netstat(1M) System Administration Commands netstat(1M)NAMEnetstat - show network status
SYNOPSISnetstat [-anvR] [-f address_family] [-P protocol]
netstat-g [-nv] [-f address_family]
netstat-p [-n] [-f address_family]
netstat-s [-f address_family] [-P protocol]
[-T u | d ] [interval [count]]
netstat-m [-T u | d ] [-v] [interval [count]]
netstat-i [-I interface] [-an] [-f address_family]
[-T u | d ] [interval [count]]
netstat-r [-anvR] [-f address_family | filter]
netstat-M [-ns] [-f address_family]
netstat-D [-I interface] [-f address_family]
netstat-d [-f address_family]
DESCRIPTION
The netstat command displays the contents of certain network-related
data structures in various formats, depending on the options you
select.
The netstat command has the several forms shown in the SYNOPSIS sec‐
tion, above, listed as follows:
o The first form of the command (with no required arguments)
displays a list of active sockets for each protocol.
o The second, third, and fourth forms (-g, -p, and -s options)
display information from various network data structures.
o The fifth form (-m option) displays STREAMS memory statis‐
tics.
o The sixth form (-i option) shows the state of the inter‐
faces.
o The seventh form (-r option) displays the routing table.
o The eighth form (-M option) displays the multicast routing
table.
o The ninth form (-D option) displays the state of DHCP on one
or all interfaces.
o The tenth form (-d option) displays the table of destination
cache entries.
These forms are described in greater detail below.
With no arguments (the first form), netstat displays connected sockets
for PF_INET, PF_INET6, and PF_UNIX, unless modified otherwise by the -f
option.
OPTIONS-a
Show the state of all sockets, all routing table entries, or all
interfaces, both physical and logical. Normally, listener sockets
used by server processes are not shown. Under most conditions, only
interface, host, network, and default routes are shown and only the
status of physical interfaces is shown.
-d
Show the destination cache entry table. See DISPLAYS, below.
-f address_family
Limit all displays to those of the specified address_family. The
value of address_family can be one of the following:
inet For the AF_INET address family showing IPv4 information.
inet6 For the AF_INET6 address family showing IPv6 information.
unix For the AF_UNIX address family.
-f filter
With -r only, limit the display of routes to those matching the
specified filter. A filter rule consists of a keyword:value pair.
The known keywords and the value syntax are:
af:{inet|inet6|unix|number}
Selects an address family. This is identical to -f address_fam‐
ily and both syntaxes are supported.
outif:{name|ifIndex|any|none}
Selects an output interface. You can specify the interface by
name (such as hme0) or by ifIndex number (for example, 2). If
any is used, the filter matches all routes having a specified
interface (anything other than null). If none is used, the fil‐
ter matches all routes having a null interface. Note that you
can view the index number (ifIndex) for an interface with the
-a option of ifconfig(1M).
dst:{ip-address[/mask]|any|none}
Selects a destination IP address. If specified with a mask
length, then any routes with matching or longer (more specific)
masks are selected. If any is used, then all but addresses but
0 are selected. If none is used, then address 0 is selected.
flags:[+ -]?[ABDGHLMSU]+
Selects routes tagged with the specified flags. By default, the
flags as specified must be set in order to match. With a lead‐
ing +, the flags specified must be set but others are ignored.
With a leading -, the flags specified must not be set and oth‐
ers are permitted.
You can specify multiple instances of -f to specify multiple fil‐
ters. For example:
% netstat-nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8
The preceding command displays routes within network 10.0.0.0/8,
with mask length 8 or greater, and an output interface of either
hme0 or hme1, and excludes all other routes.
-g
Show the multicast group memberships for all interfaces. If the -v
option is included, source-specific membership information is also
displayed. See DISPLAYS, below.
-i
Show the state of the interfaces that are used for IP traffic. Nor‐
mally this shows statistics for the physical interfaces. When com‐
bined with the -a option, this will also report information for the
logical interfaces. See ifconfig(1M).
-m
Show the STREAMS memory statistics.
