System Administration Commands netstat(1M)
NAME
netstat - show network status
SYNOPSIS
netstat [-anvR] [-f addressfamily] [-P protocol]
netstat -g [-nv] [-f addressfamily]
netstat -p [-n] [-f addressfamily]
netstat -s [-f addressfamily] [-P protocol]
[interval [count]
netstat -m [-v] [interval [count]
netstat -i [-I interface] [-an] [-f addressfamily]
[interval [count]
netstat -r [-anvR] [-f addressfamily filter]
netstat -M [-ns] [-f addressfamily]
netstat -D [-I interface] [-f addressfamily]
DESCRIPTION
The netstat command displays the contents of certain
network-related data structures in various formats, depend-
ing on the options you select.
The netstat command has the several forms shown in the
SYNOPSIS section, above, listed as follows:
o The first form of the command (with no required
arguments) displays a list of active sockets for
each protocol.
o The second, third, and fourth forms (-g, -p, and -s
options) display information from various network
data structures.
o The fifth form (-m option) displays STREAMS memory
statistics.
SunOS 5.11 Last change: 10 Aug 2007 1
System Administration Commands netstat(1M)
o The sixth form (-i option) shows the state of the
interfaces.
o The seventh form (-r option) displays the routing
table.
o The eighth form (-M option) displays the multicast
routing table.
o The ninth form (-D option) displays the state of
DHCP on one or all interfaces.
These forms are described in greater detail below.
With no arguments (the first form), netstat displays con-
nected sockets for PFINET, PFINET6, and PFUNIX, unless
modified otherwise by the -f option.
OPTIONS
-a
Show the state of all sockets, all routing table
entries, or all interfaces, both physical and logical.
Normally, listener sockets used by server processes are
not shown. Under most conditions, only interface, host,
network, and default routes are shown and only the
status of physical interfaces is shown.
-f addressfamily
Limit all displays to those of the specified
addressfamily. The value of addressfamily can be one
of the following:
inet For the AFINET address family showing IPv4
information.
inet6 For the AFINET6 address family showing IPv6
information.
unix For the AFUNIX address family.
-f filter
With -r only, limit the display of routes to those
SunOS 5.11 Last change: 10 Aug 2007 2
System Administration Commands netstat(1M)
matching the specified filter. A filter rule consists of
a keyword:value pair. The known keywords and the value
syntax are:
af:{inetinet6unixnumber}
Selects an address family. This is identical to -f
addressfamily and both syntaxes are supported.
outif:{nameifIndexanynone}
Selects an output interface. You can specify the
interface by name (such as hme0) or by ifIndex
number (for example, 2). If any is used, the filter
matches all routes having a specified interface
(anything other than null). If none is used, the
filter matches all routes having a null interface.
Note that you can view the index number (ifIndex)
for an interface with the -a option of ifconfig(1M).
dst:{ip-address[/mask]anynone}
Selects a destination IP address. If specified with
a mask length, then any routes with matching or
longer (more specific) masks are selected. If any is
used, then all but addresses but 0 are selected. If
none is used, then address 0 is selected.
flags:[] -]?[ABDGHLMSU]
Selects routes tagged with the specified flags. By
default, the flags as specified must be set in order
to match. With a leading ], the flags specified must
be set but others are ignored. With a leading -, the
flags specified must not be set and others are per-
mitted.
You can specify multiple instances of -f to specify mul-
tiple filters. For example:
% netstat -nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8
The preceding command displays routes within network
10.0.0.0/8, with mask length 8 or greater, and an output
interface of either hme0 or hme1, and excludes all other
routes.
SunOS 5.11 Last change: 10 Aug 2007 3
System Administration Commands netstat(1M)
-g
Show the multicast group memberships for all interfaces.
If the -v option is included, source-specific membership
information is also displayed. See DISPLAYS, below.
-i
Show the state of the interfaces that are used for IP
traffic. Normally this shows statistics for the physical
interfaces. When combined with the -a option, this will
also report information for the logical interfaces. See
ifconfig(1M).
-m
Show the STREAMS memory statistics.
-n
Show network addresses as numbers. netstat normally
displays addresses as symbols. This option may be used
with any of the display formats.
