1 NETSTAT(1M) Maintenance Commands NETSTAT(1M)
2
3
4
5 NAME
6 netstat - show network status
7
8 SYNOPSIS
9 netstat [-anuvR] [-f address_family] [-P protocol]
10
11
12 netstat -g [-nv] [-f address_family]
13
14
15 netstat -p [-n] [-f address_family]
16
17
18 netstat -s [-f address_family] [-P protocol]
19 [-T u | d ] [interval [count]]
20
21
22 netstat -m [-T u | d ] [-v] [interval [count]]
23
24
25 netstat -i [-I interface] [-an] [-f address_family]
26 [-T u | d ] [interval [count]]
27
28
29 netstat -r [-anvR] [-f address_family | filter]
30
31
32 netstat -M [-ns] [-f address_family]
33
34
35 netstat -D [-I interface] [-f address_family]
36
37
38 DESCRIPTION
39 The netstat command displays the contents of certain network-related
40 data structures in various formats, depending on the options you
41 select.
42
43 The netstat command has the several forms shown in the SYNOPSIS
44 section, above, listed as follows:
45
46 o The first form of the command (with no required arguments)
47 displays a list of active sockets for each protocol.
48
49 o The second, third, and fourth forms (-g, -p, and -s options)
50 display information from various network data structures.
51
52 o The fifth form (-m option) displays STREAMS memory
53 statistics.
54
55 o The sixth form (-i option) shows the state of the
56 interfaces.
57
58 o The seventh form (-r option) displays the routing table.
59
60 o The eighth form (-M option) displays the multicast routing
61 table.
62
63 o The ninth form (-D option) displays the state of DHCP on one
64 or all interfaces.
65
66 These forms are described in greater detail below.
67
68 With no arguments (the first form), netstat displays connected sockets
69 for PF_INET, PF_INET6, and PF_UNIX, unless modified otherwise by the -f
70 option.
71
72 OPTIONS
73 -a
74
75 Show the state of all sockets, all routing table entries, or all
76 interfaces, both physical and logical. Normally, listener sockets
77 used by server processes are not shown. Under most conditions, only
78 interface, host, network, and default routes are shown and only the
79 status of physical interfaces is shown.
80
81
82 -f address_family
83
84 Limit all displays to those of the specified address_family. The
85 value of address_family can be one of the following:
86
87 inet
88 For the AF_INET address family showing IPv4 information.
89
90
91 inet6
92 For the AF_INET6 address family showing IPv6 information.
93
94
95 unix
96 For the AF_UNIX address family.
97
98
99
100 -f filter
101
102 With -r only, limit the display of routes to those matching the
103 specified filter. A filter rule consists of a keyword:value pair.
104 The known keywords and the value syntax are:
105
106 af:{inet|inet6|unix|number}
107
108 Selects an address family. This is identical to -f
109 address_family and both syntaxes are supported.
110
111
112 outif:{name|ifIndex|any|none}
113
114 Selects an output interface. You can specify the interface by
115 name (such as hme0) or by ifIndex number (for example, 2). If
116 any is used, the filter matches all routes having a specified
117 interface (anything other than null). If none is used, the
118 filter matches all routes having a null interface. Note that
119 you can view the index number (ifIndex) for an interface with
120 the -a option of ifconfig(1M).
121
122
123 dst:{ip-address[/mask]|any|none}
124
125 Selects a destination IP address. If specified with a mask
126 length, then any routes with matching or longer (more specific)
127 masks are selected. If any is used, then all but addresses but
128 0 are selected. If none is used, then address 0 is selected.
129
130
131 flags:[+ -]?[ABDGHLMSU]+
132
133 Selects routes tagged with the specified flags. By default, the
134 flags as specified must be set in order to match. With a
135 leading +, the flags specified must be set but others are
136 ignored. With a leading -, the flags specified must not be set
137 and others are permitted.
138
139 You can specify multiple instances of -f to specify multiple
140 filters. For example:
141
142 % netstat -nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8
143
144
145 The preceding command displays routes within network 10.0.0.0/8,
146 with mask length 8 or greater, and an output interface of either
147 hme0 or hme1, and excludes all other routes.
148
149
150 -g
151
152 Show the multicast group memberships for all interfaces. If the -v
153 option is included, source-specific membership information is also
154 displayed. See DISPLAYS, below.
155
156
157 -i
158
159 Show the state of the interfaces that are used for IP traffic.
160 Normally this shows statistics for the physical interfaces. When
161 combined with the -a option, this will also report information for
162 the logical interfaces. See ifconfig(1M).
163
164
165 -m
166
167 Show the STREAMS memory statistics.
168
169
170 -n
171
172 Show network addresses as numbers. netstat normally displays
173 addresses as symbols. This option may be used with any of the
174 display formats.
