TCP endpoints that allow other computers to connect to the current one are in the LISTEN state. UDP endpoints show less state information and can communicate with an empty state and without any visible remote address. Netactview uses the same state strings as netstat.
  • Remote Address: shows the IP address of the computer/server you are connecting to. Many large web sites have multiple IP addresses. There can be multiple small web sites on a single IP address. The listening endpoints do not have a remote address (displayed as *, "any").
  • Remote Port: shows the port number to which the client application is connecting to on the server. Usually, standard server applications/services are listening on specific ports. Websites you browse usually respond on port 80 (http). Bank websites use the secure port 443 (https). You can look at a large list of standard ports on wikipedia. If local services, like ssh or remote desktop, are enabled the remote port is a client port and the current computer is the server. For some network services the conceptual client can also use a server endpoint (ex: ftp data transfer port in active mode).
  • Remote Host: shows the internet name of the computer/server you are connecting to (or a remote client of a local service, or a peer). This name is related to the name of the websites you are navigating on but, usually, not exactly the same. Sometimes the remote host name does not have anything in common with the name of the website you are visiting. Whois can be used to get details on a specific host. Online whois and ip location websites may offer more details on the remote computer than the operating system whois tool.
  • Pid: shows the process ID for the application that is using that connection on your computer. The process ID is used to uniquely identify instances of applications you start. If you start an application multiple times you may have more processes for that application.
  • Program: shows the name of the application as known by the operating system. This is usually the public application name. There are exceptions. For example, 'Net Activity Viewer' has the program name 'netactview'.
  • Command: shows the command used to start the application that uses the connection. Some processes modify their startup command to show a descriptive string or for various technical reasons.

If you already understand the basic concepts, the linux networking man pages may be accessible and are more technically accurate than this documentation or wikipedia:


  • netstat: the standard tool in linux to display network connections
    • netactview is roughly equivalent with the commands: "netstat -patu" and "netstat -patun"
    • see the output section of the netstat man page
  • ss - socket statistics: a tool intended to replace netstat as the standard socket statistics tool

Concepts and API (some C programming knowledge is required for understanding):

  • socket manual: linux socket interface
    • the socket (endpoint for communication) is a core concept in networking
    • the communication endpoint meaning associated with the socket is different from the protocol, IP, port endpoint concept described above; in relation with that concept the socket is an endpoint instance
    • there can be multipe sockets for a port, including multiple sockets that look identical from a networking perspective
    • a kernel socket may be shared by more processes
    • the netactview commonly used term for a socket visible in the connections list is "connection"; more precise terms used are "connection list entry", "local endpoint entry" or "local endpoint instance"
    • the socket manual has references to the rest of the linux networking API documentation
  • socket function manual: the socket() C API function
    • out of the possible domains netactview shows AF_INET (IPv4) and AF_INET6 (IPv6) sockets
    • out of the possible "types" and "protocols" netactview shows TCP (*, SOCK_STREAM, 0) and UDP (*, SOCK_DGRAM, 0) sockets
  • ip manual: linux IPv4 protocol implementation
  • tcp manual: linux TCP protocol implementation
  • udp manual: linux UDP protocol implementation


  1. The communication endpoints can be both on the same computer. A common technique for some applications to offer a local only networking service is to listen only on the loopback interface (addresses, 127.* or ::1). Some applications use internet protocol (IP) sockets for local inter process communication purposes that have nothing to do with networking.
  2. While "normally" just an application instance listens on one port (possibly bound to multiple interfaces and protocols), technically there can be 2 or more applications that listen on the same port. If the listening sockets (endpoint instances) also have the same protocol and interface address the unique endpoint definition above does not really hold anymore (unless strictly limiting it to a networking perspective). In this case the listening applications are shown as distinct endpoint instances that look identical, except for the process information. This situation can happen for IP multicast sockets, but it is not limited to multicast. Having more applications listening on the same port used to be very rare but was lately made common by a popular browser that listens on multicast dns along with the avahi system service.
  3. Netactview uses the term connection in a more generic way. All entries displayed in the interface are called connections. Some of them are just connection points and are not connected to anything yet. This generalization has widespread use in networking, but when explicitly referring to the listening connection points more common terms are "listening ports" or "listening sockets". Technically, just TCP has connections, UDP is a connectionless protocol. While the UDP protocol does not have an explicit connection concept, it does have service addresses (IP + port) as basic connectivity information, it can use the connect() function, and applications tend to implement some basic functions related with the connection concept on top of UDP that are similar but simpler than the heavy TCP connections. However, multicast UDP transmissions probably can't be called connections at all.
    A linguistically and technically correct term to use for all entries in the list is sockets, but socket is a very technical concept (see man 7 socket) and not particularly intuitive. "Local endpoint instances" may be technically correct, but it can be misleading when generally used, because "endpoint" is a very generic word. A search for "view network connections" is more popular and has more relevant results than a search for "view network local endpoints" or a search for "view network sockets" (on google, 2015-03).


Wiki: Main_Page