NETSTAT(1M) Maintenance Commands NETSTAT(1M) NNAAMMEE netstat - show network status SSYYNNOOPPSSIISS nneettssttaatt [--aannuuvvRR] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] [--PP _p_r_o_t_o_c_o_l] nneettssttaatt --gg [--nnvv] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] nneettssttaatt --pp [--nn] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] nneettssttaatt --ss [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] [--PP _p_r_o_t_o_c_o_l] [--TT u | d ] [_i_n_t_e_r_v_a_l [_c_o_u_n_t]] nneettssttaatt --mm [--TT u | d ] [--vv] [_i_n_t_e_r_v_a_l [_c_o_u_n_t]] nneettssttaatt --ii [--II _i_n_t_e_r_f_a_c_e] [--aann] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] [--TT u | d ] [_i_n_t_e_r_v_a_l [_c_o_u_n_t]] nneettssttaatt --rr [--aannvvRR] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y | _f_i_l_t_e_r] nneettssttaatt --MM [--nnss] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] nneettssttaatt --DD [--II _i_n_t_e_r_f_a_c_e] [--ff _a_d_d_r_e_s_s___f_a_m_i_l_y] DDEESSCCRRIIPPTTIIOONN The nneettssttaatt command displays the contents of certain network-related data structures in various formats, depending on the options you select. The nneettssttaatt command has the several forms shown in the SYNOPSIS section, above, listed as follows: o The first form of the command (with no required arguments) displays a list of active sockets for each protocol. o The second, third, and fourth forms (--gg, --pp, and --ss options) display information from various network data structures. o The fifth form (--mm option) displays STREAMS memory statistics. o The sixth form (--ii option) shows the state of the interfaces. o The seventh form (--rr option) displays the routing table. o The eighth form (--MM option) displays the multicast routing table. o The ninth form (--DD option) displays the state of DDHHCCPP on one or all interfaces. These forms are described in greater detail below. With no arguments (the first form), nneettssttaatt displays connected sockets for PPFF__IINNEETT, PPFF__IINNEETT66, and PPFF__UUNNIIXX, unless modified otherwise by the --ff option. OOPPTTIIOONNSS --aa Show the state of all sockets, all routing table entries, or all interfaces, both physical and logical. Normally, listener sockets used by server processes are not shown. Under most conditions, only interface, host, network, and default routes are shown and only the status of physical interfaces is shown. --ff _a_d_d_r_e_s_s___f_a_m_i_l_y Limit all displays to those of the specified _a_d_d_r_e_s_s___f_a_m_i_l_y. The value of _a_d_d_r_e_s_s___f_a_m_i_l_y can be one of the following: iinneett For the AAFF__IINNEETT address family showing IPv4 information. iinneett66 For the AAFF__IINNEETT66 address family showing IPv6 information. uunniixx For the AAFF__UUNNIIXX address family. --ff _f_i_l_t_e_r With --rr only, limit the display of routes to those matching the specified filter. A filter rule consists of a _k_e_y_w_o_r_d:_v_a_l_u_e pair. The known keywords and the value syntax are: aaff::{iinneett|iinneett66|uunniixx|_n_u_m_b_e_r} Selects an address family. This is identical to --ff _a_d_d_r_e_s_s___f_a_m_i_l_y and both syntaxes are supported. oouuttiiff:{_n_a_m_e|_i_f_I_n_d_e_x|aannyy|nnoonnee} Selects an output interface. You can specify the interface by name (such as hhmmee00) or by iiffIInnddeexx number (for example, 22). If aannyy is used, the filter matches all routes having a specified interface (anything other than null). If nnoonnee is used, the filter matches all routes having a null interface. Note that you can view the index number (_i_f_I_n_d_e_x) for an interface with the --aa option of iiffccoonnffiigg(1M). ddsstt:{_i_p_-_a_d_d_r_e_s_s[/_m_a_s_k]|aannyy|nnoonnee} Selects a destination IP address. If specified with a mask length, then any routes with matching or longer (more specific) masks are selected. If aannyy is used, then all but addresses but 0 are selected. If nnoonnee is used, then address 0 is selected. ffllaaggss::[++ --]?