Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Solaris netstat

See Also

Old News

[Nov 4, 2004] LinuxPlanet - Tutorials - Keep an Eye on Your Linux Systems with Netstat - Using Netstat For Surveillance And Troubleshooting

by Carla Schroder

Using Netstat For Surveillance And Troubleshooting

Two of the fundamental aspects of Linux system security and troubleshooting are knowing what services are running, and what connections and services are available. We're all familiar with ps for viewing active services. netstat goes a couple of steps further, and displays all available connections, services, and their status. It shows one type of service that ps does not: services run from inetd or xinetd, because inetd/xinetd start them up on demand. If the service is available but not active, such as telnet, all you see in ps is either inetd or xinetd:
$ ps ax | grep -E 'telnet|inetd'
  520 ?            Ss         0:00 /usr/sbin/inetd
But netstat shows telnet sitting idly, waiting for a connection:
$ netstat --inet -a | grep telnet
tcp      0     0     *:telnet      *:*    LISTEN
This netstat invocation shows all activity:
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address  Foreign Address State
tcp     0      0      *:telnet       *:*           LISTEN
tcp     0      0      *:ipp          *:*           LISTEN
tcp     0      0      *:smtp         *:*           LISTEN
tcp     0      0      192.168.1.5:32851 nest.anthill.echid:ircd     ESTABLISHED
udp     0      0      *:ipp          *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags    Type     State       I-Node Path
unix  2      [ ACC ]  STREAM   LISTENING   1065   /tmp/ksocket-carla/klaunchertDCh2b.slave-socket
unix  2      [ ACC ]  STREAM   LISTENING   1002   /tmp/ssh-OoMGfFm666/agent.666
unix  2      [ ACC ]  STREAM   LISTENING   819    private/smtp
Your total output will probably run to a couple hundred lines. (A fun and quick way to count lines of output is netstat -a | wc -l.) You can ignore everything under "Active UNIX domain sockets." Those are local inter-process communications, not network connections. To avoid displaying them at all, do this:
$ netstat --inet -a
This will display only network connections, both listening and established. Already netstat has earned its keep--both the telnet and smtp services are running. This is bad, because I don't want to have either a telnet or smtp server running on this machine. So now I know I need to turn them off, and re-configure my startup files so they won't start at boot.

How do you know what services you want running? That is a mondo subject for another day, and an important one. For example, if your system has been compromised, this is one place to find evidence of a Trojan horse or other malware phoning home. In this example, ipp is Internet Printing Protocol, which belongs to CUPS (Common Unix Printing System.) If you want your printer to work, this needs to be here. The connection on 192.168.1.5:32851 is my active IRC (Internet Relay Chat) connection. Refer to your /etc/services file to learn more about TCP and UDP ports, and the services assigned to them.

What It Means

"Proto" is short for protocol, which is either TCP or UDP. "Recv-Q" and "Send-Q" mean receiving queue and sending queue. These should always be zero; if they're not you might have a problem. Packets should not be piling up in either queue, except briefly, as this example shows:
tcp   0   593  192.168.1.5:34321 venus.euao.com:smtp ESTABLISHED
That happened when I hit the "check mail" button in KMail; a brief queuing of outgoing packets is normal behavior. If the receiving queue is consistently jamming up, you might be experiencing a denial-of-service attack. If the sending queue does not clear quickly, you might have an application that is sending them out too fast, or the receiver cannot accept them quickly enough.

"Local address" is either your IP and port number, or IP and the name of a service. "Foreign address" is the hostname and service you are connected to. The asterisk is a placeholder for IP addresses, which of course cannot be known until a remote host connects. "State" is the current status of the connection. Any TCP state can be displayed here, but these three are the ones you want to see:

LISTEN- waiting to receive a connection
ESTABLISHED- a connection is active
TIME_WAIT- a recently terminated connection;
this should last only a minute or two, then change back to LISTEN. The socket pair cannot be re-used as long the TIME_WAIT state persists.

UDP is stateless, so the "State" column is always blank.

A socket pair is both sides of a TCP/IP connection, like this example for a locally-attached printer:
localhost:ipp               localhost:34493             ESTABLISHED
Or a telnet connection to a remote server:
192.168.1.5:34437           65.106.57.106.pt:telnet    ESTABLISHED
A socket is any hostname-port combination, or IP address-port.