-p
Show the net to media tables. See DISPLAYS, below.
-r
Show the routing tables. Normally, only interface, host,
network, and default routes are shown, but when this
option is combined with the -a option, all routes will
be displayed, including cache. If you have not set up a
multicast route, -ra might not show any multicast rout-
ing entries, although the kernel will derive such an
entry if needed.
-s
Show per-protocol statistics. When used with the -M
option, show multicast routing statistics instead. When
used with the -a option, per-interface statistics will
be displayed, when available, in addition to statistics
global to the system. See DISPLAYS, below.
SunOS 5.11 Last change: 10 Aug 2007 4
System Administration Commands netstat(1M)
-v
Verbose. Show additional information for the sockets,
STREAMS memory statistics, routing table, and multicast
group memberships.
-I interface
Show the state of a particular interface. interface can
be any valid interface such as hme0 or eri0. Normally,
the status and statistics for physical interfaces are
displayed. When this option is combined with the -a
option, information for the logical interfaces is also
reported.
-M
Show the multicast routing tables. When used with the -s
option, show multicast routing statistics instead.
-P protocol
Limit display of statistics or state of all sockets to
those applicable to protocol. The protocol can be one of
ip, ipv6, icmp, icmpv6, icmp, icmpv6, igmp, udp, tcp,
rawip. rawip can also be specified as raw. The command
accepts protocol options only as all lowercase.
-D
Show the status of DHCP configured interfaces.
-R
This modifier displays extended security attributes for
sockets and routing table entries. The -R modifier is
available only if the system is configured with the
Solaris Trusted Extensions feature.
With -r only, this option displays the routing entries'
gateway security attributes. See route(1M) for more
information on security attributes.
When displaying socket information using the first form
of the commmand, this option displays additional infor-
mation for Multi-Level Port(MLP) sockets. This includes:
SunOS 5.11 Last change: 10 Aug 2007 5
System Administration Commands netstat(1M)
o The label for the peer if the socket is con-
nected.
o The following flags can be appended to the
socket's "State" output:
P The socket is a MLP on zone-private IP
addresses.
S The socket is a MLP on IP addresses shared
between zones.
OPERANDS
interval Display statistics accumulated since last
display every interval seconds, repeating for-
ever, unless count is specified. When invoked
with interval, the first row of netstat output
shows statistics accumulated since last reboot.
The following options support interval: -i, -m,
-s and -Ms. Some values are configuration param-
eters and are just redisplayed at each interval.
count Display interface statistics the number of times
specified by count, at the interval specified by
interval.
DISPLAYS
Active Sockets (First Form)
The display for each active socket shows the local and
remote address, the send and receive queue sizes (in bytes),
the send and receive windows (in bytes), and the internal
state of the protocol.
The symbolic format normally used to display socket
addresses is either:
hostname.port
when the name of the host is specified, or
SunOS 5.11 Last change: 10 Aug 2007 6
System Administration Commands netstat(1M)
network.port
if a socket address specifies a network but no specific
host.
The numeric host address or network number associated with
the socket is used to look up the corresponding symbolic
hostname or network name in the hosts or networks database.
If the network or hostname for an address is not known, or
if the -n option is specified, the numerical network address
is shown. Unspecified, or "wildcard", addresses and ports
appear as an asterisk (*). For more information regarding
the Internet naming conventions, refer to inet(7P) and
inet6(7P).
For SCTP sockets, because an endpoint can be represented by
multiple addresses, the verbose option (-v) displays the
list of all the local and remote addresses.
TCP Sockets
The possible state values for TCP sockets are as follows:
BOUND Bound, ready to connect or listen.
CLOSED Closed. The socket is not being used.
CLOSING Closed, then remote shutdown; awaiting ack-
nowledgment.
CLOSEWAIT Remote shutdown; waiting for the socket to
close.
ESTABLISHED Connection has been established.
FINWAIT1 Socket closed; shutting down connection.
FINWAIT2 Socket closed; waiting for shutdown from
remote.
SunOS 5.11 Last change: 10 Aug 2007 7
System Administration Commands netstat(1M)
IDLE Idle, opened but not bound.
LASTACK Remote shutdown, then closed; awaiting ack-
nowledgment.