-n
Show network addresses as numbers. netstat normally displays
addresses as symbols. This option may be used with any of the dis‐
play formats.
-p
Show the net to media tables. See DISPLAYS, below.
-r
Show the routing tables. Normally, only interface, host, network,
and default routes are shown, but when this option is combined with
the -a option, all routes will be displayed, including cache. If
you have not set up a multicast route, -ra might not show any mul‐
ticast routing entries, although the kernel will derive such an
entry if needed.
-s
Show per-protocol statistics. When used with the -M option, show
multicast routing statistics instead. When used with the -a option,
per-interface statistics will be displayed, when available, in
addition to statistics global to the system. See DISPLAYS, below.
-T u | d
Display a time stamp.
Specify u for a printed representation of the internal representa‐
tion of time. See time(2). Specify d for standard date format. See
date(1).
-v
Verbose. Show additional information for the sockets, STREAMS mem‐
ory statistics, routing table, and multicast group memberships.
-I interface
Show the state of a particular interface. interface can be any
valid interface such as hme0 or eri0. Normally, the status and sta‐
tistics for physical interfaces are displayed. When this option is
combined with the -a option, information for the logical interfaces
is also reported.
-M
Show the multicast routing tables. When used with the -s option,
show multicast routing statistics instead.
-P protocol
Limit display of statistics or state of all sockets to those appli‐
cable to protocol. The protocol can be one of ip, ipv6, icmp,
icmpv6, icmp, icmpv6, igmp, udp, tcp, rawip. rawip can also be
specified as raw. The command accepts protocol options only as all
lowercase.
-D
Show the status of DHCP configured interfaces.
-R
This modifier displays extended security attributes for sockets and
routing table entries. The -R modifier is available only if the
system is configured with the Solaris Trusted Extensions feature.
With -r only, this option displays the routing entries' gateway
security attributes. See route(1M) for more information on security
attributes.
When displaying socket information using the first form of the com‐
mmand, this option displays additional information for Multi-Level
Port(MLP) sockets. This includes:
o The label for the peer if the socket is connected.
o The following flags can be appended to the socket's
"State" output:
P The socket is a MLP on zone-private IP addresses.
S The socket is a MLP on IP addresses shared between
zones.
OPERANDS
interval Display statistics accumulated since last display every
interval seconds, repeating forever, unless count is speci‐
fied. When invoked with interval, the first row of netstat
output shows statistics accumulated since last reboot.
The following options support interval: -i, -m, -s and -Ms.
Some values are configuration parameters and are just
redisplayed at each interval.
count Display interface statistics the number of times specified
by count, at the interval specified by interval.
DISPLAYS
Active Sockets (First Form)
The display for each active socket shows the local and remote address,
the send and receive queue sizes (in bytes), the send and receive win‐
dows (in bytes), and the internal state of the protocol.
The symbolic format normally used to display socket addresses is
either:
hostname.port
when the name of the host is specified, or
network.port
if a socket address specifies a network but no specific host.
The numeric host address or network number associated with the socket
is used to look up the corresponding symbolic hostname or network name
in the hosts or networks database.
If the network or hostname for an address is not known, or if the -n
option is specified, the numerical network address is shown. Unspeci‐
fied, or "wildcard", addresses and ports appear as an asterisk (*). For
more information regarding the Internet naming conventions, refer to
inet(7P) and inet6(7P).
For SCTP sockets, because an endpoint can be represented by multiple
addresses, the verbose option (-v) displays the list of all the local
and remote addresses.
TCP Sockets
The possible state values for TCP sockets are as follows:
BOUND Bound, ready to connect or listen.
CLOSED Closed. The socket is not being used.
CLOSING Closed, then remote shutdown; awaiting acknowledgment.
CLOSE_WAIT Remote shutdown; waiting for the socket to close.
ESTABLISHED Connection has been established.
FIN_WAIT_1 Socket closed; shutting down connection.
FIN_WAIT_2 Socket closed; waiting for shutdown from remote.
IDLE Idle, opened but not bound.
LAST_ACK Remote shutdown, then closed; awaiting acknowledgment.
