netstat(1M) — ADMINISTRATOR COMMANDS
NAME
netstat − show network status
SYNOPSIS
netstat [ −aAn ] [ −f addr_family ] [ system ] [ core ]
netstat [ −n ] [ −s ] [ −h | −i | −m | −r ] [ −f addr_family ] [ system ] [ core ]
netstat [ −n ] [ −I interface ] interval [ system ] [ core ]
DESCRIPTION
netstat displays the contents of various network-related data structures in various formats, depending on the options you select.
The first form of the command displays a list of active sockets for each protocol. The second form selects one from among various other network data structures. The third form displays running statistics of packet traffic on configured network interfaces; the interval argument indicates the number of seconds in which to gather statistics between displays.
The default value for the system argument is /stand/unix; for core, the default is /dev/kmem.
The following options are available:
−a Show the state of all sockets; normally sockets used by server processes are not shown.
−A Show the address of any protocol control blocks associated with sockets; used for debugging.
−h Show the state of the IMP host table. This does not work in an environment where the IMP host tables do not exist.
−i Show the state of interfaces that have been auto-configured. Interfaces that are statically configured into a system, but not located at boot time, are not shown.
−m Show the statistics recorded by management routines for the network’s private buffer pool. Printing of this information is currently not supported. Similar information can be found with the strstat command in crash(1M).
−n Show network addresses as numbers. netstat normally displays addresses as symbols. This option may be used with any of the display formats.
−r Show the routing tables. When used with the −s option, show routing statistics instead.
−s Show per-protocol statistics. When used with the −r option, show routing statistics.
−f addr_family
Limit statistics or address control block reports to those of the specified addr_family, which can be one of:
inet For the AF_INET address family, or
unix For the AF_UNIX family.
−I interface
Highlight information about the indicated interface in a separate column; the default (for the third form of the command) is the interface with the most traffic since the system was last rebooted. interface can be any valid interface listed in the system configuration file, such as emd1 or lo0.
DISPLAYS
Active Sockets (First Form)
The display for each active socket shows the local and remote address, the send and receive queue sizes (in bytes), the protocol, and the internal state of the protocol.
The symbolic format normally used to display socket addresses is either:
hostname.port
when the name of the host is specified, or:
network.port
if a socket address specifies a network but no specific host. Each hostname and network is shown according to its entry in the /etc/hosts or the /etc/networks file, as appropriate.
If the network or hostname for an address is not known (or if the −n option is specified), the numerical network address is shown. Unspecified, or “wildcard”, addresses and ports appear as “∗”. For more information regarding the Internet naming conventions, refer to inet(7).
TCP Sockets
The possible state values for TCP sockets are as follows:
CLOSED Closed. The socket is not being used.
LISTEN Listening for incoming connections.
SYN_SENT Actively trying to establish connection.
SYN_RECEIVED Initial synchronization of the connection under way.
ESTABLISHED Connection has been established.
CLOSE_WAIT Remote shut down; waiting for the socket to close.
FIN_WAIT_1 Socket closed; shutting down connection.
CLOSING Closed, then remote shutdown; awaiting acknowledgement.
LAST_ACK Remote shut down, then closed; awaiting acknowledgement.
FIN_WAIT_2 Socket closed; waiting for shutdown from remote.
TIME_WAIT Wait after close for remote shutdown retransmission.
Network Data Structures (Second Form)
The form of the display depends upon which of the −m, −i, −h or −r, options you select. If you specify more than one of these options, netstat selects one in the order listed here.
Routing Table Display
The routing table display lists the available routes and the status of each. Each route consists of a destination host or network, and a gateway to use in forwarding packets. The flags column shows the status of the route as follows:
D - Route created dynamically by a redirect
G - Destination is a gateway
H - Destination is a host
S - Route must be switched
T - A gateway switched the route
U - Route is useable
V - A slave switched the route
Direct routes are created for each interface attached to the local host; the gateway field for such entries shows the address of the outgoing interface.
The refcnt column gives the current number of active uses per route. Connection-oriented protocols normally hold on to a single route for the duration of a connection, whereas connectionless protocols obtain a route while sending to the same destination.
The use column displays the number of packets sent per route.
The interface entry indicates the network interface utilized for the route.
Cumulative Traffic Statistics (Third Form)
When the interval argument is given, netstat displays a table of cumulative statistics regarding packets transferred, errors and collisions, the network addresses for the interface, and the maximum transmission unit (“mtu”). The first line of data displayed, and every 24th line thereafter, contains cumulative statistics from the time the system was last rebooted. Each subsequent line shows incremental statistics for the interval (specified on the command line) since the previous display.
SEE ALSO
trpt(1M), crash(1M), hosts(4), networks(4), protocols(4), services(4).
NOTES
The notion of errors is ill-defined.
The kernel’s tables can change while netstat is examining them, creating incorrect or partial displays.
— TCP/IP