netstat - show network status
netstat [ -AanuV ] [ -L laddr ] [ -F faddr ] \
[ -f address_family ] [ system ] [ core ]
netstat [ -imnqrstMN ] [ -f address_family ] [ system ] [ core ]
netstat [ -n ] [ -I interface ] interval [ system ] [ core ]
netstat -C [ -n ] [ interval ] [ system ]
netstat [ -p protocol ] [ system ] [ core ]
The netstat command symbolically displays the contents of various
network-related data structures. There are a number of output formats,
depending on the options for the information presented. The first form
of the command displays a list of active sockets for each protocol. The
second form presents the contents of one of the other network data
structures according to the option selected. Using the third form, with
an interval specified, netstat will continuously display the information
regarding packet traffic on the configured network interfaces. The
fourth form displays statistics about the named protocol.
The options have the following meaning:
-A With the default display, show the address of any protocol control
blocks associated with sockets; used for debugging.
-a With the default display, show the state of all sockets; normally
sockets used by server processes are not shown. If -q is used in
conjunction with -a, information about pending connections on
listening endpoints will be displayed. This includes the number of
partially-synchronized connections, the number of fully-synchronized
connections, and the maximum number of pending connections specified
in the listen(2) call. Note that system provides some scaling on
the listen backlog, such that a request for a queue limit of 32 will
actually result in 49 connections being allowed prior to new
connection requests being ignored. This means that it is possible
for the sum of the two queue lengths to be larger than the limit.
Only TCP protocol control blocks whose foreign address matches the
pattern faddr should be displayed. The format of faddr is
[ipaddr][/port] where ipaddr is up to four decimal numbers separated
by `.' representing the IP address and port is the port number. If
less than four numbers are given for the IP address, trailing
numbers are assumed to be wildcards. For example 192.26 represents
the subnet 22.214.171.124. Host names may be used instead of dotted IP
Only TCP protocol control blocks whose local address matches the
pattern laddr should be displayed. The format of laddr is the same
as that of faddr
-l With the default display, on systems supporting IP security options,
show the mandatory and discretionary access control attributes
associated with sockets. These consist of a mandatory access
control label, printed at the beginning of each line, and a socket
uid and acl, printed at the end of each line. (For AF_INET sockets
only, a second mandatory access control label, SndLabel, is also
shown. SndLabel is a copy of the label in the u_area.) On systems
not supporting IP security options, -l is silently ignored.
-C Display the contents of several of the other formats in dynamic
"full-screen" forms. Many of the values can be displayed as simple
totals (r or "reset"), changes during the previous interval (d or
"delta"), or changes since a fix moment (z or "zero"). Note that
turning interfaces off or on or otherwise reseting them can make it
seem that counters are changing wildly, since that often resets the
counters to zero.
-i Show the state of interfaces which have been auto-configured
(interfaces statically configured into a system, but not located at
boot time are not shown). When -a is also present, show all
addresses (unicast, multicast and link-level) associated with each
-iq Show the information for -i with the number of packets currently in
the output queue, the queue size, and the number of dropped packets
due to a full queue.
Show information only about this interface; used with an interval as
-m Show statistics recorded by the memory management routines (the
network manages a private pool of memory buffers).
-n Show network addresses as numbers (normally netstat interprets
addresses and attempts to display them symbolically). This option
may be used with any of the display formats.
Show statistics about protocol, which is either a well-known name
for a protocol or an alias for it. Some protocol names and aliases
are listed in the file /etc/protocols. A null response typically
means that there are no interesting numbers to report. The program
will complain if protocol is unknown or if there is no statistics
routine for it. (This includes counting packets for the HELO
routing protocol as unknown.) Note that if the protocols list is
obtained from a NIS server, it is important for the correct
operation of netstat that the NIS table contain all protocols that
the client supports but which the server may not, for example STP.
-s Show per-protocol statistics.
-r Show the routing tables. When -s is also present, show routing
-M Show the kernel multicast routing tables. When -s is also present,
show multicast routing statistics instead.
