NETSTAT(1) BSD Reference Manual NETSTAT(1)NAMEnetstat - show network status
SYNOPSISnetstat [-Aknv] [-f address_family] [-p protocol] [-M core] [-N system]
netstat-s [-kv] [-f address_family] [-p protocol] [-M core] [-N system]
netstat-i [-bknOPv] [-I interface] [-f address_family] [-M core] [-N
system]
netstat-ig [-knOP] [-I interface] [-f address_family] [-M core] [-N
system]
netstat-is [-bknOPv] [-I interface] [-f address_family] [-M core] [-N
system]
netstat-i -w wait [-bkv] [-I interface] [-f address_family] [-M core]
[-N system]
netstat-m [-k] [-M core] [-N system]
netstat-r [-AknOPv] [-f address_family] [-M core] [-N system]
netstat-rg [-knOP] [-f address_family] [-M core] [-N system]
netstat-rs [-g] [-f address_family] [-M core] [-N system]
DESCRIPTION
The netstat command symbolically displays the contents of various net-
work-related data structures. There are a number of display formats, de-
pending on the selected options.
There are a number of global options that apply to all or many of the
different display formats:
-f address_family
Limit output to the specified address family. Only statis-
tics, connections or interface addresses for address_family
will be displayed. The following address families are recog-
nized: inet, for AF_INET and AF_INET6, ns, for AF_NS, iso,
for AF_ISO, and local, for AF_LOCAL.
-I interface
Limit output to the addresses, statistics or configuration
information on the specified interface. An interface is
specified by it's name (e.g. ef0).
-k By default netstat uses sysctl(3) whenever possible to obtain
statistics and other state information from the kernel. This
option requests that it read the data from /dev/kmem. This
option is implied when the -M option is specified.
-M Extract values associated with the name list from the speci-
fied kernel core file instead of the default /dev/kmem.
-N Extract the name list from the specified system instead of
the default /bsd.
-n Show network and host addresses and ports as numbers (by de-
fault netstat interprets addresses and ports and attempts to
display them symbolically). This option may be used with any
of the display formats.
-O Enable backward compatibility. With certain displays this
provides backwards compatibility output for use with scripts
that interpret netstat output. It also provides for inter-
pretation of some obsolete options. For example, in the in-
terface display -a will be interpreted as -v and netstat will
display active multicast group addresses.
-P Generate output that facilitates parsing by scripts. This
option disables width limitations for specific fields (espe-
cially host, network and port names). It also replaces empty
non-trailing fields with a dash character ``-''.
-p protocol
Limit the display output to the specified protocol, only
statistics or connections for the specified protocol will be
displayed. The following inet(4) protocols are recognized:
ip, icmp, igmp, tcp and udp. The following ns(4) protocols
are recognized: idp, spp and ns_err. The following iso(4)
protocols are recognized: tp, cltp, clnp and esis.
-u Shorthand for -f local.
-v Show more verbose output, repeating this may provide even
more verbose output. See the sections on specific displays
for details.
Active connections
netstat [-Aknv] [-f address_family] [-p protocol] [-M core] [-N system]
The first form of the netstat command displays active network connections
(referred to as sockets).
Options specific to this form of the netstat command are:
-a Include connections used by servers listening for incoming
connections, they are not displayed by default.
-A Show kernel address of protocol control blocks associated
with each connection; used for debugging.
-f address_family
Limit output to connections for the specified address family.
Possible address families are listed in the description of
the global options above.
-p protocol
Limit output to connections for the specified protocol. Pos-
sible protocol names are listed in the description of the
global options above.
-u Shorthand for -f local.
For each connection the following fields are displayed:
PCB When the -A option is present this field displays the address of
the protocol control block for this connection. This information
is generally only used for debugging the system.
Proto The name of protocol being used by this connection.
Recv-Q
The number of bytes that have been received by this connection and
not yet read by the application.
Send-Q
The number of bytes that have been written to this connection by
the application but have not been transmitted over the network.