[AABBDDGGHHLLMMSSUU]++ Selects routes tagged with the specified flags. By default, the flags as specified must be set in order to match. With a leading ++, the flags specified must be set but others are ignored. With a leading --, the flags specified must not be set and others are permitted. You can specify multiple instances of --ff to specify multiple filters. For example: % netstat -nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8 The preceding command displays routes within network 10.0.0.0/8, with mask length 8 or greater, and an output interface of either hhmmee00 or hhmmee11, and excludes all other routes. --gg Show the multicast group memberships for all interfaces. If the --vv option is included, source-specific membership information is also displayed. See DISPLAYS, below. --ii Show the state of the interfaces that are used for IIPP traffic. Normally this shows statistics for the physical interfaces. When combined with the --aa option, this will also report information for the logical interfaces. See iiffccoonnffiigg(1M). --mm Show the STREAMS memory statistics. --nn Show network addresses as numbers. nneettssttaatt normally displays addresses as symbols. This option may be used with any of the display formats. --pp Show the net to media tables. See DISPLAYS, below. --rr Show the routing tables. Normally, only interface, host, network, and default routes are shown, but when this option is combined with the --aa option, all routes will be displayed, including cache. If you have not set up a multicast route, --rraa might not show any multicast routing entries, although the kernel will derive such an entry if needed. --ss Show per-protocol statistics. When used with the --MM option, show multicast routing statistics instead. When used with the --aa option, per-interface statistics will be displayed, when available, in addition to statistics global to the system. See DISPLAYS, below. --TT uu | dd Display a time stamp. Specify uu for a printed representation of the internal representation of time. See ttiimmee(2). Specify dd for standard date format. See ddaattee(1). --uu When specified, for each network endpoint nneettssttaatt will print the list of the processes currently have an open file descriptor pointing to that endpoint. nneettssttaatt will list the username, process id, and the program for each process in that list. --vv Verbose. Show additional information for the sockets, STREAMS memory statistics, routing table, and multicast group memberships. --II _i_n_t_e_r_f_a_c_e Show the state of a particular interface. _i_n_t_e_r_f_a_c_e can be any valid interface such as hhmmee00 or eerrii00. Normally, the status and statistics for physical interfaces are displayed. When this option is combined with the --aa option, information for the logical interfaces is also reported. --MM Show the multicast routing tables. When used with the --ss option, show multicast routing statistics instead. --PP _p_r_o_t_o_c_o_l Limit display of statistics or state of all sockets to those applicable to _p_r_o_t_o_c_o_l. The protocol can be one of iipp, iippvv66, iiccmmpp, iiccmmppvv66, iiccmmpp, iiccmmppvv66, iiggmmpp, uuddpp, ttccpp, rraawwiipp. rraawwiipp can also be specified as rraaww. The command accepts protocol options only as all lowercase. --DD Show the status of DDHHCCPP configured interfaces. --RR This modifier displays extended security attributes for sockets and routing table entries. The --RR modifier is available only if the system is configured with the Solaris Trusted Extensions feature. With --rr only, this option displays the routing entries' gateway security attributes. See rroouuttee(1M) for more information on security attributes. When displaying socket information using the first form of the command, this option displays additional information for Multi- Level Port(MLP) sockets. This includes: o The label for the peer if the socket is connected. o The following flags can be appended to