NETSTAT(8)
NAME
netstat - Display network connections, routing tables,
interface statistics and masquerade connections.
SYNOPSIS
netstat [-venaoc] [--tcp|-t] [--udp|-u] [--raw|-w]
[--unix|-u] [--inet|--ip] [--ax25] [--ipx] [--netrom]
netstat [-veenc] [--inet] [--ipx] [--netrom] [--ddp]
[--ax25] {--route|-r}
netstat [-veenac] {--interfaces|-i} [iface]
netstat [-enc] {--masquerade|-M}
netstat {--statistics|-s}
netstat {-V|--version} {-h|--help}
DESCRIPTION
Netstat displays information of the Linux networking sub-
system.
(no option)
You can view the status of network connections by listing
the open sockets. This is the default operation: If you
don't specify any address families, then the active sock-
ets of all configured address families will be printed.
With -e you get some additional informations (userid).
With the -v switch you can make netstat complain about
known address families which are not supported by the ker-
nel. The -o option displays some additional information on
networking timers. -a print all sockets, including the
listening server sockets. The address family inet will
display raw, udp and tcp sockets.
-r, --route
With the -r, --route option, you get the kernel routing
tables in the same format as route -e use. netstat -er
will use the output format of route. Please see route(8)
for details.
-i, --interface iface
If you use the -i, --interfaces option, a table of all (or
the specified iface) networking interfaces will be
printed. The output uses the ifconfig -e format, and is
described in ifconfig(8). netstat -ei will print a table
or a single interface entry just like ifconfig does. With
the -a switch, you can include interfaces which are not
configured (i.e. don't have the U=UP flag set).
-M, --masquerade
A list of all masqueraded sessions can be viewed, too.
With the -e switch you can include some more informations
about sequenze numbering and deltas, caused by data
rewrites on FTP sessions (PORT command). Masquerade sup-
port is used to hide hosts with unofficial network
addresses from the outside world, as described in
ipfw(4),ipfwadm(8) and ipfw(8).
-s, --statistics
Displays statistics about the networking subsystem of the
Linux Kernel which are read from /proc/net/snmp
OPTIONS
-v, --verbose
Tell the user what is going on by being verbose. Espe-
cially print some usefull informations about unconfigured
address families.
-n, --numeric
shows numerical addresses instead of trying to determine
symbolic host, port or user names.
-A, --af family
use a different method to set the address families. fam-
ily is a comma (',') seperated list of address family key-
words like inet, unix, ipx, ax25, netrom and ddp. This is
has the same effect as using the long options --inet,
--unix, --ipx, --ax25, --netrom and --ddp.
-c, --continous
This will cause netstat to print the selected table every
second continously on the screen until you interrupt it.
OUTPUT
Active Internet connections (TCP, UDP, RAW)
Proto
The protocol (tcp, udp, raw) used by the socket.
Recv-Q
The count of bytes not copied by the user program con-
nected to this socket.
Send-Q
The count of bytes not acknoledged by the remote host.
Local Address
The local address (local hostname) and port number of the
socket. Unless the -n switch is given, the socket address
is resolved to its canonical hostname, and the port number
is translated into the corresponding service name.
Foreign Address
The remote address (remote hostname) and port number of he
socket. As with the local address:port, the -n switch
turns off hostname and service name resolution.
State
The state of the socket. Since there are no states in RAW
and usually no states used in UDP, this row may be left
blank. Normally this can be one of several values:
ESTABLISHED
The socket has an established connection.
SYN_SENT
The socket is actively attempting to establish a
connection.
SYN_RECV
The connection is being initialized.
FIN_WAIT1
The socket is closed, and the connection is shut-
ting down.
FIN_WAIT2
Connection is closed, and the socket is waiting for
a shutdown from the remote end.
TIME_WAIT
The socket is waiting after close for remote shut-
down retransmission.
CLOSED The socket is not being used.
CLOSE_WAIT
The remote end has shut down, waiting for the
socket to close.
LAST_ACK
The remote end shut down, and the socket is closed.
Waiting for acknowledgement.
LISTEN The socket is listening for incoming connections.
Those sockets are only displayed if the -a,--lis-
tening switch is set.
CLOSING
Both sockets are shut down but we still don't have
all our data sent.
UNKNOWN
The state of the socket is unknown.
User
The name or the UID of the owner of the socket.
Timer
(this needs to be written)
Active UNIX domain Sockets
Proto
The protocol (usually unix) used by the socket.
RefCnt
The reference count (i.e. attached processes via this
socket).
Flags
The flags displayed is SO_ACCEPTON (displayed as ACC),
SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCECPTON is used
on unconnected sockets if their corresponding processes
are waiting for a connect request. The other flags are not
of normal interest.
Type
There are several types of socket access:
SOCK_DGRAM
The socket is used in Datagram (connectionless)
mode.
SOCK_STREAM
This is a stream (connection) socket.
SOCK_RAW
The socket is used as a raw socket.
SOCK_RDM
This one serves reliably-delivered messages.
SOCK_SEQPACKET
This is a sequential packet socket.
SOCK_PACKET
RAW interface access socket.
UNKNOWN
Who ever knows, what the future will bring us -
just fill in here :-)
State
This field will contain one of the following Keywords:
FREE The socket is not allocated
LISTENING
The socket is listening for a connection request.
Those sockets are only displayed if the -a,--lis-
tening switch is set.
CONNECTING
The socket is about to establish a connection.
CONNECTED
The socket is connected.
DISCONNECTING
The socket is disconnecting.
(empty)
The socket is not connected to another one.
UNKNOWN
This state should never happen.
Path
This displays the path name as which the corresponding
processes attached to the socket.
Active IPX sockets
(this needs to be done by somebody who knows it)
Active NET/ROM sockets
(this needs to be done by somebody who knows it)
Active AX.25 sockets
(this needs to be done by somebody who knows it)
FILES
/etc/services -- The services translation file
/proc/net/dev -- devices information
/proc/net/snmp -- networking statistics
/proc/net/raw -- RAW socket information
/proc/net/tcp -- TCP socket information
/proc/net/udp -- UDP socket information
/proc/net/unix -- Unix domain socket information
/proc/net/ipx -- IPX socket information
/proc/net/ax25 -- AX25 socket information
/proc/net/appeltalk -- DDP (appeltalk) socket information
/proc/net/nr -- NET/ROM socket information
/proc/net/route -- Kernel IP routing information
/proc/net/ax25_route -- Kernel AX25 routing information
/proc/net/ipx_route -- Kernel IPX routing information
/proc/net/nr_nodes -- Kernel NET/ROM nodelist
/proc/net/nr_neigh -- Kernel NET/ROM neighbours
/proc/net/ip_masquerade -- Kernel masqueraded connections
SEE ALSO
route(8) ifconfig(8) ipfw(4) ipfw(8) ipfwadm(8)
BUGS
Occasionally strange information may appear if a socket
changes as it is viewed. This is unlikely to occur.
The netstat -i options is described as it should work
after some code cleanup of the BETA release of the net-
tools package.
AUTHORS
The netstat user interface was written by Fred Baumgarten
lt;dc6iq@insu1.etec.uni-karlsruhe.de the man page basically
by Matt Welsh lt;mdw@tc.cornell.edu. It was updated by Alan
Cox lt;Alan.Cox@linux.org but could do with a bit more
work.
The man page and the command included in the net-tools
package is totally rewritten from Bernd Eckenfels
lt;ecki@linux.de.