NETSTAT(1) NETSTAT(1) NAME netstat - show network status SYNOPSIS netstat [ -AanuVW ] [ -L laddr ] [ -F faddr ] [ -P prefixlen ] \ [ -f address_family ] [ system ] [ core ] netstat [ -imnqrstMN ] [ -f address_family ] [ system ] [ core ] netstat [ -n ] [ -I interface ] interval [ system ] [ core ] netstat -C [ -n ] [ interval ] [ system ] netstat [ -p protocol ] [ system ] [ core ] DESCRIPTION The netstat command symbolically displays the contents of various network-related data structures. There are a number of output formats, depending on the options for the information presented. The first form of the command displays a list of active sockets for each protocol. The second form presents the contents of one of the other network data structures according to the option selected. Using the third form, with an interval specified, netstat will continuously display the information regarding packet traffic on the configured network interfaces. The fourth form displays statistics about the named protocol. The options have the following meaning: -A With the default display, show the address of any protocol control blocks associated with sockets; used for debugging. -a With the default display, show the state of all sockets; normally sockets used by server processes are not shown. If -q is used in conjunction with -a, information about pending connections on listening endpoints will be displayed. This includes the number of partially-synchronized connections, the number of fully-synchronized connections, and the maximum number of pending connections specified in the listen(2) call. Note that system provides some scaling on the listen backlog, such that a request for a queue limit of 32 will actually result in 49 connections being allowed prior to new connection requests being ignored. This means that it is possible for the sum of the two queue lengths to be larger than the limit. If -r is used in conjunction with -a, routing table entries which contain link-layer addresses are shown. Normally, these entries are not displayed. -F faddr Only TCP protocol control blocks whose foreign address matches the pattern faddr should be displayed. The format of faddr is [ipaddr][/port] where ipaddr could be an ipv4 address or an ipv6 address. If it is an ipv4 address, then ipaddr is up to four decimal numbers separated by `.' representing the IP address and port is the port number. If less than four numbers are given for the IPv4 address, trailing numbers are assumed to be wildcards. For example 192.26 represents the subnet 192.26.0.0. If ipaddr is an ipv6 address, then -P option should also be used in conjunction with -F option to specify the prefix length. Prefix length is the number of bits upto which address matching will be done. If the -P option is not provided, then the prefix length will be taken to be 128. Host names may be used instead of IP address notation. -L laddr Only TCP protocol control blocks whose local address matches the pattern laddr should be displayed. The format of laddr is the same as that of faddr -P prefixlen This option is for specifying the prefix length, that is the number of bits, for which address matching has to be done. This option should be used only when an ipv6 address is provided with -F or -L options, else it is ignored. -l With the default display, on systems supporting IP security options, show the mandatory and discretionary access control attributes associated with sockets. These consist of a mandatory access control label, printed at the beginning of each line, and a socket uid and acl, printed at the end of each line. (For AF_INET sockets only, a second mandatory access control label, SndLabel, is also shown. SndLabel is a copy of the label in the u_area.) On systems not supporting IP security options, -l is silently ignored. -C Display the contents of several of the other formats in dynamic "full-screen" forms. Many of the values can be displayed as simple totals (r or "reset"), changes during the previous interval (d or "delta"), or changes since a fix moment (z or "zero"). Note that turning interfaces off or on or otherwise reseting them can make it seem that counters are changing wildly, since that often resets the counters to zero. -i Show the state of interfaces which have been auto-configured (interfaces statically configured into a system, but not located at boot time are not shown). When -a is also present, show all addresses (unicast, multicast and link-level) associated with each interface. -iq Show the information for -i with the number of packets currently in the output queue, the queue size, and the number of dropped packets due to a full queue. -I interface Show information only about this interface; used with an interval as described below. -m Show statistics recorded by the memory management routines (the network manages a private pool of memory buffers). -n Show network addresses as numbers (normally netstat interprets addresses and attempts to display them symbolically). This option may be used with any of the display formats. -p protocol Show statistics about protocol, which is either a well-known name for a protocol or an alias for it. Some protocol names and aliases are listed in the file /etc/protocols. A null response typically means that there are no interesting numbers to report. The program will complain if protocol is unknown or if there is no statistics routine for it. (This includes counting packets for the HELO routing protocol as unknown.) Note that if the protocols list is obtained from a NIS server, it is important for the correct operation