Local Address
The address and port number (in the form ``host.port'' or
``network.port'') which identifies the local end-point of the con-
nection. When possible the host and network addresses are dis-
played symbolically. Otherwise (or if the -n option is
specified), the address is printed numerically, according to rules
specific to the address family inet(3) (For more information
regarding Internet addresses refer to). Unspecified
(wild-card) addresses and ports appear as ``*''.
Remote Address
The address and port number which identify the remote end-point of
the connection.
(state)
For some protocols, the protocol state for the connection is dis-
played.
Protocol Statistics
netstat-s [-kv] [-f address_family] [-p protocol] [-M core] [-N system]
The second form of the netstat command displays protocol statistics. By
default, non-zero statistics are displayed for all currently supported
protocols.
Options specific to this form of the netstat command are:
-f address_family
Limit output to statistics for protocols in the specified ad-
dress family. Possible address families are listed in the
description of the global options above.
-p protocol
Limit output to statistics for the specified protocol. Pos-
sible protocol names are listed in the description of the
global options above.
-u Shorthand for -f local.
-v Include zero statistics in the display.
Interface Configuration
netstat-i [-bknOPv] [-I interface] [-f address_family] [-M core] [-N
system]
The third form of the netstat command displays the configuration of net-
work interfaces.
Options specific to this form of the netstat command are:
-f address_family
Limit output to addresses in the specified address family.
Physical interface information is always displayed. Possible
address families are listed in the description of the global
options above.
-I interface
Limit output to the addresses configured on the specified in-
terface name.
For each interface, the following fields are displayed:
Name The name of the interface.
Idx The index of the interface. This field is used to identify the
interface in some system calls.
MTU The ``maximum transmission unit'' of the interface. This is the
size (in bytes) of the largest packet that can be sent out this
interface.
Speed If available, this is the speed (in bits per second) of the inter-
face. The abbreviations ``k'' (thousands), ``M'' (millions) and
``G'' (billions) are used for higher speeds.
Mtrc The routing metric assigned to this interface. Although config-
ured on an interface by ifconfig(8), this metric is only used by
routing daemons (such as gated(8)).
Address
The physical or protocol address assigned to the interface. When
possible the addresses are displayed symbolically. Otherwise (or
if the -n option is specified), the address is printed numerical-
ly, according to rules specific to the address family
Network
For address families that support the concept, the network ad-
dresses and network mask. The network address is displayed sym-
bolically when possible unless the -n option is specified. For
POINTOPOINT interfaces, the remote address is displayed in this
field.
Interface Group Membership
netstat-ig [-knOP] [-I interface] [-f address_family] [-M core] [-N
system]
The fourth form of the netstat command displays multicast group member-
ship by interface.
Options specific to this form of the netstat command are:
-f address_family
Limit output to addresses in the specified address family.
Physical interface information is always displayed. Current-
ly only the inet address family supports multicast groups.
-I interface
Limit output to the addresses configured on the specified in-
terface name.
The following fields are displayed:
Name The name of the interface.
Idx The index of the interface. This field is used to identify the
interface in some system calls.
Address
The physical or protocol address assigned to the interface. When
possible the addresses are displayed symbolically. Otherwise (or
if the -n option is specified), the addressed are printed numeri-
cally, according to rules specific to the address family. For
POINTOPOINT interfaces, the remote address is displayed.
Group The multicast group or range of groups enabled on this interface,
displayed symbolically if possible.
State For group addresses at the protocol layer (e.g. IP multicast) the
state of the group membership is displayed.
Timer For group addresses at the protocol layer (e.g. IP multicast) the
group membership timer is displayed.
Refs For group addresses at the protocol layer (e.g. IP multicast) the
count of connections that have joined this group are displayed.
Interface Statistics
netstat-is [-bknOPv] [-I interface] [-f address_family] [-M core] [-N
system]
The fifth form of the netstat command displays statistics for network in-
terfaces, one physical or protocol address per line. Interface statis-
tics are displayed for each physical interface and each protocol address
assigned to each interface. Some protocol families (IP) support statis-
tics per address, these will be listed when available.