Continuous Capture, "Borken" DNS, and Interface Checking

Because all these things change often, how do you capture the changes? Run netstat continuously with the -c flag and record the output:
$ netstat --inet -a -c > netstat.txt
Then check email, start and stop services, surf the web, log in to a telnet BBS and play Legend of the Red Dragon; then review your capture file to see what it all looks like.

If netstat is taking too long, or not resolving a hostname at all, give it the -n flag to turn off DNS lookups:
$ netstat --inet -an
netstat can help diagnose NIC problems. Use the -i flag when you're troubleshooting a flakey connection, and you suspect your NIC:
$ netstat -i
Kernel Interface table
Iface   MTU  Met   RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0    1500  0    28698  0      0      0     33742  0      0      0     BMRU
lo      16436 0    14     0      0      0     14     0      0      0     LRU
You should see large numbers in the RX-OK (received OK) and TX-OK (transmitted OK) columns, and very low numbers in all the others. If you are seeing a lot of RX-ERRs or TX-ERRs, suspect the NIC or the patch cable. This is what the flags mean:
B = broadcast address
L = loopback device
M = promicuous mode
R = interface is running
U = interface is up

Resources

Linux Network Administrator's Guide, by Olaf Kirch & Terry Dawson

netstat

-anv

-f

address_family

-P

protocol

netstat

-g

-n

-f

address_family

netstat

-p

-n

-f

address_family

netstat

-s

-f

address_family

-P

protocol

interval

count

netstat

-m

-v

interval

count

netstat

-i

-I

interface

-an

-f

address_family

interval

count

netstat

-r

-anv

-f

address_family

filter

netstat

-M

-ns

-f

address_family

netstat

-D

-I

interface

-f

address_family

DESCRIPTION

The netstat command displays the contents of certain network-related data structures in various formats, depending on the options you select.

The netstat command has the several forms shown in the SYNOPSIS section, above, listed as follows:

The first form of the command (with no required arguments) displays a list of active sockets for each protocol.
The second, third, and fourth forms (-g, -p, and -s options) display information from various network data structures.
The fifth form (-m option) displays STREAMS memory statistics.
The sixth form (-i option) shows the state of the interfaces.
The seventh form (-r option) displays the routing table.
The eighth form (-M option) displays the multicast routing table.
The ninth form (-D option) displays the state of DHCP on one or all interfaces.

These forms are described in greater detail below.

With no arguments (the first form), netstat displays connected sockets for PF_INET, PF_INET6, and PF_UNIX, unless modified otherwise by the -f option.

OPTIONS

-a

Show the state of all sockets, all routing table entries, or all interfaces, both physical and logical. Normally, listener sockets used by server processes are not shown. Under most conditions, only interface, host, network, and default routes are shown and only the status of physical interfaces is shown.

-f address_family

Limit all displays to those of the specified address_family. The value of address_family can be one of the following:

inet: For the AF_INET address family showing IPv4 information.
inet6: For the AF_INET6 address family showing IPv6 information.
unix: For the AF_UNIX address family.

-f filter

With -r only, limit the display of routes to those matching the specified filter. A filter rule consists of a "keyword:value" pair. The known keywords and the value syntax are:

af:{inet|inet6|unix|number}: Selects an address family. This is identical to -f address_family and both syntaxes are supported.
{inif|outif}:{name|ifIndex|any|none}: Selects an input or output interface. You can specify the interface by name (such as hme0) or by ifIndex number (for example, 2). If any is used, the filter matches all routes having a specified interface (anything other than null). If none is used, the filter matches all routes having a null interface. Note that you can view the index number (ifIndex) for an interface with the -a option of ifconfig(1M).
{src|dst}:{ip-address[/mask]|any|none}: Selects a source or destination IP address. If specified with a mask length, then any routes with matching or longer (more specific) masks are selected. If any is used, then all but addresses but 0 are selected. If none is used, then address 0 is selected.
flags:[+ -]?[ABDGHLMSU]+: Selects routes tagged with the specified flags. By default, the flags as specified must be set in order to match. With a leading +, the flags specified must be set but others are ignored. With a leading -, the flags specified must not be set and others are permitted.

You can specify multiple instances of -f to specify multiple filters. For example:

% netstat -nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8

The preceding command displays routes within network 10.0.0.0/8, with mask length 8 or greater, and an output interface of either hme0 or hme1, and excludes all other routes.

