Softpanorama
(slightly skeptical) Open Source Software Educational Society

Solaris netstat

The netstat command is used to query TCP/IP about the network status of the local host. The command is located in the /usr/bin directory. With the -i option netstat displays the state of the Ethernet interfaces, with -r it displays routing information, and with -s it displays per-protocol statistics:

netstat -i   # the state of the Ethernet interfaces
netstat -r   # routing information
netstat -s   # protocol statistics

A more extensive list of typical idioms can be found at Sun Microsystems - BigAdmin Shell Commands:

netstat -a | grep EST | wc -l   # number of active established connections to the local host
netstat -a | more               # state of all the sockets on the machine
netstat -i                      # state of the interfaces used for TCP/IP traffic
netstat -k hme0                 # undocumented netstat command
netstat -np                     # similar to arp -a, without name resolution
netstat -r                      # state of the network routing table for TCP/IP traffic
netstat -rn                     # routing information, bypassing hostname lookup

The exact syntax of this command is very implementation-dependent. See the User's Guide or the Command Reference Manual of your implementation for full details. It is a useful tool for debugging purposes.

In general, NETSTAT will provide information on:

The NETSTAT command is implemented in TCP/IP for VM, MVS, OS/400, OS/2, DOS and all AIX systems.


Old News

[Nov 4, 2004] LinuxPlanet - Tutorials - Keep an Eye on Your Linux Systems with Netstat - Using Netstat For Surveillance And Troubleshooting

by Carla Schroder

Using Netstat For Surveillance And Troubleshooting

Two of the fundamental aspects of Linux system security and troubleshooting are knowing what services are running, and what connections and services are available. We're all familiar with ps for viewing active services. netstat goes a couple of steps further, and displays all available connections, services, and their status. It shows one type of service that ps does not: services run from inetd or xinetd, because inetd/xinetd start them up on demand. If the service is available but not active, such as telnet, all you see in ps is either inetd or xinetd:

$ ps ax | grep -E 'telnet|inetd'
  520 ?            Ss         0:00 /usr/sbin/inetd

But netstat shows telnet sitting idly, waiting for a connection:

$ netstat --inet -a | grep telnet
tcp      0     0     *:telnet      *:*    LISTEN

This netstat invocation shows all activity:

$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address  Foreign Address State
tcp     0      0      *:telnet       *:*           LISTEN
tcp     0      0      *:ipp          *:*           LISTEN
tcp     0      0      *:smtp         *:*           LISTEN
tcp     0      0      192.168.1.5:32851 nest.anthill.echid:ircd     ESTABLISHED
udp     0      0      *:ipp          *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags    Type     State       I-Node Path
unix  2      [ ACC ]  STREAM   LISTENING   1065   /tmp/ksocket-carla/klaunchertDCh2b.slave-socket
unix  2      [ ACC ]  STREAM   LISTENING   1002   /tmp/ssh-OoMGfFm666/agent.666
unix  2      [ ACC ]  STREAM   LISTENING   819    private/smtp

Your total output will probably run to a couple hundred lines. (A fun and quick way to count lines of output is netstat -a | wc -l.) You can ignore everything under "Active UNIX domain sockets." Those are local inter-process communications, not network connections. To avoid displaying them at all, do this:

$ netstat --inet -a

This will display only network connections, both listening and established. Already netstat has earned its keep--both the telnet and smtp services are running. This is bad, because I don't want to have either a telnet or smtp server running on this machine. So now I know I need to turn them off, and re-configure my startup files so they won't start at boot.

How do you know what services you want running? That is a mondo subject for another day, and an important one. For example, if your system has been compromised, this is one place to find evidence of a Trojan horse or other malware phoning home. In this example, ipp is Internet Printing Protocol, which belongs to CUPS (Common Unix Printing System.) If you want your printer to work, this needs to be here. The connection on 192.168.1.5:32851 is my active IRC (Internet Relay Chat) connection. Refer to your /etc/services file to learn more about TCP and UDP ports, and the services assigned to them.

 

What It Means

"Proto" is short for protocol, which is either TCP or UDP. "Recv-Q" and "Send-Q" mean receiving queue and sending queue. These should always be zero; if they're not you might have a problem. Packets should not be piling up in either queue, except briefly, as this example shows:

tcp   0   593  192.168.1.5:34321 venus.euao.com:smtp ESTABLISHED

That happened when I hit the "check mail" button in KMail; a brief queuing of outgoing packets is normal behavior. If the receiving queue is consistently jamming up, you might be experiencing a denial-of-service attack. If the sending queue does not clear quickly, you might have an application that is sending them out too fast, or the receiver cannot accept them quickly enough.

"Local address" is either your IP and port number, or IP and the name of a service. "Foreign address" is the hostname and service you are connected to. The asterisk is a placeholder for IP addresses, which of course cannot be known until a remote host connects. "State" is the current status of the connection. Any TCP state can be displayed here, but these three are the ones you want to see:

LISTEN - waiting to receive a connection
ESTABLISHED - a connection is active
TIME_WAIT - a recently terminated connection; this should last only a minute or two, then change back to LISTEN. The socket pair cannot be re-used as long as the TIME_WAIT state persists.

 

UDP is stateless, so the "State" column is always blank.

A socket pair is both sides of a TCP/IP connection, like this example for a locally-attached printer:

localhost:ipp               localhost:34493             ESTABLISHED

Or a telnet connection to a remote server:

192.168.1.5:34437           65.106.57.106.pt:telnet    ESTABLISHED

A socket is any hostname-port combination, or IP address-port.
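The listing above is what a defender reads to answer "which services are available, and which connections are stuck". As an added example (shell plus awk, not code from the article or from net-tools), the following parses a constructed netstat --inet -a sample, lists listeners, counts states, flags non-empty queues and diffs the listeners against a baseline list; the hostnames and addresses in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the article or from net-tools): summarise a Linux
# "netstat --inet -a" listing the way the text reads it, with awk. The sample
# below is constructed; the hostnames and addresses in it are made up.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:ipp                   *:*                     LISTEN
tcp        0      0 192.168.1.5:32851       nest.anthill.echid:ircd ESTABLISHED
tcp        0    593 192.168.1.5:34321       venus.euao.com:smtp     ESTABLISHED
tcp      412      0 192.168.1.5:ipp         192.168.1.7:40111       ESTABLISHED
tcp        0      0 192.168.1.5:34437       192.168.1.9:telnet      TIME_WAIT
udp        0      0 *:ipp                   *:*'

# list_listeners TABLE: local socket of every TCP entry in LISTEN state,
# i.e. the services that are available whether or not ps shows them
list_listeners() {
  printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" { print $4 }'
}

# count_state TABLE STATE: how many TCP sockets are in STATE
count_state() {
  printf '%s\n' "$1" | awk -v s="$2" '$1 == "tcp" && $6 == s { n++ } END { print n + 0 }'
}

# flag_queues TABLE: sockets whose Recv-Q or Send-Q is not zero; the text says
# packets should only pile up briefly, so anything persistent here is suspect
flag_queues() {
  printf '%s\n' "$1" | awk 'NR > 2 && ($2 > 0 || $3 > 0) { print $4, "recvq=" $2, "sendq=" $3 }'
}

# new_listeners BASELINE CURRENT: listeners (one per line) present in CURRENT
# but missing from BASELINE, for comparing against a known-good capture
new_listeners() {
  printf '%s\n' "$2" | awk -v base="$1" '
    BEGIN { n = split(base, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
    !($0 in seen)'
}

echo "listening:"; list_listeners "$SAMPLE"
echo "established: $(count_state "$SAMPLE" ESTABLISHED), time_wait: $(count_state "$SAMPLE" TIME_WAIT)"
echo "non-empty queues:"; flag_queues "$SAMPLE"
echo "not in baseline:"; new_listeners "$(printf '*:ipp\n*:smtp')" "$(list_listeners "$SAMPLE")"
```

On a live host, replace SAMPLE with "$(netstat --inet -an)" and feed new_listeners a listener list saved when the machine was known to be clean.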

Continuous Capture, "Borken" DNS, and Interface Checking

Because all these things change often, how do you capture the changes? Run netstat continuously with the -c flag and record the output:

$ netstat --inet -a -c > netstat.txt

Then check email, start and stop services, surf the web, log in to a telnet BBS and play Legend of the Red Dragon; then review your capture file to see what it all looks like.

If netstat is taking too long, or not resolving a hostname at all, give it the -n flag to turn off DNS lookups:

$ netstat --inet -an

netstat can help diagnose NIC problems. Use the -i flag when you're troubleshooting a flakey connection, and you suspect your NIC:

$ netstat -i
Kernel Interface table
Iface   MTU  Met   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0    28698  0      0      0     33742  0      0      0     BMRU
lo      16436 0    14     0      0      0     14     0      0      0     LRU

You should see large numbers in the RX-OK (received OK) and TX-OK (transmitted OK) columns, and very low numbers in all the others. If you are seeing a lot of RX-ERRs or TX-ERRs, suspect the NIC or the patch cable. This is what the flags mean:

B = broadcast address
L = loopback device
M = promiscuous mode
R = interface is running
U = interface is up
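As an added example (not from the article), the following applies the check described above to two constructed netstat -i snapshots: it flags interfaces whose error, drop and overrun counters exceed a percentage of the OK counters, and reports which interfaces accumulated new errors between the snapshots; the eth1 figures are invented to look faulty.

```shell
#!/bin/sh
# Added example, not from the article: read two "netstat -i" snapshots of the
# Linux interface table and report error-heavy or still-erroring interfaces.
# Both tables below are constructed samples; eth1 is made to look faulty.
BEFORE='Kernel Interface table
Iface   MTU  Met   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0    28698  0      0      0     33742  0      0      0     BMRU
eth1    1500  0    10240  310    57     0     9800   12     0      0     BMRU
lo      16436 0    14     0      0      0     14     0      0      0     LRU'
AFTER='Kernel Interface table
Iface   MTU  Met   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0    31002  0      0      0     36120  0      0      0     BMRU
eth1    1500  0    10790  355    61     0     10010  12     0      0     BMRU
lo      16436 0    20     0      0      0     20     0      0      0     LRU'

# bad_interfaces TABLE PERCENT: interfaces whose RX or TX errors+drops+overruns
# exceed PERCENT of the corresponding OK count (the text: "very low numbers")
bad_interfaces() {
  printf '%s\n' "$1" | awk -v pct="$2" 'NR > 2 {
    rxbad = $5 + $6 + $7; txbad = $9 + $10 + $11
    if (rxbad * 100 > $4 * pct || txbad * 100 > $8 * pct) print $1
  }'
}

# error_growth BEFORE AFTER: interfaces whose RX-ERR or TX-ERR counters rose
# between the two snapshots; a NIC that keeps erroring is the one to suspect
error_growth() {
  printf '%s\n%s\n' "$1" "$2" | awk '$1 != "Kernel" && $1 != "Iface" {
    if (!($1 in rx)) { rx[$1] = $5; tx[$1] = $9; next }
    drx = $5 - rx[$1]; dtx = $9 - tx[$1]
    if (drx > 0 || dtx > 0) printf "%s rx_err+%d tx_err+%d\n", $1, drx, dtx
  }'
}

echo "error-heavy (>1% of OK):"; bad_interfaces "$AFTER" 1
echo "still erroring between snapshots:"; error_growth "$BEFORE" "$AFTER"
```

Taking the two snapshots a few minutes apart with "$(netstat -i)" separates a NIC that is failing now from one that merely logged errors long ago.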

 

Linux Netstat

 

netstat

netstat [options] [delay]

TCP/IP command. Show network status. Print information on active sockets, routing tables, interfaces, masquerade connections, or multicast memberships. By default, netstat lists open sockets. When a delay is specified, netstat will print new information every delay seconds.

Options

The first five options (-g, -i, -M, -r, and -s) determine what kind of information netstat should display.

-g, --groups

Show multicast group memberships.

-i, --interface[=name]

Show all network interfaces, or just the interface specified by name.

-M, --masquerade

Show masqueraded connections.

-r, --route

Show kernel routing tables.

-s, --statistics

Show statistics for each protocol.

-a, --all

Show all entries.

-A family, --protocol=family

Show connections only for the specified address family. Accepted values are inet, unix, ipx, ax25, netrom, and ddp. Specify multiple families in a comma-separated list.

-c, --continuous

Display information continuously, refreshing once every second.

-C

Print routing information from the route cache.

-e, --extend

Increase level of detail in reports. Use twice for maximum detail.

-F

Print routing information from the forward information database (FIB). This is the default.

-l, --listening

Show only listening sockets.

-n, --numeric

Show network addresses, ports, and users as numbers.

--numeric-hosts

Show host addresses as numbers, but resolve others.

--numeric-ports

Show ports as numbers, but resolve others.

--numeric-users

Show user ID numbers for users, but resolve others.

-N, --symbolic

Where possible, print symbolic host, port, or usernames instead of numerical representations. This is the default behavior.

-o, --timers

Include information on network timers.

-p, --program

Show the process ID and name of the program owning the socket.

-t, --tcp

Limit report to information on TCP sockets.

-u, --udp

Limit report to information on UDP sockets.

-v, --verbose

Verbose mode.

-w, --raw

Limit report to information on raw sockets.


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials copyright belongs to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Quiz

Q1. Which command (and options) will show the routing table, but will bypass hostname lookup?

A: netstat -nr

Q2. Which command (and options) will show the state of all sockets?

A: netstat -a

 

Last modified: February 28, 2008