LISTEN Listening for incoming connections.
SYN_RECEIVED Initial synchronization of the connection under way.
SYN_SENT Actively trying to establish connection.
TIME_WAIT Wait after close for remote shutdown retransmission.
SCTP Sockets
The possible state values for SCTP sockets are as follows:
CLOSED Closed. The socket is not being used.
LISTEN Listening for incoming associations.
ESTABLISHED Association has been established.
COOKIE_WAIT INIT has been sent to the peer, awaiting acknowl‐
edgment.
COOKIE_ECHOED State cookie from the INIT-ACK has been sent to
the peer, awaiting acknowledgement.
SHUTDOWN_PENDING SHUTDOWN has been received from the upper layer,
awaiting acknowledgement of all outstanding DATA
from the peer.
SHUTDOWN_SENT All outstanding data has been acknowledged in the
SHUTDOWN_SENT state. SHUTDOWN has been sent to the
peer, awaiting acknowledgement.
SHUTDOWN_RECEIVED SHUTDOWN has been received from the peer, awaiting
acknowledgement of all outstanding DATA.
SHUTDOWN_ACK_SENT All outstanding data has been acknowledged in the
SHUTDOWN_RECEIVED state. SHUTDOWN_ACK has been
sent to the peer.
Network Data Structures (Second Through Fifth Forms)
The form of the display depends upon which of the -g, -m, -p, or -s
options you select.
-g Displays the list of multicast group membership.
-m Displays the memory usage, for example, STREAMS mblks.
-p Displays the net to media mapping table. For IPv4, the address
resolution table is displayed. See arp(1M). For IPv6, the neigh‐
bor cache is displayed.
-s Displays the statistics for the various protocol layers.
The statistics use the MIB specified variables. The defined values for
ipForwarding are:
forwarding(1) Acting as a gateway.
not-forwarding(2) Not acting as a gateway.
The IPv6 and ICMPv6 protocol layers maintain per-interface statistics.
If the -a option is specified with the -s option, then the per-inter‐
face statistics as well as the total sums are displayed. Otherwise,
just the sum of the statistics are shown.
For the second, third, and fourth forms of the command, you must spec‐
ify at least -g, -p, or -s. You can specify any combination of these
options. You can also specify -m (the fifth form) with any set of the
-g, -p, and -s options. If you specify more than one of these options,
netstat displays the information for each one of them.
Interface Status (Sixth Form)
The interface status display lists information for all current inter‐
faces, one interface per line. If an interface is specified using the
-I option, it displays information for only the specified interface.
The list consists of the interface name, mtu (maximum transmission
unit, or maximum packet size)(see ifconfig(1M)), the network to which
the interface is attached, addresses for each interface, and counter
associated with the interface. The counters show the number of input
packets, input errors, output packets, output errors, and collisions,
respectively. For Point-to-Point interfaces, the Net/Dest field is the
name or address on the other side of the link.
If the -a option is specified with either the -i option or the -I
option, then the output includes names of the physical interface(s),
counts for input packets and output packets for each logical interface,
plus additional information.
If the -n option is specified, the list displays the IP address instead
of the interface name.
If an optional interval is specified, the output will be continually
displayed in interval seconds until interrupted by the user or until
count is reached. See OPERANDS.
The physical interface is specified using the -I option. When used with
the interval operand, output for the -I option has the following for‐
mat:
input eri0 output input (Total) output
packets errs packets errs colls packets errs packets errs colls
227681 0 659471 1 502 261331 0 99597 1 502
10 0 0 0 0 10 0 0 0 0
8 0 0 0 0 8 0 0 0 0
10 0 2 0 0 10 0 2 0 0
If the input interface is not specified, the first interface of address
family inet or inet6 will be displayed.
Routing Table (Seventh Form)
The routing table display lists the available routes and the status of
each. Each route consists of a destination host or network, and a gate‐
way to use in forwarding packets. The flags column shows the status of
the route. These flags are as follows:
U Indicates route is up.
G Route is to a gateway.
H Route is to a host and not a network.
M Redundant route established with the -multirt option.