-g

Show the multicast group memberships for all interfaces. See DISPLAYS, below.

-i

Show the state of the interfaces that are used for IP traffic. Normally this shows statistics for the physical interfaces. When combined with the -a option, this will also report information for the logical interfaces. See ifconfig(1M).

-m

Show the STREAMS memory statistics.

-n

Show network addresses as numbers. netstat normally displays addresses as symbols. This option may be used with any of the display formats.

-p

Show the net to media tables. See DISPLAYS, below.

-r

Show the routing tables. Normally, only interface, host, network, and default routes are shown, but when this option is combined with the -a option, all routes will be displayed, including cache.

-s

Show per-protocol statistics. When used with the -M option, show multicast routing statistics instead. When used with the -a option, per-interface statistics will be displayed, when available, in addition to statistics global to the system. See DISPLAYS, below.

-v

Verbose. Show additional information for the sockets, STREAMS memory statistics, and the routing table.

-I interface

Show the state of a particular interface. interface can be any valid interface such as hme0 or eri0. Normally, the status and statistics for physical interfaces are displayed. When this option is combined with the -a option, information for the logical interfaces is also reported.

-M

Show the multicast routing tables. When used with the -s option, show multicast routing statistics instead.

-P protocol

Limit display of statistics or state of all sockets to those applicable to protocol. The protocol can be one of ip, ipv6, icmp, icmpv6, icmp, icmpv6, igmp, udp, tcp, rawip. rawip can also be specified as raw. The command accepts protocol options only as all lowercase.

-D

Show the status of DHCP configured interfaces.

OPERANDS

interval: Display statistics accumulated since last display every interval seconds, repeating forever, unless count is specified. When invoked with interval, the first row of netstat output shows statistics accumulated since last reboot.
The following options support interval: -i, -m, -s and -Ms. Some values are configuration parameters and are just redisplayed at each interval.
count: Display interface statistics the number of times specified by count, at the interval specified by interval.

DISPLAYS

Active Sockets (First Form)

The display for each active socket shows the local and remote address, the send and receive queue sizes (in bytes), the send and receive windows (in bytes), and the internal state of the protocol.

The symbolic format normally used to display socket addresses is either:

hostname.port

network.port

The numeric host address or network number associated with the socket is used to look up the corresponding symbolic hostname or network name in the hosts or networks database.

If the network or hostname for an address is not known, or if the -n option is specified, the numerical network address is shown. Unspecified, or "wildcard", addresses and ports appear as "*". For more information regarding the Internet naming conventions, refer to inet(7P) and inet6(7P).

For SCTP sockets, because an endpoint can be represented by multiple addresses, the verbose option (-v) displays the list of all the local and remote addresses.

`TCP Sockets`

The possible state values for TCP sockets are as follows:

BOUND: Bound, ready to connect or listen.
CLOSED: Closed. The socket is not being used.
CLOSING: Closed, then remote shutdown; awaiting acknowledgment.
CLOSE_WAIT: Remote shutdown; waiting for the socket to close.
ESTABLISHED: Connection has been established.
FIN_WAIT_1: Socket closed; shutting down connection.
FIN_WAIT_2: Socket closed; waiting for shutdown from remote.
IDLE: Idle, opened but not bound.
LAST_ACK: Remote shutdown, then closed; awaiting acknowledgment.
LISTEN: Listening for incoming connections.
SYN_RECEIVED: Initial synchronization of the connection under way.
SYN_SENT: Actively trying to establish connection.
TIME_WAIT: Wait after close for remote shutdown retransmission.

`SCTP Sockets`

The possible state values for SCTP sockets are as follows:

CLOSED: Closed. The socket is not being used.
LISTEN: Listening for incoming associations.
ESTABLISHED: Association has been established.
COOKIE_WAIT: INIT has been sent to the peer, awaiting acknowledgment.
COOKIE_ECHOED: State cookie from the INIT-ACK has been sent to the peer, awaiting acknowledgement.
SHUTDOWN_PENDING: SHUTDOWN has been received from the upper layer, awaiting acknowledgement of all outstanding DATA from the peer.
SHUTDOWN_SENT: All outstanding data has been acknowledged in the SHUTDOWN_SENT state. SHUTDOWN has been sent to the peer, awaiting acknowledgement.
SHUTDOWN_RECEIVED: SHUTDOWN has been received from the peer, awaiting acknowledgement of all outstanding DATA.
SHUTDOWN_ACK_SENT: All outstanding data has been acknowledged in the SHUTDOWN_RECEIVED state. SHUTDOWN_ACK has been sent to the peer.