Options specific to this form of the netstat command are:
-b Display byte counts instead of packet counts.
-f address_family
Limit output to statistics for addresses in the specified ad-
dress family. Physical interface statistics are always dis-
played. Possible address families are listed in the descrip-
tion of the global options above.
-I interface
Limit output to the statistics for the specified interface.
-v When specified once, the output changes to include detailed
statistics displayed as multiple lines per physical inter-
face. Only non-zero statistics are displayed unless this
flag is specified twice.
The following fields are displayed:
Name The name of the interface.
Idx The index of the interface. This field is used to identify the
interface in some system calls.
Address
The interface address for which these statistics apply. For phys-
ical interfaces, the link level address, if any, is displayed.
For POINTOPOINT interfaces, the remote protocol addresses are dis-
played. When possible the addresses are displayed symbolically
unless the -n option is specified.
Ipkts For physical interfaces, the total number of packets received on
this interface. For protocol interface addresses, the number of
packets received for this particular address are displayed. This
field is not displayed when the -b option is specified.
Ibytes
For physical interfaces, the number of bytes received on this in-
terface. For protocol interface addresses the number of bytes re-
ceived for this particular address are displayed. This field is
only displayed when the -b option is specified.
Ierrs For physical interfaces, the number of input errors. There is no
equivalent for protocol interface addresses, this field is left
blank.
Opkts For physical interfaces, the total number of packets received on
this interface. For protocol interface addresses, the number of
packets sent from this particular address are displayed. This
field is not displayed when the -b option is specified.
Obytes
For physical interfaces, the total number of bytes sent on this
interface. For protocol interface addresses, the number of bytes
sent from this particular address are displayed. This field is
only displayed when the -b option is specified.
Oerrs For physical interfaces, the number of output errors. There is no
equivalent for protocol interface addresses, this field is left
blank.
Coll For CSMA (i.e. Ethernet) interfaces, this field counts the number
of collisions. Other usage of this field should be documented in
the man page for the specific network interface.
Drop The number of packets dropped on output because the queue was
full.
Interface Statistics Monitor
netstat-i -w wait [-bkv] [-I interface] [-f address_family] [-M core]
[-N system]
The sixth form of the netstat command provides a regularly updated dis-
play of statistics about one selected interface and the sum of the
statistics for all interfaces.
By default, netstat chooses an ``interesting'' interface by trying to
find the first non-loopback interface that is up, then the loopback in-
terface if it is up, finally the first interface, up or down. A specific
interface my be chosen with the -I interface option.
Options specific to this form of the netstat command are:
-b Display byte counts instead of packet counts.
-I interface
Specifies the interface to monitor. If this option is not
used, netstat will choose an interface, see above.
-w wait Pause wait seconds between each display. The minimum value
is one second.
-v Specifies that the display should include the count of pack-
ets dropped due to full output queues. This counter is in-
cluded in the display of the selected interface as well as a
sum of dropped packets for all interfaces.
The following fields are displayed:
input packets
The total number of packets received on this interface. This
field is not displayed when the -b option is specified.
input bytes
The number of bytes received on this interface. This field is on-
ly displayed when the -b option is specified.
input errs
The number of input errors.
output packets
The total number of packets received on this interface. This
field is not displayed when the -b option is specified.
output bytes
The total number of bytes sent on this interface. This field is
only displayed when the -b option is specified.
output errs
The number of output errors.
colls For CSMA (i.e. Ethernet) interfaces, this field counts the number
of collisions. Other usage of this field should be documented in
the man page for the specific network interface.
drops The number of packets dropped on output because the queue was
full. This field is only displayed when the -v flag is specified.
Network Buffer utilization
netstat-m [-k] [-M core] [-N system]
The seventh form of the netstat command display provides statistics
recorded by the memory management routines (the network manages a private
pool of memory buffers called mbufs).
