Monday, December 29, 2014

NETSTAT command


1. Display routing information maintained by kernel

This information can be retrieved using the -r option along with this command.

Consider the following example :
$ netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 wlan0
link-local      *               255.255.0.0     U         0 0          0 wlan0
default         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
So we see that kernel routing table information was displayed using the -r option. The flag 'U' indicates that this entry is up while the flag 'G' indicates that this entry is not a direct entry i.e. the destination indicated in this route entry is not on the same network. A list of flags is given below : 

A
 Receive all multicast at this interface.
B OK broadcast.
D Debugging ON.
M Promiscuous Mode.
O No ARP at this interface.
P P2P connection at this interface.
R Interface is running.
U Interface is up. 
G
 Not a direct entry.

2. Display multicast group membership information

This information is displayed for both IPv4 and IPv6 and can be retrieved using -g option with this command.

Consider the following example :
$ netstat -g
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      all-systems.mcast.net
eth0            1      all-systems.mcast.net
wlan0           1      224.0.0.251
wlan0           1      all-systems.mcast.net
lo              1      ip6-allnodes
eth0            1      ip6-allnodes
wlan0           1      ff02::1:ff20:3a8e
wlan0           1      ip6-allnodes
pan0            1      ip6-allnodes
So we see that the multicast information was displayed in the above output.

3. Display information related to all network interfaces

This is made possible using the -i option along with this command.

Consider the following example :
$ netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    166164      0      0 0        152434      0      0      0 BMRU
So we see that all the network information related to individual interfaces was displayed in the output. The RX and TX columns are described as follows : 

RX-OK
   : Correct packets received on this interface. 
RX-ERR
 : Incorrect packets received on this interface 
RX-DRP
 : Packets that were dropped at this interface.
RX-OVR : Packets that this interface was unable to receive.

Similar definition is for the TX columns that describe the transmitted packets.

4. Display summary statistics for each protocol

This is very handy information that netstat command provides. This information can be retrieved by using -s option with this command.

Consider the following example :
$ netstat -s
Ip:
    167813 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    166864 incoming packets delivered
    153028 requests sent out
Icmp:
    12 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 12
    12 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 12
IcmpMsg:
        InType3: 12
        OutType3: 12
Tcp:
    3270 active connections openings
    0 passive connection openings
    11 failed connection attempts
    279 connection resets received
    2 connections established
    158262 segments received
    145989 segments send out
    477 segments retransmited
    0 bad segments received.
    1938 resets sent
Udp:
    5418 packets received
    12 packets to unknown port received.
    0 packet receive errors
    5387 packets sent
UdpLite:
TcpExt:
    52 packets pruned from receive queue because of socket buffer overrun
    1661 TCP sockets finished time wait in fast timer
    2 time wait sockets recycled by time stamp
    5 packets rejects in established connections because of timestamp
    3733 delayed acks sent
    1 delayed acks further delayed because of locked socket
    Quick ack mode was activated 890 times
    384 packets directly queued to recvmsg prequeue.
    210504 bytes directly received in process context from prequeue
    83445 packet headers predicted
    153 packets header predicted and directly queued to user
    8241 acknowledgments not containing data payload received
    1732 predicted acknowledgments
    3 congestion windows recovered without slow start by DSACK
    203 congestion windows recovered without slow start after partial ack
    1 timeouts after reno fast retransmit
    9 timeouts after SACK recovery
    2 timeouts in loss state
    9 retransmits in slow start
    428 other TCP timeouts
    1782 packets collapsed in receive queue due to low socket buffer
    861 DSACKs sent for old packets
    22 DSACKs sent for out of order packets
    276 DSACKs received
    407 connections reset due to unexpected data
    272 connections reset due to early user close
    4 connections aborted due to timeout
    TCPDSACKIgnoredOld: 128
    TCPDSACKIgnoredNoUndo: 31
    TCPSackShiftFallback: 2
IpExt:
    InMcastPkts: 2370
    OutMcastPkts: 1199
    InBcastPkts: 2270
    OutBcastPkts: 1331
    InOctets: 194805011
    OutOctets: 15947915
    InMcastOctets: 74161
    OutMcastOctets: 41385
    InBcastOctets: 477074
    OutBcastOctets: 194151
So we see that vital statistical information related to each protocol was displayed in the output.

5. Monitor continuously

Yes, netstat command provides an option -c using which any type of information can be monitored continuously. Here continuously means that same information would be fetched again and again after each second and the netstat output will grow until you choose to stop the command.

Here is an example where the interface information can be monitored continuously :
$ netstat -ic
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167000      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167001      0      0 0        153174      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167001      0      0 0        153175      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167001      0      0 0        153175      0      0      0 BMRU
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500 0         0      0      0 0             0      0      0      0 BMU
lo        16436 0        44      0      0 0            44      0      0      0 LRU
wlan0      1500 0    167001      0      0 0        153175      0      0      0 BMRU
^C
$
So we see that the interface information (using -i) was displayed continuously again and again using -c option. The figure change (highlighted in bold) in the output above gives us an idea how -c option is useful to see updates in statistics in real time.

6. Display extra information

Apart from the information that netstat produces in output, Extra information can be produced in output using -e option.

