5.9. The netstat Command

netstat is a useful tool for checking your network configuration and activity. It is in fact a collection of several tools lumped together. We discuss each of its functions in the following sections.

5.9.1. Displaying the Routing Table

When you invoke netstat with the -r flag, it displays the kernel routing table in the way we've been doing with route. On vstout, it produces:

    # netstat -nr
    Kernel IP routing table
    Destination   Gateway      Genmask          Flags  MSS Window  irtt Iface
    127.0.0.1     *            255.255.255.255  UH       0 0          0 lo
    172.16.1.0    *            255.255.255.0    U        0 0          0 eth0
    172.16.2.0    172.16.1.1   255.255.255.0    UG       0 0          0 eth0

The -n option makes netstat print addresses as dotted quad IP numbers rather than the symbolic host and network names. This option is especially useful when you want to avoid address lookups over the network (e.g., to a DNS or NIS server).

The second column of netstat's output shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column shows the “generality” of the route, i.e., the network mask for this route. When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the genmask before comparing it to the target of the route.

The fourth column displays the following flags that describe the route:

G

The route uses a gateway.

U

The interface to be used is up.

H

Only a single host can be reached through the route. For example, this is the case for the loopback entry 127.0.0.1.

D

This route is dynamically created. It is set if the table entry has been generated by a routing daemon like gated or by an ICMP redirect message (see Section 2.5 in Chapter 2).

M

This route is set if the table entry was modified by an ICMP redirect message.

!

The route is a reject route and datagrams will be dropped.

The next three columns show the MSS, Window and irtt that will be applied to TCP connections established via this route. The MSS is the Maximum Segment Size and is the size of the largest datagram the kernel will construct for transmission via this route. The Window is the maximum amount of data the system will accept in a single burst from a remote host. The acronym irtt stands for “initial round trip time.” The TCP protocol ensures that data is reliably delivered between hosts by retransmitting a datagram if it has been lost. The TCP protocol keeps a running count of how long it takes for a datagram to be delivered to the remote end and an acknowledgement to be received, so that it knows how long to wait before assuming a datagram needs to be retransmitted; this interval is called the round-trip time. The initial round-trip time is the value that the TCP protocol will use when a connection is first established. For most network types, the default value is okay, but for some slow networks, notably certain types of amateur packet radio networks, the time is too short and causes unnecessary retransmission. The irtt value can be set using the route command. Values of zero in these fields mean that the default is being used.

Finally, the last field displays the network interface that this route will use.
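The genmask comparison and the D and M flags described above can be checked against a saved routing table. The following Python sketch is an added example, not part of the original text: it parses netstat -nr output, resolves an address by ANDing it with each genmask, and lists routes that were created or modified dynamically so they can be reviewed. The function names are hypothetical, the input must be numeric (-n) output, and picking the most specific genmask among several matches is an assumption that goes beyond the text.

```python
import ipaddress

# Constructed sample: the `netstat -nr` table for vstout from this section.
NETSTAT_NR = """\
Kernel IP routing table
Destination  Gateway     Genmask          Flags  MSS Window  irtt Iface
127.0.0.1    *           255.255.255.255  UH       0 0          0 lo
172.16.1.0   *           255.255.255.0    U        0 0          0 eth0
172.16.2.0   172.16.1.1  255.255.255.0    UG       0 0          0 eth0
"""

def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_routes(text):
    """Turn the route lines into dicts; title and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue
        routes.append({
            "dest": ip_int(f[0]),
            # "*" means no gateway; newer netstat -n prints 0.0.0.0 instead.
            "gateway": None if f[1] in ("*", "0.0.0.0") else f[1],
            "mask": ip_int(f[2]),
            "flags": f[3],
            "iface": f[7],
        })
    return routes

def lookup(routes, address):
    """AND the address with each genmask and compare with the route target."""
    addr = ip_int(address)
    hits = [r for r in routes if (addr & r["mask"]) == r["dest"]]
    # Assumption beyond the text: the most specific genmask wins.
    return max(hits, key=lambda r: r["mask"], default=None)

def redirect_touched(routes):
    """Routes carrying D or M: created or modified by a daemon or a redirect."""
    return [r for r in routes if set(r["flags"]) & {"D", "M"}]

ROUTES = parse_routes(NETSTAT_NR)

if __name__ == "__main__":
    for target in ("127.0.0.1", "172.16.1.9", "172.16.2.7", "10.0.0.1"):
        r = lookup(ROUTES, target)
        via = "no route" if r is None else f"{r['iface']} via {r['gateway'] or 'direct'}"
        print(f"{target:12} -> {via}")
    print("review:", redirect_touched(ROUTES))
```

On a host with only static routes, redirect_touched returns an empty list; any entry it does return was put there by a routing daemon or an ICMP redirect.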

5.9.2. Displaying Interface Statistics

When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured. If the -a option is also given, it prints all interfaces present in the kernel, not only those that have been configured currently. On vstout, the output from netstat will look like this:

    # netstat -i
    Kernel Interface table
    Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flags
    lo        0   0    3185      0      0      0    3185      0      0      0 BLRU
    eth0   1500   0  972633     17     20    120  628711    217      0      0 BRU

The MTU and Met fields show the current MTU and metric values for that interface. The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP); and how many were lost because of an overrun (RX-OVR/TX-OVR).

The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig:

B

A broadcast address has been set.

L

This interface is a loopback device.

M

All packets are received (promiscuous mode).

O

ARP is turned off for this interface.

P

This is a point-to-point connection.

R

Interface is running.

U

Interface is up.

5.9.3. Displaying Connections

netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display will give you a list of all servers that are currently running on your system.

Invoking netstat -ta on vlager produces this output:

    $ netstat -ta
    Active Internet Connections
    Proto Recv-Q Send-Q Local Address     Foreign Address     (State)
    tcp        0      0 *:domain          *:*                 LISTEN
    tcp        0      0 *:time            *:*                 LISTEN
    tcp        0      0 *:smtp            *:*                 LISTEN
    tcp        0      0 vlager:smtp       vstout:1040         ESTABLISHED
    tcp        0      0 *:telnet          *:*                 LISTEN
    tcp        0      0 localhost:1046    vbardolino:telnet   ESTABLISHED
    tcp        0      0 *:chargen         *:*                 LISTEN
    tcp        0      0 *:daytime         *:*                 LISTEN
    tcp        0      0 *:discard         *:*                 LISTEN
    tcp        0      0 *:echo            *:*                 LISTEN
    tcp        0      0 *:shell           *:*                 LISTEN
    tcp        0      0 *:login           *:*                 LISTEN

This output shows most servers simply waiting for an incoming connection. However, the fourth line shows an incoming SMTP connection from vstout, and the sixth line tells you there is an outgoing telnet connection to vbardolino.[1]

Using the -a flag by itself will display all sockets from all families.

Notes

[1]

You can tell whether a connection is outgoing from the port numbers. The port number shown for the calling host will always be a simple integer. On the host being called, a well-known service port will be in use for which netstat uses the symbolic name such as smtp, found in /etc/services.
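The listener inventory from Section 5.9.3 and the port-number rule in note [1] can be applied mechanically to saved netstat -ta output. The following Python sketch is an added example, not part of the original text: it labels each established connection as incoming or outgoing using the rule from the note and reports listening services that are not on an expected list. The function names and the EXPECTED_LISTENERS set are assumptions made for the example.

```python
# Constructed sample: selected lines of the `netstat -ta` output for vlager.
NETSTAT_TA = """\
Active Internet Connections
Proto Recv-Q Send-Q Local Address     Foreign Address     (State)
tcp        0      0 *:domain          *:*                 LISTEN
tcp        0      0 *:smtp            *:*                 LISTEN
tcp        0      0 vlager:smtp       vstout:1040         ESTABLISHED
tcp        0      0 *:telnet          *:*                 LISTEN
tcp        0      0 localhost:1046    vbardolino:telnet   ESTABLISHED
tcp        0      0 *:chargen         *:*                 LISTEN
"""

# Assumption for the example: the services this host is meant to offer.
EXPECTED_LISTENERS = {"domain", "smtp"}

def parse_sockets(text):
    """Turn the tcp/udp lines into dicts; title and header lines are skipped."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 6 or f[0] not in ("tcp", "udp"):
            continue
        lhost, lport = f[3].rsplit(":", 1)
        rhost, rport = f[4].rsplit(":", 1)
        socks.append({"proto": f[0], "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport, "state": f[5]})
    return socks

def direction(sock):
    """Rule from note [1]: the calling side shows a plain integer port,
    the called side shows a service name from /etc/services."""
    if sock["state"] != "ESTABLISHED":
        return None
    local_num, remote_num = sock["lport"].isdigit(), sock["rport"].isdigit()
    if local_num and not remote_num:
        return "outgoing"
    if remote_num and not local_num:
        return "incoming"
    # Both numeric (e.g. -n output) or both named: the rule cannot decide.
    return "unknown"

def unexpected_listeners(socks, expected):
    """Service names in LISTEN state that are not on the expected list."""
    return [s["lport"] for s in socks
            if s["state"] == "LISTEN" and s["lport"] not in expected]

if __name__ == "__main__":
    socks = parse_sockets(NETSTAT_TA)
    for s in socks:
        if s["state"] == "ESTABLISHED":
            print(s["lhost"], s["lport"], "<->", s["rhost"], s["rport"], direction(s))
    print("unexpected listeners:", unexpected_listeners(socks, EXPECTED_LISTENERS))
```

The rule depends on service-name lookup, so output taken with -n always yields "unknown" from direction.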