Forwarding Table
netstat-r [-AknOPv] [-f address_family] [-M core] [-N system]
The eighth form of the netstat command displays the entries in the kernel
forwarding tables and their status for each protocol family supported by
the kernel.
Options specific to this form of the netstat command are:
-A Display the addresses of control blocks and other esoteric
details of the kernel forwarding table that is probably only
of interest to someone debugging the forwarding table.
-v Used once, this option adds the address associated with the
outbound interface. This is useful when interfaces are con-
figured for more than one address. If this option is repeat-
ed, the display includes a reference count of connections us-
ing this entry and the number of packets which have been sent
using this entry.
The following fields are displayed:
Destination
The destination specified by this forwarding table entry. The
destination may be host or a network with mask (sometimes called a
netmask), which specifies which parts of the address are matched.
If the mask is not the obvious value than 16 bits (e.g. if a
entry for an Internet Class B network has a mask other), the mask
is indicated in one of two ways: If the mask is contiguous from
the most-significant bit to the end, the usual case for subnets, a
slash (/) and the number of bits in the mask are appended to net-
work value. Otherwise, an ampersand (&) and a numeric representa-
tion of the mask are appended.
Some address families have the notion of a ``default'' entry that
is used when there is no more appropriate entry for the destina-
tion. This entry will be listed with a destination of
``default''.
When possible the host and network addresses are displayed symbol-
ically unless the -n option is specified.
Gateway
When an intermediate router is used to send packets to the desti-
nation (i.e. the flags field contains a G) this field will display
the address of that router. When an intermediate router is not in
use this field may display the address for the interface used when
sending to the destination, or may contain a link-layer address.
When possible the gateway addresses are displayed symbolically un-
less the -n option is specified.
Flags This field shows a collection of information about the entry
stored as binary choices. The individual flags are discussed in
more detail in the route(8) and route(4) manual pages. The map-
ping between letters and flags is:
1 RTF_PROTO1 Protocol specific routing flag #1
2 RTF_PROTO2 Protocol specific routing flag #2
A RTF_AUTH IPSEC Authenticated tunnel route
B RTF_BLACKHOLE Just discard packets (during updates)
C RTF_CLONING Generate new entries on use
c RTF_CLONED A cloned entry
D RTF_DYNAMIC Created dynamically (by redirect)
E RTF_CRYPT IPSEC Encrypted tunnel route
G RTF_GATEWAY Requires forwarding through an intermediary
H RTF_HOST Host entry (net otherwise)
L RTF_LLINFO Valid protocol to link address translation
M RTF_MODIFIED Modified dynamically (by redirect)
R RTF_REJECT Host or net unreachable
S RTF_STATIC Manually added
T RTF_TUNNEL Tunnelling route
U RTF_UP Entry usable
X RTF_XRESOLVE External daemon translates proto to link addr
Ref This field gives the current number of active connections using
this entry. Connection oriented protocols normally hold on to a
single entry for the duration of a connection while connection-
less protocols hold on to an entry only while sending to the same
destination. This field is only displayed when the -v option is
specified more than once.
Use The use field provides a count of the number of packets sent using
this entry. This field is only displayed when the -v option is
specified more than once.
MTU This field displays the ``maximum transmission unit'' to use for
this destination. This MTU may be less than the MTU configured on
the interface if there is a mechanism for determining the optimum
MTU to the destination or the MTU was explicitly specified (i.e.
by route(8)). In the case of tcp(4) the Dynamic Path MTU discov-
ery mechanism is used to determine the largest MTU available on
the path to the destination.
Interface
This field indicates the network interface that will be used when
sending packets to the destination of this entry. When the -v op-
tion is specified, the specific protocol address on the interface
is also printed. This is useful when multiple protocol addresses
are assigned to one physical interface.
Direct entries are created for each interface attached to the local host;
the gateway field for such entries shows the address of the outgoing in-
terface. Some interfaces such as Ethernet also use link-level entries;
see arp(8). In those cases, the direct network entry has the ``cloning''
flag set (C), which causes individual host entries to be created on de-
mand for hosts on that network. In addition to having the ``cloned''
flag set (c), these host entries contain link-level ``gateway'' entries
with their link-level addresses, and the ``L'' link-level flag is set.
