netsock — A Terminal Socket Monitor Written in Go
netstat was deprecated years ago. ss works, but it scrolls past you and requires iproute2. Both give you a wall of text with no immediate signal about what matters. I wanted something that answered a simple question at a glance: what’s listening on this machine, and how exposed is it?
That’s netsock.
How Do You Build and Run netsock?
cd netsock
go build -o netsock .
./netsock
Requires Go 1.21+. No third-party packages. The binary is self-contained.
What Does netsock Display?
netsock splits the display into three sections, refreshed every 2 seconds:
TCP LISTENING — ports your machine is actively waiting for inbound connections on. For each one: IP version, port number, the address it’s bound to, a scope label (more on that below), and a resolved service name.
TCP ACTIVE CONNECTIONS — established and in-progress TCP sessions right now. Local address, remote address, connection state (color-coded), and service name.
UDP BOUND PORTS — UDP ports currently bound by the system. Deduplicated — if the same port is bound on both IPv4 and IPv6 it appears once.
At the bottom, a scope legend explains the color coding.
What Is the Scope Column and Why Does It Matter?
The scope column is what makes netsock worth having. A raw IP like 0.0.0.0 tells you something, but you have to think about it. netsock classifies every socket into one of six categories and colors them accordingly:
| Color | Label | Meaning |
|---|---|---|
| Red | INTERNET | Bound to a public routable IP — visible beyond your network |
| Yellow | exposed | Bound to 0.0.0.0 or :: — all interfaces, reachable on LAN |
| Green | LAN | Bound to a private RFC1918 address only |
| Cyan | link-local | fe80:: / 169.254.x — same physical link only |
| Cyan | multicast | 224.x / ff02:: — multicast group traffic |
| Gray | loopback | 127.0.0.1 / ::1 — this machine only, not network-visible |
The sort order matches: internet-scoped sockets float to the top of each section, loopback sinks to the bottom. The most notable things are where your eye lands first.
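One way to implement this classification and sort order with the standard library's net/netip, as an added example rather than netsock's own source. The names Labels, Classify, Rank and SortByExposure are hypothetical, and the LAN test relies on Go's IsPrivate, which is an assumption about how the RFC1918 row would be checked.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Labels in the page's sort order: index 0 is the most exposed scope.
var Labels = []string{"INTERNET", "exposed", "LAN", "link-local", "multicast", "loopback"}

// Classify returns the index into Labels for a bind address. Special ranges
// are tested first; whatever is left is treated as publicly routable.
func Classify(a netip.Addr) int {
	a = a.Unmap() // ::ffff:127.0.0.1 is classified like 127.0.0.1
	switch {
	case a.IsUnspecified(): // 0.0.0.0 or ::
		return 1
	case a.IsPrivate(): // RFC 1918; Go also counts IPv6 fc00::/7 here
		return 2
	case a.IsLinkLocalUnicast(): // 169.254.0.0/16, fe80::/10
		return 3
	case a.IsMulticast(): // 224.0.0.0/4, ff00::/8
		return 4
	case a.IsLoopback(): // 127.0.0.0/8, ::1
		return 5
	}
	return 0
}

// Rank classifies a textual address; it panics on malformed input.
func Rank(s string) int { return Classify(netip.MustParseAddr(s)) }

// SortByExposure orders bind addresses most exposed first.
func SortByExposure(binds []string) {
	sort.SliceStable(binds, func(i, j int) bool { return Rank(binds[i]) < Rank(binds[j]) })
}

func main() {
	// Constructed sample; 203.0.113.7 comes from a documentation range.
	binds := []string{"127.0.0.1", "192.168.1.10", "::", "203.0.113.7", "fe80::1", "224.0.0.251"}
	SortByExposure(binds)
	for _, b := range binds {
		fmt.Printf("%-10s %s\n", Labels[Rank(b)], b)
	}
}
```

Anything that matches none of the special ranges falls through to INTERNET, so an address range the classifier does not know about is reported as more exposed rather than less.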
How Does netsock Read Socket State Without Root Access?
The kernel exposes TCP and UDP socket state in four files:
/proc/net/tcp — IPv4 TCP sockets
/proc/net/tcp6 — IPv6 TCP sockets
/proc/net/udp — IPv4 UDP sockets
/proc/net/udp6 — IPv6 UDP sockets
No root required, no external tools. The format is fixed-width text with hex-encoded addresses. A line from /proc/net/tcp looks like this:
sl local_address rem_address st tx_queue rx_queue ...
0: 0100007F:0035 00000000:0000 0A ...
The local address 0100007F:0035 is two hex fields: IP and port. The IP is a little-endian 32-bit integer — 0100007F decoded byte by byte gives 127.0.0.1. The port 0035 is 53 decimal — DNS. State 0A maps to LISTEN.
IPv6 addresses in /proc/net/tcp6 are 32 hex characters — four little-endian 32-bit words packed together. Each word is byte-swapped individually before assembling the final address.
UDP sockets show state 07 (CLOSE in kernel terminology), which netsock normalizes to UNCONN.
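The decoding described above, written out as an added example that is not taken from netsock's sock.go. DecodeAddr, ParseLine and tcpStates are hypothetical names, the IPv6 row in main is constructed, and the code assumes a little-endian host as the page does.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"net/netip"
	"strconv"
	"strings"
)

// tcpStates maps the kernel's "st" column (hex 01..0B) to names; index 0 is unused.
var tcpStates = []string{"", "ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING"}

// DecodeAddr turns a "HEXIP:HEXPORT" field into an address and port. The IP is
// 8 hex digits (IPv4) or 32 (IPv6), stored as little-endian 32-bit words.
func DecodeAddr(field string) (netip.AddrPort, error) {
	ipHex, portHex, _ := strings.Cut(field, ":")
	raw, err := hex.DecodeString(ipHex)
	port, perr := strconv.ParseUint(portHex, 16, 16)
	if err != nil || perr != nil || (len(raw) != 4 && len(raw) != 16) {
		return netip.AddrPort{}, fmt.Errorf("bad address field %q", field)
	}
	for i := 0; i < len(raw); i += 4 { // byte-swap each 32-bit word
		raw[i], raw[i+1], raw[i+2], raw[i+3] = raw[i+3], raw[i+2], raw[i+1], raw[i]
	}
	addr, _ := netip.AddrFromSlice(raw) // cannot fail: length is 4 or 16
	return netip.AddrPortFrom(addr, uint16(port)), nil
}

// ParseLine decodes the local address and state of one data row (udp: 07 becomes UNCONN).
func ParseLine(line string, udp bool) (local netip.AddrPort, state string, err error) {
	f := strings.Fields(line)
	if len(f) < 4 {
		return local, "", fmt.Errorf("short line %q", line)
	}
	st, err := strconv.ParseUint(f[3], 16, 8)
	if err != nil || st == 0 || int(st) >= len(tcpStates) {
		return local, "", fmt.Errorf("bad state %q", f[3])
	}
	if state = tcpStates[st]; udp && st == 7 {
		state = "UNCONN"
	}
	local, err = DecodeAddr(f[1])
	return local, state, err
}

func main() {
	// First row is the page's sample; the second is a constructed tcp6 row for [::1]:8080.
	fmt.Println(ParseLine("0: 0100007F:0035 00000000:0000 0A", false))
	fmt.Println(ParseLine("1: 00000000000000000000000001000000:1F90 00000000000000000000000000000000:0000 0A", false))
}
```

The header row of each /proc/net file fails the state parse and comes back as an error, so a caller can skip it without special-casing the first line.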
Does netsock Have Any External Dependencies?
No. The go.mod declares no third-party requirements; everything comes from the standard library. The source is four files:
main.go — main loop, signal handling, render orchestration
sock.go — parses /proc/net files — IP decoding, port resolution, scope classification
render.go — all display logic: sections, colors, column layout
sys.go — terminal size detection via ioctl
Terminal width comes from TIOCGWINSZ ioctl, re-queried every tick so resize works.
How Does netsock Relate to newtop?
netsock mirrors the structure of newtop — same philosophy: read kernel interfaces directly, render to the terminal, no dependencies. newtop covers CPU, memory, disk, and processes. netsock covers the network layer. Between the two you have a complete picture of what a Linux system is doing, built from tools you can read and modify in an afternoon.
FAQ
Q: What is netsock?
A terminal UI for monitoring open sockets on Linux. It reads /proc/net directly, requires no root access, and color-codes every socket by exposure scope — internet, LAN, loopback, and others — so you can see at a glance what’s reachable from where.
Q: How is netsock different from netstat or ss?
netstat is deprecated. ss produces a scrolling wall of text with no visual hierarchy. netsock renders a structured, color-coded display sorted by exposure scope — the most network-visible sockets appear at the top, loopback at the bottom. It updates live every 2 seconds.
Q: Does netsock require root or sudo?
No. It reads from /proc/net/tcp, /proc/net/tcp6, /proc/net/udp, and /proc/net/udp6, which are readable by any user on a standard Linux system.
Q: What does the scope column mean?
It classifies each socket’s exposure: INTERNET (public IP, visible beyond your network), exposed (all interfaces, LAN-reachable), LAN (private RFC1918 address only), link-local, multicast, or loopback (this machine only). Color-coded red through gray respectively.
Q: What does netsock read from /proc/net?
Four files: /proc/net/tcp and /proc/net/tcp6 for IPv4 and IPv6 TCP sockets, /proc/net/udp and /proc/net/udp6 for UDP. Addresses are hex-encoded little-endian integers that netsock decodes into standard dotted-decimal and colon-separated IPv6 notation.
Tested on Debian/CrunchBang++. Go 1.21+. Linux only — reads /proc/net directly.