netstat(1M)            System Administration Commands            netstat(1M)

NAME
    netstat - show network status

SYNOPSIS
    netstat [-anvR] [-f address_family] [-P protocol]

    netstat -g [-nv] [-f address_family]

    netstat -p [-n] [-f address_family]

    netstat -s [-f address_family] [-P protocol]
        [-T u | d ] [interval [count]]

    netstat -m [-T u | d ] [-v] [interval [count]]

    netstat -i [-I interface] [-an] [-f address_family]
        [-T u | d ] [interval [count]]

    netstat -r [-anvR] [-f address_family | filter]

    netstat -M [-ns] [-f address_family]

    netstat -D [-I interface] [-f address_family]

DESCRIPTION
    The netstat command displays the contents of certain network-related
    data structures in various formats, depending on the options you
    select.

    The netstat command has several forms, shown in the SYNOPSIS section
    above and listed as follows:

    o   The first form of the command (with no required arguments)
        displays a list of active sockets for each protocol.

    o   The second, third, and fourth forms (-g, -p, and -s options)
        display information from various network data structures.

    o   The fifth form (-m option) displays STREAMS memory statistics.

    o   The sixth form (-i option) shows the state of the interfaces.

    o   The seventh form (-r option) displays the routing table.

    o   The eighth form (-M option) displays the multicast routing table.

    o   The ninth form (-D option) displays the state of DHCP on one or
        all interfaces.

    These forms are described in greater detail below.

    With no arguments (the first form), netstat displays connected sockets
    for PF_INET, PF_INET6, and PF_UNIX, unless modified otherwise by the -f
    option.

OPTIONS
    -a
        Show the state of all sockets, all routing table entries, or all
        interfaces, both physical and logical. Normally, listener sockets
        used by server processes are not shown. Under most conditions, only
        interface, host, network, and default routes are shown and only the
        status of physical interfaces is shown.

    -f address_family
        Limit all displays to those of the specified address_family. The
        value of address_family can be one of the following:

        inet     For the AF_INET address family showing IPv4 information.

        inet6    For the AF_INET6 address family showing IPv6 information.

        unix     For the AF_UNIX address family.

    -f filter
        With -r only, limit the display of routes to those matching the
        specified filter. A filter rule consists of a keyword:value pair.
        The known keywords and the value syntax are:

        af:{inet|inet6|unix|number}
            Selects an address family. This is identical to
            -f address_family and both syntaxes are supported.

        outif:{name|ifIndex|any|none}
            Selects an output interface. You can specify the interface by
            name (such as hme0) or by ifIndex number (for example, 2). If
            any is used, the filter matches all routes having a specified
            interface (anything other than null). If none is used, the
            filter matches all routes having a null interface. Note that
            you can view the index number (ifIndex) for an interface with
            the -a option of ifconfig(1M).

        dst:{ip-address[/mask]|any|none}
            Selects a destination IP address. If specified with a mask
            length, then any routes with matching or longer (more specific)
            masks are selected. If any is used, then all addresses but 0
            are selected. If none is used, then address 0 is selected.

        flags:[+ -]?[ABDGHLMSU]+
            Selects routes tagged with the specified flags. By default, the
            flags as specified must be set in order to match. With a
            leading +, the flags specified must be set but others are
            ignored. With a leading -, the flags specified must not be set
            and others are permitted.

        You can specify multiple instances of -f to specify multiple
        filters. For example:

            % netstat -nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8

        The preceding command displays routes within network 10.0.0.0/8,
        with mask length 8 or greater, and an output interface of either
        hme0 or hme1, and excludes all other routes.
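
The outif, dst and flags rules above, modelled in Python as an added example (this is not netstat's own code). The route records and the names parse_filter, match_one and select_routes are constructed for illustration; rules that share a keyword are ORed and different keywords are ANDed, which generalizes the command above, and a bare flags: value is assumed to mean an exact match.

```python
import ipaddress
from collections import defaultdict

# Constructed routing entries (not from a real host); None models a null interface.
ROUTES = [
    {"dest": "0.0.0.0/0",      "flags": "UG",   "interface": None},
    {"dest": "10.0.0.0/8",     "flags": "U",    "interface": "hme0"},
    {"dest": "10.1.2.0/24",    "flags": "UG",   "interface": "hme1"},
    {"dest": "10.9.9.9/32",    "flags": "UGHD", "interface": "hme2"},
    {"dest": "192.168.5.0/24", "flags": "U",    "interface": "hme0"},
]

def parse_filter(spec):
    """Split one -f argument such as 'dst:10.0.0.0/8' into (keyword, value)."""
    keyword, sep, value = spec.partition(":")
    if not sep or not value or keyword not in ("outif", "dst", "flags"):
        raise ValueError(f"unsupported filter: {spec!r}")
    return keyword, value

def match_one(keyword, value, route):
    """Apply a single keyword:value rule to one route."""
    if keyword == "outif":
        iface = route["interface"]
        if value in ("any", "none"):
            return (iface is not None) == (value == "any")
        return iface == value
    if keyword == "dst":
        dest = ipaddress.ip_network(route["dest"])
        is_zero = int(dest.network_address) == 0
        if value in ("any", "none"):
            return is_zero == (value == "none")
        want = ipaddress.ip_network(value, strict=False)
        # Matching or longer (more specific) masks inside the requested network.
        return dest.version == want.version and dest.subnet_of(want)
    have = set(route["flags"])
    if value[0] == "+":
        return set(value[1:]) <= have        # listed flags set, others ignored
    if value[0] == "-":
        return not set(value[1:]) & have     # listed flags clear, others permitted
    return set(value) == have                # assumption: bare form matches exactly

def select_routes(routes, filter_specs):
    """OR the rules that share a keyword, AND across different keywords."""
    groups = defaultdict(list)
    for spec in filter_specs:
        keyword, value = parse_filter(spec)
        groups[keyword].append(value)
    return [r["dest"] for r in routes
            if all(any(match_one(k, v, r) for v in vals)
                   for k, vals in groups.items())]
```

select_routes(ROUTES, ["flags:+D"]) isolates routes created by a redirect, which is the entry to review when a host's routing table changes unexpectedly.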

    -g
        Show the multicast group memberships for all interfaces. If the -v
        option is included, source-specific membership information is also
        displayed. See DISPLAYS, below.

    -i
        Show the state of the interfaces that are used for IP traffic.
        Normally this shows statistics for the physical interfaces. When
        combined with the -a option, this will also report information for
        the logical interfaces. See ifconfig(1M).

    -m
        Show the STREAMS memory statistics.

    -n
        Show network addresses as numbers. netstat normally displays
        addresses as symbols. This option may be used with any of the
        display formats.

    -p
        Show the net to media tables. See DISPLAYS, below.

    -r
        Show the routing tables. Normally, only interface, host, network,
        and default routes are shown, but when this option is combined with
        the -a option, all routes will be displayed, including cache. If
        you have not set up a multicast route, -ra might not show any
        multicast routing entries, although the kernel will derive such an
        entry if needed.

    -s
        Show per-protocol statistics. When used with the -M option, show
        multicast routing statistics instead. When used with the -a option,
        per-interface statistics will be displayed, when available, in
        addition to statistics global to the system. See DISPLAYS, below.

    -T u | d
        Display a time stamp.

        Specify u for a printed representation of the internal
        representation of time. See time(2). Specify d for standard date
        format. See date(1).

    -v
        Verbose. Show additional information for the sockets, STREAMS
        memory statistics, routing table, and multicast group memberships.

    -I interface
        Show the state of a particular interface. interface can be any
        valid interface such as hme0 or eri0. Normally, the status and
        statistics for physical interfaces are displayed. When this option
        is combined with the -a option, information for the logical
        interfaces is also reported.

    -M
        Show the multicast routing tables. When used with the -s option,
        show multicast routing statistics instead.

    -P protocol
        Limit display of statistics or state of all sockets to those
        applicable to protocol. The protocol can be one of ip, ipv6, icmp,
        icmpv6, igmp, udp, tcp, rawip. rawip can also be specified as raw.
        The command accepts protocol options only as all lowercase.

    -D
        Show the status of DHCP configured interfaces.

    -R
        This modifier displays extended security attributes for sockets and
        routing table entries. The -R modifier is available only if the
        system is configured with the Solaris Trusted Extensions feature.

        With -r only, this option displays the routing entries' gateway
        security attributes. See route(1M) for more information on security
        attributes.

        When displaying socket information using the first form of the
        command, this option displays additional information for
        Multi-Level Port (MLP) sockets. This includes:

        o   The label for the peer if the socket is connected.

        o   The following flags can be appended to the socket's "State"
            output:

            P    The socket is a MLP on zone-private IP addresses.

            S    The socket is a MLP on IP addresses shared between zones.

OPERANDS
    interval
        Display statistics accumulated since last display every interval
        seconds, repeating forever, unless count is specified. When invoked
        with interval, the first row of netstat output shows statistics
        accumulated since last reboot.

        The following options support interval: -i, -m, -s and -Ms. Some
        values are configuration parameters and are just redisplayed at
        each interval.

    count
        Display interface statistics the number of times specified by
        count, at the interval specified by interval.

DISPLAYS
  Active Sockets (First Form)
    The display for each active socket shows the local and remote address,
    the send and receive queue sizes (in bytes), the send and receive
    windows (in bytes), and the internal state of the protocol.

    The symbolic format normally used to display socket addresses is
    either:

        hostname.port

    when the name of the host is specified, or

        network.port

    if a socket address specifies a network but no specific host.

    The numeric host address or network number associated with the socket
    is used to look up the corresponding symbolic hostname or network name
    in the hosts or networks database.

    If the network or hostname for an address is not known, or if the -n
    option is specified, the numerical network address is shown.
    Unspecified, or "wildcard", addresses and ports appear as an asterisk
    (*). For more information regarding the Internet naming conventions,
    refer to inet(7P) and inet6(7P).

    For SCTP sockets, because an endpoint can be represented by multiple
    addresses, the verbose option (-v) displays the list of all the local
    and remote addresses.

  TCP Sockets
    The possible state values for TCP sockets are as follows:

    BOUND           Bound, ready to connect or listen.

    CLOSED          Closed. The socket is not being used.

    CLOSING         Closed, then remote shutdown; awaiting acknowledgment.

    CLOSE_WAIT      Remote shutdown; waiting for the socket to close.

    ESTABLISHED     Connection has been established.

    FIN_WAIT_1      Socket closed; shutting down connection.

    FIN_WAIT_2      Socket closed; waiting for shutdown from remote.

    IDLE            Idle, opened but not bound.

    LAST_ACK        Remote shutdown, then closed; awaiting acknowledgment.

    LISTEN          Listening for incoming connections.

    SYN_RECEIVED    Initial synchronization of the connection under way.

    SYN_SENT        Actively trying to establish connection.

    TIME_WAIT       Wait after close for remote shutdown retransmission.
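
A listener audit built on the address.port format and the state names above, as an added example that is not part of the manual page. It parses constructed `netstat -an -f inet -P tcp` output, assuming the column order Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State; the function names are hypothetical.

```python
# Constructed sample of `netstat -an -f inet -P tcp` output (not from a real host).
SAMPLE = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
      *.8080               *.*                0      0 49152      0 LISTEN
192.0.2.10.22        198.51.100.7.51234   64240      0 49232      0 ESTABLISHED
192.0.2.10.40112     203.0.113.9.443      64240      0 49232      0 CLOSE_WAIT
      *.*                  *.*                0      0 49152      0 IDLE
"""

TCP_STATES = {
    "BOUND", "CLOSED", "CLOSING", "CLOSE_WAIT", "ESTABLISHED", "FIN_WAIT_1",
    "FIN_WAIT_2", "IDLE", "LAST_ACK", "LISTEN", "SYN_RECEIVED", "SYN_SENT",
    "TIME_WAIT",
}

def split_endpoint(text):
    """Split 'host.port' at the last dot; '*' marks a wildcard host or port."""
    host, _, port = text.rpartition(".")
    return host, port

def parse_sockets(output):
    """Return one dict per socket line; headers and rulers are skipped."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        # Assumed columns: local, remote, swind, send-q, rwind, recv-q, state.
        if len(fields) != 7 or fields[6] not in TCP_STATES:
            continue
        lhost, lport = split_endpoint(fields[0])
        rhost, rport = split_endpoint(fields[1])
        sockets.append({"lhost": lhost, "lport": lport,
                        "rhost": rhost, "rport": rport, "state": fields[6]})
    return sockets

def wildcard_listeners(sockets):
    """Ports that accept connections on every local address."""
    return sorted(int(s["lport"]) for s in sockets
                  if s["state"] == "LISTEN" and s["lhost"] == "*")

def state_counts(sockets):
    """Tally sockets per state, dropping the unused IDLE entry netstat may add."""
    counts = {}
    for s in sockets:
        if s["state"] != "IDLE":
            counts[s["state"]] = counts.get(s["state"], 0) + 1
    return counts
```

Listeners only appear when -a is given, and -n keeps the host part numeric so the split at the last dot is unambiguous.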

  SCTP Sockets
    The possible state values for SCTP sockets are as follows:

    CLOSED               Closed. The socket is not being used.

    LISTEN               Listening for incoming associations.

    ESTABLISHED          Association has been established.

    COOKIE_WAIT          INIT has been sent to the peer, awaiting
                         acknowledgment.

    COOKIE_ECHOED        State cookie from the INIT-ACK has been sent to
                         the peer, awaiting acknowledgement.

    SHUTDOWN_PENDING     SHUTDOWN has been received from the upper layer,
                         awaiting acknowledgement of all outstanding DATA
                         from the peer.

    SHUTDOWN_SENT        All outstanding data has been acknowledged in the
                         SHUTDOWN_SENT state. SHUTDOWN has been sent to the
                         peer, awaiting acknowledgement.

    SHUTDOWN_RECEIVED    SHUTDOWN has been received from the peer, awaiting
                         acknowledgement of all outstanding DATA.

    SHUTDOWN_ACK_SENT    All outstanding data has been acknowledged in the
                         SHUTDOWN_RECEIVED state. SHUTDOWN_ACK has been
                         sent to the peer.

  Network Data Structures (Second Through Fifth Forms)
    The form of the display depends upon which of the -g, -m, -p, or -s
    options you select.

    -g    Displays the list of multicast group membership.

    -m    Displays the memory usage, for example, STREAMS mblks.

    -p    Displays the net to media mapping table. For IPv4, the address
          resolution table is displayed. See arp(1M). For IPv6, the
          neighbor cache is displayed.

    -s    Displays the statistics for the various protocol layers.

    The statistics use the MIB specified variables. The defined values for
    ipForwarding are:

    forwarding(1)        Acting as a gateway.

    not-forwarding(2)    Not acting as a gateway.

    The IPv6 and ICMPv6 protocol layers maintain per-interface statistics.
    If the -a option is specified with the -s option, then the
    per-interface statistics as well as the total sums are displayed.
    Otherwise, just the sum of the statistics is shown.

    For the second, third, and fourth forms of the command, you must
    specify at least -g, -p, or -s. You can specify any combination of
    these options. You can also specify -m (the fifth form) with any set
    of the -g, -p, and -s options. If you specify more than one of these
    options, netstat displays the information for each one of them.

  Interface Status (Sixth Form)
    The interface status display lists information for all current
    interfaces, one interface per line. If an interface is specified using
    the -I option, it displays information for only the specified
    interface.

    The list consists of the interface name, mtu (maximum transmission
    unit, or maximum packet size) (see ifconfig(1M)), the network to which
    the interface is attached, addresses for each interface, and counters
    associated with the interface. The counters show the number of input
    packets, input errors, output packets, output errors, and collisions,
    respectively. For Point-to-Point interfaces, the Net/Dest field is the
    name or address on the other side of the link.

    If the -a option is specified with either the -i option or the -I
    option, then the output includes names of the physical interface(s),
    counts for input packets and output packets for each logical
    interface, plus additional information.

    If the -n option is specified, the list displays the IP address
    instead of the interface name.

    If an optional interval is specified, the output will be continually
    displayed in interval seconds until interrupted by the user or until
    count is reached. See OPERANDS.

    The physical interface is specified using the -I option. When used
    with the interval operand, output for the -I option has the following
    format:

        input    eri0           output          input   (Total)     output
    packets  errs  packets  errs  colls   packets  errs  packets  errs  colls
    227681   0     659471   1     502     261331   0     99597    1     502
    10       0     0        0     0       10       0     0        0     0
    8        0     0        0     0       8        0     0        0     0
    10       0     2        0     0       10       0     2        0     0

    If the input interface is not specified, the first interface of
    address family inet or inet6 will be displayed.

  Routing Table (Seventh Form)
    The routing table display lists the available routes and the status of
    each. Each route consists of a destination host or network, and a
    gateway to use in forwarding packets. The flags column shows the
    status of the route. These flags are as follows:

    U    Indicates route is up.

    G    Route is to a gateway.

    H    Route is to a host and not a network.

    M    Redundant route established with the -multirt option.

    S    Route was established using the -setsrc option.

    D    Route was created dynamically by a redirect.

    If the -a option is specified, there will be routing entries with the
    following flags:

    A    Combined routing and address resolution entries.

    B    Broadcast addresses.

    L    Local addresses for the host.

    Interface routes are created for each interface attached to the local
    host; the gateway field for such entries shows the address of the
    outgoing interface.

    The use column displays the number of packets sent using a combined
    routing and address resolution (A) or a broadcast (B) route. For a
    local (L) route, this count is the number of packets received, and for
    all other routes it is the number of times the routing entry has been
    used to create a new combined route and address resolution entry.

    The interface entry indicates the network interface utilized for the
    route.

  Multicast Routing Tables (Eighth Form)
    The multicast routing table consists of the virtual interface table
    and the actual routing table.

  DHCP Interface Information (Ninth Form)
    The DHCP interface information consists of the interface name, its
    current state, lease information, packet counts, and a list of flags.

    The states correlate with the specifications set forth in RFC 2131.

    Lease information includes:

    o   when the lease began;

    o   when lease renewal will begin; and

    o   when the lease will expire.

    The flags currently defined include:

    BOOTP      The interface has a lease obtained through BOOTP (IPv4
               only).

    BUSY       The interface is busy with a DHCP transaction.

    PRIMARY    The interface is the primary interface. See dhcpinfo(1) and
               ifconfig(1M).

    FAILED     The interface is in failure state and must be manually
               restarted.

    Packet counts are maintained for the number of packets sent, the
    number of packets received, and the number of lease offers declined by
    the DHCP client. All three counters are initialized to zero and then
    incremented while obtaining a lease. The counters are reset when the
    period of lease renewal begins for the interface. Thus, the counters
    represent either the number of packets sent, received, and declined
    while obtaining the current lease, or the number of packets sent,
    received, and declined while attempting to obtain a future lease.

FILES
    /etc/default/inet_type    DEFAULT_IP setting

ATTRIBUTES
    See attributes(5) for descriptions of the following attributes:

    ┌─────────────────────────────┬─────────────────────────────┐
    │ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
    ├─────────────────────────────┼─────────────────────────────┤
    │ Availability                │ SUNWcsu                     │
    └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
    arp(1M), dhcpinfo(1), dhcpagent(1M), ifconfig(1M), iostat(1M),
    kstat(1M), mibiisa(1M), savecore(1M), vmstat(1M), hosts(4),
    inet_type(4), networks(4), protocols(4), services(4), attributes(5),
    dhcp(5), kstat(7D), inet(7P), inet6(7P)

    Droms, R., RFC 2131, Dynamic Host Configuration Protocol, Network
    Working Group, March 1997.

    Droms, R., RFC 3315, Dynamic Host Configuration Protocol for IPv6
    (DHCPv6), Cisco Systems, July 2003.

NOTES
    When displaying interface information, netstat honors the DEFAULT_IP
    setting in /etc/default/inet_type. If it is set to IP_VERSION4, then
    netstat will omit information relating to IPv6 interfaces, statistics,
    connections, routes and the like.

    However, you can override the DEFAULT_IP setting in
    /etc/default/inet_type on the command-line. For example, if you have
    used the command-line to explicitly request IPv6 information by using
    the inet6 address family or one of the IPv6 protocols, it will
    override the DEFAULT_IP setting.

    If you need to examine network status information following a kernel
    crash, use the mdb(1) utility on the savecore(1M) output.

    The netstat utility obtains TCP statistics from the system by opening
    /dev/tcp and issuing queries. Because of this, netstat might display
    an extra, unused connection in IDLE state when reporting connection
    status.

    Previous versions of netstat had undocumented methods for reporting
    kernel statistics published using the kstat(7D) facility. This
    functionality has been removed. Use kstat(1M) instead.

    netstat restricts its output to information that is relevant to the
    zone in which netstat runs. (This is true for both shared-IP and
    exclusive-IP zones.)

SunOS 5.11                       16 Jun 2009                     netstat(1M)