Cloned entries are also created due to the Dynamic Path MTU discovery
mechanism. These will always be host entries, and will have the
``cloned'' flag set (c).
Multicast Forwarding Tables
netstat-rg [-knOP] [-f address_family] [-M core] [-N system]
The ninth form displays the multicast forwarding information, including
the table of multicast virtual addresses and the multicast forwarding
cache. Currently, multicast forwarding information is only available for
the inet address family.
The IP multicast forwarding table display consists of two sections, the
virtual interface table and the multicast forwarding cache. The virtual
interface table describes the interfaces as IP multicast forwarding sees
them. The table consists of an entry for each real interface on which IP
multicast is enabled and a list of tunnels used to connect clouds of sys-
tems supporting IP multicast that are separated by routers that do not
support IP multicast. The fields in this table are:
Vif A non-negative integer which is used to identify this virtual in-
terface in the kernel.
Thresh
The threshold for this interface. Only packets with a TTL greater
than this value will be forwarded.
Rate_lmt
Specifies the maximum bandwidth that should be sent via this vir-
tual interface in kilo-bytes per second.
Local-Address
The address that identifies the address of the local interface, or
the local side of a tunnel. If possible this address is printed
symbolically unless the -n option is given.
Remote-Address
The address that identifies the remote side of a tunnel. For lo-
cal interfaces this field is left blank. If possible this address
is printed symbolically unless the -n option is given.
Pkt_in
The number of multicast packets received on this tunnel or local
interface.
Pkt_out
The number of multicast packets transmitted via this tunnel or lo-
cal interface.
The multicast forwarding cache contains forwarding entries used for send-
ing multicast packets. Unlike unicast packets which are forwarded based
on their destination, multicast packets are forward based on the destina-
tion multicast group and host that originated the packet. Entries in
this cache are created on demand by querying the multicast routing daemon
(for IP this is mrouted(8)) when trying to forward a packet for which
there is no cache entry.
Fields in this table are:
Hash The hash number is used by the kernel to efficiently find an entry
in the cache. This field is mostly of interest to kernel develop-
ers.
Origin-Subnet
Identifies the originating host to which this entry applies. This
field is printed symbolically if possible unless the -n option is
specified.
Mcastgroup
Identifies the destination multicast group to which this entry ap-
plies. This field is printed symbolically if possible unless the
-n option is specified.
# pkts
The number of packets which have been forwarded using this entry.
In-Vif
The virtual interface from which this packet must be received. If
a packet matches this entry but arrives via another virtual inter-
face, it is discarded.
Out-Vifs/Forw-ttl
A list of virtual interfaces to which a packet matching this entry
should be forwarded and an associated minimum time-to-live (TTL)
for each virtual interface. The TTL describes the shortest dis-
tance (number of routers to be traversed) to the first application
listening for packets from this multicast group. If the TTL in a
packet is smaller than the TTL in the entry, the packet is not
transmitted on this virtual interface.
Forwarding Table Statistics
netstat-rs [-g] [-f address_family] [-M core] [-N system]
The tenth form displays statistics about the kernel forwarding tables.
By default, information about the unicast forwarding table is provided.
Options specific to this form of the netstat command are:
-g Provide statistics about kernel multicast forwarding tables.
SEE ALSOnfsstat(1), ps(1), hosts(5), networks(5), protocols(5), services(5),
arp(8), iostat(8), trpt(8), trsp(8), vmstat(8)HISTORY
The netstat command appeared in 4.2BSD. Support for IPv6 and the IP Secu-
rity protocols (ESP and AH) was added at the Information Technology Divi-
sion, Naval Research Laboratory.
FILES
/dev/kmem default kernel memory
/bsd default system namelist
BUGS
The notion of errors is ill-defined.
4.4BSD January 11, 1995 10