NAME
netstat —
show network status
SYNOPSIS
netstat |
[-Aan]
[-f
address_family[,family
...]] [-M
core] [-N
system] |
netstat |
[-bdghiLlmnqrSsTtv]
[-f
address_family[,family
...]] [-M
core] [-N
system] |
netstat |
[-dn]
[-I
interface]
[-M core]
[-N
system]
[-w
wait] |
netstat |
[-M
core] [-N
system]
[-p
protocol] |
netstat |
[-M
core] [-N
system]
[-p
protocol] -P
pcbaddr |
netstat |
[-i]
[-I
Interface]
[-p
protocol] |
netstat |
[-is]
[-f
address_family[,family
...]] [-I
Interface] |
netstat |
[-s]
[-I
Interface] -B |
DESCRIPTION
The
netstat command symbolically displays the contents of
various network-related data structures. There are a number of output formats,
depending on the options for the information presented. The first form of the
command displays a list of active sockets for each protocol. The second form
presents the contents of one of the other network data structures according to
the option selected. Using the third form, with a
wait
interval specified,
netstat will continuously display the
information regarding packet traffic on the configured network interfaces. The
fourth form displays statistics about the named protocol. The fifth and sixth
forms display per interface statistics for the specified protocol or address
family.
The options have the following meaning:
-
-
- -A
- With the default display, show the address of any protocol
control blocks associated with sockets; used for debugging.
-
-
- -a
- With the default display, show the state of all sockets;
normally sockets used by server processes are not shown.
-
-
- -B
- With the default display, show the current
bpf(4) peers. To show only the
peers listening to a specific interface, use the -I
option. If the -s option is present, show the current
bpf(4) statistics.
-
-
- -b
- With the interface display (option -i),
show bytes in and out, instead of packets in and out.
-
-
- -d
- With either interface display (option -i
or an interval, as described below), show the number of dropped
packets.
-
-
- -f
address_family[,family
...]
- Limit statistics or address control block reports to those
of the specified address_families. The following
address families are recognized: inet, for
AF_INET
; inet6, for
AF_INET6
; arp, for
AF_ARP
; ns, for
AF_NS
; atalk, for
AF_APPLETALK
; mpls, for
AF_MPLS
; and local or
unix, for AF_LOCAL
.
-
-
- -g
- Show information related to multicast (group address)
routing. By default, show the IP Multicast virtual-interface and routing
tables. If the -s option is also present, show multicast
routing statistics.
-
-
- -h
- When used with -b in combination with
either -i or -I, output
"human-readable" byte counts.
-
-
- -I
interface
- Show information about the specified interface; used with a
wait interval as described below. If the
-f address_family option (with the
-s option) or the -p
protocol option is present, show per-interface
statistics on the interface for the specified
address_family or protocol,
respectively.
-
-
- -i
- Show the state of interfaces which have been
auto-configured (interfaces statically configured into a system, but not
located at boot time are not shown). If the -a options
is also present, multicast addresses currently in use are shown for each
Ethernet interface and for each IP interface address. Multicast addresses
are shown on separate lines following the interface address with which
they are associated. If the -f
address_family option (with the -s
option) or the -p protocol option
is present, show per-interface statistics on all interfaces for the
specified address_family or
protocol, respectively.
-
-
- -L
- Don't show link-level routes (e.g., IPv4 ARP or IPv6
neighbour cache).
-
-
- -l
- With the -g option, display wider fields
for the IPv6 multicast routing table “Origin” and
“Group” columns.
-
-
- -M
core
- Use kvm(3)
instead of sysctl(3) to
retrieve information and extract values associated with the name list from
the specified core. If the -M option is not given but
the -N option is given, the default
/dev/mem is used.
-
-
- -m
- Show statistics recorded by the mbuf memory management
routines (the network manages a private pool of memory buffers).
-
-
- -N
system
- Use kvm(3)
instead of sysctl(3) to
retrieve information and extract the name list from the specified system.
For the default behavior when only -M option is given,
see the description about when execfile is
NULL
in
kvm_openfiles(3).
-
-
- -n
- Show network addresses and ports as numbers (normally
netstat interprets addresses and ports and attempts to
display them symbolically). This option may be used with any of the
display formats.
-
-
- -P
pcbaddr
- Dump the contents of the protocol control block (PCB)
located at kernel virtual address pcbaddr. This
address may be obtained using the -A flag. The default
protocol is TCP, but may be overridden using the -p
flag.