LISTEN Listening for incoming connections.
SYNRECEIVED Initial synchronization of the connection
under way.
SYNSENT Actively trying to establish connection.
TIMEWAIT Wait after close for remote shutdown
retransmission.
SCTP Sockets
The possible state values for SCTP sockets are as follows:
CLOSED Closed. The socket is not being used.
LISTEN Listening for incoming associations.
ESTABLISHED Association has been established.
COKIEWAIT INIT has been sent to the peer, await-
ing acknowledgment.
COKIECHOED State cookie from the INIT-ACK has been
sent to the peer, awaiting acknowledge-
ment.
SHUTDOWNPENDING SHUTDOWN has been received from the
upper layer, awaiting acknowledgement
of all outstanding DATA from the peer.
SHUTDOWNSENT All outstanding data has been ack-
nowledged in the SHUTDOWNSENT state.
SHUTDOWN has been sent to the peer,
awaiting acknowledgement.
SunOS 5.11 Last change: 10 Aug 2007 8
System Administration Commands netstat(1M)
SHUTDOWNRECEIVED SHUTDOWN has been received from the
peer, awaiting acknowledgement of all
outstanding DATA.
SHUTDOWNACKSENT All outstanding data has been ack-
nowledged in the SHUTDOWNRECEIVED
state. SHUTDOWNACK has been sent to
the peer.
Network Data Structures (Second Through Fifth Forms)
The form of the display depends upon which of the -g, -m,
-p, or -s options you select.
-g Displays the list of multicast group membership.
-m Displays the memory usage, for example, STREAMS mblks.
-p Displays the net to media mapping table. For IPv4, the
address resolution table is displayed. See arp(1M).
For IPv6, the neighbor cache is displayed.
-s Displays the statistics for the various protocol
layers.
The statistics use the MIB specified variables. The defined
values for ipForwarding are:
forwarding(1) Acting as a gateway.
not-forwarding(2) Not acting as a gateway.
The IPv6 and ICMPv6 protocol layers maintain per-interface
statistics. If the -a option is specified with the -s
option, then the per-interface statistics as well as the
total sums are displayed. Otherwise, just the sum of the
statistics are shown.
For the second, third, and fourth forms of the command, you
must specify at least -g, -p, or -s. You can specify any
combination of these options. You can also specify -m (the
fifth form) with any set of the -g, -p, and -s options. If
SunOS 5.11 Last change: 10 Aug 2007 9
System Administration Commands netstat(1M)
you specify more than one of these options, netstat displays
the information for each one of them.
Interface Status (Sixth Form)
The interface status display lists information for all
current interfaces, one interface per line. If an interface
is specified using the -I option, it displays information
for only the specified interface.
The list consists of the interface name, mtu (maximum
transmission unit, or maximum packet size)(see
ifconfig(1M)), the network to which the interface is
attached, addresses for each interface, and counter associ-
ated with the interface. The counters show the number of
input packets, input errors, output packets, output errors,
and collisions, respectively. For Point-to-Point interfaces,
the Net/Dest field is the name or address on the other side
of the link.
If the -a option is specified with either the -i option or
the -I option, then the output includes names of the physi-
cal interface(s), counts for input packets and output pack-
ets for each logical interface, plus additional information.
If the -n option is specified, the list displays the IP
address instead of the interface name.
If an optional interval is specified, the output will be
continually displayed in interval seconds until interrupted
by the user or until count is reached. See OPERANDS.
The physical interface is specified using the -I option.
When used with the interval operand, output for the -I
option has the following format:
input eri0 output input (Total) output
packets errs packets errs colls packets errs packets errs colls
227681 0 659471 1 502 261331 0 99597 1 502
10 0 0 0 0 10 0 0 0 0
8 0 0 0 0 8 0 0 0 0
10 0 2 0 0 10 0 2 0 0
If the input interface is not specified, the first interface
of address family inet or inet6 will be displayed.
SunOS 5.11 Last change: 10 Aug 2007 10
System Administration Commands netstat(1M)
Routing Table (Seventh Form)
The routing table display lists the available routes and the
status of each. Each route consists of a destination host or
network, and a gateway to use in forwarding packets. The
flags column shows the status of the route. These flags are
as follows:
U Indicates route is up.
