The netstat command is used to query the routing table of the local host and
the status of TCP/IP networking. In Solaris the command is located in the
/usr/bin directory; in Linux it is in /bin.
Options are pretty much common (which is a rare thing :-)
When used with the -i option, netstat displays the state of the Ethernet interfaces,
with the -r option it displays routing information, and with the -s option statistical information:
netstat -i # the state of the Ethernet interfaces
netstat -r # displays routing info
netstat -s # statistical information
One of the more useful options is:
netstat -pa
The -p option tells it to try to determine what program
has the socket open, which is often very useful info. For example,
someone nmaps their system and wants to know what is using
port 666. Running netstat -pa will show you the daemon running on that TCP port.
One of the most twisted, but useful invocations is:
netstat -a -n|grep -E "^(tcp)"| cut -c 68-|sort|uniq -c|sort -n
This will show you a sorted list of how many sockets are
in each connection state. For example:
9 LISTEN
21 ESTABLISHED
The exact syntax of this command is Unix flavor dependent. In general, it can
provide information on:
Active TCP connections at this local host.
State of all TCP/IP servers on this local host and the sockets used by them.
Devices and links used by TCP/IP.
The IP routing tables (gateway tables) in use at this local host.
Typical usage
netstat -r
The -r switch is probably the most commonly used and displays the routing table.
netstat -rn # same, but without hostname lookup
List externally connected processes:
netstat -punta
netstat with the -r option displays the kernel routing
table in a way similar to the parameters supplied to the route command. For example,
on Red Hat Linux 5.6 netstat -rn will display:
The -n option suppresses resolution of hostnames and displays all IPs in numeric form, rather than the symbolic host and network names.
The second column shows the gateway to which the routing entry points. If no
gateway is used, an asterisk is printed with -n option and 0.0.0.0 with
the -rn option.
The third column shows the generality of the route, i.e., the network mask
for this route. The routing table displayed by netstat is sorted by netmask length,
longest first, so host routes, which have netmask 255.255.255.255, are displayed first.
When given an IP address to find a suitable route for, the kernel iterates through
each entry of the routing table, taking the bitwise AND of the address and the genmask
before comparing it to the target of the route.
The fourth column displays the following flags that describe the route:
G -- The route uses a gateway.
U -- The interface to be used is up.
H -- Only a single host can be reached through the route. In this case the Genmask column is always 255.255.255.255.
D -- This route is dynamically created. It is set if the table entry has been generated by a routing daemon like gated or by an ICMP redirect message.
M -- This flag is set if the table entry was modified by an ICMP redirect message.
! -- The route is a reject route and datagrams will be dropped.
The next three columns show the MSS, Window and irtt that will be applied to
TCP connections established via this route. The MSS is the Maximum Segment Size
and is the size of the largest datagram the kernel will construct for transmission
via this route. The Window is the maximum amount of data the system will accept
in a single burst from a remote host. The acronym irtt stands for initial round
trip time. The TCP protocol ensures that data is reliably delivered between hosts
by retransmitting a datagram if it has been lost. The TCP protocol keeps a running
count of how long it takes for a datagram to be delivered to the remote end, and
an acknowledgement to be received so that it knows how long to wait before assuming
a datagram needs to be retransmitted; this interval is called the round-trip time. The
initial round-trip time is the value that the TCP protocol will use when a connection
is first established. For most network types, the default value is okay, but for
some slow networks, notably certain types of amateur packet radio networks, the
time is too short and causes unnecessary retransmission. The irtt value can be set
using the route command. Values of zero in these fields mean that the default is
being used.
Finally, the last field displays the network interface that this route will use.
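The lookup described in the Genmask paragraph above, as an added example in POSIX shell (not from the original page): each entry's genmask is ANDed with the address and compared with the route target, and the match with the longest netmask is chosen explicitly, which is what the longest-first ordering of the table gives the kernel. The routing table is constructed sample data, and ip2int and route_for are names chosen for this example.

```sh
#!/bin/sh
# Added example: choose the route for a destination from `netstat -rn` output.
# The table is constructed sample data (not from a real host).
sample_routes() {
cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.1.2.3        192.168.1.254   255.255.255.255 UGH       0 0          0 eth0
10.9.9.9        -               255.255.255.255 !H        0 -          0 -
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.0.0.0        192.168.1.2     255.0.0.0       UG        0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
EOF
}

# ip2int A.B.C.D: print the address as a 32-bit integer.
ip2int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1          # split the dotted quad into $1..$4
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_for ADDRESS: read a `netstat -rn` table on stdin and print
# "gateway iface flags" for the matching route with the longest netmask,
# "reject" if that route carries the ! flag, "unreachable" if none matches.
route_for() {
    _addr=$(ip2int "$1")
    _best_mask=-1
    _best_gw="" _best_if="" _best_flags=""
    while read -r _dst _gw _mask _flags _mss _win _irtt _if; do
        case $_dst in
            [0-9]*.*.*.*) ;;      # a route entry
            *) continue ;;        # title and column header lines
        esac
        _d=$(ip2int "$_dst")
        _m=$(ip2int "$_mask")
        # (address AND genmask) must equal the route target; among the
        # matches keep the most specific one (numerically largest mask).
        if [ $(( ($_addr & $_m) == ($_d & $_m) && $_m > $_best_mask )) -eq 1 ]; then
            _best_mask=$_m
            _best_gw=$_gw _best_if=$_if _best_flags=$_flags
        fi
    done
    case $_best_flags in
        "")     echo "unreachable" ;;
        *'!'*)  echo "reject" ;;
        *)      echo "$_best_gw $_best_if $_best_flags" ;;
    esac
}

# Usage on a live host: netstat -rn | route_for 10.5.5.5
sample_routes | route_for 10.5.5.5
```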
Displaying Interface Statistics
When invoked with the -i flag, netstat displays statistics for the network
interfaces currently configured.
If the -a option is also given, it prints all interfaces present in the kernel,
not only those that have been configured currently.
The MTU and Met fields show the current MTU and metric values for that interface.
The RX and TX columns show how many packets have been received or transmitted error-free
(RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP);
and how many were lost because of an overrun (RX-OVR/TX-OVR).
The last column shows the flags that have been set for this interface. These
characters are one-character versions of the long flag names that are printed when
you display the interface configuration with ifconfig:
B A broadcast address has been set.
L This interface is a loopback device.
M All packets are received (promiscuous mode).
O ARP is turned off for this interface.
P This is a point-to-point connection.
R Interface is running.
U Interface is up.
Displaying Connections
netstat supports a set of options to display active or passive sockets.
The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections.
If you provide the -a flag in addition, sockets that
are waiting for a connection (i.e., listening) are displayed as well.
This display will give you a list of all servers that are currently running
on your system.
Using the -a flag by itself will display all sockets from all families.
Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP,
and IP protocols. The -s parameter can be used to specify a set of protocols.
# netstat -s
Ip:
2461 total packets received
0 forwarded
0 incoming packets discarded
2431 incoming packets delivered
2049 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
1 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 1
Tcp:
159 active connections openings
1 passive connection openings
4 failed connection attempts
0 connection resets received
1 connections established
2191 segments received
1745 segments send out
24 segments retransmited
0 bad segments received.
4 resets sent
Udp:
243 packets received
1 packets to unknown port received.
0 packet receive errors
281 packets sent
9. Showing Statistics by TCP Protocol
To show statistics for the TCP protocol only, use netstat -st.
# netstat -st
Tcp:
2805201 active connections openings
1597466 passive connection openings
1522484 failed connection attempts
37806 connection resets received
1 connections established
57718706 segments received
64280042 segments send out
3135688 segments retransmited
74 bad segments received.
17580 resets sent
10. Showing Statistics by UDP Protocol
# netstat -su
Udp:
1774823 packets received
901848 packets to unknown port received.
0 packet receive errors
2968722 packets sent
11. Displaying Service name with PID
To display each service name with its PID number, use netstat -tp, which will display
"PID/Program Name".
# netstat -tp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.2:ssh 192.168.0.1:egs ESTABLISHED 2179/sshd
tcp 1 0 192.168.0.2:59292 www.gov.com:http CLOSE_WAIT 1939/clock-applet
12. Displaying Promiscuous Mode
Displaying promiscuous mode with the -ac switch: netstat prints the selected information or
refreshes the screen every five seconds. The default screen refresh is every second.
Finding un-configured address families with some useful information.
# netstat --verbose
netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
19. Finding Listening Programs
Find out how many listening programs are running on a port.
# netstat --statistics --raw
Ip:
62175683 total packets received
52970 with invalid addresses
0 forwarded
Icmp:
875519 ICMP messages received
destination unreachable: 901671
echo request: 8
echo replies: 16253
IcmpMsg:
InType0: 83
IpExt:
InMcastPkts: 117
That's it. If you are looking for more information and options for the netstat command, refer to the
netstat manual or use the man netstat command.
ss (socket statistics) is a command line tool that monitors socket connections and displays the socket statistics of the Linux
system. It can display stats for PACKET sockets, TCP sockets, UDP sockets, DCCP sockets, RAW sockets, Unix domain sockets, and much
more.
This replaces the deprecated netstat command in the latest version of Linux. The ss command is much faster and prints more detailed
network statistics than the netstat command.
If you are familiar with the netstat command, it will be easier for you to understand the ss command as it uses similar command
line options to display network connections information.
The basic ss command without any arguments, which displays all the socket or network connections as shown below:
$ ss
Understanding the output header:
Netid: Type of socket. Common types are TCP, UDP, u_str (Unix stream), and u_seq (Unix sequence).
State: State of the socket. Common states are ESTAB (established), UNCONN (unconnected), LISTEN (listening), CLOSE-WAIT, and
SYN-SENT.
Recv-Q: Number of received packets in the queue.
Send-Q: Number of sent packets in the queue.
Local Address:Port: Address of local machine and port.
Peer Address:Port: Address of remote machine and port.
The default output shows thousands of lines at once and part of the output will not be visible on the terminal, so use the "less"
command for page-wise reporting.
By default the "-t" option reports only the TCP sockets that are "established" or "CONNECTED", and doesn't report the TCP sockets
that are "LISTENING". Use the "-a" option together with "-t" if you want to view them all at once.
To list the process name and PID associated with the network connections, run: Note that you need to run this command with sudo privileges
to view all process names and associated PIDs.
To view an overall summary of all socket connections, run the command below. It prints the results in a tabular format, including the number
of TCP and UDP, IPv4 and IPv6 socket connections.
$ ss -s
Total: 1278
TCP: 35 (estab 10, closed 11, orphaned 0, timewait 2)
Transport Total IP IPv6
RAW 1 0 1
UDP 11 7 4
TCP 24 13 11
INET 36 20 16
FRAG 0 0 0
10) View extended output of socket connections
To view extended output of socket connections, run. The extended output will display the uid of the socket and socket's inode
number.
The netstat command is used to check all
incoming and outgoing connections on a Linux server. Using the grep command you can select
the lines that match a pattern you define.
awk is a very important command, generally
used for scanning for patterns and processing the matches. It is a powerful tool for shell scripting. sort
is used to sort output, and sort -n sorts output in numeric order.
uniq -c collapses adjacent duplicate lines and prefixes each remaining line
with the number of times it occurred.
Q6. How to make netstat show name and PID of programs?
In case you want netstat to show the name and process ID of the process to which each socket belongs, use the -p
command line option.
netstat -p
For example:
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.1.7:57318 13.70.5.200:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:36732 13.76.170.95:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:52050 149.154.164.224:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:55974 del03s10-in-f14.1:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:52074 149.154.164.224:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:60590 mails11.telegram.:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:52254 149.154.164.224:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.2.97:45662 blog.gsmarena.com:ftp ESTABLISHED 3160/filezilla
tcp 0 0 192.168.1.7:35818 32.4a.37a9.ip4.st:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:52528 52.114.32.7:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:55950 del03s10-in-f14.1:https ESTABLISHED 3247/firefox
tcp 68 0 localhost:60342 ansh:netbios-ssn ESTABLISHED 2625/gvfsd-smb-brow
tcp 0 0 192.168.1.7:44974 152.195.11.6:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:36730 13.76.170.95:https ESTABLISHED 3247/firefox
tcp 0 0 ansh:netbios-ssn localhost:60342 ESTABLISHED -
tcp 0 0 192.168.1.7:52732 del03s10-in-f2.1e:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:60314 52.229.174.94:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:53072 207.46.140.70:https ESTABLISHED 3247/firefox
tcp 0 0 192.168.1.7:34500 do-11.lastpass.co:https ESTABLISHED 3247/firefox
See the last column for PID/program name info.
Q7. How to make netstat print network statistics?
This can be done using the -s command line option.
netstat -s
In this case, the tool produces information like total packets received, discarded, delivered, and much
more. Following is an example output when the -s command line option was used.
Ip:
592215 total packets received
41 with invalid addresses
0 forwarded
0 incoming packets discarded
580699 incoming packets delivered
539118 requests sent out
627 outgoing packets dropped
482 dropped because of missing route
2 fragments failed
Icmp:
2337 ICMP messages received
6 input ICMP message failed.
ICMP input histogram:
destination unreachable: 2337
3917 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 3917
IcmpMsg:
InType3: 2337
OutType3: 3917
Tcp:
10943 active connections openings
127 passive connection openings
38 failed connection attempts
467 connection resets received
34 connections established
443643 segments received
414589 segments send out
6929 segments retransmited
428 bad segments received.
11713 resets sent
...
...
...
Q8. How to make netstat display kernel routing table?
This can be done using the -r command line option.
netstat -r
Following is the output produced in my case:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default 192.168.1.1 0.0.0.0 UG 0 0 0 wlx18a6f713679b
link-local * 255.255.0.0 U 0 0 0 wlx18a6f713679b
192.168.1.0 * 255.255.255.0 U 0 0 0 wlx18a6f713679b
Note that netstat -r and route -e produce the same output.
Using Netstat For Surveillance And Troubleshooting
Two of the fundamental aspects of Linux system security and troubleshooting
are knowing what services are running, and what connections and services are
available. We're all familiar with ps for viewing active services.
netstat goes a couple of steps further, and displays all available
connections, services, and their status. It shows one type of service that
ps does not: services run from inetd or xinetd, because inetd/xinetd
start them up on demand. If the service is available but not active, such as
telnet, all you see in ps is either inetd or xinetd:
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ipp *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 192.168.1.5:32851 nest.anthill.echid:ircd ESTABLISHED
udp 0 0 *:ipp *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 1065 /tmp/ksocket-carla/klaunchertDCh2b.slave-socket
unix 2 [ ACC ] STREAM LISTENING 1002 /tmp/ssh-OoMGfFm666/agent.666
unix 2 [ ACC ] STREAM LISTENING 819 private/smtp
Your total output will probably run to a couple hundred lines. (A fun and
quick way to count lines of output is netstat -a | wc -l.) You
can ignore everything under "Active UNIX domain sockets." Those are local inter-process
communications, not network connections. To avoid displaying them at all, do
this:
$ netstat --inet -a
This will display only network connections, both listening and established.
Already netstat has earned its keep--both the telnet and smtp services
are running. This is bad, because I don't want to have either a telnet or smtp
server running on this machine. So now I know I need to turn them off, and re-configure
my startup files so they won't start at boot.
How do you know what services you want running? That is a mondo subject for
another day, and an important one. For example, if your system has been compromised,
this is one place to find evidence of a Trojan horse or other malware phoning
home. In this example, ipp is Internet Printing Protocol, which belongs
to CUPS (Common Unix Printing System.) If you want your printer to work, this
needs to be here. The connection on 192.168.1.5:32851 is my active IRC (Internet
Relay Chat) connection. Refer to your /etc/services file to learn
more about TCP and UDP ports, and the services assigned to them.
What It Means
"Proto" is short for protocol, which is either TCP or UDP. "Recv-Q" and "Send-Q"
mean receiving queue and sending queue. These should always be zero; if they're
not you might have a problem. Packets should not be piling up in either queue,
except briefly, as this example shows:
tcp 0 593 192.168.1.5:34321 venus.euao.com:smtp ESTABLISHED
That happened when I hit the "check mail" button in KMail; a brief queuing
of outgoing packets is normal behavior. If the receiving queue is consistently
jamming up, you might be experiencing a denial-of-service attack. If the sending
queue does not clear quickly, you might have an application that is sending
them out too fast, or the receiver cannot accept them quickly enough.
"Local address" is either your IP and port number, or IP and the name of
a service. "Foreign address" is the hostname and service you are connected to.
The asterisk is a placeholder for IP addresses, which of course cannot be known
until a remote host connects. "State" is the current status of the connection.
Any TCP state can be displayed here, but these three are the ones you want to
see:
LISTEN - waiting to receive a connection
ESTABLISHED - a connection is active
TIME_WAIT - a recently terminated connection;
this should last only a minute or two, then change back to LISTEN. The socket
pair cannot be re-used as long as the TIME_WAIT state persists.
UDP is stateless, so the "State" column is always blank.
A socket pair is both sides of a TCP/IP connection, like this example for
a locally-attached printer:
localhost:ipp localhost:34493 ESTABLISHED
Or a telnet connection to a remote server:
192.168.1.5:34437 65.106.57.106.pt:telnet ESTABLISHED
A socket is any hostname-port combination, or IP address-port.
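An added example (not part of the original article) that automates two checks made by eye above: which listeners are unexpected, as with telnet and smtp, and how many sockets are in each state, as in the `cut -c 68-` pipeline near the top of the page. It reads `netstat --inet -an` output; the snapshot is constructed, and the allowlist of ports 22 and 631 is an assumption for this sample host.

```sh
#!/bin/sh
# Added example: audit one `netstat --inet -an` snapshot.
# Constructed sample output; remote addresses are documentation ranges.
sample_snapshot() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp        0      0 192.168.1.5:32851       198.51.100.7:6667       ESTABLISHED
tcp        0      0 192.168.1.5:34437       192.0.2.9:23            ESTABLISHED
tcp        0      0 192.168.1.5:34321       203.0.113.10:25         TIME_WAIT
udp        0      0 0.0.0.0:631             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
EOF
}

# state_counts: sockets per TCP state, least common first. The state is
# taken as field 6, so the result does not depend on column widths the
# way a fixed `cut -c 68-` offset does.
state_counts() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) print n[s], s }' | LC_ALL=C sort -n
}

# unexpected_listeners "PORT PORT ...": print proto/port and bind address
# for every TCP listener and unconnected UDP socket whose port is not in
# the allowlist and that is not bound to loopback only.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { k = split(allow, p, " "); for (i = 1; i <= k; i++) ok[p[i]] = 1 }
        ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 ~ /:\*$/) {
            n = split($4, part, ":")       # port is the text after the last colon
            port = part[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback only
            if (!(port in ok)) print $1 "/" port " on " addr
        }'
}

# Usage on a live host: netstat --inet -an | unexpected_listeners "22 631"
sample_snapshot | state_counts
sample_snapshot | unexpected_listeners "22 631"
```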
Continuous Capture, "Borken" DNS, and Interface Checking
Because all these things change often, how do you capture the changes? Run
netstat continuously with the -c flag and record the
output:
$ netstat --inet -a -c > netstat.txt
Then check email, start and stop services, surf the web, log in to a telnet
BBS and play Legend of the Red Dragon; then review your capture file to see
what it all looks like.
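Added example, not from the original article: a pass over a `netstat --inet -an -c` capture that separates the brief queuing described under "What It Means" from a queue that stays non-empty snapshot after snapshot. The capture is constructed, and the function name stuck_queues is this example's own.

```sh
#!/bin/sh
# Added example: find sockets whose Recv-Q or Send-Q stays non-zero across
# consecutive snapshots of a `netstat --inet -an -c` capture.
# Constructed capture with three snapshots; addresses are documentation ranges.
sample_capture() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    593 192.168.1.5:34321       203.0.113.10:25         ESTABLISHED
tcp     4096      0 192.168.1.5:22          192.0.2.44:51514        ESTABLISHED
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:34321       203.0.113.10:25         ESTABLISHED
tcp     8192      0 192.168.1.5:22          192.0.2.44:51514        ESTABLISHED
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0    120 192.168.1.5:34321       203.0.113.10:25         ESTABLISHED
tcp    16384      0 192.168.1.5:22          192.0.2.44:51514        ESTABLISHED
EOF
}

# stuck_queues MIN: print "recv|send local -> peer snapshots=N" for each
# socket whose queue was non-zero in at least MIN consecutive snapshots.
stuck_queues() {
    awk -v min="$1" '
        function bump(key) {
            if ((key in last) && last[key] == snap) return   # already counted in this snapshot
            run[key] = ((key in last) && last[key] == snap - 1) ? run[key] + 1 : 1
            last[key] = snap
            if (run[key] > longest[key]) longest[key] = run[key]
        }
        /^Active Internet connections/ { snap++; next }      # a new snapshot starts
        $1 !~ /^(tcp|udp)/ { next }                          # column header lines
        {
            if ($2 + 0 > 0) bump("recv " $4 " -> " $5)
            if ($3 + 0 > 0) bump("send " $4 " -> " $5)
        }
        END {
            for (k in longest)
                if (longest[k] >= min) print k, "snapshots=" longest[k]
        }' | LC_ALL=C sort
}

# Usage on a recorded file: stuck_queues 3 < netstat.txt
sample_capture | stuck_queues 3
```

The Send-Q of 593 bytes on the mail connection appears in one snapshot and clears in the next, so it is only reported with a threshold of 1; the growing Recv-Q on the port 22 connection is reported at 3.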
If netstat is taking too long, or not resolving a hostname at
all, give it the -n flag to turn off DNS lookups:
$ netstat --inet -an
netstat can help diagnose NIC problems. Use the -i
flag when you're troubleshooting a flakey connection, and you suspect your NIC:
You should see large numbers in the RX-OK (received OK) and TX-OK (transmitted
OK) columns, and very low numbers in all the others. If you are seeing a lot
of RX-ERRs or TX-ERRs, suspect the NIC or the patch cable. This is what the
flags mean:
B = broadcast address
L = loopback device
M = promiscuous mode
R = interface is running
U = interface is up
The netstat command displays the contents of certain network-related
data structures in various formats, depending on the options you select.
The netstat command has the several forms shown in the SYNOPSIS
section, above, listed as follows:
The first form of the command (with no required arguments) displays
a list of active sockets for each protocol.
The second, third, and fourth forms (-g, -p,
and -s options) display information from various network
data structures.
The fifth form (-m option) displays STREAMS memory
statistics.
The sixth form (-i option) shows the state of the
interfaces.
The seventh form (-r option) displays the routing
table.
The eighth form (-M option) displays the multicast
routing table.
The ninth form (-D option) displays the state of DHCP
on one or all interfaces.
These forms are described in greater detail below.
With no arguments (the first form), netstat displays connected
sockets for PF_INET, PF_INET6, and PF_UNIX, unless
modified otherwise by the -f option.
Options
-a
Show the state of all sockets, all routing table entries, or all interfaces,
both physical and logical. Normally, listener sockets used by server processes
are not shown. Under most conditions, only interface, host, network, and
default routes are shown and only the status of physical interfaces is shown.
-f address_family
Limit all displays to those of the specified address_family.
The value of address_family can be one of the following:
inet
For the AF_INET address family showing IPv4 information.
inet6
For the AF_INET6 address family showing IPv6 information.
unix
For the AF_UNIX address family.
-f filter
With -r only, limit the display of routes to those
matching the specified filter. A filter rule consists of a keyword:value
pair. The known keywords and the value syntax are:
af:{inet|inet6|unix|number}
Selects an address family. This is identical to -f address_family and both syntaxes are supported.
{inif|outif}:{name|ifIndex|any|none}
Selects an input or output interface. You can specify the interface
by name (such as hme0) or by ifIndex number (for example,
2). If any is used, the filter matches all routes
having a specified interface (anything other than null). If none
is used, the filter matches all routes having a null interface. Note
that you can view the index number (ifIndex) for an interface
with the -a option of
ifconfig(1M).
{src|dst}:{ip-address[/mask]|any|none}
Selects a source or destination IP address. If specified with a
mask length, then any routes with matching or longer (more specific)
masks are selected. If any is used, then all addresses
but 0 are selected. If none is used, then address 0 is selected.
flags:[+ -]?[ABDGHLMSU]+
Selects routes tagged with the specified flags. By default, the
flags as specified must be set in order to match. With a leading
+, the flags specified must be set but others are ignored. With
a leading -, the flags specified must not be set and others
are permitted.
You can specify multiple instances of -f to specify
multiple filters. For example:
The preceding command displays routes within network 10.0.0.0/8, with
mask length 8 or greater, and an output interface of either hme0
or hme1, and excludes all other routes.
-g
Show the multicast group memberships for all interfaces. If the -v option is included, source-specific membership information
is also displayed. See DISPLAYS, below.
-i
Show the state of the interfaces that are used for IP traffic. Normally
this shows statistics for the physical interfaces. When combined with the
-a option, this will also report information for the logical
interfaces. See
ifconfig(1M).
-m
Show the STREAMS memory statistics.
-n
Show network addresses as numbers. netstat normally displays
addresses as symbols. This option may be used with any of the display formats.
-p
Show the net to media tables. See DISPLAYS, below.
-r
Show the routing tables. Normally, only interface, host, network, and
default routes are shown, but when this option is combined with the -a option, all routes will be displayed, including cache.
-s
Show per-protocol statistics. When used with the -M
option, show multicast routing statistics instead. When used with the
-a option, per-interface statistics will be displayed,
when available, in addition to statistics global to the system. See DISPLAYS,
below.
-v
Verbose. Show additional information for the sockets, STREAMS memory
statistics, routing table, and multicast group memberships.
-I interface
Show the state of a particular interface. interface can be
any valid interface such as hme0 or eri0. Normally, the
status and statistics for physical interfaces are displayed. When this option
is combined with the -a option, information for the logical
interfaces is also reported.
-M
Show the multicast routing tables. When used with the -s
option, show multicast routing statistics instead.
-P protocol
Limit display of statistics or state of all sockets to those applicable
to protocol. The protocol can be one of ip, ipv6,
icmp, icmpv6, igmp,
udp, tcp, rawip. rawip can also be specified
as raw. The command accepts protocol options only as all lowercase.
-D
Show the status of DHCP configured interfaces.
-R
This modifier displays extended security attributes for sockets and
routing table entries. The -R modifier is available only
if the system is configured with the Solaris Trusted Extensions feature.
With -r only, this option displays the routing entries'
gateway security attributes. See
route(1M)
for more information on security attributes.
When displaying socket information using the first form of the command,
this option displays additional information for Multi-Level Port (MLP) sockets.
This includes:
The label for the peer if the socket is connected.
The following flags can be appended to the socket's "State" output:
P
The socket is a MLP on zone-private IP addresses.
S
The socket is a MLP on IP addresses shared between zones.
Operands
interval
Display statistics accumulated since last display every interval
seconds, repeating forever, unless count is specified. When invoked
with interval, the first row of netstat output shows statistics
accumulated since last reboot.
The following options support interval: -i,
-m, -s and -Ms. Some
values are configuration parameters and are just redisplayed at each interval.
count
Display interface statistics the number of times specified by count,
at the interval specified by interval.
DISPLAYS
Active Sockets (First Form)
The display for each active socket shows the local and remote address,
the send and receive queue sizes (in bytes), the send and receive windows
(in bytes), and the internal state of the protocol.
The symbolic format normally used to display socket addresses is either:
hostname.port
when the name of the host is specified, or
network.port
if a socket address specifies a network but no specific host.
The numeric host address or network number associated with the socket
is used to look up the corresponding symbolic hostname or network name in
the hosts or networks database.
If the network or hostname for an address is not known, or if the
-n option is specified, the numerical network address
is shown. Unspecified, or "wildcard", addresses and ports appear as an asterisk
(*). For more information regarding the Internet naming conventions,
refer to
inet(7P)
and
inet6(7P).
For SCTP sockets, because an endpoint can be represented by multiple
addresses, the verbose option (-v) displays the list of
all the local and remote addresses.
TCP Sockets
The possible state values for TCP sockets are as follows:
BOUND
Bound, ready to connect or listen.
CLOSED
Closed. The socket is not being used.
CLOSING
Closed, then remote shutdown; awaiting acknowledgment.
CLOSE_WAIT
Remote shutdown; waiting for the socket to close.
ESTABLISHED
Connection has been established.
FIN_WAIT_1
Socket closed; shutting down connection.
FIN_WAIT_2
Socket closed; waiting for shutdown from remote.
IDLE
Idle, opened but not bound.
LAST_ACK
Remote shutdown, then closed; awaiting acknowledgment.
LISTEN
Listening for incoming connections.
SYN_RECEIVED
Initial synchronization of the connection under way.
SYN_SENT
Actively trying to establish connection.
TIME_WAIT
Wait after close for remote shutdown retransmission.
SCTP Sockets
The possible state values for SCTP sockets are as follows:
CLOSED
Closed. The socket is not being used.
LISTEN
Listening for incoming associations.
ESTABLISHED
Association has been established.
COOKIE_WAIT
INIT has been sent to the peer, awaiting acknowledgment.
COOKIE_ECHOED
State cookie from the INIT-ACK has been sent to the peer, awaiting
acknowledgement.
SHUTDOWN_PENDING
SHUTDOWN has been received from the upper layer, awaiting
acknowledgement of all outstanding DATA from the peer.
SHUTDOWN_SENT
All outstanding data has been acknowledged in the SHUTDOWN_SENT
state. SHUTDOWN has been sent to the peer, awaiting acknowledgement.
SHUTDOWN_RECEIVED
SHUTDOWN has been received from the peer, awaiting acknowledgement
of all outstanding DATA.
SHUTDOWN_ACK_SENT
All outstanding data has been acknowledged in the SHUTDOWN_RECEIVED
state. SHUTDOWN_ACK has been sent to the peer.
Network Data Structures (Second Through Fifth Forms)
The form of the display depends upon which of the -g,
-m, -p, or -s options
you select.
-g
Displays the list of multicast group membership.
-m
Displays the memory usage, for example, STREAMS mblks.
-p
Displays the net to media mapping table. For IPv4, the address resolution
table is displayed. See
arp(1M).
For IPv6, the neighbor cache is displayed.
-s
Displays the statistics for the various protocol layers.
The statistics use the MIB specified variables. The defined values for
ipForwarding are:
forwarding(1)
Acting as a gateway.
not-forwarding(2)
Not acting as a gateway.
The IPv6 and ICMPv6 protocol layers maintain per-interface statistics.
If the -a option is specified with the -s
option, then the per-interface statistics as well as the total sums are
displayed. Otherwise, just the sum of the statistics is shown.
For the second, third, and fourth forms of the command, you must specify
at least -g, -p, or -s.
You can specify any combination of these options. You can also specify
-m (the fifth form) with any set of the -g,
-p, and -s options. If you specify more
than one of these options, netstat displays the information for
each one of them.
Interface Status (Sixth Form)
The interface status display lists information for all current interfaces,
one interface per line. If an interface is specified using the -I
option, it displays information for only the specified interface.
The list consists of the interface name, mtu (maximum transmission
unit, or maximum packet size) (see ifconfig(1M)),
the network to which the interface is attached, addresses for each interface,
and counters associated with the interface. The counters show the number
of input packets, input errors, output packets, output errors, and collisions,
respectively. For Point-to-Point interfaces, the Net/Dest field is the name
or address on the other side of the link.
If the -a option is specified with either the -i option or the -I option, then the output
includes names of the physical interface(s), counts for input packets and
output packets for each logical interface, plus additional information.
If the -n option is specified, the list displays the
IP address instead of the interface name.
If an optional interval is specified, the output will be continually
displayed in interval seconds until interrupted by the user or
until count is reached. See OPERANDS.
The physical interface is specified using the -I option.
When used with the interval operand, output for the -I
option has the following format:
If the input interface is not specified, the first interface of address
family inet or inet6 will be displayed.
Routing Table (Seventh Form)
The routing table display lists the available routes and the status of
each. Each route consists of a destination host or network, and a gateway
to use in forwarding packets. The flags column shows the status
of the route. These flags are as follows:
U
Indicates route is up.
G
Route is to a gateway.
H
Route is to a host and not a network.
M
Redundant route established with the -multirt
option.
S
Route was established using the -setsrc option.
D
Route was created dynamically by a redirect.
If the -a option is specified, there will be routing
entries with the following flags:
A
Combined routing and address resolution entries.
B
Broadcast addresses.
L
Local addresses for the host.
Interface routes are created for each interface attached to the local
host; the gateway field for such entries shows the address of the outgoing
interface.
The use column displays the number of packets sent using a combined
routing and address resolution (A) or a broadcast (B)
route. For a local (L) route, this count is the number of packets
received, and for all other routes it is the number of times the routing
entry has been used to create a new combined route and address resolution
entry.
The interface entry indicates the network interface utilized
for the route.
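Routes carrying the D flag were installed by a redirect rather than by an administrator, so they are worth reviewing when auditing a host. The following is an added example, not part of the man page: the function names are hypothetical and the sample table is constructed (documentation addresses, Solaris-style layout). It also accepts the Linux layout by locating the Flags column from the header row.

```shell
#!/bin/sh
# Added example: list routes whose Flags column contains D
# (created dynamically by a redirect) from `netstat -rn` output.

# Reads routing-table text on stdin and prints "destination gateway flags"
# for every route whose flags include D.
redirect_routes() {
    awk '
        # A new "Routing Table: IPv4/IPv6" section has its own header row.
        /^Routing Table:/ { flagcol = 0; next }
        # Until the header is seen, look for the field named "Flags";
        # Solaris and Linux put it in different columns.
        flagcol == 0 {
            for (i = 1; i <= NF; i++) if ($i == "Flags") flagcol = i
            next
        }
        # Skip the dashed separator and lines too short to hold flags.
        /^-/ || NF < flagcol { next }
        index($flagcol, "D") { print $1, $2, $flagcol }
    '
}

# Constructed sample input; on a live host use: netstat -rn | redirect_routes
sample_routes() {
    cat <<'EOF'
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.0.2.1            UG        1        532
192.0.2.0            192.0.2.10           U         1       1021 e1000g0
198.51.100.7         192.0.2.254          UGHD      1          3
127.0.0.1            127.0.0.1            UH        1         49 lo0
EOF
}

sample_routes | redirect_routes
```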
Multicast Routing Tables (Eighth Form)
The multicast routing table consists of the virtual interface table and
the actual routing table.
DHCP Interface Information (Ninth Form)
The DHCP interface information consists of the interface name, its current
state, lease information, packet counts, and a list of flags.
The states correlate with the specifications set forth in RFC 2131.
Lease information includes:
when the lease began;
when lease renewal will begin; and
when the lease will expire.
The flags currently defined include:
BOOTP
The interface has a lease obtained through BOOTP (IPv4
only).
The interface is in failure state and must be manually restarted.
Packet counts are maintained for the number of packets sent, the number
of packets received, and the number of lease offers declined by the DHCP
client. All three counters are initialized to zero and then incremented
while obtaining a lease. The counters are reset when the period of lease
renewal begins for the interface. Thus, the counters represent either the
number of packets sent, received, and declined while obtaining the current
lease, or the number of packets sent, received, and declined while attempting
to obtain a future lease.
Files
/etc/default/inet_type
DEFAULT_IP setting
Attributes
See
attributes(5)
for descriptions of the following attributes:
Droms, R., RFC 2131, Dynamic Host Configuration Protocol, Network
Working Group, March 1997.
Droms, R., RFC 3315, Dynamic Host Configuration Protocol for IPv6 (DHCPv6),
Cisco Systems, July 2003.
Notes
When displaying interface information, netstat honors the
DEFAULT_IP setting in /etc/default/inet_type. If it is set to
IP_VERSION4, then netstat will omit information relating
to IPv6 interfaces, statistics, connections, routes and the like.
However, you can override the DEFAULT_IP setting in /etc/default/inet_type
on the command-line. For example, if you have used the command-line to explicitly
request IPv6 information by using the inet6 address family or one of
the IPv6 protocols, it will override the DEFAULT_IP setting.
If you need to examine network status information following a kernel crash,
use the mdb(1) utility on the savecore(1M) output.
The netstat utility obtains TCP statistics from the system by
opening /dev/tcp and issuing queries. Because of this, netstat
might display an extra, unused connection in IDLE state when reporting
connection status.
Previous versions of netstat had undocumented methods for reporting
kernel statistics published using the kstat(7D) facility. This functionality
has been removed. Use kstat(1M) instead.
netstat restricts its output to information that is relevant to
the zone in which netstat runs. (This is true for both shared-IP
and exclusive-IP zones.)
TCP/IP command. Show network status. Print information on active sockets,
routing tables, interfaces, masquerade connections, or multicast memberships.
By default, netstat lists open sockets. When a delay is
specified, netstat will print new information every delay
seconds.
Options
The first five options (-g, -i, -M, -r, and
-s) determine what kind of information netstat should display.
-g, --groups
Show multicast group memberships.
-i, --interface[=name]
Show all network interfaces, or just the interface specified by
name.
-M, --masquerade
Show masqueraded connections.
-r, --route
Show kernel routing tables.
-s, --statistics
Show statistics for each protocol.
-a, --all
Show all entries.
-Afamily, --protocol=family
Show connections only for the specified address family.
Accepted values are inet, unix, ipx, ax25, netrom, and ddp.
Specify multiple families in a comma-separated list.
-c, --continuous
Display information continuously, refreshing once every second.
-C
Print routing information from the route cache.
-e, --extend
Increase level of detail in reports. Use twice for maximum detail.
-F
Print routing information from the forward information database (FIB).
This is the default.
-l, --listening
Show only listening sockets.
-n, --numeric
Show network addresses, ports, and users as numbers.
--numeric-hosts
Show host addresses as numbers, but resolve others.
--numeric-ports
Show ports as numbers, but resolve others.
--numeric-users
Show user ID numbers for users, but resolve others.
-N, --symbolic
Where possible, print symbolic host, port, or usernames instead of
numerical representations. This is the default behavior.
-o, --timers
Include information on network timers.
-p, --program
Show the process ID and name of the program owning the socket.
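The -l, -n and -p options combine into a quick listener audit. The following is an added example, not part of the man page: the function names and the allowlist are hypothetical, and the sample output is constructed in the Linux `netstat -lnp` layout. It reports TCP listeners that are reachable from off-host and are not on the expected-ports list.

```shell
#!/bin/sh
# Added example: audit `netstat -lnp` output for unexpected listeners.

# usage: unexpected_listeners "22 443" < netstat-output
# Prints "port address owner" for each TCP LISTEN socket that is not bound
# to loopback and whose port is not in the space-separated allowlist.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)    # strip ":port", leaving the bind address
            sub(/^.*:/, "", port)        # keep the text after the last colon
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port in ok) next
            # Field 7 is PID/Program name; "-" means netstat lacked the
            # privilege to identify the owner (rerun as root).
            owner = ($7 == "" ? "-" : $7)
            print port, addr, owner
        }
    '
}

# Constructed sample input; on a live host use:
#   netstat -lnp | unexpected_listeners "22 443"
sample_listeners() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      4242/unknownd
tcp6       0      0 :::8080                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           733/dhclient
EOF
}

sample_listeners | unexpected_listeners "22 443"
```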
Copyright 1996-2021 by Softpanorama Society. www.softpanorama.org
was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP)
without any remuneration. This document is an industrial compilation designed and created exclusively
for educational use and is distributed under the Softpanorama Content License.
Original materials copyright belong
to respective owners. Quotes are made for educational purposes only
in compliance with the fair use doctrine.
Created: May 16, 1996; Last modified:
July 16, 2018