UNIX System Administration Handbook - Evi Nemeth [375]

on a single machine suggests a problem with that machine’s interface or connection. An error rate that is high everywhere most likely indicates a media problem.

Collisions indicate a loaded network; errors often indicate cabling problems. Although a collision is a type of error, it is counted separately by netstat. The Collis column gives the number of collisions that were experienced while packets were being sent.4

Use this number to calculate the percentage of output packets (Opkts) that result in collisions. In the example above, the collision rate on interface hme0 is about 0.6% and the collision rate on interface hme1 is 0.13%. On a properly functioning network, collisions should be less than 5% of output packets, and anything over 15% indicates serious congestion problems.

netstat can also monitor a specific interface in real time, although the flags to request this behavior are different on each version of UNIX. The following commands give interface statistics at one-second intervals. The output that is shown is adapted from a FreeBSD system.

    solaris% netstat -i 1
    hp-ux% netstat 1
    redhat% netstat -i -c
    freebsd% netstat 1
                input        (Total)           output
       packets  errs      packets  errs    colls
      13971549  1216     14757869    16  1431629
           512     0           99     1       27
           464     1           94     0       40
           516     0          101     0       26
           452     1           87     0       14
           336     0           71     0       19
    ...

In this example, the collision rate is running at 20%–30%. The network is probably very slow and possibly even unusable.

netstat’s continuous mode is especially useful for tracking down the source of errors. netstat -i can alert you to the existence of problems, but it can’t tell you whether the errors came from a continuous, low-level problem or from a brief but catastrophic event. Observing the network over time under a variety of load conditions will give you a much better impression of what’s going on. Try running ping with a large ping packet size while you watch the output of netstat.
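As an added example (not from the book), the shell function below applies the 5% and 15% collision thresholds given above to each row of FreeBSD-style netstat 1 output. The function names and the ok/elevated/congested labels are assumptions made for this example; the sample rows are the ones shown above.

```shell
#!/bin/sh
# Added example: per-interval collision rate from FreeBSD-style "netstat 1"
# output (fields: in-packets in-errs out-packets out-errs colls).

# Sample rows copied from the output shown above.
sample_netstat() {
    cat <<'EOF'
            input        (Total)           output
   packets  errs      packets  errs    colls
  13971549  1216     14757869    16  1431629
       512     0           99     1       27
       464     1           94     0       40
       516     0          101     0       26
       452     1           87     0       14
       336     0           71     0       19
...
EOF
}

# Reads netstat output on stdin; prints "<kind> <rate%> <verdict>" per data row.
# The first data row is the cumulative total; later rows are one-second samples.
# Verdict labels are this example's own: under 5% ok, over 15% congested.
collision_rates() {
    awk '
    function verdict(r) { return (r > 15) ? "congested" : (r >= 5) ? "elevated" : "ok" }
    NF != 5 { next }                       # header line 1, "...", blank lines
    { for (i = 1; i <= 5; i++) if ($i !~ /^[0-9]+$/) next }   # column titles
    {
        kind = (++n == 1) ? "total" : "sample"
        if ($3 == 0) { print kind, "n/a", "idle"; next }      # no output packets
        rate = 100 * $5 / $3
        printf "%s %.1f %s\n", kind, rate, verdict(rate)
        if (n > 1) { opkts += $3; colls += $5 }
    }
    END {
        if (opkts > 0) {
            rate = 100 * colls / opkts
            printf "aggregate %.1f %s\n", rate, verdict(rate)
        }
    }'
}

sample_netstat | collision_rates
```

On the sample rows, individual seconds range from 16.1% to 42.6%, and the five one-second samples taken together come to 27.9%.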

Examining the routing table


netstat -r displays the kernel’s routing table. Here is a sample from a Solaris machine with two network interfaces:

    % netstat -r -n
    Routing Table:
      Destination      Gateway          Flags  Ref    Use  Interface
      192.225.44.0     192.225.44.88    U        3   1841  hme0
      192.168.3.0      192.168.3.12     U        2   1317  hme1
      10.0.0.0         192.168.3.252    UG       0      4  hme1
      default          192.225.44.254   UG       0  91668
      127.0.0.1        127.0.0.1        UH       0    543  lo0
    ...

Destinations and gateways can be displayed either as hostnames or as IP addresses; the -n flag requests numeric output.

The Flags characterize the route: U means up (active), G is a gateway, and H is a host route. The D flag (not shown) indicates a route resulting from an ICMP redirect. G and H together indicate a host route that passes through an intermediate gateway. The remaining fields give statistics on the route: the current number of TCP connections using the route, the number of packets sent, and the interface used. Remember that this output varies slightly among operating systems.

See page 283 for more information about the routing table.

Use this form of netstat to check on the health of your machine’s routing table. It’s particularly important to verify that the system has a default route and that it is correct. On some systems, the default route is represented by an all-0 destination address (0.0.0.0); on others, the word “default” appears instead.

Viewing operational statistics for various network protocols


netstat -s dumps the contents of counters that are scattered throughout the network code. The output has separate sections for IP, ICMP, TCP, and UDP. Below are pieces of netstat -s output from a gateway machine; they have been edited to show only the tastiest pieces of information.

    ip:
        2313683 total packets received
        0 bad header checksums
        1642600 packets for this host
        25743 packets sent from this host
        0 output packets dropped due to no bufs, etc.

The absence of checksum errors indicates a clean hardware connection. It is important to check that packets are not getting dropped because of lack of memory (bufs in this example, but often referred to as “mbufs”).5