175
176
177 -p
178
179 Show the net to media tables. See DISPLAYS, below.
180
181
182 -r
183
184 Show the routing tables. Normally, only interface, host, network,
185 and default routes are shown, but when this option is combined with
186 the -a option, all routes will be displayed, including cache. If
187 you have not set up a multicast route, -ra might not show any
188 multicast routing entries, although the kernel will derive such an
189 entry if needed.
190
191
192 -s
193
194 Show per-protocol statistics. When used with the -M option, show
195 multicast routing statistics instead. When used with the -a option,
196 per-interface statistics will be displayed, when available, in
197 addition to statistics global to the system. See DISPLAYS, below.
198
199
200 -T u | d
201
202 Display a time stamp.
203
204 Specify u for a printed representation of the internal
205 representation of time. See time(2). Specify d for standard date
206 format. See date(1).
207
208
209 -u
210
211 When specified, for each network endpoint netstat will print the
212 list of the processes currently have an open file descriptor
213 pointing to that endpoint. netstat will list the username, process
214 id, and the program for each process in that list.
215
216
217 -v
218
219 Verbose. Show additional information for the sockets, STREAMS
220 memory statistics, routing table, and multicast group memberships.
221
222
223 -I interface
224
225 Show the state of a particular interface. interface can be any
226 valid interface such as hme0 or eri0. Normally, the status and
227 statistics for physical interfaces are displayed. When this option
228 is combined with the -a option, information for the logical
229 interfaces is also reported.
230
231
232 -M
233
234 Show the multicast routing tables. When used with the -s option,
235 show multicast routing statistics instead.
236
237
238 -P protocol
239
240 Limit display of statistics or state of all sockets to those
241 applicable to protocol. The protocol can be one of ip, ipv6, icmp,
242 icmpv6, icmp, icmpv6, igmp, udp, tcp, rawip. rawip can also be
243 specified as raw. The command accepts protocol options only as all
244 lowercase.
245
246
247 -D
248
249 Show the status of DHCP configured interfaces.
250
251
252 -R
253
254 This modifier displays extended security attributes for sockets and
255 routing table entries. The -R modifier is available only if the
256 system is configured with the Solaris Trusted Extensions feature.
257
258 With -r only, this option displays the routing entries' gateway
259 security attributes. See route(1M) for more information on security
260 attributes.
261
262 When displaying socket information using the first form of the
263 command, this option displays additional information for Multi-
264 Level Port(MLP) sockets. This includes:
265
266 o The label for the peer if the socket is connected.
267
268 o The following flags can be appended to the socket's
269 "State" output:
270
271
272 P
273 The socket is a MLP on zone-private IP addresses.
274
275
276 S
277 The socket is a MLP on IP addresses shared between
278 zones.
279
280 OPERANDS
281 interval
282 Display statistics accumulated since last display every
283 interval seconds, repeating forever, unless count is
284 specified. When invoked with interval, the first row of
285 netstat output shows statistics accumulated since last
286 reboot.
287
288 The following options support interval: -i, -m, -s and -Ms.
289 Some values are configuration parameters and are just
290 redisplayed at each interval.
291
292
293 count
294 Display interface statistics the number of times specified
295 by count, at the interval specified by interval.
296
297
298 DISPLAYS
299 Active Sockets (First Form)
300 The display for each active socket shows the local and remote address,
301 the send and receive queue sizes (in bytes), the send and receive
302 windows (in bytes), and the internal state of the protocol.
303
304 The symbolic format normally used to display socket addresses is
305 either:
306
307 hostname.port
308
309 when the name of the host is specified, or
310
311 network.port
312
313 if a socket address specifies a network but no specific host.
314
315 The numeric host address or network number associated with the socket
316 is used to look up the corresponding symbolic hostname or network name
317 in the hosts or networks database.
318
319 If the network or hostname for an address is not known, or if the -n
320 option is specified, the numerical network address is shown.
321 Unspecified, or "wildcard", addresses and ports appear as an asterisk
322 (*). For more information regarding the Internet naming conventions,
323 refer to inet(7P) and inet6(7P).
324
325 For SCTP sockets, because an endpoint can be represented by multiple
326 addresses, the verbose option (-v) displays the list of all the local
327 and remote addresses.
