UNIX System Administration Handbook - Evi Nemeth [374]
Here, we discuss the four most common uses of netstat:
• Monitoring the status of network connections
• Inspecting interface configuration information
• Examining the routing table
• Getting operational statistics for various network protocols
Monitoring the status of network connections
With no arguments, netstat displays the status of active TCP and UDP ports. Inactive (“listening”) servers waiting for connections aren’t normally shown; they can be seen with netstat -a.
The output looks like this:
% netstat -a
Active Internet connections (including servers)
Proto  Recv-Q  Send-Q  Local Address  Foreign Address     (state)
tcp4        0       0  *.6013         *.*                 LISTEN
tcp46       0       0  *.6013         *.*                 LISTEN
tcp4        0       0  nimi.ssh       xor.com.4105        ESTABLISHED
tcp4        0      20  nimi.ssh       xor.com.1612        ESTABLISHED
tcp4        0       0  *.13500        *.*                 LISTEN
tcp4        0       0  nimi.ssh       135.197.2.114.883   ESTABLISHED
tcp4        0       0  nimi.1599      xor.com.telnet      ESTABLISHED
tcp4        0       0  *.ssh          *.*                 LISTEN
tcp46       0       0  *.ssh          *.*                 LISTEN
tcp4        0       0  nimi.ssh       135.197.2.114.776   ESTABLISHED
tcp4        0       0  *.cvsup        *.*                 LISTEN
udp4        0       0  *.syslog       *.*
udp4        0       0  *.ntalk        *.*
...
The preceding example was run on the host nimi. It shows several inbound SSH connections, an outbound telnet connection, and a bunch of ports listening for other connections. Also of note are the lines showing the protocol as tcp46, which are services running on IPv6.
Addresses are shown as hostname.service, where the service is a port number. For well-known services, netstat shows the port symbolically, using the mapping defined in /etc/services. You can obtain numeric addresses with the -n option. Remember, if your DNS is broken, netstat will be painful to use without the -n flag.
Send-Q and Recv-Q show the sizes of the send and receive queues for the connection on the local host; the queue sizes on the other end of a TCP connection might be different. They should tend toward 0 and at least not be consistently nonzero. Of course, if you are running netstat over a network terminal, the send queue for your connection will probably never be 0.
The connection state has meaning only for TCP; UDP is a connectionless protocol. The most common states you’ll see are ESTABLISHED for currently active connections, LISTEN for servers waiting for connections (not normally shown without -a), and TIME_WAIT for connections in the process of closing.
This display is primarily useful for debugging higher-level problems once you have determined that basic networking facilities are working correctly. It lets you verify that servers are set up correctly and facilitates the diagnosis of certain types of miscommunication, particularly with TCP. For example, a connection that stays in state SYN_SENT identifies a process that is trying to contact a nonexistent or inaccessible network server.
If netstat shows a lot of connections in the SYN_WAIT condition, your host is probably unable to handle the number of connections being requested. This inadequacy may be due to kernel tuning limitations or even to malicious flooding.
See Chapter 12 for more information about kernel tuning.
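An added example, not from the book: shell functions that tally TCP states, count one named state, and list nonzero queues from netstat -an output in the column layout shown above. The sample lines and addresses are constructed, and the state label to alert on is passed as an argument because the label printed differs between systems.

```shell
#!/bin/sh
# Added example, not from the book. Each function reads BSD-style
# netstat -an output on stdin, so it also works on a saved capture.

# Constructed sample in the column layout shown above (documentation addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.22                   *.*                    LISTEN
tcp4       0      0 192.0.2.10.22          198.51.100.7.4105      ESTABLISHED
tcp4       0     20 192.0.2.10.22          198.51.100.7.1612      ESTABLISHED
tcp4       0      0 192.0.2.10.1599        203.0.113.5.23         SYN_SENT
tcp4       0      0 192.0.2.10.80          203.0.113.9.40001      SYN_RCVD
tcp4       0      0 192.0.2.10.80          203.0.113.9.40002      SYN_RCVD
tcp4       0      0 192.0.2.10.80          203.0.113.9.40003      SYN_RCVD
udp4       0      0 *.514                  *.*
EOF
}

# Print "STATE COUNT" per TCP state, busiest first. UDP lines carry no state.
tcp_state_counts() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) print s, n[s] }' | sort -k2,2nr -k1,1
}

# Print the number of TCP connections in the state named by $1.
count_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $6 == want { c++ } END { print c + 0 }'
}

# Print connections whose Recv-Q or Send-Q is nonzero in this snapshot.
# One snapshot proves little; compare several runs before drawing conclusions.
nonzero_queues() {
    awk '$1 ~ /^tcp/ && ($2 > 0 || $3 > 0) {
             print $4, $5, "recvq=" $2, "sendq=" $3 }'
}

# Succeed and print a warning when state $1 has at least $2 connections.
state_alert() {
    c=$(count_state "$1")
    [ "$c" -ge "$2" ] || return 1
    echo "WARNING: $c connections in $1 (threshold $2)"
}

sample_netstat | tcp_state_counts
sample_netstat | state_alert SYN_RCVD 3
```

On a live host, pipe netstat -an into the same functions in place of sample_netstat, and pick the threshold from what is normal for that server.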
Inspecting interface configuration information
netstat -i shows the status of network interfaces. For example, here is output from netstat -i on the Solaris machine evolve:
% netstat -i
Name  Mtu   Net/Dest   Ipkts  Ierrs  Opkts   Oerrs  Collis
lo0   8232  loopback   11650  0      11650   0      0
hme0  1500  evolve     16438  0      18356   0      110
hme1  1500  evolve-bl  94852  7      379410  13     487
This host has two network interfaces: one for regular traffic and a “backlan” connection called evolve-bl. Ipkts and Opkts report the number of packets that have been received and transmitted on each interface since the machine was booted. Ierrs and Oerrs show the number of input and output errors; many different types of errors are counted in these buckets, and it is normal for a few to show up.
Errors should be less than 1% of the associated packets. If your error rate is high, compare the rates of several neighboring machines. A large number of errors