Consider an example below :
$ netstat -e
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      
tcp        0      0 himanshu-laptop.l:46096 sjc-not16.sjc.dropb:www ESTABLISHED himanshu   88185      
tcp       38      0 himanshu-laptop.l:40156 v-d-1a.sjc.dropbo:https CLOSE_WAIT  himanshu   88182      
tcp       38      0 himanshu-laptop.l:54501 v-client-5a.sjc.d:https CLOSE_WAIT  himanshu   247035     
tcp       38      0 himanshu-laptop.l:60738 v-client-2b.sjc.d:https CLOSE_WAIT  himanshu   10991      
tcp        0      0 himanshu-laptop.l:59610 del01s05-in-f22.1:https ESTABLISHED himanshu   186169     
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    3273     @/org/kernel/udev/udevd
unix  20     [ ]         DGRAM                    4787     /dev/log
unix  3      [ ]         STREAM     CONNECTED     206978   @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206977   
unix  3      [ ]         STREAM     CONNECTED     206943   @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206942   
unix  3      [ ]         STREAM     CONNECTED     206941   @/tmp/.ICE-unix/1543
unix  3      [ ]         STREAM     CONNECTED     206940   
unix  3      [ ]         STREAM     CONNECTED     206939   @/tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     206938   
unix  3      [ ]         STREAM     CONNECTED     206937   /tmp/orbit-himanshu/linc-dcf-0-427340219d277
unix  3      [ ]         STREAM     CONNECTED     206936   
unix  3      [ ]         STREAM     CONNECTED     206933   /tmp/orbit-himanshu/linc-630-0-480531b88e2fc
...
...
...
So we see that lots of extra information related to internet connections (like user, Inode etc) was produced in the output.

7. Display network timer related information

This type of information can be produced in output using -o option with this command.

Consider the following example :
$ netstat -o
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 himanshu-laptop.l:46096 sjc-not16.sjc.dropb:www ESTABLISHED off (0.00/0/0)
tcp       38      0 himanshu-laptop.l:40156 v-d-1a.sjc.dropbo:https CLOSE_WAIT  off (0.00/0/0)
tcp       38      0 himanshu-laptop.l:54501 v-client-5a.sjc.d:https CLOSE_WAIT  off (0.00/0/0)
tcp       38      0 himanshu-laptop.l:60738 v-client-2b.sjc.d:https CLOSE_WAIT  off (0.00/0/0)
tcp        0      0 himanshu-laptop.l:59610 del01s05-in-f22.1:https ESTABLISHED off (0.00/0/0)
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    3273     @/org/kernel/udev/udevd
unix  20     [ ]         DGRAM                    4787     /dev/log
unix  3      [ ]         STREAM     CONNECTED     206978   @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206977   
unix  3      [ ]         STREAM     CONNECTED     206943   @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206942   
...
...
...
So we see that the timer related information (highlighted in bold) was produced in the output.

8. Display the PID of the program using socket

The PID of the program using a particular socket can be produced in the output using the option -p with this command.

Consider the following example :
$ netstat -p
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0    195 himanshu-laptop.l:46096 sjc-not16.sjc.dropb:www ESTABLISHED 1643/dropbox    
tcp       38      0 himanshu-laptop.l:40156 v-d-1a.sjc.dropbo:https CLOSE_WAIT  1643/dropbox    
tcp       38      0 himanshu-laptop.l:54501 v-client-5a.sjc.d:https CLOSE_WAIT  1643/dropbox    
tcp       38      0 himanshu-laptop.l:60738 v-client-2b.sjc.d:https CLOSE_WAIT  1643/dropbox    
tcp        0      0 himanshu-laptop.l:59610 del01s05-in-f22.1:https ESTABLISHED 1887/firefox    
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ]         DGRAM                    3273     -                   @/org/kernel/udev/udevd
unix  20     [ ]         DGRAM                    4787     -                   /dev/log
unix  3      [ ]         STREAM     CONNECTED     206978   1581/dbus-daemon    @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206977   1627/metacity       
...
...
...
As suggested by the highlighted portion in the output, the PID related information was produced using -p option.

9. Show only listening sockets

This can be made possible by using the -l option with this command.

Consider the following example :
$ netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:ipp           *:*                     LISTEN     
tcp        0      0 *:17500                 *:*                     LISTEN     
tcp6       0      0 [::]:netbios-ssn        [::]:*                  LISTEN     
tcp6       0      0 localhost:ipp           [::]:*                  LISTEN     
tcp6       0      0 [::]:microsoft-ds       [::]:*                  LISTEN
...
...
...
So we see that only those sockets whose state is LISTEN are produced in the output.

10. Show routing information from route cache

Information from route cache is produced in the output using -C option with this command.

Consider the following example :
$ netstat -C
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 himanshu-laptop.l:46096 sjc-not16.sjc.dropb:www ESTABLISHED
tcp       38      0 himanshu-laptop.l:40156 v-d-1a.sjc.dropbo:https CLOSE_WAIT 
tcp       38      0 himanshu-laptop.l:54501 v-client-5a.sjc.d:https CLOSE_WAIT 
tcp       38      0 himanshu-laptop.l:60738 v-client-2b.sjc.d:https CLOSE_WAIT 
tcp        0      0 himanshu-laptop.l:59610 del01s05-in-f22.1:https ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ]         DGRAM                    3273     @/org/kernel/udev/udevd
unix  20     [ ]         DGRAM                    4787     /dev/log
unix  3      [ ]         STREAM     CONNECTED     206978   @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206977   
unix  3      [ ]         STREAM     CONNECTED     206943   @/tmp/dbus-VwQ8GS3QiP
unix  3      [ ]         STREAM     CONNECTED     206942   
...
...
...
The output above is produced using the information from route cache. 

--
If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, 
your modem(s) and your network card(s))

0.0.0.0 means the process is bound to all interfaces.
127.0.0.1 means the process is bound only to the 127.0.0.1 interface (loopback).
If you had other interfaces you might have x.y.z.a entries indicating the process was bound to those specific interfaces.
A process will only be told if traffic arrives on the interfaces to which it is bound, so yes, it's kind of a filter, although it's not usually described in those terms.
--

No comments:

Post a Comment