Network Data Structures (Second Through Fifth Forms)

The form of the display depends upon which of the -g, -m, -p, or -s options you select.

-g: Displays the list of multicast group membership.
-m: Displays the memory usage, for example, STREAMS mblks.
-p: Displays the net to media mapping table. For IPv4, the address resolution table is displayed. See arp(1M). For IPv6, the neighbor cache is displayed.
-s: Displays the statistics for the various protocol layers.

The statistics use the MIB specified variables. The defined values for ipForwarding are:

forwarding(1): Acting as a gateway.
not-forwarding(2): Not acting as a gateway.

The IPv6 and ICMPv6 protocol layers maintain per-interface statistics. If the -a option is specified with the -s option, then the per-interface statistics as well as the total sums are displayed. Otherwise, just the sum of the statistics are shown.

For the second, third, and fourth forms of the command, you must specify at least -g, -p, or -s. You can specify any combination of these options. You can also specify -m (the fifth form) with any set of the -g, -p, and -s options. If you specify more than one of these options, netstat displays the information for each one of them.

Interface Status (Sixth Form)

The interface status display lists information for all current interfaces, one interface per line. If an interface is specified using the -I option, it displays information for only the specified interface.

The list consists of the interface name, mtu (maximum transmission unit, or maximum packet size)(see ifconfig(1M)), the network to which the interface is attached, addresses for each interface, and counter associated with the interface. The counters show the number of input packets, input errors, output packets, output errors, and collisions, respectively. For Point-to-Point interfaces, the Net/Dest field is the name or address on the other side of the link.

If the -a option is specified with either the -i option or the -I option, then the output includes names of the physical interface(s), counts for input packets and output packets for each logical interface, plus additional information.

If the -n option is specified, the list displays the IP address instead of the interface name.

If an optional interval is specified, the output will be continually displayed in interval seconds until interrupted by the user or until count is reached. See OPERANDS.

The physical interface is specified using the -I option. When used with the interval operand, output for the -I option has the following format:

input    eri0          output        input          (Total)    output
packets  errs  packets errs  colls   packets  errs  packets   errs   colls 
227681   0     659471  1     502     261331   0     99597     1      502
10       0     0       0     0       10       0     0         0      0 
8        0     0       0     0       8        0     0         0      0 
10       0     2       0     0       10       0     2         0      0

If the input interface is not specified, the first interface of address family inet or inet6 will be displayed.

Routing Table (Seventh Form)

The routing table display lists the available routes and the status of each. Each route consists of a destination host or network, and a gateway to use in forwarding packets. The flags column shows the status of the route. These flags are as follows:

U: Indicates route is "up".
G: Route is to a gateway.
H: Route is to a host and not a network.
M: Redundant route established with the -multirt option.
S: Route was established using the -setsrc option.
D: Route was created dynamically by a redirect.

If the -a option is specified, there will be routing entries with the following flags:

A: Combined routing and address resolution entries.
B: Broadcast addresses.
L: Local addresses for the host.

Interface routes are created for each interface attached to the local host; the gateway field for such entries shows the address of the outgoing interface.

The use column displays the number of packets sent using a combined routing and address resolution (A) or a broadcast (B) route. For a local (L) route, this count is the number of packets received, and for all other routes it is the number of times the routing entry has been used to create a new combined route and address resolution entry.

The interface entry indicates the network interface utilized for the route.

Multicast Routing Tables (Eighth Form)

The multicast routing table consists of the virtual interface table and the actual routing table.

DHCP Interface Information (Ninth Form)

The DHCP interface information consists of the interface name, its current state, lease information, packet counts, and a list of flags.

The states correlate with the specifications set forth in RFC 2131.

Lease information includes:

when the lease began;
when lease renewal will begin; and
when the lease will expire.

The flags currently defined include:

BOOTP: The interface has a lease obtained through BOOTP.
BUSY: The interface is busy with a DHCP transaction.
PRIMARY: The interface is the primary interface. See dhcpinfo(1).
FAILED: The interface is in failure state and must be manually restarted.