of netstat that the NIS table contain all protocols that the client supports but which the server may not, for example STP. -s Show per-protocol statistics. -r Show the routing tables. When -a is also present, in addition, show all addresses (unicast, multicast and link-level) "direct" routes associated with each interface. However, when -s is also present, show routing statistics instead. -M Show the kernel multicast routing tables. When -s is also present, show multicast routing statistics instead. -N Show socket addresses of family AF_LINK symbolically or numerically, depending on whether the -n option is used, rather than in the default format of link# where # corresponds to the numerical index into the ifnet array in the kernel. This option is typically only useful when displaying the routing tables using the -r option. -f address_family Limit statistics or address control block reports to those of the specified address family. The following address families are recognized: inet, for AF_INET, and inet6, for AF_INET6, and unix, for AF_UNIX. (ns, for AF_NS is not currently supported.) Note that sockets created with a type of PF_STP are still classified under AF_INET here, since they use AF_INET addressing. -t If used in conjunction with -i, displays the value of the interface watchdog timer. -u A synonym for -f unix. -T When used in conjunction with -V print just the current value used to reset the retransmit timers in a TCP protocol control block. -V Specify very-verbose mode. When used in conjunction with the -a switch, detailed state information is displayed for each TCP protocol control block. It is useful to combine use of this switch with -L and -F to specify particular PCBs. -W Print full IPv6 addresses. The arguments, system and core allow substitutes for the defaults ``/unix'' and ``/dev/kmem''. The default display, for active sockets, shows the local and remote addresses, send and receive queue sizes (in bytes), protocol, and the internal state of the protocol. Address formats are of the form ``host.port'' or ``network.port'' if a socket's address specifies a network but no specific host address. When known the host and network addresses are displayed symbolically according to the data bases /etc/hosts and /etc/networks, respectively. If a symbolic name for an address is unknown, or if the -n option is specified, the address is printed numerically, according to the address family. For more information regarding the Internet ``dot format,'' refer to inet(3N). Unspecified, or ``wildcard'', addresses and ports appear as ``*''. The interface display provides a table of cumulative statistics regarding packets transferred, errors, and collisions. The network addresses of the interface and the maximum transmission unit (``mtu'') are also displayed. The routing table display indicates the available routes and their status. Each route consists of a destination host or network and a gateway to use in forwarding packets. The flags field shows a collection of information about the route stored as binary choices. The individual flags are discussed in more detail in the route(1M) and route(7) manual pages. The mapping between letters and flags is: 1 RTF_PROTO1 Protocol-specific routing flag #1 2 RTF_PROTO2 Protocol-specific routing flag #2 B RTF_BLACKHOLE Just discard pkts (during updates) C RTF_CLONING Generate new routes on use D RTF_DYNAMIC Created dynamically (by redirect) G RTF_GATEWAY Destination requires forwarding by intermediary H RTF_HOST Host entry (net otherwise) L RTF_LLINFO Valid protocol to link address translation. M RTF_MODIFIED Modified dynamically (by redirect) R RTF_REJECT Host or net unreachable S RTF_STATIC Manually added U RTF_UP Route usable W RTF_WASCLONED Route was generated as a result of cloning X RTF_XRESOLVE External daemon translates proto to link address c RTF_CKSUM TCP/UDP checksumming done on this route Direct routes are created for each interface attached to the local host; the gateway field for such entries shows the address of the outgoing interface. The MTU field shows the MTU value set with the route(1M) command for that route. The RTT and RTTvar fields show the estimated round-trip time (RTT) and the variance in RTT for routes with large amounts of TCP traffic. The RTT and RTTvar values are in seconds with a resolution of .125 seconds. The use field provides a count of the number of packets sent using that route. The interface entry indicates the network interface utilized for the route. When netstat is invoked with an interval argument, it displays a running count of statistics related to network interfaces. This display consists of a column for the primary interface (the first interface found during autoconfiguration) and a column summarizing information for all interfaces. The primary interface may be replaced with another interface with the -I option. The first line of each screen of information contains a summary since the system was last rebooted. Subsequent lines of output show values accumulated over the preceding interval. DETERMINING SERVICE USAGE To match a socket to a process, the fuser(1M) command can be used. For example, the command fuser 25/tcp will display information about any processes listening on TCP port 25. Note that fuser requires the numeric value for the port, not the name of the service. The -n option will force netstat to display service information numerically. SEE ALSO fuser(1M), nfsstat(1M), route(1M), smtstat(1), hosts(4), networks(4), protocols(4), services(4), route(7), stp(7) BUGS The notion of errors is ill-defined. Page 5