S Route was established using the -setsrc option.
D Route was created dynamically by a redirect.
B Packets will be silently dropped (RTF_BLACKHOLE set).
R Packets will be dropped with ICMP error sent (RTF_REJECT set).
I Indirect routes (gateway not directly reachable) established with
the -indirect option.
If the -a option is specified, there will be routing entries with the
following flags:
b Broadcast addresses.
C Clones interface host route entries for on-link destinations.
L Local addresses for the host.
Interface routes are created for each interface attached to the local
host; the gateway field for such entries shows the address of the out‐
going interface.
The use column displays the number of packets sent or forwarded using
the route in question.
The interface entry indicates the network interface utilized for the
route.
Multicast Routing Tables (Eighth Form)
The multicast routing table consists of the virtual interface table and
the actual routing table.
DHCP Interface Information (Ninth Form)
The DHCP interface information consists of the interface name, its cur‐
rent state, lease information, packet counts, and a list of flags.
The states correlate with the specifications set forth in RFC 2131.
Lease information includes:
o when the lease began;
o when lease renewal will begin; and
o when the lease will expire.
The flags currently defined include:
BOOTP The interface has a lease obtained through BOOTP (IPv4
only).
BUSY The interface is busy with a DHCP transaction.
PRIMARY The interface is the primary interface. See dhcpinfo(1) and
ifconfig(1M).
FAILED The interface is in failure state and must be manually
restarted.
Packet counts are maintained for the number of packets sent, the number
of packets received, and the number of lease offers declined by the
DHCP client. All three counters are initialized to zero and then incre‐
mented while obtaining a lease. The counters are reset when the period
of lease renewal begins for the interface. Thus, the counters represent
either the number of packets sent, received, and declined while obtain‐
ing the current lease, or the number of packets sent, received, and
declined while attempting to obtain a future lease.
Destination Cache Entry Table (Tenth Form)
The destination cache entry display shows the recorded path MTU, the
age (in seconds) of the entry, and flags. The P flag indicates that a
path MTU is recorded. The S flag indicates that the path MTU is smaller
than the minumum that IP will allow. The U flag indicates that some
transport metrics (round-trip time, and so forth) are cached in the
destination cache entry.
FILES
/etc/default/inet_type DEFAULT_IP setting
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │SUNWcs │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOarp(1M), dhcpinfo(1), dhcpagent(1M), ifconfig(1M), iostat(1M),
kstat(1M), mibiisa(1M), savecore(1M), vmstat(1M), hosts(4),
inet_type(4), networks(4), protocols(4), services(4), attributes(5),
dhcp(5), kstat(7D), inet(7P), inet6(7P)
Droms, R., RFC 2131, Dynamic Host Configuration Protocol, Network Work‐
ing Group, March 1997.
Droms, R. RFC 3315, Dynamic Host Configuration Protocol for IPv6
(DHCPv6). Cisco Systems. July 2003.
NOTES
When displaying interface information, netstat honors the DEFAULT_IP
setting in /etc/default/inet_type. If it is set to IP_VERSION4, then
netstat will omit information relating to IPv6 interfaces, statistics,
connections, routes and the like.
However, you can override the DEFAULT_IP setting in
/etc/default/inet_type on the command-line. For example, if you have
used the command-line to explicitly request IPv6 information by using
the inet6 address family or one of the IPv6 protocols, it will override
the DEFAULT_IP setting.
If you need to examine network status information following a kernel
crash, use the mdb(1) utility on the savecore(1M) output.
The netstat utility obtains TCP statistics from the system by opening
/dev/tcp and issuing queries. Because of this, netstat might display an
extra, unused connection in IDLE state when reporting connection sta‐
tus.
Previous versions of netstat had undocumented methods for reporting
kernel statistics published using the kstat(7D) facility. This func‐
tionality has been removed. Use kstat(1M) instead.
netstat restricts its output to information that is relevant to the
zone in which netstat runs. (This is true for both shared-IP and exclu‐
sive-IP zones.)
SunOS 5.11 11 Nov 2009 netstat(1M)
