From Linux Man Pages
Contents
- 1 NAME
- 2 SYNOPSIS
- 3 DESCRIPTION
- 4 (none)
- 5 --route , -r
- 6 --groups , -g
- 7 --interfaces , -i
- 8 --masquerade , -M
- 9 --statistics , -s
- 10 --verbose , -v
- 11 --numeric , -n
- 12 --numeric-hosts
- 13 --numeric-ports
- 14 --numeric-users
- 15 --protocol=family , -A
- 16 -c, --continuous
- 17 -e, --extend
- 18 -o, --timers
- 19 -p, --program
- 20 -l, --listening
- 21 -a, --all
- 22 -F
- 23 -C
- 24 Proto
- 25 Recv-Q
- 26 Send-Q
- 27 Local Address
- 28 Foreign Address
- 29 State
- 30 User
- 31 PID/Program name
- 32 Timer
- 33 Active UNIX domain Sockets
- 34 Proto
- 35 RefCnt
- 36 Flags
- 37 Type
- 38 State
- 39 PID/Program name
- 40 Path
- 41 Active IPX sockets
- 42 Active NET/ROM sockets
- 43 Active AX.25 sockets
|
NAME
netstat - Print network connections, routing tables, interface statis-
tics, masquerade connections, and multicast memberships
SYNOPSIS
netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w]
[--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts][--numeric-
ports][--numeric-ports] [--symbolic|-N] [--extend|-e[--extend|-e]]
[--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c]
netstat {--route|-r} [address_family_options]
[--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-
hosts][--numeric-ports][--numeric-ports] [--continuous|-c]
netstat [--interfaces|-i] [--all|-a] [--extend|-e[--extend|-e]] [--ver-
bose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts][--numeric-
ports][--numeric-ports] [--continuous|-c]
netstat {--groups|-g} [--numeric|-n] [--numeric-hosts][--numeric-
ports][--numeric-ports] [--continuous|-c]
netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-
hosts][--numeric-ports][--numeric-ports] [--continuous|-c]
netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w]
netstat {--version|-V}
netstat {--help|-h}
address_family_options:
[--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] [--unix|-x]
[--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]
DESCRIPTION
Netstat prints information about the Linux networking subsystem. The
type of information printed is controlled by the first argument, as
follows:
(none)
By default, netstat displays a list of open sockets. If you don't
specify any address families, then the active sockets of all configured
address families will be printed.
--route , -r
Display the kernel routing tables.
--groups , -g
Display multicast group membership information for IPv4 and IPv6.
--interfaces , -i
Display a table of all network interfaces.
--masquerade , -M
Display a list of masqueraded connections.
--statistics , -s
Display summary statistics for each protocol.
OPTIONS
--verbose , -v
Tell the user what is going on by being verbose. Especially print some
useful information about unconfigured address families.
--numeric , -n
Show numerical addresses instead of trying to determine symbolic host,
port or user names.
--numeric-hosts
shows numerical host addresses but does not affect the resolution of
port or user names.
--numeric-ports
shows numerical port numbers but does not affect the resolution of host
or user names.
--numeric-users
shows numerical user IDs but does not affect the resolution of host or
port names.
--protocol=family , -A
Specifies the address families (perhaps better described as low level
protocols) for which connections are to be shown. family is a comma
(',') separated list of address family keywords like inet, unix, ipx,
ax25, netrom, and ddp. This has the same effect as using the --inet,
--unix (-x), --ipx, --ax25, --netrom, and --ddp options.
The address family inet includes raw, udp and tcp protocol sockets.
-c, --continuous
This will cause netstat to print the selected information every second
continuously. The values are just increments of the last print out.
-e, --extend
Display additional information. Use this option twice for maximum
detail.
-o, --timers
Include information related to networking timers.
-p, --program
Show the PID and name of the program to which each socket belongs.
-l, --listening
Show only listening sockets. (These are omitted by default.)
-a, --all
Show both listening and non-listening sockets. With the --interfaces
option, show interfaces that are not marked
-F
Print routing information from the FIB. (This is the default.)
-C
Print routing information from the route cache. UP.
OUTPUT
Active Internet connections (TCP, UDP, raw)
Proto
The protocol (tcp, udp, raw) used by the socket.
Recv-Q
The count of bytes not copied by the user program connected to this
socket.
Send-Q
The count of bytes not acknowledged by the remote host.
Local Address
Address and port number of the local end of the socket. Unless the
--numeric (-n) option is specified, the socket address is resolved to
its canonical host name (FQDN), and the port number is translated into
the corresponding service name.