328
329 TCP Sockets
330 The possible state values for TCP sockets are as follows:
331
332 BOUND
333 Bound, ready to connect or listen.
334
335
336 CLOSED
337 Closed. The socket is not being used.
338
339
340 CLOSING
341 Closed, then remote shutdown; awaiting acknowledgment.
342
343
344 CLOSE_WAIT
345 Remote shutdown; waiting for the socket to close.
346
347
348 ESTABLISHED
349 Connection has been established.
350
351
352 FIN_WAIT_1
353 Socket closed; shutting down connection.
354
355
356 FIN_WAIT_2
357 Socket closed; waiting for shutdown from remote.
358
359
360 IDLE
361 Idle, opened but not bound.
362
363
364 LAST_ACK
365 Remote shutdown, then closed; awaiting acknowledgment.
366
367
368 LISTEN
369 Listening for incoming connections.
370
371
372 SYN_RECEIVED
373 Initial synchronization of the connection under way.
374
375
376 SYN_SENT
377 Actively trying to establish connection.
378
379
380 TIME_WAIT
381 Wait after close for remote shutdown retransmission.
382
383
384 SCTP Sockets
385 The possible state values for SCTP sockets are as follows:
386
387 CLOSED
388 Closed. The socket is not being used.
389
390
391 LISTEN
392 Listening for incoming associations.
393
394
395 ESTABLISHED
396 Association has been established.
397
398
399 COOKIE_WAIT
400 INIT has been sent to the peer, awaiting
401 acknowledgment.
402
403
404 COOKIE_ECHOED
405 State cookie from the INIT-ACK has been sent to
406 the peer, awaiting acknowledgement.
407
408
409 SHUTDOWN_PENDING
410 SHUTDOWN has been received from the upper layer,
411 awaiting acknowledgement of all outstanding DATA
412 from the peer.
413
414
415 SHUTDOWN_SENT
416 All outstanding data has been acknowledged in the
417 SHUTDOWN_SENT state. SHUTDOWN has been sent to
418 the peer, awaiting acknowledgement.
419
420
421 SHUTDOWN_RECEIVED
422 SHUTDOWN has been received from the peer, awaiting
423 acknowledgement of all outstanding DATA.
424
425
426 SHUTDOWN_ACK_SENT
427 All outstanding data has been acknowledged in the
428 SHUTDOWN_RECEIVED state. SHUTDOWN_ACK has been
429 sent to the peer.
430
431
432 Network Data Structures (Second Through Fifth Forms)
433 The form of the display depends upon which of the -g, -m, -p, or -s
434 options you select.
435
436 -g
437 Displays the list of multicast group membership.
438
439
440 -m
441 Displays the memory usage, for example, STREAMS mblks.
442
443
444 -p
445 Displays the net to media mapping table. For IPv4, the address
446 resolution table is displayed. See arp(1M). For IPv6, the
447 neighbor cache is displayed.
448
449
450 -s
451 Displays the statistics for the various protocol layers.
452
453
454
455 The statistics use the MIB specified variables. The defined values for
456 ipForwarding are:
457
458 forwarding(1)
459 Acting as a gateway.
460
461
462 not-forwarding(2)
463 Not acting as a gateway.
464
465
466
467 The IPv6 and ICMPv6 protocol layers maintain per-interface statistics.
468 If the -a option is specified with the -s option, then the per-
469 interface statistics as well as the total sums are displayed.
470 Otherwise, just the sum of the statistics are shown.
471
472 For the second, third, and fourth forms of the command, you must
473 specify at least -g, -p, or -s. You can specify any combination of
474 these options. You can also specify -m (the fifth form) with any set of
475 the -g, -p, and -s options. If you specify more than one of these
476 options, netstat displays the information for each one of them.
477
478 Interface Status (Sixth Form)
479 The interface status display lists information for all current
480 interfaces, one interface per line. If an interface is specified using
481 the -I option, it displays information for only the specified
482 interface.
483
484 The list consists of the interface name, mtu (maximum transmission
485 unit, or maximum packet size)(see ifconfig(1M)), the network to which
486 the interface is attached, addresses for each interface, and counter
487 associated with the interface. The counters show the number of input
488 packets, input errors, output packets, output errors, and collisions,
489 respectively. For Point-to-Point interfaces, the Net/Dest field is the
490 name or address on the other side of the link.
491
492 If the -a option is specified with either the -i option or the -I
493 option, then the output includes names of the physical interface(s),
494 counts for input packets and output packets for each logical interface,
495 plus additional information.
496
497 If the -n option is specified, the list displays the IP address instead
498 of the interface name.
499
500 If an optional interval is specified, the output will be continually
501 displayed in interval seconds until interrupted by the user or until
502 count is reached. See OPERANDS.
503
504 The physical interface is specified using the -I option. When used with
505 the interval operand, output for the -I option has the following
506 format:
507
508 input eri0 output input (Total) output
509 packets errs packets errs colls packets errs packets errs colls
510 227681 0 659471 1 502 261331 0 99597 1 502
511 10 0 0 0 0 10 0 0 0 0
512 8 0 0 0 0 8 0 0 0 0
513 10 0 2 0 0 10 0 2 0 0
514
515
516 If the input interface is not specified, the first interface of address
517 family inet or inet6 will be displayed.