the socket's "State" output: PP The socket is a MLP on zone-private IP addresses. SS The socket is a MLP on IP addresses shared between zones. OOPPEERRAANNDDSS _i_n_t_e_r_v_a_l Display statistics accumulated since last display every _i_n_t_e_r_v_a_l seconds, repeating forever, unless _c_o_u_n_t is specified. When invoked with _i_n_t_e_r_v_a_l, the first row of netstat output shows statistics accumulated since last reboot. The following options support _i_n_t_e_r_v_a_l: --ii, --mm, --ss and --MMss. Some values are configuration parameters and are just redisplayed at each interval. _c_o_u_n_t Display interface statistics the number of times specified by _c_o_u_n_t, at the interval specified by _i_n_t_e_r_v_a_l. DDIISSPPLLAAYYSS AAccttiivvee SSoocckkeettss ((FFiirrsstt FFoorrmm)) The display for each active socket shows the local and remote address, the send and receive queue sizes (in bytes), the send and receive windows (in bytes), and the internal state of the protocol. The symbolic format normally used to display socket addresses is either: hhoossttnnaammee._p_o_r_t when the name of the host is specified, or _n_e_t_w_o_r_k._p_o_r_t if a socket address specifies a network but no specific host. The numeric host address or network number associated with the socket is used to look up the corresponding symbolic hostname or network name in the _h_o_s_t_s or _n_e_t_w_o_r_k_s database. If the network or hostname for an address is not known, or if the --nn option is specified, the numerical network address is shown. Unspecified, or "wildcard", addresses and ports appear as an asterisk (**). For more information regarding the Internet naming conventions, refer to iinneett(7P) and iinneett66(7P). For SCTP sockets, because an endpoint can be represented by multiple addresses, the verbose option (--vv) displays the list of all the local and remote addresses. _T_C_P _S_o_c_k_e_t_s The possible state values for TTCCPP sockets are as follows: BBOOUUNNDD Bound, ready to connect or listen. CCLLOOSSEEDD Closed. The socket is not being used. CCLLOOSSIINNGG Closed, then remote shutdown; awaiting acknowledgment. CCLLOOSSEE__WWAAIITT Remote shutdown; waiting for the socket to close. EESSTTAABBLLIISSHHEEDD Connection has been established. FFIINN__WWAAIITT__11 Socket closed; shutting down connection. FFIINN__WWAAIITT__22 Socket closed; waiting for shutdown from remote. IIDDLLEE Idle, opened but not bound. LLAASSTT__AACCKK Remote shutdown, then closed; awaiting acknowledgment. LLIISSTTEENN Listening for incoming connections. SSYYNN__RREECCEEIIVVEEDD Initial synchronization of the connection under way. SSYYNN__SSEENNTT Actively trying to establish connection. TTIIMMEE__WWAAIITT Wait after close for remote shutdown retransmission. _S_C_T_P _S_o_c_k_e_t_s The possible state values for SCTP sockets are as follows: CCLLOOSSEEDD Closed. The socket is not being used. LLIISSTTEENN Listening for incoming associations. EESSTTAABBLLIISSHHEEDD Association has been established. CCOOOOKKIIEE__WWAAIITT IINNIITT has been sent to the peer, awaiting acknowledgment. CCOOOOKKIIEE__EECCHHOOEEDD State cookie from the INIT-ACK has been sent to the peer, awaiting acknowledgement. SSHHUUTTDDOOWWNN__PPEENNDDIINNGG SSHHUUTTDDOOWWNN has been received from the upper layer, awaiting acknowledgement of all outstanding DDAATTAA from the peer. SSHHUUTTDDOOWWNN__SSEENNTT All outstanding data has been acknowledged in the SSHHUUTTDDOOWWNN__SSEENNTT state. SSHHUUTTDDOOWWNN has been sent to the peer, awaiting acknowledgement. SSHHUUTTDDOOWWNN__RREECCEEIIVVEEDD SSHHUUTTDDOOWWNN has been received from the peer, awaiting acknowledgement of all outstanding DDAATTAA. SSHHUUTTDDOOWWNN__AACCKK__SSEENNTT All outstanding data has been acknowledged in the SSHHUUTTDDOOWWNN__RREECCEEIIVVEEDD state. SSHHUUTTDDOOWWNN__AACCKK has been sent to the peer. NNeettwwoorrkk DDaattaa SSttrruuccttuurreess ((SSeeccoonndd TThhrroouugghh FFiifftthh FFoorrmmss)) The form of the display depends upon which of