9.6 Netstat

The netstat program is a bit of a catch-all network reporting tool for Unix workstations. The default behavior is to print information about active network connections on a workstation, which it obtains from the operating system. This can be useful for examining problems on servers and client machines alike.

Netstat comes installed on every Unix operating system, though the options and behavior are very different from system to system. Running netstat with no arguments typically causes it to print a list of every open TCP connection on the machine and a list of active Unix domain sockets: [9]

[9] These are network connections internal to a machine that programs use to communicate with each other.

 
    Solaris% netstat

    TCP: IPv4
       Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
    -------------------- -------------------- ----- ------ ----- ------ -------
    workstation.63078    SERVER1.eklogin      24820      0 24820      0 ESTABLISHED
    workstation.37318    SERVER2.telnet        2197      0 24820      0 ESTABLISHED
    workstation.45954    ROUTER1.ssh           3953      0 25192      0 ESTABLISHED
    workstation.telnet   CLIENT.61786          8460      0 25380      0 ESTABLISHED
    workstation.47669    MAILSERVER.imap      64240      0 24820      0 TIME_WAIT

    Active UNIX domain sockets
    Address  Type          Vnode     Conn  Local Addr      Remote Addr
    30002d95cb8 stream-ord 300027b6638 00000000 /tmp/.X11-unix/X0

In this example, you can see that this machine, workstation.example.com, has several established TCP connections. [10] One is an encrypted login (eklogin) session to server1.example.com, one is a telnet session to server2.example.com, and another is an ssh connection to a router. You can also see that the host client.example.com has a telnet session open to the workstation. Additionally, there is an Internet Message Access Protocol (IMAP) connection from the workstation that is in the TIME_WAIT state, which is a TCP state where the connection is all but terminated, pending a timeout to ensure that no extra data will be transmitted on the port.

[10] The actual netstat output is not usually as well formatted as this; the spacing has been cleaned up a bit for the sake of clarity.

The output on other operating systems may be organized in an entirely different fashion, but the general idea will be the same. This program is obviously a useful means of figuring out exactly what services a machine is trying to contact. On a server, it allows you to figure out which clients are connecting and what state the connections are in.
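The following script is an added example, not part of the original text. It parses TCP rows in the Solaris layout shown above and reports, for each connection, its direction, peer, service and state. The direction rule (a service name or a port below 1024 on the local side means an inbound client) and the list of cleartext services are assumptions of this example, as are the function names.

```shell
#!/bin/sh
# Added example: summarize Solaris-style `netstat` TCP rows for review.

# Sample input copied from the listing above, so the script runs offline.
sample_netstat() {
cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
workstation.63078    SERVER1.eklogin      24820      0 24820      0 ESTABLISHED
workstation.37318    SERVER2.telnet        2197      0 24820      0 ESTABLISHED
workstation.45954    ROUTER1.ssh           3953      0 25192      0 ESTABLISHED
workstation.telnet   CLIENT.61786          8460      0 25380      0 ESTABLISHED
workstation.47669    MAILSERVER.imap      64240      0 24820      0 TIME_WAIT
EOF
}

# Reads netstat output on stdin; prints "DIR PEER SERVICE STATE NOTE" per row.
classify_conns() {
  awk '
    BEGIN {
      # Assumption: services treated as unencrypted by default.
      n = split("telnet ftp imap pop3 login shell", c, " ")
      for (i = 1; i <= n; i++) clear[c[i]] = 1
    }
    # Connection rows have 7 fields: numeric window column, state last.
    # Header, separator and Unix-domain-socket lines do not match.
    NF == 7 && $3 ~ /^[0-9]+$/ && $7 ~ /^[A-Z_0-9]+$/ {
      lport = $1; sub(/.*\./, "", lport)        # text after the last dot
      rhost = $2; sub(/\.[^.]*$/, "", rhost)    # text before the last dot
      rport = $2; sub(/.*\./, "", rport)
      # Assumption: a named or low local port means a client connected to us.
      if ((lport !~ /^[0-9]+$/) || (lport + 0 < 1024)) { dir = "IN";  svc = lport }
      else                                             { dir = "OUT"; svc = rport }
      note = (svc in clear) ? "CLEARTEXT" : "-"
      print dir, rhost, svc, $7, note
    }'
}

sample_netstat | classify_conns
```

On a live system, pipe `netstat` into `classify_conns` instead of the sample; other operating systems use different column layouts and need a different row pattern.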

Netstat is also a common way, and on some systems the only way, to view the routing table. Using the -r option:

 
    Solaris% netstat -r

    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    -------------------- -------------------- ----- ----- ------- ---------
    192.0.2.0            workstation          U        1    15116  eri0
    BASE-ADDRESS.MCAST.NET workstation        U        1        0  eri0
    default              ROUTER1              UG       1   778357
    localhost            localhost            UH       3 12485044  lo0

Other Netstat functionality varies so much from system to system that your best bet is to read the Netstat man page for details on which features are available. Most versions include an option that will allow you to view traffic statistics for each interface in real time. On Solaris, you can run Netstat as netstat -i 1 and it will print second-by-second statistics for network traffic. This is an easy way to view the number of packets per second received and transmitted. A handy feature on Linux versions of Netstat is the -p flag, which causes it to print the program name and process ID associated with each network connection.



Open Source Network Administration
ISBN: 130462101
Year: 2002
Pages: 85