518
519 Routing Table (Seventh Form)
520 The routing table display lists the available routes and the status of
521 each. Each route consists of a destination host or network, and a
522 gateway to use in forwarding packets. The flags column shows the status
523 of the route. These flags are as follows:
524
525 U
526 Indicates route is up.
527
528
529 G
530 Route is to a gateway.
531
532
533 H
534 Route is to a host and not a network.
535
536
537 M
538 Redundant route established with the -multirt option.
539
540
541 S
542 Route was established using the -setsrc option.
543
544
545 D
546 Route was created dynamically by a redirect.
547
548
549
550 If the -a option is specified, there will be routing entries with the
551 following flags:
552
553 A
554 Combined routing and address resolution entries.
555
556
557 B
558 Broadcast addresses.
559
560
561 L
562 Local addresses for the host.
563
564
565 Interface routes are created for each interface attached to the local
566 host; the gateway field for such entries shows the address of the
567 outgoing interface.
568
569 The use column displays the number of packets sent using a combined
570 routing and address resolution (A) or a broadcast (B) route. For a
571 local (L) route, this count is the number of packets received, and for
572 all other routes it is the number of times the routing entry has been
573 used to create a new combined route and address resolution entry.
574
575 The interface entry indicates the network interface utilized for the
576 route.
577
578 Multicast Routing Tables (Eighth Form)
579 The multicast routing table consists of the virtual interface table and
580 the actual routing table.
581
582 DHCP Interface Information (Ninth Form)
583 The DHCP interface information consists of the interface name, its
584 current state, lease information, packet counts, and a list of flags.
585
586 The states correlate with the specifications set forth in RFC 2131.
587
588 Lease information includes:
589
590 o when the lease began;
591
592 o when lease renewal will begin; and
593
594 o when the lease will expire.
595
596
597 The flags currently defined include:
598
599 BOOTP
600 The interface has a lease obtained through BOOTP (IPv4
601 only).
602
603
604 BUSY
605 The interface is busy with a DHCP transaction.
606
607
608 PRIMARY
609 The interface is the primary interface. See dhcpinfo(1) and
610 ifconfig(1M).
611
612
613 FAILED
614 The interface is in failure state and must be manually
615 restarted.
616
617
618 Packet counts are maintained for the number of packets sent, the number
619 of packets received, and the number of lease offers declined by the
620 DHCP client. All three counters are initialized to zero and then
621 incremented while obtaining a lease. The counters are reset when the
622 period of lease renewal begins for the interface. Thus, the counters
623 represent either the number of packets sent, received, and declined
624 while obtaining the current lease, or the number of packets sent,
625 received, and declined while attempting to obtain a future lease.
626
627 FILES
628 /etc/default/inet_type
629 DEFAULT_IP setting
630
631
632 SEE ALSO
633 arp(1M), dhcpinfo(1), dhcpagent(1M), ifconfig(1M), iostat(1M),
634 kstat(1M), mibiisa(1M), ndp(1M), savecore(1M), vmstat(1M), hosts(4),
635 inet_type(4), networks(4), protocols(4), services(4), attributes(5),
636 dhcp(5), kstat(7D), inet(7P), inet6(7P)
637
638
639 Droms, R., RFC 2131, Dynamic Host Configuration Protocol, Network
640 Working Group, March 1997.
641
642
643 Droms, R. RFC 3315, Dynamic Host Configuration Protocol for IPv6
644 (DHCPv6). Cisco Systems. July 2003.
645
646 NOTES
647 When displaying interface information, netstat honors the DEFAULT_IP
648 setting in /etc/default/inet_type. If it is set to IP_VERSION4, then
649 netstat will omit information relating to IPv6 interfaces, statistics,
650 connections, routes and the like.
651
652 However, you can override the DEFAULT_IP setting in
653 /etc/default/inet_type on the command-line. For example, if you have
654 used the command-line to explicitly request IPv6 information by using
655 the inet6 address family or one of the IPv6 protocols, it will override
656 the DEFAULT_IP setting.
657
658 If you need to examine network status information following a kernel
659 crash, use the mdb(1) utility on the savecore(1M) output.
660
661 The netstat utility obtains TCP statistics from the system by opening
662 /dev/tcp and issuing queries. Because of this, netstat might display an
663 extra, unused connection in IDLE state when reporting connection
664 status.
665
666 Previous versions of netstat had undocumented methods for reporting
667 kernel statistics published using the kstat(7D) facility. This
668 functionality has been removed. Use kstat(1M) instead.
669
670 netstat restricts its output to information that is relevant to the
671 zone in which netstat runs. (This is true for both shared-IP and
672 exclusive-IP zones.)
673
674
675
676 July 12, 2016 NETSTAT(1M)