the --gg, --mm, --pp, or --ss options you select. --gg Displays the list of multicast group membership. --mm Displays the memory usage, for example, STREAMS mblks. --pp Displays the net to media mapping table. For IPv4, the address resolution table is displayed. See aarrpp(1M). For IPv6, the neighbor cache is displayed. --ss Displays the statistics for the various protocol layers. The statistics use the MIB specified variables. The defined values for iippFFoorrwwaarrddiinngg are: ffoorrwwaarrddiinngg((11)) Acting as a gateway. nnoott--ffoorrwwaarrddiinngg((22)) Not acting as a gateway. The IPv6 and ICMPv6 protocol layers maintain per-interface statistics. If the --aa option is specified with the --ss option, then the per- interface statistics as well as the total sums are displayed. Otherwise, just the sum of the statistics are shown. For the second, third, and fourth forms of the command, you must specify at least --gg, --pp, or --ss. You can specify any combination of these options. You can also specify --mm (the fifth form) with any set of the --gg, --pp, and --ss options. If you specify more than one of these options, nneettssttaatt displays the information for each one of them. IInntteerrffaaccee SSttaattuuss ((SSiixxtthh FFoorrmm)) The interface status display lists information for all current interfaces, one interface per line. If an interface is specified using the --II option, it displays information for only the specified interface. The list consists of the interface name, mmttuu (maximum transmission unit, or maximum packet size)(see iiffccoonnffiigg(1M)), the network to which the interface is attached, addresses for each interface, and counter associated with the interface. The counters show the number of input packets, input errors, output packets, output errors, and collisions, respectively. For Point-to-Point interfaces, the Net/Dest field is the name or address on the other side of the link. If the --aa option is specified with either the --ii option or the --II option, then the output includes names of the physical interface(s), counts for input packets and output packets for each logical interface, plus additional information. If the --nn option is specified, the list displays the IP address instead of the interface name. If an optional _i_n_t_e_r_v_a_l is specified, the output will be continually displayed in _i_n_t_e_r_v_a_l seconds until interrupted by the user or until _c_o_u_n_t is reached. See OPERANDS. The physical interface is specified using the --II option. When used with the _i_n_t_e_r_v_a_l operand, output for the --II option has the following format: input eri0 output input (Total) output packets errs packets errs colls packets errs packets errs colls 227681 0 659471 1 502 261331 0 99597 1 502 10 0 0 0 0 10 0 0 0 0 8 0 0 0 0 8 0 0 0 0 10 0 2 0 0 10 0 2 0 0 If the input interface is not specified, the first interface of address family iinneett or iinneett66 will be displayed. RRoouuttiinngg TTaabbllee ((SSeevveenntthh FFoorrmm)) The routing table display lists the available routes and the status of each. Each route consists of a destination host or network, and a gateway to use in forwarding packets. The _f_l_a_g_s column shows the status of the route. These flags are as follows: UU Indicates route is uupp. GG Route is to a gateway. HH Route is to a host and not a network. MM Redundant route established with the --mmuullttiirrtt option. SS Route was established using the --sseettssrrcc option. DD Route was created dynamically by a redirect. If the --aa option is specified, there will be routing entries with the following flags: AA Combined routing and address resolution entries. BB Broadcast addresses. LL Local addresses for the host. Interface routes are created for each interface attached to the local host; the gateway field for such entries shows the address of the outgoing interface. The uussee column displays the number of packets sent using a combined routing and address resolution (AA) or