-
-
- -p
protocol
- Show statistics about protocol, which
is either a well-known name for a protocol or an alias for it. Some
protocol names and aliases are listed in the file
/etc/protocols. A null response typically means that
there are no interesting numbers to report. The program will complain if
protocol is unknown or if there is no statistics
routine for it.
-
-
- -q
- Show software interrupt queue setting/statistics for all
protocols.
-
-
- -r
- Show the routing tables. When -s is also
present, show routing statistics instead.
-
-
- -S
- Show network addresses as numbers (as with
-n, but show ports symbolically).
-
-
- -s
- Show per-protocol statistics. If this option is repeated,
counters with a value of zero are suppressed.
-
-
- -T
- Show MPLS Tags for the routing tables. If multiple tags
exists, they will be comma separated, first tag being the BoS one.
-
-
- -t
- With the -i option, display the current
value of the watchdog timer function.
-
-
- -v
- Show extra (verbose) detail for the routing tables
(-r), or avoid truncation of long addresses.
-
-
- -w
wait
- Show network interface statistics at intervals of
wait seconds.
-
-
- -X
- Force use of
sysctl(3) when retrieving
information. Some features of netstat may not be (fully)
supported when using
sysctl(3). This flag forces
the use of the latter regardless, and emits a message if a not yet fully
supported feature is used in conjunction with it. This flag might be
removed at any time; do not rely on its presence.
The default display, for active sockets, shows the local and remote addresses,
send and receive queue sizes (in bytes), protocol, and the internal state of
the protocol. Address formats are of the form ``host.port'' or
``network.port'' if a socket's address specifies a network but no specific
host address. When known the host and network addresses are displayed
symbolically according to the data bases
/etc/hosts and
/etc/networks, respectively. If a symbolic name for an
address is unknown, or if the
-n option is specified, the
address is printed numerically, according to the address family. For more
information regarding the Internet ``dot format,'' refer to
inet(3)). Unspecified, or
``wildcard'', addresses and ports appear as ``*''. You can use the
fstat(1) command to find out
which process or processes hold references to a socket.
The interface display provides a table of cumulative statistics regarding
packets transferred, errors, and collisions. The network addresses of the
interface and the maximum transmission unit (``mtu'') are also displayed.
The routing table display indicates the available routes and their status. Each
route consists of a destination host or network and a gateway to use in
forwarding packets. The flags field shows a collection of information about
the route stored as binary choices. The individual flags are discussed in more
detail in the
route(8) and
route(4) manual pages.
Direct routes are created for each interface attached to the local host; the
gateway field for such entries shows the address of the outgoing interface.
The refcnt field gives the current number of active uses of the route.
Connection oriented protocols normally hold on to a single route for the
duration of a connection while connectionless protocols obtain a route while
sending to the same destination. The use field provides a count of the number
of packets sent using that route. The mtu entry shows the mtu associated with
that route. This mtu value is used as the basis for the TCP maximum segment
size. The 'L' flag appended to the mtu value indicates that the value is
locked, and that path mtu discovery is turned off for that route. A
‘-’ indicates that the mtu for this route has not been set, and a
default TCP maximum segment size will be used. The interface entry indicates
the network interface used for the route.
When
netstat is invoked with the
-w option
and a
wait interval argument, it displays a running
count of statistics related to network interfaces. An obsolescent version of
this option used a numeric parameter with no option, and is currently
supported for backward compatibility. This display consists of a column for
the primary interface (the first interface found during autoconfiguration) and
a column summarizing information for all interfaces. The primary interface may
be replaced with another interface with the
-I option. The
first line of each screen of information contains a summary since the system
was last rebooted. Subsequent lines of output show values accumulated over the
preceding interval.
The first character of the flags column in the
-B option shows
the status of the
bpf(4) descriptor
which has three different values: Idle ('I'), Waiting ('W') and Timed Out
('T'). The second character indicates whether the promisc flag is set. The
third character indicates the status of the immediate mode. The fourth
character indicates whether the peer will have the ability to see the packets
sent. And the fifth character shows the header complete flag status.
SEE ALSO
fstat(1),
nfsstat(1),
ps(1),
sockstat(1),
vmstat(1),
inet(3),
bpf(4),
hosts(5),
networks(5),
protocols(5),
services(5),
iostat(8),
trpt(8)
HISTORY
The
netstat command appeared in
4.2BSD. IPv6 support was added by WIDE/KAME project.
BUGS
The notion of errors is ill-defined.