FILES

/etc/default/inet_type: DEFAULT_IP setting

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWcsu

NOTES

When displaying interface information, netstat honors the DEFAULT_IP setting in /etc/default/inet_type. If it is set to IP_VERSION4, then netstat will omit information relating to IPv6 interfaces, statistics, connections, routes and the like.

However, you can override the DEFAULT_IP setting in /etc/default/inet_type on the command-line. For example, if you have used the command-line to explicitly request IPv6 information by using the inet6 address family or one of the IPv6 protocols, it will override the DEFAULT_IP setting.

If you need to examine network status information following a kernel crash, use the mdb(1) utility on the savecore(1M) output.

The netstat utility obtains TCP statistics from the system by opening /dev/tcp and issuing queries. Because of this, netstat might display an extra, unused connection in IDLE state when reporting connection status.

Previous versions of netstat had undocumented methods for reporting kernel statistics published using the kstat(7D) facility. This functionality has been removed. Use kstat(1M) instead.

SunOS 5.10 Last Revised 14 Jun 2004

Linux Netstat

netstat

netstat [options] [delay]

TCP/IP command. Show network status. Print information on active sockets, routing tables, interfaces, masquerade connections, or multicast memberships. By default, netstat lists open sockets. When a delay is specified, netstat will print new information every delay seconds.

Options

The first five options (-g, -i, -M, -r, and -s) determine what kind of information netstat should display.

-g, --groups

Show multicast group memberships.

-i, --interface[=name]

Show all network interfaces, or just the interface specified by name.

-M, --masquerade

Show masqueraded connections.

-r, --route

Show kernel routing tables.

-s, --statistics

Show statistics for each protocol.

-a, --all

Show all entries.

-A family, --protocol=family

Show connections only for the specified address family. Accepted values are inet, unix, ipx, ax25, netrom, and ddp. Specify multiple families in a comma-separated list.

-c, --continuous

Display information continuously, refreshing once every second.

-C

Print routing information from the route cache.

-e, --extend

Increase level of detail in reports. Use twice for maximum detail.

-F

Print routing information from the forward information database (FIB). This is the default.

-l, --listening

Show only listening sockets.

-n, --numeric

Show network addresses, ports, and users as numbers.

--numeric-hosts

Show host addresses as numbers, but resolve others.

--numeric-ports

Show ports as numbers, but resolve others.

--numeric-users

Show user ID numbers for users, but resolve others.

-N, --symbolic

Where possible, print symbolic host, port, or usernames instead of numerical representations. This is the default behavior.

-o, --timers

Include information on network timers.

-p, --program

Show the process ID and name of the program owning the socket.

-t, --tcp

Limit report to information on TCP sockets.

-u, --udp

Limit report to information on UDP sockets.

-v, --verbose

Verbose mode.

-w, --raw

Limit report to information on raw sockets.

Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Quiz

Q1. Which command (and options) will show the routing table, but will bypass hostname lookup ?

A: netstat –nr

Q2. Which command (and options) will show the state of all sockets ?

A: netstat –a

Last modified: February 28, 2008

netstat -a \| grep EST \| wc -l /* Displays number active established connections to the localhost */	2005-03-22
netstat -a \| more /* Show the state of all the sockets on a machine */	2005-03-22
netstat -i /* Show the state of the interfaces used for TCP/IP traffice */	2005-03-22
netstat -k hme0 /* Undocumented netstat command */	2005-03-22
netstat -np /* Similar to arp -a without name resolution */	2005-03-22
netstat -r /* Show the state of the network routing table for TCP/IP traffic */	2005-03-22
netstat -rn /* Displays routing information but bypasses hostname lookup. */	2005-03-22

Solaris netstat

Old News

Using Netstat For Surveillance And Troubleshooting

What It Means

Continuous Capture, "Borken" DNS, and Interface Checking

Resources

DESCRIPTION

OPTIONS

OPERANDS

DISPLAYS

Active Sockets (First Form)

TCP Sockets

SCTP Sockets

Network Data Structures (Second Through Fifth Forms)

Interface Status (Sixth Form)

Routing Table (Seventh Form)

Multicast Routing Tables (Eighth Form)

DHCP Interface Information (Ninth Form)

FILES

ATTRIBUTES

SEE ALSO

NOTES

Linux Netstat

netstat

Options

Quiz

`TCP Sockets`

`SCTP Sockets`