a broadcast (BB) route. For a local (LL) route, this count is the number of packets received, and for all other routes it is the number of times the routing entry has been used to create a new combined route and address resolution entry. The _i_n_t_e_r_f_a_c_e entry indicates the network interface utilized for the route. MMuullttiiccaasstt RRoouuttiinngg TTaabblleess ((EEiigghhtthh FFoorrmm)) The multicast routing table consists of the virtual interface table and the actual routing table. DDHHCCPP IInntteerrffaaccee IInnffoorrmmaattiioonn ((NNiinntthh FFoorrmm)) The DDHHCCPP interface information consists of the interface name, its current state, lease information, packet counts, and a list of flags. The states correlate with the specifications set forth in _R_F_C _2_1_3_1. Lease information includes: o when the lease began; o when lease renewal will begin; and o when the lease will expire. The flags currently defined include: BBOOOOTTPP The interface has a lease obtained through BBOOOOTTPP (IPv4 only). BBUUSSYY The interface is busy with a DDHHCCPP transaction. PPRRIIMMAARRYY The interface is the primary interface. See ddhhccppiinnffoo(1) and iiffccoonnffiigg(1M). FFAAIILLEEDD The interface is in failure state and must be manually restarted. Packet counts are maintained for the number of packets sent, the number of packets received, and the number of lease offers declined by the DDHHCCPP client. All three counters are initialized to zero and then incremented while obtaining a lease. The counters are reset when the period of lease renewal begins for the interface. Thus, the counters represent either the number of packets sent, received, and declined while obtaining the current lease, or the number of packets sent, received, and declined while attempting to obtain a future lease. FFIILLEESS //eettcc//ddeeffaauulltt//iinneett__ttyyppee DDEEFFAAUULLTT__IIPP setting SSEEEE AALLSSOO aarrpp(1M), ddhhccppiinnffoo(1), ddhhccppaaggeenntt(1M), iiffccoonnffiigg(1M), iioossttaatt(1M), kkssttaatt(1M), mmiibbiiiissaa(1M), nnddpp(1M), ssaavveeccoorree(1M), vvmmssttaatt(1M), hhoossttss(4), iinneett__ttyyppee(4), nneettwwoorrkkss(4), pprroottooccoollss(4), sseerrvviicceess(4), aattttrriibbuutteess(5), ddhhccpp(5), kkssttaatt(7D), iinneett(7P), iinneett66(7P) Droms, R., _R_F_C _2_1_3_1_, _D_y_n_a_m_i_c _H_o_s_t _C_o_n_f_i_g_u_r_a_t_i_o_n _P_r_o_t_o_c_o_l, Network Working Group, March 1997. Droms, R. _R_F_C _3_3_1_5_, _D_y_n_a_m_i_c _H_o_s_t _C_o_n_f_i_g_u_r_a_t_i_o_n _P_r_o_t_o_c_o_l _f_o_r _I_P_v_6 _(_D_H_C_P_v_6_). Cisco Systems. July 2003. NNOOTTEESS When displaying interface information, nneettssttaatt honors the DDEEFFAAUULLTT__IIPP setting in //eettcc//ddeeffaauulltt//iinneett__ttyyppee. If it is set to IIPP__VVEERRSSIIOONN44, then nneettssttaatt will omit information relating to IPv6 interfaces, statistics, connections, routes and the like. However, you can override the DDEEFFAAUULLTT__IIPP setting in //eettcc//ddeeffaauulltt//iinneett__ttyyppee on the command-line. For example, if you have used the command-line to explicitly request IPv6 information by using the iinneett66 address family or one of the IPv6 protocols, it will override the DDEEFFAAUULLTT__IIPP setting. If you need to examine network status information following a kernel crash, use the mmddbb(1) utility on the ssaavveeccoorree(1M) output. The nneettssttaatt utility obtains TCP statistics from the system by opening //ddeevv//ttccpp and issuing queries. Because of this, nneettssttaatt might display an extra, unused connection in IIDDLLEE state when reporting connection status. Previous versions of nneettssttaatt had undocumented methods for reporting kernel statistics published using the kkssttaatt(7D) facility. This functionality has been removed. Use kkssttaatt(1M) instead. nneettssttaatt restricts its output to information that is relevant to the zone in which nneettssttaatt runs. (This is true for both shared-IP and exclusive-IP zones.) July 12, 2016 NETSTAT(1M)