<HTML
><HEAD
><TITLE
>The netstat Command</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.57"><LINK
REL="HOME"
TITLE="Linux Network Administrators Guide"
HREF="index.html"><LINK
REL="UP"
TITLE="Configuring TCP/IP Networking"
HREF="x-087-2-iface.html"><LINK
REL="PREVIOUS"
TITLE="All About ifconfig"
HREF="x-087-2-iface.ifconfig.html"><LINK
REL="NEXT"
TITLE="Checking the ARP Tables"
HREF="x-087-2-iface.verify.arp.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Linux Network Administrators Guide</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="x-087-2-iface.ifconfig.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
>Chapter 5. Configuring TCP/IP Networking</TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="x-087-2-iface.verify.arp.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="X-087-2-IFACE.NETSTAT"
>5.9. The netstat Command</A
></H1
><P
><B
CLASS="COMMAND"
>netstat</B
> is a useful tool for checking your network
configuration and activity. It is in fact a collection of several
tools lumped together. We discuss each of its functions in the
following sections.</P
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="X-087-2-IFACE.NETSTAT.-R"
>5.9.1. Displaying the Routing Table</A
></H2
><P
>When you invoke <B
CLASS="COMMAND"
>netstat</B
> with the
<TT
CLASS="OPTION"
>-r</TT
> flag, it displays the kernel routing table
in the way we've been doing with <B
CLASS="COMMAND"
>route</B
>. On
<SPAN
CLASS="SYSTEMITEM"
>vstout</SPAN
>, it produces:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
># <TT
CLASS="USERINPUT"
><B
>netstat -nr</B
></TT
>
Kernel IP routing table
Destination     Gateway         Genmask         Flags  MSS Window  irtt Iface
127.0.0.1       *               255.255.255.255 UH       0 0          0 lo
172.16.1.0      *               255.255.255.0   U        0 0          0 eth0
172.16.2.0      172.16.1.1      255.255.255.0   UG       0 0          0 eth0</PRE
></TD
></TR
></TABLE
></P
><P
>The <TT
CLASS="OPTION"
>-n</TT
> option makes <B
CLASS="COMMAND"
>netstat</B
>
print addresses as dotted quad IP numbers rather than the symbolic
host and network names. This option is especially useful when you want
to avoid address lookups over the network (e.g., to a DNS or NIS
server).</P
><P
>The second column of <B
CLASS="COMMAND"
>netstat</B
>'s output shows
the gateway to which the routing entry points. If no gateway is used,
an asterisk is printed instead. The third column shows the
“generality” of the route, i.e., the network mask for this
route. When given an IP address to find a suitable route for, the
kernel steps through each of the routing table entries, taking the
bitwise AND of the address and the genmask before comparing it to the
target of the route.</P
><P
>The fourth column displays the following flags that describe the route:

<P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><TT
CLASS="LITERAL"
>G</TT
></DT
><DD
><P
>The route uses a gateway.</P
></DD
><DT
><TT
CLASS="LITERAL"
>U</TT
></DT
><DD
><P
>The interface to be used is up.</P
></DD
><DT
><TT
CLASS="LITERAL"
>H</TT
></DT
><DD
><P
>Only a single host can be reached through the route. For example, this is the
case for the loopback entry <SPAN
CLASS="SYSTEMITEM"
>127.0.0.1</SPAN
>.</P
></DD
><DT
><TT
CLASS="LITERAL"
>D</TT
></DT
><DD
><P
>This
route is dynamically created. It is set if the table entry has been
generated by a routing daemon like <B
CLASS="COMMAND"
>gated</B
> or by an
ICMP redirect message (see <A
HREF="x-087-2-issues.icmp.html"
>Section 2.5</A
> in Chapter 2).</P
></DD
><DT
><TT
CLASS="LITERAL"
>M</TT
></DT
><DD
><P
>This
flag is set if the table entry was modified by an ICMP redirect
message.</P
></DD
><DT
><TT
CLASS="LITERAL"
>!</TT
></DT
><DD
><P
>The route is a reject route and datagrams will be dropped.</P
></DD
></DL
></DIV
></P
><P
>
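The genmask comparison and the flag column described above, worked through in Python as an added example (it is not part of the original guide). The sample is the <TT CLASS="LITERAL">netstat -nr</TT> table from vstout plus one constructed host route flagged <TT CLASS="LITERAL">UGHD</TT>; preferring the most specific matching mask is standard kernel behaviour that goes beyond what the paragraph spells out, and the function names are illustrative.

```python
import ipaddress

# Constructed sample: the `netstat -nr` table from vstout shown above, plus one
# hypothetical host route flagged UGHD, added here to exercise the D/M check.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags  MSS Window  irtt Iface
127.0.0.1       *               255.255.255.255 UH       0 0          0 lo
172.16.1.0      *               255.255.255.0   U        0 0          0 eth0
172.16.2.0      172.16.1.1      255.255.255.0   UG       0 0          0 eth0
172.16.2.99     172.16.1.9      255.255.255.255 UGHD     0 0          0 eth0
"""

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_routes(text):
    """Parse numeric (`-n`) routing table output into a list of dicts."""
    routes = []
    for line in text.splitlines()[2:]:            # skip title and column header
        f = line.split()
        if len(f) == 8:
            routes.append({"dest": f[0], "mask": f[2], "flags": f[3], "iface": f[7],
                           "gateway": None if f[1] in ("*", "0.0.0.0") else f[1]})
    return routes

def lookup(routes, addr):
    """Return the route the table selects for addr, or None (no route or reject)."""
    ip = to_int(addr)
    # The test from the text: (address AND genmask) == target of the route.
    hits = [r for r in routes if ip & to_int(r["mask"]) == to_int(r["dest"])]
    if not hits:
        return None
    best = max(hits, key=lambda r: to_int(r["mask"]))   # most specific mask wins
    return None if "!" in best["flags"] else best        # '!' = datagrams dropped

def redirect_suspects(routes):
    """Routes flagged D (dynamically created) or M (modified by ICMP redirect)."""
    return [r for r in routes if set(r["flags"]) & {"D", "M"}]

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for addr in ("172.16.1.20", "172.16.2.45", "172.16.2.99", "10.0.0.1"):
        r = lookup(table, addr)
        print(addr, "->", (r["gateway"] or "direct", r["iface"]) if r else "no route")
    print("review:", [(r["dest"], r["gateway"], r["flags"])
                      for r in redirect_suspects(table)])
```

On a host that runs no routing daemon, any entry this reports was installed by an ICMP redirect; here the constructed host route sends traffic for 172.16.2.99 through a different gateway than the rest of its subnet.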
The next three columns show the MSS, Window and irtt that will be
applied to TCP connections established via this route. The MSS is the
Maximum Segment Size and is the size of the largest datagram the
kernel will construct for transmission via this route. The Window is
the maximum amount of data the system will accept in a single burst
from a remote host. The acronym <TT
CLASS="LITERAL"
>irtt</TT
> stands for
“initial round trip time.” The TCP protocol ensures that
data is reliably delivered between hosts by retransmitting a datagram
if it has been lost. The TCP protocol keeps a running count of how
long it takes for a datagram to be delivered to the remote end and for an
acknowledgement to be received, so that it knows how long to wait
before assuming a datagram needs to be retransmitted; this interval is
called the round-trip time. The initial round-trip time is the value
that the TCP protocol will use when a connection is first
established. For most network types, the default value is okay, but
for some slow networks, notably certain types of amateur packet radio
networks, the time is too short and causes unnecessary
retransmission. The <TT
CLASS="LITERAL"
>irtt</TT
> value can be set using the
<B
CLASS="COMMAND"
>route</B
> command. Values of zero in these fields mean
that the default is being used.</P
><P
>Finally, the last field displays the network interface that this route
will use.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="X-087-2-IFACE.NETSTAT.-I"
>5.9.2. Displaying Interface Statistics</A
></H2
><P
>When invoked with the <TT
CLASS="OPTION"
>-i</TT
> flag,
<B
CLASS="COMMAND"
>netstat</B
> displays statistics for the network
interfaces currently configured. If the <TT
CLASS="OPTION"
>-a</TT
>
option is also given, it prints <I
CLASS="EMPHASIS"
>all</I
> interfaces
present in the kernel, not only those that are currently
configured. On <SPAN
CLASS="SYSTEMITEM"
>vstout</SPAN
>, the
output from <B
CLASS="COMMAND"
>netstat</B
> will look like this:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
># <TT
CLASS="USERINPUT"
><B
>netstat -i</B
></TT
>
Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flags
lo        0   0     3185      0      0      0     3185      0      0      0 BLRU
eth0   1500   0   972633     17     20    120   628711    217      0      0 BRU</PRE
></TD
></TR
></TABLE
></P
><P
>The <TT
CLASS="LITERAL"
>MTU</TT
> and <TT
CLASS="LITERAL"
>Met</TT
> fields show the
current MTU and metric values for that interface. The
<TT
CLASS="LITERAL"
>RX</TT
> and <TT
CLASS="LITERAL"
>TX</TT
> columns show how many
packets have been received or transmitted error-free
(<TT
CLASS="LITERAL"
>RX-OK</TT
>/<TT
CLASS="LITERAL"
>TX-OK</TT
>) or damaged
(<TT
CLASS="LITERAL"
>RX-ERR</TT
>/<TT
CLASS="LITERAL"
>TX-ERR</TT
>); how many were
dropped (<TT
CLASS="LITERAL"
>RX-DRP</TT
>/<TT
CLASS="LITERAL"
>TX-DRP</TT
>); and how
many were lost because of an overrun
(<TT
CLASS="LITERAL"
>RX-OVR</TT
>/<TT
CLASS="LITERAL"
>TX-OVR</TT
>).</P
><P
>The last column shows the flags that have been set for this interface.
These characters are one-character versions of the long flag names
that are printed when you display the interface configuration with
<B
CLASS="COMMAND"
>ifconfig</B
>:

<P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><TT
CLASS="LITERAL"
>B</TT
></DT
><DD
><P
>A broadcast address has been set.</P
></DD
><DT
><TT
CLASS="LITERAL"
>L</TT
></DT
><DD
><P
>This interface is a loopback device.</P
></DD
><DT
><TT
CLASS="LITERAL"
>M</TT
></DT
><DD
><P
>All packets are received (promiscuous mode).</P
></DD
><DT
><TT
CLASS="LITERAL"
>O</TT
></DT
><DD
><P
>ARP is turned off for this interface.</P
></DD
><DT
><TT
CLASS="LITERAL"
>P</TT
></DT
><DD
><P
>This is a point-to-point connection.</P
></DD
><DT
><TT
CLASS="LITERAL"
>R</TT
></DT
><DD
><P
>Interface is running.</P
></DD
><DT
><TT
CLASS="LITERAL"
>U</TT
></DT
><DD
><P
>Interface is up.</P
></DD
></DL
></DIV
></P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="X-087-2-IFACE.NETSTAT.-T-U-X"
>5.9.3. Displaying Connections</A
></H2
><P
><B
CLASS="COMMAND"
>netstat</B
> supports a set of options to display active
or passive sockets. The options <TT
CLASS="OPTION"
>-t</TT
>,
<TT
CLASS="OPTION"
>-u</TT
>, <TT
CLASS="OPTION"
>-w</TT
>, and
<TT
CLASS="OPTION"
>-x</TT
> show active TCP, UDP, RAW, or Unix socket
connections. If you provide the <TT
CLASS="OPTION"
>-a</TT
> flag in
addition, sockets that are waiting for a connection (i.e., listening)
are displayed as well. This display will give you a list of all
servers that are currently running on your system.</P
><P
>Invoking <B
CLASS="COMMAND"
>netstat -ta</B
> on
<SPAN
CLASS="SYSTEMITEM"
>vlager</SPAN
> produces this output:

<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><PRE
CLASS="SCREEN"
>$ <TT
CLASS="USERINPUT"
><B
>netstat -ta</B
></TT
>
Active Internet Connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (State)
tcp        0      0 *:domain               *:*                    LISTEN
tcp        0      0 *:time                 *:*                    LISTEN
tcp        0      0 *:smtp                 *:*                    LISTEN
tcp        0      0 vlager:smtp            vstout:1040            ESTABLISHED
tcp        0      0 *:telnet               *:*                    LISTEN
tcp        0      0 localhost:1046         vbardolino:telnet      ESTABLISHED
tcp        0      0 *:chargen              *:*                    LISTEN
tcp        0      0 *:daytime              *:*                    LISTEN
tcp        0      0 *:discard              *:*                    LISTEN
tcp        0      0 *:echo                 *:*                    LISTEN
tcp        0      0 *:shell                *:*                    LISTEN
tcp        0      0 *:login                *:*                    LISTEN</PRE
></TD
></TR
></TABLE
></P
><P
>This output shows most servers simply waiting for an incoming
connection. However, the fourth line shows an incoming SMTP connection
from <SPAN
CLASS="SYSTEMITEM"
>vstout</SPAN
>, and the sixth
line tells you there is an outgoing <B
CLASS="COMMAND"
>telnet</B
>
connection to <SPAN
CLASS="SYSTEMITEM"
>vbardolino</SPAN
>.<A
NAME="X-087-2-FNTC13"
HREF="#FTN.X-087-2-FNTC13"
>[1]</A
> </P
><P
>Using the <TT
CLASS="OPTION"
>-a</TT
> flag by itself will display all
sockets from all families.</P
><P
></P
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.X-087-2-FNTC13"
HREF="x-087-2-iface.netstat.html#X-087-2-FNTC13"
>[1]</A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
>You can tell whether a connection is
outgoing from the port numbers. The port number shown for the
<I
CLASS="EMPHASIS"
>calling</I
> host will always be a simple integer. On
the host being called, a well-known service port will be in use, for
which <B
CLASS="COMMAND"
>netstat</B
> uses a symbolic name such as
<TT
CLASS="LITERAL"
>smtp</TT
>, found in <TT
CLASS="FILENAME"
>/etc/services</TT
>.</P
></TD
></TR
></TABLE
></BODY
></HTML
>
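The server list from section 5.9.3 and the port heuristic from note [1], applied to the vlager listing as an added example (it is not part of the original guide). The sample reproduces the listing shown on this page; the `EXPECTED` allowlist and the function names are assumptions made for illustration.

```python
# Constructed sample: the `netstat -ta` listing from vlager shown in section 5.9.3.
SAMPLE = """\
Active Internet Connections
Proto Recv-Q Send-Q Local Address          Foreign Address        (State)
tcp        0      0 *:domain               *:*                    LISTEN
tcp        0      0 *:time                 *:*                    LISTEN
tcp        0      0 *:smtp                 *:*                    LISTEN
tcp        0      0 vlager:smtp            vstout:1040            ESTABLISHED
tcp        0      0 *:telnet               *:*                    LISTEN
tcp        0      0 localhost:1046         vbardolino:telnet      ESTABLISHED
tcp        0      0 *:chargen              *:*                    LISTEN
tcp        0      0 *:daytime              *:*                    LISTEN
tcp        0      0 *:discard              *:*                    LISTEN
tcp        0      0 *:echo                 *:*                    LISTEN
tcp        0      0 *:shell                *:*                    LISTEN
tcp        0      0 *:login                *:*                    LISTEN
"""

# Hypothetical allowlist: the services this host is meant to offer.
EXPECTED = {"domain", "smtp"}

def classify(text):
    """Sort TCP sockets into listeners, incoming, outgoing and ambiguous."""
    out = {"listening": [], "incoming": [], "outgoing": [], "ambiguous": []}
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] != "tcp":
            continue                       # title, column header, other families
        (_, lport), (rhost, rport) = f[3].rsplit(":", 1), f[4].rsplit(":", 1)
        if f[5] == "LISTEN":
            out["listening"].append(lport)
        elif rport.isdigit() and not lport.isdigit():
            out["incoming"].append((lport, rhost))   # peer called our named service
        elif lport.isdigit() and not rport.isdigit():
            out["outgoing"].append((rport, rhost))   # we called a named service
        else:
            out["ambiguous"].append(line.strip())    # e.g. -n output: both numeric
    return out

def unexpected_listeners(text, expected=EXPECTED):
    """Listening services that are not on the allowlist, sorted by name."""
    return sorted(set(classify(text)["listening"]) - set(expected))

if __name__ == "__main__":
    result = classify(SAMPLE)
    print("incoming:", result["incoming"])
    print("outgoing:", result["outgoing"])
    print("not on allowlist:", unexpected_listeners(SAMPLE))
```

The heuristic depends on symbolic port names, so output produced with `-n` lands in the ambiguous bucket instead of being guessed at.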