C.3 Using netstat to View the Network State

netstat is an extensive tool for viewing the network state. For example, you can use netstat to display the routing table and the state of the sockets currently created.

Displaying routing tables

If you start it with the -r option, netstat outputs the routing tables of the kernel. This corresponds broadly to the result of the route command. The option -n is used to output the IP addresses of computers instead of their DNS names.

    root@tux # netstat -nr
    Kernel routing table
    Destination     Gateway         Genmask         Flags   MSS Window  Use Iface
    129.13.42.0     0.0.0.0         255.255.255.0   U         0 0       478 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U         0 0        50 lo
    0.0.0.0         129.13.42.233   0.0.0.0         UG        0 0       238 eth0

The first column of this output shows the route destination. The column Flags shows the type of destination (i.e., Gateway (G) or Host (H)), to better explicate the entry in the first column.

If the destination is a gateway (router), the second column shows the IP address of that router (or, more exactly, the IP address of the adapter where the packet arrives in that router). If the route does not lead across a gateway, then the second column shows the value 0.0.0.0.

The third column shows the reach of a route. In routes with a (sub)network as the destination, the entry in the third column corresponds to the network mask; the value 255.255.255.255 is output for routes to computers (H). The default route has the mask 0.0.0.0. All entries in the routing table are sorted so that the more specific routes (long network masks) are listed before the more general routes (short network masks). When searching for a matching route, the kernel takes the bit-by-bit AND of the destination address and the network mask and compares the result with the route's destination.

The fourth column shows various flags that provide more information about a route.
As has been mentioned, these flags specify the type of destination (gateway or host), among other things:

    G: The next hop is a router (gateway). This means that the packet is sent with the router's MAC address.
    U: The network device is enabled (UP).
    H: The next hop is an end system, addressed directly by its MAC address in the MAC layer.
    D: This entry was created dynamically, either by an ICMP redirect packet or by a routing protocol.
    M: The route was modified by an ICMP redirect.

The last column shows the output interface for a route.

Viewing Interface Statistics

We can start netstat with -i to output current statistics about active network devices. This option can be used together with the option -a to show inactive network devices in addition to active network devices. The output from netstat -i resembles the output of the ifconfig command and uses the same parameters.

Active Connections and Sockets

netstat supports a number of options we can use to list active and passive sockets. The arguments -t, -u, -w, and -x show active TCP, UDP, RAW, and UNIX sockets. We can additionally use the option -a to list all sockets currently waiting for an incoming connection. This shows all open server sockets.

    root@tux # netstat -ta
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address      Foreign Address      (state)
    tcp        0      0  localhost.4261     localhost.sunrpc     TIME_WAIT
    tcp        0      0  sioux.1023         cocopah.1017         ESTABLISHED
    tcp        0    280  sioux.22           tpc17.telemat.873    ESTABLISHED
    tcp        0      0  localhost.4254     localhost.2301       TIME_WAIT
    tcp        0      0  localhost.4255     localhost.2301       TIME_WAIT
    tcp        0    217  tmnis.domain       tmins.4263           ESTABLISHED
    tcp        0      0  sioux.4257         tlps17.print-sr      SYN_SENT
    tcp        0      0  sioux.4259         tlps17.print-sr      SYN_SENT
    tcp        0      0  *.printer          *.*                  LISTEN
    tcp        0      0  *.dnacml           *.*                  LISTEN
    tcp        0      0  *.1027             *.*                  LISTEN
    udp        0      0  sioux.domain       *.*
    udp        0      0  *.908              *.*
    udp        0      0  *.987              *.*
    udp        0      0  *.1017             *.*

This example of a netstat -ta output shows that most sockets either are in the LISTEN state (waiting for incoming connections) or already have an existing TCP connection (ESTABLISHED). Previously closed connections remain in the TIME_WAIT state for a little while before the sockets are deleted and so can be reused. (See Chapter 24.)

The first two columns of the output show the current number of packets in the input queue (Recv-Queue) and the output queue (Send-Queue). The fourth and fifth columns show the socket addresses (IP address / DNS name, and port) of the two communication peers. An asterisk next to connections that don't yet exist means that there is no communication peer yet, so that no address can be specified. *:ssh means that the computer waits for connections incoming at port ssh. The allocation of port addresses to protocols is defined in /etc/services.
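
The route lookup described under "Displaying routing tables" (AND the destination address with each network mask, most specific route first), as an added example that is not from the original text: it parses the netstat -nr output shown above and returns the next hop and output interface for an address. The function names and the addresses looked up are assumptions made for illustration.

```python
import ipaddress

# Routing table copied from the netstat -nr output shown above.
NETSTAT_NR = """\
Kernel routing table
Destination     Gateway         Genmask         Flags   MSS Window  Use Iface
129.13.42.0     0.0.0.0         255.255.255.0   U         0 0       478 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U         0 0        50 lo
0.0.0.0         129.13.42.233   0.0.0.0         UG        0 0       238 eth0
"""

def parse_routes(text):
    """Return one dict per route line, skipping the two header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue
        routes.append({
            "dest": int(ipaddress.IPv4Address(fields[0])),
            "mask": int(ipaddress.IPv4Address(fields[2])),
            "gateway": fields[1],
            "flags": fields[3],
            "iface": fields[7],
        })
    # Most specific first: a longer contiguous mask is a larger integer.
    routes.sort(key=lambda r: r["mask"], reverse=True)
    return routes

def lookup(routes, address):
    """Return (next hop, interface) for address, or None if no route matches."""
    addr = int(ipaddress.IPv4Address(address))
    for r in routes:
        # Bit-by-bit AND of destination address and mask, compared
        # with the route's destination column.
        if addr & r["mask"] == r["dest"]:
            # Flag G: hand the packet to the gateway. Without G the
            # destination is reached directly on the attached network.
            next_hop = r["gateway"] if "G" in r["flags"] else address
            return next_hop, r["iface"]
    return None

ROUTES = parse_routes(NETSTAT_NR)

if __name__ == "__main__":
    for ip in ("129.13.42.17", "127.0.0.1", "8.8.8.8"):
        print(ip, "->", lookup(ROUTES, ip))
```

An address on 129.13.42.0/24 is delivered directly over eth0, while any address that matches no specific route falls through to the default route and is sent to the gateway 129.13.42.233.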