-N Show socket addresses of family AF_LINK symbolically or numerically,
depending on whether the -n option is used, rather than in the
default format of link# where # corresponds to the numerical index
into the ifnet array in the kernel. This option is typically only
useful when displaying the routing tables using the -r option.
Limit statistics or address control block reports to those of the
specified address family. The following address families are
recognized: inet, for AF_INET, and unix, for AF_UNIX. (ns, for
AF_NS is not currently supported.) Note that sockets created with a
type of PF_STP are still classified under AF_INET here, since they
use AF_INET addressing.
-t If used in conjunction with -i, displays the value of the interface
-u A synonym for -f unix.
-T When used in conjunction with -V print just the current value used
to reset the retransmit timers in a TCP protocol control block.
-V Specify very-verbose mode. When used in conjunction with the -a
switch, detailed state information is displayed for each TCP
protocol control block. It is useful to combine use of this switch
with -L and -F to specify particular PCBs.
The arguments, system and core allow substitutes for the defaults
``/unix'' and ``/dev/kmem''.
The default display, for active sockets, shows the local and remote
addresses, send and receive queue sizes (in bytes), protocol, and the
internal state of the protocol. Address formats are of the form
``host.port'' or ``network.port'' if a socket's address specifies a
network but no specific host address. When known the host and network
addresses are displayed symbolically according to the data bases
/etc/hosts and /etc/networks, respectively. If a symbolic name for an
address is unknown, or if the -n option is specified, the address is
printed numerically, according to the address family. For more
information regarding the Internet ``dot format,'' refer to inet(3N).
Unspecified, or ``wildcard'', addresses and ports appear as ``*''.
The interface display provides a table of cumulative statistics regarding
packets transferred, errors, and collisions. The network addresses of
the interface and the maximum transmission unit (``mtu'') are also
The routing table display indicates the available routes and their
status. Each route consists of a destination host or network and a
gateway to use in forwarding packets. The flags field shows a collection
of information about the route stored as binary choices. The individual
flags are discussed in more detail in the route(1M) and route(7) manual
pages. The mapping between letters and flags is:
1 RTF_PROTO1 Protocol-specific routing flag #1
2 RTF_PROTO2 Protocol-specific routing flag #2
B RTF_BLACKHOLE Just discard pkts (during updates)
C RTF_CLONING Generate new routes on use
D RTF_DYNAMIC Created dynamically (by redirect)
G RTF_GATEWAY Destination requires forwarding by intermediary
H RTF_HOST Host entry (net otherwise)
L RTF_LLINFO Valid protocol to link address translation.
M RTF_MODIFIED Modified dynamically (by redirect)
R RTF_REJECT Host or net unreachable
S RTF_STATIC Manually added
U RTF_UP Route usable
X RTF_XRESOLVE External daemon translates proto to link address
c RTF_CKSUM TCP/UDP checksumming done on this route
Direct routes are created for each interface attached to the local host;
the gateway field for such entries shows the address of the outgoing
interface. The MTU field shows the MTU value set with the route(1M)
command for that route. The RTT and RTTvar fields show the estimated
round-trip time (RTT) and the variance in RTT for routes with large
amounts of TCP traffic. The RTT and RTTvar values are in seconds with a
resolution of .125 seconds. The use field provides a count of the number
of packets sent using that route. The interface entry indicates the
network interface utilized for the route.
When netstat is invoked with an interval argument, it displays a running
count of statistics related to network interfaces. This display consists
of a column for the primary interface (the first interface found during
autoconfiguration) and a column summarizing information for all
interfaces. The primary interface may be replaced with another interface
with the -I option. The first line of each screen of information
contains a summary since the system was last rebooted. Subsequent lines
of output show values accumulated over the preceding interval.
DETERMINING SERVICE USAGE [Toc] [Back]
To match a socket to a process, the fuser(1M) command can be used. For
example, the command
will display information about any processes listening on TCP port 25.
Note that fuser requires the numeric value for the port, not the name of
the service. The -n option will force netstat to display service
fuser(1M), nfsstat(1M), route(1M), smtstat(1), hosts(4), networks(4),
protocols(4), services(4), route(7), stp(7)
The notion of errors is ill-defined.
PPPPaaaaggggeeee 5555 [ Back ]