1 NETSTAT(1M) Maintenance Commands NETSTAT(1M)
2
3
4
5 NAME
6 netstat - show network status
7
8 SYNOPSIS
9 netstat [-anvR] [-f address_family] [-P protocol]
10
11
12 netstat -g [-nv] [-f address_family]
13
14
15 netstat -p [-n] [-f address_family]
16
17
18 netstat -s [-f address_family] [-P protocol]
19 [-T u | d ] [interval [count]]
20
21
22 netstat -m [-T u | d ] [-v] [interval [count]]
23
24
25 netstat -i [-I interface] [-acn] [-f address_family]
26 [-T u | d ] [interval [count]]
27
28
29 netstat -r [-acnvR] [-f address_family | filter]
30
31
32 netstat -M [-cns] [-f address_family]
33
34
35 netstat -D [-I interface] [-f address_family]
36
37
38 DESCRIPTION
39 The netstat command displays the contents of certain network-related
40 data structures in various formats, depending on the options you
41 select.
42
43 The netstat command has the several forms shown in the SYNOPSIS
44 section, above, listed as follows:
45
46 o The first form of the command (with no required arguments)
47 displays a list of active sockets for each protocol.
48
49 o The second, third, and fourth forms (-g, -p, and -s options)
50 display information from various network data structures.
51
52 o The fifth form (-m option) displays STREAMS memory
53 statistics.
54
55 o The sixth form (-i option) shows the state of the
56 interfaces.
57
58 o The seventh form (-r option) displays the routing table.
59
60 o The eighth form (-M option) displays the multicast routing
61 table.
62
63 o The ninth form (-D option) displays the state of DHCP on one
64 or all interfaces.
65
66 These forms are described in greater detail below.
67
68 With no arguments (the first form), netstat displays connected sockets
69 for PF_INET, PF_INET6, and PF_UNIX, unless modified otherwise by the -f
70 option.
71
72 OPTIONS
73 -a
74
75 Show the state of all sockets, all routing table entries, or all
76 interfaces, both physical and logical. Normally, listener sockets
77 used by server processes are not shown. Under most conditions, only
78 interface, host, network, and default routes are shown and only the
79 status of physical interfaces is shown.
80
81
82 -c
83
84 Print IPv4 networks using CIDR (x.y.z.a/NN) notation with the -i,
85 -r, and -M options. IPv6 networks default to this, but due to
86 backward compatibility, IPv4 ones do not without this flag. A
87 noncontiguous IPv4 netmask will print "/NM" if this flag is
88 enabled.
89
90
91 -f address_family
92
93 Limit all displays to those of the specified address_family. The
94 value of address_family can be one of the following:
95
96 inet
97 For the AF_INET address family showing IPv4 information.
98
99
100 inet6
101 For the AF_INET6 address family showing IPv6 information.
102
103
104 unix
105 For the AF_UNIX address family.
106
107
108
109 -f filter
110
111 With -r only, limit the display of routes to those matching the
112 specified filter. A filter rule consists of a keyword:value pair.
113 The known keywords and the value syntax are:
114
115 af:{inet|inet6|unix|number}
116
117 Selects an address family. This is identical to -f
118 address_family and both syntaxes are supported.
119
120
121 outif:{name|ifIndex|any|none}
122
123 Selects an output interface. You can specify the interface by
124 name (such as hme0) or by ifIndex number (for example, 2). If
125 any is used, the filter matches all routes having a specified
126 interface (anything other than null). If none is used, the
127 filter matches all routes having a null interface. Note that
128 you can view the index number (ifIndex) for an interface with
129 the -a option of ifconfig(1M).
130
131
132 dst:{ip-address[/mask]|any|none}
133
134 Selects a destination IP address. If specified with a mask
135 length, then any routes with matching or longer (more specific)
136 masks are selected. If any is used, then all but addresses but
137 0 are selected. If none is used, then address 0 is selected.
138
139
140 flags:[+ -]?[ABDGHLMSU]+
141
142 Selects routes tagged with the specified flags. By default, the
143 flags as specified must be set in order to match. With a
144 leading +, the flags specified must be set but others are
145 ignored. With a leading -, the flags specified must not be set
146 and others are permitted.
147
148 You can specify multiple instances of -f to specify multiple
149 filters. For example:
150
151 % netstat -nr -f outif:hme0 -f outif:hme1 -f dst:10.0.0.0/8
152
153
154 The preceding command displays routes within network 10.0.0.0/8,
155 with mask length 8 or greater, and an output interface of either
156 hme0 or hme1, and excludes all other routes.
157
158
159 -g
160
161 Show the multicast group memberships for all interfaces. If the -v
162 option is included, source-specific membership information is also
163 displayed. See DISPLAYS, below.