Foreign Address
Address and port number of the remote end of the socket. Analogous to
"Local Address."
State
The state of the socket. Since there are no states in raw mode and usu-
ally no states used in UDP, this column may be left blank. Normally
this can be one of several values:
ESTABLISHED
The socket has an established connection.
SYN_SENT
The socket is actively attempting to establish a connection.
SYN_RECV
A connection request has been received from the network.
FIN_WAIT1
The socket is closed, and the connection is shutting down.
FIN_WAIT2
Connection is closed, and the socket is waiting for a shutdown
from the remote end.
TIME_WAIT
The socket is waiting after close to handle packets still in the
network.
CLOSED The socket is not being used.
CLOSE_WAIT
The remote end has shut down, waiting for the socket to close.
LAST_ACK
The remote end has shut down, and the socket is closed. Waiting
for acknowledgement.
LISTEN The socket is listening for incoming connections. Such sockets
are not included in the output unless you specify the --listen-
ing (-l) or --all (-a) option.
CLOSING
Both sockets are shut down but we still don't have all our data
sent.
UNKNOWN
The state of the socket is unknown.
User
The username or the user id (UID) of the owner of the socket.
PID/Program name
Slash-separated pair of the process id (PID) and process name of the
process that owns the socket. --program causes this column to be
included. You will also need superuser privileges to see this informa-
tion on sockets you don't own. This identification information is not
yet available for IPX sockets.
Timer
(this needs to be written)
Active UNIX domain Sockets
Proto
The protocol (usually unix) used by the socket.
RefCnt
The reference count (i.e. attached processes via this socket).
Flags
The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W)
or SO_NOSPACE (N). SO_ACCECPTON is used on unconnected sockets if
their corresponding processes are waiting for a connect request. The
other flags are not of normal interest.
Type
There are several types of socket access:
SOCK_DGRAM
The socket is used in Datagram (connectionless) mode.
SOCK_STREAM
This is a stream (connection) socket.
SOCK_RAW
The socket is used as a raw socket.
SOCK_RDM
This one serves reliably-delivered messages.
SOCK_SEQPACKET
This is a sequential packet socket.
SOCK_PACKET
Raw interface access socket.
UNKNOWN
Who ever knows what the future will bring us - just fill in here
:-)
State
This field will contain one of the following Keywords:
FREE The socket is not allocated
LISTENING
The socket is listening for a connection request. Such sockets
are only included in the output if you specify the --listening
(-l) or --all (-a) option.
CONNECTING
The socket is about to establish a connection.
CONNECTED
The socket is connected.
DISCONNECTING
The socket is disconnecting.
(empty)
The socket is not connected to another one.
UNKNOWN
This state should never happen.
PID/Program name
Process ID (PID) and process name of the process that has the socket
open. More info available in Active Internet connections section writ-
ten above.
Path
This is the path name as which the corresponding processes attached to
the socket.
Active IPX sockets
(this needs to be done by somebody who knows it)
Active NET/ROM sockets
(this needs to be done by somebody who knows it)
Active AX.25 sockets
(this needs to be done by somebody who knows it)
NOTES
Starting with Linux release 2.2 netstat -i does not show interface
statistics for alias interfaces. To get per alias interface counters
you need to setup explicit rules using the ipchains(8) command.
FILES
/etc/services -- The services translation file
/proc -- Mount point for the proc filesystem, which gives access to
kernel status information via the following files.
/proc/net/dev -- device information
/proc/net/raw -- raw socket information
/proc/net/tcp -- TCP socket information
/proc/net/udp -- UDP socket information
/proc/net/igmp -- IGMP multicast information
/proc/net/unix -- Unix domain socket information
/proc/net/ipx -- IPX socket information
/proc/net/ax25 -- AX25 socket information
/proc/net/appletalk -- DDP (appletalk) socket information
/proc/net/nr -- NET/ROM socket information
/proc/net/route -- IP routing information
/proc/net/ax25_route -- AX25 routing information
/proc/net/ipx_route -- IPX routing information
/proc/net/nr_nodes -- NET/ROM nodelist
/proc/net/nr_neigh -- NET/ROM neighbours
/proc/net/ip_masquerade -- masqueraded connections
/proc/net/snmp -- statistics
RELATED
route(8), ifconfig(8), ipchains(8), iptables(8), proc(5)
BUGS
Occasionally strange information may appear if a socket changes as it
is viewed. This is unlikely to occur.
CATEGORY