What is the difference between nmap and netstat?
Solution 1:
Nmap is a Network mapping tool. That means it's used to discover informations about hosts on a network (their ip, open ports, etc). Whereas Netstat is a network statistic tool used to list active connections from and to your computer. See https://en.wikipedia.org/wiki/Netstat.
Solution 2:
Nmap and netstat have lots of features that are very different from each other, but there are some that are harder to distinguish. In the "obvious differences" category, netstat can:
- show currently-active connections
- display route information
- show network interface statistics
Whereas Nmap can:
- show open ports on a remote system
- fingerprint a target's TCP/IP stack
- determine service and application version information
and many more. But of course, you can run Nmap against localhost
and it will show similar information to what netstat will show. So what is the difference?
Netstat gets its information from the OS directly. It asks the kernel for a list of all the listening ports and displays them. It can show which addresses are listening in addition to which ports and, with sufficient privilege, which process IDs.
Nmap gets its information by experiment, trying to connect to each port in turn and displaying the result of the connection attempt. This process is much slower, so by default it only tries the 1000 most-common port numbers. It can further probe each port to determine the type of service that is running, but it can't show process ID (unless you have SNMP running and use the snmp-netstat script).
So when should you use netstat?
- When you want to know what is listening on your local machine.
- When you need process or interface/address information for each port.
- When you trust the OS to give the correct answer. If you've been hacked, a rootkit can make the OS lie to netstat about what is really going on.
When should you use Nmap?
- When you want to know about open ports on a remote system.
- When you want further information about the service listening on each port.
- When you need a second opinion about listening ports. See the comment about rootkits above.