164
165
166 -i
167
168 Show the state of the interfaces that are used for IP traffic.
169 Normally this shows statistics for the physical interfaces. When
170 combined with the -a option, this will also report information for
171 the logical interfaces. See ifconfig(1M).
172
173
174 -m
175
176 Show the STREAMS memory statistics.
177
178
179 -n
180
181 Show network addresses as numbers. netstat normally displays
182 addresses as symbols. This option may be used with any of the
183 display formats.
184
185
186 -p
187
188 Show the net to media tables. See DISPLAYS, below.
189
190
191 -r
192
193 Show the routing tables. Normally, only interface, host, network,
194 and default routes are shown, but when this option is combined with
195 the -a option, all routes will be displayed, including cache. If
196 you have not set up a multicast route, -ra might not show any
197 multicast routing entries, although the kernel will derive such an
198 entry if needed.
199
200
201 -s
202
203 Show per-protocol statistics. When used with the -M option, show
204 multicast routing statistics instead. When used with the -a option,
205 per-interface statistics will be displayed, when available, in
206 addition to statistics global to the system. See DISPLAYS, below.
207
208
209 -T u | d
210
211 Display a time stamp.
212
213 Specify u for a printed representation of the internal
214 representation of time. See time(2). Specify d for standard date
215 format. See date(1).
216
217
218 -v
219
220 Verbose. Show additional information for the sockets, STREAMS
221 memory statistics, routing table, and multicast group memberships.
222
223
224 -I interface
225
226 Show the state of a particular interface. interface can be any
227 valid interface such as hme0 or eri0. Normally, the status and
228 statistics for physical interfaces are displayed. When this option
229 is combined with the -a option, information for the logical
230 interfaces is also reported.
231
232
233 -M
234
235 Show the multicast routing tables. When used with the -s option,
236 show multicast routing statistics instead.
237
238
239 -P protocol
240
241 Limit display of statistics or state of all sockets to those
242 applicable to protocol. The protocol can be one of ip, ipv6, icmp,
243 icmpv6, icmp, icmpv6, igmp, udp, tcp, rawip. rawip can also be
244 specified as raw. The command accepts protocol options only as all
245 lowercase.
246
247
248 -D
249
250 Show the status of DHCP configured interfaces.
251
252
253 -R
254
255 This modifier displays extended security attributes for sockets and
256 routing table entries. The -R modifier is available only if the
257 system is configured with the Solaris Trusted Extensions feature.
258
259 With -r only, this option displays the routing entries' gateway
260 security attributes. See route(1M) for more information on security
261 attributes.
262
263 When displaying socket information using the first form of the
264 command, this option displays additional information for Multi-
265 Level Port(MLP) sockets. This includes:
266
267 o The label for the peer if the socket is connected.
268
269 o The following flags can be appended to the socket's
270 "State" output:
271
272
273 P
274 The socket is a MLP on zone-private IP addresses.
275
276
277 S
278 The socket is a MLP on IP addresses shared between
279 zones.
280
281 OPERANDS
282 interval
283 Display statistics accumulated since last display every
284 interval seconds, repeating forever, unless count is
285 specified. When invoked with interval, the first row of
286 netstat output shows statistics accumulated since last
287 reboot.
288
289 The following options support interval: -i, -m, -s and -Ms.
290 Some values are configuration parameters and are just
291 redisplayed at each interval.
292
293
294 count
295 Display interface statistics the number of times specified
296 by count, at the interval specified by interval.
297
298
299 DISPLAYS
300 Active Sockets (First Form)
301 The display for each active socket shows the local and remote address,
302 the send and receive queue sizes (in bytes), the send and receive
303 windows (in bytes), and the internal state of the protocol.
304
305 The symbolic format normally used to display socket addresses is
306 either:
307
308 hostname.port
309
310 when the name of the host is specified, or
311
312 network.port
313
314 if a socket address specifies a network but no specific host.
315
316 The numeric host address or network number associated with the socket
317 is used to look up the corresponding symbolic hostname or network name
318 in the hosts or networks database.
319
320 If the network or hostname for an address is not known, or if the -n
321 option is specified, the numerical network address is shown.
322 Unspecified, or "wildcard", addresses and ports appear as an asterisk
323 (*). For more information regarding the Internet naming conventions,
324 refer to inet(7P) and inet6(7P).
325
326 For SCTP sockets, because an endpoint can be represented by multiple
327 addresses, the verbose option (-v) displays the list of all the local
328 and remote addresses.
