Tuesday, June 2, 2009

Netstat Explained

netstat (network statistics) is a command-line tool that displays network connections (incoming and outgoing), routing tables, and a number of network interface statistics. It is available on Unix, Linux, and Windows NT-based operating systems.

It is used to find problems in the network and to determine the amount of traffic on the network as a performance measurement.

Traditionally, it is used more for problem determination than for performance measurement. However, the netstat command can be used to determine the amount of traffic on the network to ascertain whether performance problems are due to network congestion.

The netstat command displays information regarding traffic on the configured network interfaces, such as the following:

* The address of any protocol control blocks associated with the sockets and the state of all sockets
* The number of packets received, transmitted, and dropped in the communications subsystem
* Cumulative statistics per interface
* Routes and their status



Parameters

Parameters used with this command must be prefixed with a hyphen (-). The example output shown here was taken from the Linux distribution Matriux. The options available in netstat are listed below.

matriux ~ # netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 17224
/tmp/ksocket-root/klaunchericERRb.slave-socket
unix 3 [ ] STREAM CONNECTED 17223
unix 2 [ ] STREAM CONNECTED 14169
/tmp/ksocket-root/konquerorMlNAjb.slave-socket
unix 2 [ ] STREAM CONNECTED 14165
/tmp/ksocket-root/konquerorpG8Q6b.slave-socket
unix 2 [ ] STREAM CONNECTED 14167
/tmp/ksocket-root/konqueror44sYWb.slave-socket
unix 3 [ ] STREAM CONNECTED 13781
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 13780
unix 3 [ ] STREAM CONNECTED 13776 /tmp/.ICE-unix/5389
unix 3 [ ] STREAM CONNECTED 13775
unix 3 [ ] STREAM CONNECTED 13774 /tmp/.X11-unix/X0
unix 5 [ ] STREAM CONNECTED 13773
unix 2 [ ] STREAM CONNECTED 13600
/tmp/ksocket-root/konquerorqQigbc.slave-socket
unix 2 [ ] STREAM CONNECTED 13086
/tmp/ksocket-root/konquerorgpcBCb.slave-socket
unix 3 [ ] STREAM CONNECTED 12264
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 12263


-a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

matriux ~ # netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:7741 *:* LISTEN
tcp 0 0 192.168.100.183:42963 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42957 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42967 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42965 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42968 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42966 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42962 im-in-f83.google.c:http ESTABLISHED
udp 0 0 *:7741 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:ipp *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 10935 @/tmp/fam-root-
unix 2 [ ACC ] STREAM LISTENING 10667 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 10095
/var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 10845
/tmp/ksocket-root/kdeinit__0
unix 2 [ ACC ] STREAM LISTENING 10847
/tmp/ksocket-root/kdeinit-:0
unix 2 [ ACC ] STREAM LISTENING 10854
/tmp/.ICE-unix/dcop5370-1243447644
unix 2 [ ACC ] STREAM LISTENING 10885
/tmp/ksocket-root/klaunchericERRb.slave-socket
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 2 [ ACC ] STREAM LISTENING 10366 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 11313
/tmp/ksocket-root/matriux-1519-4a1d8160
unix 2 [ ACC ] STREAM LISTENING 11111 /tmp/.ICE-unix/5389

-b : Displays the name of the binary (executable) program involved in creating each connection or listening port. (Windows XP and 2003 Server only; not Microsoft Windows 2000 or non-Windows operating systems.)

This option is available only on Windows.

-C : Displays the routing cache instead of the Forwarding Information Base (FIB). The FIB is the default.

matriux ~ # netstat -C
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.100.183:58611 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:58609 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42967 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:58612 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42962 im-in-f83.google.c:http TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44852
unix 3 [ ] STREAM CONNECTED 44851
/tmp/ksocket-root/konquerorm4BxBa.slave-socket
unix 3 [ ] STREAM CONNECTED 44847
unix 3 [ ] STREAM CONNECTED 44850
/tmp/ksocket-root/konquerorlmR3Hb.slave-socket

-c: Displays the information continuously

matriux ~ # netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.100.183:42963 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42957 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42964 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42959 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42962 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42960 im-in-f83.google.c:http TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44852
unix 3 [ ] STREAM CONNECTED 44851
/tmp/ksocket-root/konquerorm4BxBa.slave-socket
unix 3 [ ] STREAM CONNECTED 44847
unix 3 [ ] STREAM CONNECTED 44850
/tmp/ksocket-root/konquerorlmR3Hb.slave-socket
unix 3 [ ] STREAM CONNECTED 44834
unix 3 [ ] STREAM CONNECTED 44422 /tmp/.ICE-unix/5389
unix 3 [ ] STREAM CONNECTED 44421
unix 3 [ ] STREAM CONNECTED 44420 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 44417
unix 3 [ ] STREAM CONNECTED 44414
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44413

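-e : Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s. On Linux, the help output further down lists -e (--extend) as "display other/more information"; in the example below it adds the User and Inode columns.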

matriux ~ # netstat -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode
tcp 0 0 192.168.100.183:42954 im-in-f83.google.c:http ESTABLISHED root 59102
tcp 0 0 192.168.100.183:57095 im-in-f83.google.c:http ESTABLISHED root 58936
tcp 0 0 192.168.100.183:42955 im-in-f83.google.c:http TIME_WAIT root 0
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED root 59241
tcp 0 0 192.168.100.183:57093 im-in-f83.google.c:http TIME_WAIT root 0
tcp 0 0 192.168.100.183:57094 im-in-f83.google.c:http ESTABLISHED root 58912
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644

-F : Displays the Forwarding Information Base (FIB). This is the default; the option is not available under Windows.

matriux ~ # netstat -F
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.100.183:58609 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42967 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:58607 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:58610 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:42962 im-in-f83.google.c:http ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44852
unix 3 [ ] STREAM CONNECTED 44851
/tmp/ksocket-root/konquerorm4BxBa.slave-socket
unix 3 [ ] STREAM CONNECTED 44847
unix 3 [ ] STREAM CONNECTED 44850
/tmp/ksocket-root/konquerorlmR3Hb.slave-socket
unix 3 [ ] STREAM CONNECTED 44834
unix 3 [ ] STREAM CONNECTED 44422 /tmp/.ICE-unix/5389



-g: Display multicast group memberships

matriux ~ # netstat -g
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 ALL-SYSTEMS.MCAST.NET
eth1 1 ALL-SYSTEMS.MCAST.NET

-h : Displays Help for netstat

matriux ~ # netstat -h
usage: netstat [-veenNcCF] [<Af>] -r netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -i | [-cnNe] -M | -s }

-r, --route display routing table
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections

-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing

-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB

<Socket>={-t|--tcp} {-u|--udp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)

-i : Displays network interfaces and their statistics (not available under Windows)

matriux ~ # netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
eth1 1500 0 5026 0 0 0 1989 0 0 0 BMNRU
lo 16436 0 0 0 0 0 0 0 0 0 LRU

-l : Display the results of listening server sockets

matriux ~ # netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:7741 *:* LISTEN
udp 0 0 *:7741 *:*
udp 0 0 *:bootpc *:*
udp 0 0 *:ipp *:*
raw 0 0 *:icmp *:* 7
Active UNIX domain sockets (only servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 10935 @/tmp/fam-root-
unix 2 [ ACC ] STREAM LISTENING 10667 /tmp/.X11-unix/X0
unix 2 [ ACC ] STREAM LISTENING 10095
/var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 10845
/tmp/ksocket-root/kdeinit__0
unix 2 [ ACC ] STREAM LISTENING 10847
/tmp/ksocket-root/kdeinit-:0
unix 2 [ ACC ] STREAM LISTENING 10854
/tmp/.ICE-unix/dcop5370-1243447644
unix 2 [ ACC ] STREAM LISTENING 10885
/tmp/ksocket-root/klaunchericERRb.slave-socket
unix 2 [ ACC ] STREAM LISTENING 10366 /dev/gpmctl
unix 2 [ ACC ] STREAM LISTENING 11313
/tmp/ksocket-root/matriux-1519-4a1d8160
unix 2 [ ACC ] STREAM LISTENING 11111 /tmp/.ICE-unix/5389
unix 2 [ ACC ] STREAM LISTENING 10063 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 10270
/var/run/cups/cups.sock

-n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

matriux ~ # netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.100.183:57087 209.85.153.83:80 ESTABLISHED
tcp 0 0 192.168.100.183:57085 209.85.153.83:80 TIME_WAIT
tcp 0 0 192.168.100.183:57090 209.85.153.83:80 ESTABLISHED
tcp 0 0 192.168.100.183:57089 209.85.153.83:80 ESTABLISHED
tcp 0 0 192.168.100.183:57081 209.85.153.83:80 TIME_WAIT
tcp 0 0 192.168.100.183:57082 209.85.153.83:80 TIME_WAIT
tcp 0 0 192.168.100.183:57086 209.85.153.83:80 ESTABLISHED
tcp 0 0 192.168.100.183:57080 209.85.153.83:80 TIME_WAIT
tcp 0 0 192.168.100.183:57088 209.85.153.83:80 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644



-N : Resolves hardware names symbolically.

matriux ~ # netstat -N
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.100.183:57090 209.85.153.83:http TIME_WAIT
tcp 0 0 192.168.100.183:57089 209.85.153.83:http TIME_WAIT
tcp 0 0 192.168.100.183:57086 209.85.153.83:http TIME_WAIT
tcp 0 0 192.168.100.183:57092 209.85.153.83:http TIME_WAIT
tcp 0 0 192.168.100.183:57088 209.85.153.83:http TIME_WAIT
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44852
unix 3 [ ] STREAM CONNECTED 44851
/tmp/ksocket-root/konquerorm4BxBa.slave-socket

-o : On Windows, displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. It is available on Microsoft Windows XP and 2003 Server (and on Windows 2000 if a hotfix is applied). On Linux, the help output above lists -o (--timers) as "display timers"; the example below shows the resulting Timer column.

matriux ~ # netstat -o
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 192.168.100.183:42963 im-in-f83.google.c:http TIME_WAIT timewait (48.46/0/0)
tcp 0 0 192.168.100.183:42967 im-in-f83.google.c:http ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.100.183:42965 im-in-f83.google.c:http TIME_WAIT timewait (10.56/0/0)
tcp 0 0 192.168.100.183:58607 im-in-f83.google.c:http ESTABLISHED off (0.00/0/0)
tcp 0 0 192.168.100.183:42968 im-in-f83.google.c:http TIME_WAIT timewait (11.75/0/0)
tcp 0 0 192.168.100.183:58608 im-in-f83.google.c:http TIME_WAIT timewait (55.19/0/0)
tcp 0 0 192.168.100.183:42962 im-in-f83.google.c:http ESTABLISHED off (0.00/0/0)
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 54936
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935
unix 3 [ ] STREAM CONNECTED 54934
/tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932
unix 3 [ ] STREAM CONNECTED 54699 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44852
unix 3 [ ] STREAM CONNECTED 44851
/tmp/ksocket-root/konquerorm4BxBa.slave-socket
unix 3 [ ] STREAM CONNECTED 44847
unix 3 [ ] STREAM CONNECTED 44850
/tmp/ksocket-root/konquerorlmR3Hb.slave-socket
unix 3 [ ] STREAM CONNECTED 44834
unix 3 [ ] STREAM CONNECTED 44422 /tmp/.ICE-unix/5389
unix 3 [ ] STREAM CONNECTED 44421
unix 3 [ ] STREAM CONNECTED 44420 /tmp/.X11-unix/X0

-p : On Linux (Process): shows which processes are using which sockets (similar to -b under Windows). You must be root to do this. On Windows (Protocol): shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.



matriux ~ # netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.100.183:42954 im-in-f83.google.c:http ESTABLISHED 10246/klaunchericER
tcp 0 0 192.168.100.183:57095 im-in-f83.google.c:http TIME_WAIT -
tcp 0 0 192.168.100.183:42955 im-in-f83.google.c:http TIME_WAIT -
tcp 0 0 192.168.100.183:42957 im-in-f83.google.c:http ESTABLISHED 10311/klaunchericER
tcp 0 0 192.168.100.183:42956 im-in-f83.google.c:http ESTABLISHED 11776/klaunchericER
tcp 0 0 192.168.100.183:42958 im-in-f83.google.c:http TIME_WAIT -
tcp 0 0 192.168.100.183:57094 im-in-f83.google.c:http ESTABLISHED 10315/klaunchericER
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM 2445 3226/udevd @/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 4884/syslogd /dev/log
unix 3 [ ] STREAM CONNECTED 54936 5370/dcopserver [kd /tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 54935 11776/klaunchericER
unix 3 [ ] STREAM CONNECTED 54934 5499/konqueror [kde /tmp/ksocket-root/konquerorx0J3lb.slave-socket
unix 3 [ ] STREAM CONNECTED 54932 11776/klaunchericER
unix 3 [ ] STREAM CONNECTED 54699 5306/X /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 54698 5374/klauncher [kde
unix 3 [ ] STREAM CONNECTED 44869 5370/dcopserver [kd /tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868 10318/klaunchericER
unix 3 [ ] STREAM CONNECTED 44867 5499/konqueror [kde /tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864 10318/klaunchericER
unix 3 [ ] STREAM CONNECTED 44858 5370/dcopserver [kd /tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857 10315/klaunchericER

-r : Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)

matriux ~ # netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.100.254 0.0.0.0 UG 0 0 0 eth1

-s : Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.

matriux ~ # netstat -s
Ip:
4582 total packets received
9 with invalid addresses
0 forwarded
0 incoming packets discarded
4573 incoming packets delivered
2107 requests sent out
16 dropped because of missing route
Icmp:
9 ICMP messages received
3 input ICMP message failed.
ICMP input histogram:
echo requests: 3
echo replies: 6
4 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
destination unreachable: 1
echo request: 3
IcmpMsg:
InType0: 6
InType8: 3
OutType3: 1
OutType8: 3
Tcp:
142 active connections openings
0 passive connection openings
0 failed connection attempts
9 connection resets received
0 connections established
1783 segments received
1920 segments send out
0 segments retransmited
0 bad segments received.
2 resets sent
Udp:
183 packets received
1 packets to unknown port received.
0 packet receive errors
183 packets sent
UdpLite:
TcpExt:
112 TCP sockets finished time wait in fast timer
40 delayed acks sent
697 packets directly queued to recvmsg prequeue.
2866 bytes directly in process context from backlog
820028 bytes directly received in process context from prequeue
270 packet headers predicted
639 packets header predicted and directly queued to user
270 acknowledgments not containing data payload received
8 predicted acknowledgments
7 connections reset due to early user close
IpExt:
InBcastPkts: 2606
OutBcastPkts: 6

-v : On Windows, when used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for all executables. On Linux, the help output above lists -v (--verbose) as "be verbose".

matriux ~ # netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.100.183:57083 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:57085 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:57084 im-in-f83.google.c:http TIME_WAIT
tcp 0 0 192.168.100.183:57081 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:57082 im-in-f83.google.c:http ESTABLISHED
tcp 0 0 192.168.100.183:57080 im-in-f83.google.c:http ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 2445
@/org/kernel/udev/udevd
unix 5 [ ] DGRAM 9936 /dev/log
unix 3 [ ] STREAM CONNECTED 44869
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44868
unix 3 [ ] STREAM CONNECTED 44867
/tmp/ksocket-root/konquerorLlGFSa.slave-socket
unix 3 [ ] STREAM CONNECTED 44864
unix 3 [ ] STREAM CONNECTED 44858
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44857
unix 3 [ ] STREAM CONNECTED 44853
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44852
unix 3 [ ] STREAM CONNECTED 44851
/tmp/ksocket-root/konquerorm4BxBa.slave-socket
unix 3 [ ] STREAM CONNECTED 44847
unix 3 [ ] STREAM CONNECTED 44850
/tmp/ksocket-root/konquerorlmR3Hb.slave-socket
unix 3 [ ] STREAM CONNECTED 44834
unix 3 [ ] STREAM CONNECTED 44422 /tmp/.ICE-unix/5389
unix 3 [ ] STREAM CONNECTED 44421
unix 3 [ ] STREAM CONNECTED 44420 /tmp/.X11-unix/X0
unix 3 [ ] STREAM CONNECTED 44417
unix 3 [ ] STREAM CONNECTED 44414
/tmp/.ICE-unix/dcop5370-1243447644
unix 3 [ ] STREAM CONNECTED 44413

Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

/? : Displays help at the command prompt. (only on Windows)



Netstat provides statistics for the following:

* Proto - The name of the protocol (TCP or UDP).

* Local Address - The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port is shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

* Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).

* State - Indicates the state of a TCP connection. The possible states are as follows: CLOSE_WAIT, CLOSED, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, LAST_ACK, LISTEN, SYN_RECEIVED, SYN_SEND, and TIME_WAIT. For more information about the states of a TCP connection, see.
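The columns described above are enough to answer two questions a defender usually asks first: how many TCP connections sit in each state, and which listening sockets are reachable from other hosts rather than only from loopback. The script below is an added example, not part of the original article; the function names and the sample lines are constructed for illustration, and it accepts both the Linux layout shown on this page and the Windows layout (Proto, Local Address, Foreign Address, State, PID).

```shell
#!/bin/sh
# Added example (not from the original article): review netstat output for
# connection states and listener exposure. Reads netstat text on stdin.

# Constructed sample in the Linux `netstat -a` layout; the addresses are
# documentation ranges, not real hosts.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 0.0.0.0:7741 0.0.0.0:* LISTEN
tcp 0 0 192.0.2.10:42963 198.51.100.7:80 ESTABLISHED
tcp 0 0 192.0.2.10:42957 198.51.100.7:80 TIME_WAIT
tcp 0 0 192.0.2.10:42967 198.51.100.7:80 ESTABLISHED
udp 0 0 *:bootpc *:*
udp 0 0 127.0.0.1:323 0.0.0.0:*
unix 2 [ ACC ] STREAM LISTENING 10667 /tmp/.X11-unix/X0
EOF
}

# Print "STATE COUNT" per TCP state, most frequent first.
tcp_state_counts() {
    LC_ALL=C awk '
        tolower($1) ~ /^tcp/ {
            # The state is the first all-caps token after the protocol name;
            # addresses contain ":" and queue sizes start with a digit.
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[A-Z][A-Z0-9_]*$/) { n[$i]++; break }
        }
        END { for (s in n) print s, n[s] }
    ' | sort -k2,2nr -k1,1
}

# Print "proto local-address scope" for each listening TCP socket and each
# unconnected UDP socket. scope: all-interfaces | loopback | specific.
listener_scopes() {
    LC_ALL=C awk '
        function scope(addr,    host) {
            host = addr
            sub(/:[^:]*$/, "", host)      # drop the trailing :port
            sub(/^\[/, "", host)          # Windows prints IPv6 as [::]:135
            sub(/\]$/, "", host)
            if (host == "*" || host == "0.0.0.0" || host == "::")
                return "all-interfaces"
            if (host == "localhost" || host ~ /^127\./ || host == "::1")
                return "loopback"
            return "specific"
        }
        {
            proto = tolower($1)
            if (proto !~ /^(tcp|udp)/) next
            # Linux prints Recv-Q and Send-Q before the addresses; Windows
            # goes straight from Proto to Local Address.
            off = ($2 ~ /^[0-9]+$/) ? 2 : 0
            laddr = $(2 + off); faddr = $(3 + off); state = $(4 + off)
            if (proto ~ /^tcp/ && state !~ /^LISTEN/) next
            if (proto ~ /^udp/ && faddr !~ /:\*$/) next
            print proto, laddr, scope(laddr)
        }
    '
}

# Stand-alone run on the constructed sample. On a live host, pipe
# `netstat -an` into either function instead.
sample_netstat | tcp_state_counts
sample_netstat | listener_scopes
```

Every line marked all-interfaces is a service that other machines on the network can reach unless a firewall intervenes, so those are the entries to compare against the list of services the host is supposed to offer.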



Connection States

Indicates the state of a TCP connection. The possible states are as follows:

CLOSE_WAIT

CLOSED

ESTABLISHED

FIN_WAIT_1

FIN_WAIT_2

LAST_ACK

LISTEN

SYN_RECEIVED

SYN_SEND

TIME_WAIT



· To display the statistics for only the TCP or UDP protocols, type one of the following commands:

netstat -s -p tcp

netstat -s -p udp

· To display active TCP connections and the process IDs every 5 seconds, type the following command (works on Microsoft XP and 2003 only, or Windows 2000 with hotfix):

netstat -o 5

· To display active TCP connections and the process IDs using numerical form, type the following command (works on Microsoft XP and 2003 only, or Windows 2000 with hotfix):

netstat -n -o
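The netstat -s counters shown earlier are running totals, so a single reading says little; what matters is how much a counter grows over an interval. The script below is an added example, not part of the original article: it compares two saved `netstat -s` captures and reports the counters that increased, plus the share of TCP segments that were retransmitted. The function names and both sample captures are constructed, and the counter labels are the ones printed in the -s output on this page (other netstat versions may word them differently).

```shell
#!/bin/sh
# Added example (not from the original article): compare two `netstat -s`
# captures and report the counters that grew between them.
# Live use: netstat -s > before.txt; sleep 60; netstat -s > after.txt

# Constructed captures using counter labels from the -s output on this page.
sample_before() {
cat <<'EOF'
Tcp:
    142 active connections openings
    0 failed connection attempts
    9 connection resets received
    1920 segments send out
    0 segments retransmited
Udp:
    183 packets received
    1 packets to unknown port received.
EOF
}
sample_after() {
cat <<'EOF'
Tcp:
    150 active connections openings
    50 failed connection attempts
    9 connection resets received
    2400 segments send out
    12 segments retransmited
Udp:
    190 packets received
    41 packets to unknown port received.
EOF
}

# $1 = earlier capture file, $2 = later capture file.
# Prints "Section/label<TAB>increase" for every counter that went up.
netstat_s_delta() {
    LC_ALL=C awk '
        FNR == 1 { file++; sec = "" }
        {
            sub(/^[ \t]+/, "")
            if ($0 ~ /^[A-Za-z]+:$/) {          # section header, e.g. "Tcp:"
                sec = substr($0, 1, length($0) - 1); next
            }
            if ($0 ~ /^[0-9]+ /) {              # "142 active connections openings"
                val = $1; sub(/^[0-9]+ +/, "")
            } else if ($0 ~ /: [0-9]+$/) {      # "InBcastPkts: 2606"
                val = $NF; sub(/: [0-9]+$/, "")
            } else next                         # sub-headings and blank lines
            sub(/\.$/, "")                      # some labels end with "."
            key = sec "/" $0
            if (file == 1) { before[key] = val + 0; next }
            if ((key in before) && (val + 0 > before[key]))
                print key "\t" (val - before[key])
        }
    ' "$1" "$2"
}

# stdin: netstat_s_delta output. Prints retransmitted segments as a
# percentage of segments sent during the interval, or "n/a".
retransmit_pct() {
    LC_ALL=C awk -F'\t' '
        # Labels are spelled as on this page; the patterns also accept the
        # corrected spellings.
        $1 ~ /^Tcp\/segments sen[dt] out$/     { sent = $2 }
        $1 ~ /^Tcp\/segments retransmit+ed$/   { retx = $2 }
        END { if (sent > 0) printf "%.1f\n", 100 * retx / sent; else print "n/a" }
    '
}

# Stand-alone run on the constructed captures.
tmp=$(mktemp -d)
sample_before > "$tmp/before"; sample_after > "$tmp/after"
netstat_s_delta "$tmp/before" "$tmp/after"
echo "retransmitted: $(netstat_s_delta "$tmp/before" "$tmp/after" | retransmit_pct)%"
rm -rf "$tmp"
```

A rising retransmission share points toward loss or congestion on the path, while growth in "packets to unknown port received" means datagrams are arriving for UDP ports that nothing on the host is listening on.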


This Article can be found at the blog section of www.dileepk.info

1 comment:

Colin McD said...

Thank you for the article. It is helpful.

What I have been trying to find for a long time is an in-depth explanation of the netstat -s statistics and what they mean.
Like if I have
50 failed connection attempts

site has tried to connect and has failed to send valid TCP frames. Look at MTU values.

Ideally a guide where if I find unusual netstat -s statistics I can check if they are normal or concerning or (even better) a symptom of a problem.

But hey glad that your guide is here and giving it a +1