The netstat program is a bit of a catch-all network reporting tool for Unix workstations. The default behavior is to print information about active network connections on a workstation, which it obtains from the operating system. This can be useful for examining problems on servers and client machines alike. Netstat comes installed on every Unix operating system, though the options and behavior are very different from system to system. Running netstat with no arguments typically causes it to print a list of every open TCP connection on the machine and a list of active Unix domain sockets: [9]
    Solaris% netstat

    TCP: IPv4
       Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
    -------------------- -------------------- ----- ------ ----- ------ -------
    workstation.63078    SERVER1.eklogin      24820      0 24820      0 ESTABLISHED
    workstation.37318    SERVER2.telnet        2197      0 24820      0 ESTABLISHED
    workstation.45954    ROUTER1.ssh           3953      0 25192      0 ESTABLISHED
    workstation.telnet   CLIENT.61786          8460      0 25380      0 ESTABLISHED
    workstation.47669    MAILSERVER.imap      64240      0 24820      0 TIME_WAIT

    Active UNIX domain sockets
    Address       Type        Vnode         Conn      Local Addr         Remote Addr
    30002d95cb8   stream-ord  300027b6638   00000000  /tmp/.X11-unix/X0

In this example, you can see that this machine, workstation.example.com, has several established TCP connections. [10] One is an encrypted login (eklogin) session to server1.example.com, one is a telnet session to server2.example.com, and another is an ssh connection to a router. You can also see that the host client.example.com has a telnet session open to the workstation. Additionally, there is an Internet Message Access Protocol (IMAP) connection from the workstation that is in the TIME_WAIT state, which is a TCP state where the connection is all but terminated, pending a timeout to ensure that no extra data will be transmitted on the port.
The output on other operating systems may be organized in an entirely different fashion, but the general idea will be the same. This program is obviously a useful means of figuring out exactly what services a machine is trying to contact. On a server, it allows you to figure out what clients are connecting and what state the connections are in. Netstat is also a common way, and on some systems the only way, to view the routing table, using the -r option:

    Solaris% netstat -r

    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use    Interface
    -------------------- -------------------- ----- ----- ------- ---------
    192.0.2.0              workstation        U        1    15116 eri0
    BASE-ADDRESS.MCAST.NET workstation        U        1        0 eri0
    default                ROUTER1            UG       1   778357
    localhost              localhost          UH       3 12485044 lo0

Other Netstat functionality varies so much from system to system that your best bet is to read the Netstat man page for details on which features are available. Most versions include an option that will allow you to view traffic statistics for each interface in real time. On Solaris, you can run Netstat as netstat -i 1 and it will print second-by-second statistics for network traffic. This is an easy way to view the number of packets per second received and transmitted. A handy feature on Linux versions of Netstat is the -p flag, which causes it to print the program name and process ID associated with each network connection.
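The point above about seeing which clients are connecting and what state the connections are in, as an added example that is not code from the original text: a small parser for the Solaris TCP table shown earlier. The function names, the constructed SAMPLE and the rule that a named or sub-1024 port marks the server side are assumptions of this example.

```python
import re
from collections import namedtuple

# Constructed sample: the Solaris TCP rows from the text, one row per line.
SAMPLE = """\
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
workstation.63078    SERVER1.eklogin      24820      0 24820      0 ESTABLISHED
workstation.37318    SERVER2.telnet        2197      0 24820      0 ESTABLISHED
workstation.45954    ROUTER1.ssh           3953      0 25192      0 ESTABLISHED
workstation.telnet   CLIENT.61786          8460      0 25380      0 ESTABLISHED
workstation.47669    MAILSERVER.imap      64240      0 24820      0 TIME_WAIT
Active UNIX domain sockets
30002d95cb8 stream-ord 300027b6638 00000000 /tmp/.X11-unix/X0
"""
Conn = namedtuple("Conn", "local lport remote rport state direction")

# Solaris joins host and port with a dot, so each address is split on its LAST dot.
ROW = re.compile(
    r"^(\S+)\.([^.\s]+)\s+(\S+)\.([^.\s]+)"      # local host.port, remote host.port
    r"\s+\d+\s+\d+\s+\d+\s+\d+\s+([A-Z_0-9]+)$"  # Swind Send-Q Rwind Recv-Q State
)

def is_service_port(port):
    # Heuristic assumed by this example: a named or <1024 port marks the server side.
    return not port.isdigit() or int(port) < 1024

def parse_tcp(text):
    """Return a Conn for every TCP row; headers and UNIX-socket rows are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        local, lport, remote, rport, state = m.groups()
        direction = "unknown"
        if is_service_port(lport) and not is_service_port(rport):
            direction = "inbound"    # a client connected to a service on this host
        elif is_service_port(rport) and not is_service_port(lport):
            direction = "outbound"   # this host connected to a remote service
        conns.append(Conn(local, lport, remote, rport, state, direction))
    return conns

def inbound_clients(conns):
    """(remote host, local service, state) for each client connected to this machine."""
    return [(c.remote, c.lport, c.state) for c in conns if c.direction == "inbound"]

if __name__ == "__main__":
    print(inbound_clients(parse_tcp(SAMPLE)))
```

Because other systems lay the table out differently, the ROW pattern would need adjusting for any format other than the Solaris one shown here.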