329
330 TCP Sockets
331 The possible state values for TCP sockets are as follows:
332
333 BOUND
334 Bound, ready to connect or listen.
335
336
337 CLOSED
338 Closed. The socket is not being used.
339
340
341 CLOSING
342 Closed, then remote shutdown; awaiting acknowledgment.
343
344
345 CLOSE_WAIT
346 Remote shutdown; waiting for the socket to close.
347
348
349 ESTABLISHED
350 Connection has been established.
351
352
353 FIN_WAIT_1
354 Socket closed; shutting down connection.
355
356
357 FIN_WAIT_2
358 Socket closed; waiting for shutdown from remote.
359
360
361 IDLE
362 Idle, opened but not bound.
363
364
365 LAST_ACK
366 Remote shutdown, then closed; awaiting acknowledgment.
367
368
369 LISTEN
370 Listening for incoming connections.
371
372
373 SYN_RECEIVED
374 Initial synchronization of the connection under way.
375
376
377 SYN_SENT
378 Actively trying to establish connection.
379
380
381 TIME_WAIT
382 Wait after close for remote shutdown retransmission.
383
384
385 SCTP Sockets
386 The possible state values for SCTP sockets are as follows:
387
388 CLOSED
389 Closed. The socket is not being used.
390
391
392 LISTEN
393 Listening for incoming associations.
394
395
396 ESTABLISHED
397 Association has been established.
398
399
400 COOKIE_WAIT
401 INIT has been sent to the peer, awaiting
402 acknowledgment.
403
404
405 COOKIE_ECHOED
406 State cookie from the INIT-ACK has been sent to
407 the peer, awaiting acknowledgement.
408
409
410 SHUTDOWN_PENDING
411 SHUTDOWN has been received from the upper layer,
412 awaiting acknowledgement of all outstanding DATA
413 from the peer.
414
415
416 SHUTDOWN_SENT
417 All outstanding data has been acknowledged in the
418 SHUTDOWN_SENT state. SHUTDOWN has been sent to
419 the peer, awaiting acknowledgement.
420
421
422 SHUTDOWN_RECEIVED
423 SHUTDOWN has been received from the peer, awaiting
424 acknowledgement of all outstanding DATA.
425
426
427 SHUTDOWN_ACK_SENT
428 All outstanding data has been acknowledged in the
429 SHUTDOWN_RECEIVED state. SHUTDOWN_ACK has been
430 sent to the peer.
431
432
433 Network Data Structures (Second Through Fifth Forms)
434 The form of the display depends upon which of the -g, -m, -p, or -s
435 options you select.
436
437 -g
438 Displays the list of multicast group membership.
439
440
441 -m
442 Displays the memory usage, for example, STREAMS mblks.
443
444
445 -p
446 Displays the net to media mapping table. For IPv4, the address
447 resolution table is displayed. See arp(1M). For IPv6, the
448 neighbor cache is displayed.
449
450
451 -s
452 Displays the statistics for the various protocol layers.
453
454
455
456 The statistics use the MIB specified variables. The defined values for
457 ipForwarding are:
458
459 forwarding (1)
460 Acting as a gateway.
461
462
463 not-forwarding (2)
464 Not acting as a gateway.
465
466
467
468 The IPv6 and ICMPv6 protocol layers maintain per-interface statistics.
469 If the -a option is specified with the -s option, then the per-
470 interface statistics as well as the total sums are displayed.
471 Otherwise, just the sum of the statistics are shown.
472
473 For the second, third, and fourth forms of the command, you must
474 specify at least -g, -p, or -s. You can specify any combination of
475 these options. You can also specify -m (the fifth form) with any set of
476 the -g, -p, and -s options. If you specify more than one of these
477 options, netstat displays the information for each one of them.
478
479 Interface Status (Sixth Form)
480 The interface status display lists information for all current
481 interfaces, one interface per line. If an interface is specified using
482 the -I option, it displays information for only the specified
483 interface.
484
485 The list consists of the interface name, mtu (maximum transmission
486 unit, or maximum packet size)(see ifconfig(1M)), the network to which
487 the interface is attached, addresses for each interface, and counter
488 associated with the interface. The counters show the number of input
489 packets, input errors, output packets, output errors, and collisions,
490 respectively. For Point-to-Point interfaces, the Net/Dest field is the
491 name or address on the other side of the link.
492
493 If the -a option is specified with either the -i option or the -I
494 option, then the output includes names of the physical interface(s),
495 counts for input packets and output packets for each logical interface,
496 plus additional information.
497
498 If the -n option is specified, the list displays the IP address instead
499 of the interface name.
500
501 If an optional interval is specified, the output will be continually
502 displayed in interval seconds until interrupted by the user or until
503 count is reached. See OPERANDS.
504
505 The physical interface is specified using the -I option. When used with
506 the interval operand, output for the -I option has the following
507 format:
508
509 input eri0 output input (Total) output
510 packets errs packets errs colls packets errs packets errs colls
511 227681 0 659471 1 502 261331 0 99597 1 502
512 10 0 0 0 0 10 0 0 0 0
513 8 0 0 0 0 8 0 0 0 0
514 10 0 2 0 0 10 0 2 0 0
515
516
517 If the input interface is not specified, the first interface of address
518 family inet or inet6 will be displayed.