G Route is to a gateway.
H Route is to a host and not a network.
M Redundant route established with the -multirt option.
S Route was established using the -setsrc option.
D Route was created dynamically by a redirect.
If the -a option is specified, there will be routing entries
with the following flags:
A Combined routing and address resolution entries.
B Broadcast addresses.
L Local addresses for the host.
Interface routes are created for each interface attached to
the local host; the gateway field for such entries shows the
address of the outgoing interface.
The use column displays the number of packets sent using a
combined routing and address resolution (A) or a broadcast
(B) route. For a local (L) route, this count is the number
of packets received, and for all other routes it is the
number of times the routing entry has been used to create a
new combined route and address resolution entry.
SunOS 5.11 Last change: 10 Aug 2007 11
System Administration Commands netstat(1M)
The interface entry indicates the network interface utilized
for the route.
Multicast Routing Tables (Eighth Form)
The multicast routing table consists of the virtual inter-
face table and the actual routing table.
DHCP Interface Information (Ninth Form)
The DHCP interface information consists of the interface
name, its current state, lease information, packet counts,
and a list of flags.
The states correlate with the specifications set forth in
RFC 2131.
Lease information includes:
o when the lease began;
o when lease renewal will begin; and
o when the lease will expire.
The flags currently defined include:
BOTP The interface has a lease obtained through BOTP
(IPv4 only).
BUSY The interface is busy with a DHCP transaction.
PRIMARY The interface is the primary interface. See
dhcpinfo(1) and ifconfig(1M).
FAILED The interface is in failure state and must be
manually restarted.
Packet counts are maintained for the number of packets sent,
the number of packets received, and the number of lease
offers declined by the DHCP client. All three counters are
initialized to zero and then incremented while obtaining a
lease. The counters are reset when the period of lease
renewal begins for the interface. Thus, the counters
represent either the number of packets sent, received, and
declined while obtaining the current lease, or the number of
SunOS 5.11 Last change: 10 Aug 2007 12
System Administration Commands netstat(1M)
packets sent, received, and declined while attempting to
obtain a future lease.
FILES
/etc/default/inettype DEFAULTIP setting
ATRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
ATRIBUTE TYPE ATRIBUTE VALUE
Availability SUNWcsu
SEE ALSO
arp(1M), dhcpinfo(1), dhcpagent(1M), ifconfig(1M),
iostat(1M), kstat(1M), mibiisa(1M), savecore(1M),
vmstat(1M), hosts(4), inettype(4), networks(4), proto-
cols(4), services(4), attributes(5), dhcp(5), kstat(7D),
inet(7P), inet6(7P)
Droms, R., RFC 2131, Dynamic Host Configuration Protocol,
Network Working Group, March 1997.
Droms, R. RFC 3315, Dynamic Host Configuration Protocol for
IPv6 (DHCPv6). Cisco Systems. July 2003.
NOTES
When displaying interface information, netstat honors the
DEFAULTIP setting in /etc/default/inettype. If it is set
to IPVERSION4, then netstat will omit information relating
to IPv6 interfaces, statistics, connections, routes and the
like.
However, you can override the DEFAULTIP setting in
/etc/default/inettype on the command-line. For example, if
you have used the command-line to explicitly request IPv6
information by using the inet6 address family or one of the
IPv6 protocols, it will override the DEFAULTIP setting.
If you need to examine network status information following
a kernel crash, use the mdb(1) utility on the savecore(1M)
SunOS 5.11 Last change: 10 Aug 2007 13
System Administration Commands netstat(1M)
output.
The netstat utility obtains TCP statistics from the system
by opening /dev/tcp and issuing queries. Because of this,
netstat might display an extra, unused connection in IDLE
state when reporting connection status.
Previous versions of netstat had undocumented methods for
reporting kernel statistics published using the kstat(7D)
facility. This functionality has been removed. Use kstat(1M)
instead.
netstat restricts its output to information that is relevant
to the zone in which netstat runs. (This is true for both
shared-IP and exclusive-IP zones.)
SunOS 5.11 Last change: 10 Aug 2007 14
|