519
520 Routing Table (Seventh Form)
521 The routing table display lists the available routes and the status of
522 each. Each route consists of a destination host or network, and a
523 gateway to use in forwarding packets. The flags column shows the status
524 of the route. These flags are as follows:
525
526 U
527 Indicates route is up.
528
529
530 G
531 Route is to a gateway.
532
533
534 H
535 Route is to a host and not a network.
536
537
538 M
539 Redundant route established with the -multirt option.
540
541
542 S
543 Route was established using the -setsrc option.
544
545
546 D
547 Route was created dynamically by a redirect.
548
549
550
551 If the -a option is specified, there will be routing entries with the
552 following flags:
553
554 A
555 Combined routing and address resolution entries.
556
557
558 B
559 Broadcast addresses.
560
561
562 L
563 Local addresses for the host.
564
565
566 Interface routes are created for each interface attached to the local
567 host; the gateway field for such entries shows the address of the
568 outgoing interface.
569
570 The use column displays the number of packets sent using a combined
571 routing and address resolution (A) or a broadcast (B) route. For a
572 local (L) route, this count is the number of packets received, and for
573 all other routes it is the number of times the routing entry has been
574 used to create a new combined route and address resolution entry.
575
576 The interface entry indicates the network interface utilized for the
577 route.
578
579 Multicast Routing Tables (Eighth Form)
580 The multicast routing table consists of the virtual interface table and
581 the actual routing table.
582
583 DHCP Interface Information (Ninth Form)
584 The DHCP interface information consists of the interface name, its
585 current state, lease information, packet counts, and a list of flags.
586
587 The states correlate with the specifications set forth in RFC 2131.
588
589 Lease information includes:
590
591 o when the lease began;
592
593 o when lease renewal will begin; and
594
595 o when the lease will expire.
596
597
598 The flags currently defined include:
599
600 BOOTP
601 The interface has a lease obtained through BOOTP (IPv4
602 only).
603
604
605 BUSY
606 The interface is busy with a DHCP transaction.
607
608
609 PRIMARY
610 The interface is the primary interface. See dhcpinfo(1) and
611 ifconfig(1M).
612
613
614 FAILED
615 The interface is in failure state and must be manually
616 restarted.
617
618
619 Packet counts are maintained for the number of packets sent, the number
620 of packets received, and the number of lease offers declined by the
621 DHCP client. All three counters are initialized to zero and then
622 incremented while obtaining a lease. The counters are reset when the
623 period of lease renewal begins for the interface. Thus, the counters
624 represent either the number of packets sent, received, and declined
625 while obtaining the current lease, or the number of packets sent,
626 received, and declined while attempting to obtain a future lease.
627
628 FILES
629 /etc/default/inet_type
630 DEFAULT_IP setting
631
632
633 SEE ALSO
634 arp(1M), dhcpinfo(1), dhcpagent(1M), ifconfig(1M), iostat(1M),
635 kstat(1M), mibiisa(1M), ndp(1M), savecore(1M), vmstat(1M), hosts(4),
636 inet_type(4), networks(4), protocols(4), services(4), attributes(5),
637 dhcp(5), kstat(7D), inet(7P), inet6(7P)
638
639
640 Droms, R., RFC 2131, Dynamic Host Configuration Protocol, Network
641 Working Group, March 1997.
642
643
644 Droms, R. RFC 3315, Dynamic Host Configuration Protocol for IPv6
645 (DHCPv6). Cisco Systems. July 2003.
646
647 NOTES
648 When displaying interface information, netstat honors the DEFAULT_IP
649 setting in /etc/default/inet_type. If it is set to IP_VERSION4, then
650 netstat will omit information relating to IPv6 interfaces, statistics,
651 connections, routes and the like.
652
653 However, you can override the DEFAULT_IP setting in
654 /etc/default/inet_type on the command-line. For example, if you have
655 used the command-line to explicitly request IPv6 information by using
656 the inet6 address family or one of the IPv6 protocols, it will override
657 the DEFAULT_IP setting.
658
659 If you need to examine network status information following a kernel
660 crash, use the mdb(1) utility on the savecore(1M) output.
661
662 The netstat utility obtains TCP statistics from the system by opening
663 /dev/tcp and issuing queries. Because of this, netstat might display an
664 extra, unused connection in IDLE state when reporting connection
665 status.
666
667 Previous versions of netstat had undocumented methods for reporting
668 kernel statistics published using the kstat(7D) facility. This
669 functionality has been removed. Use kstat(1M) instead.
670
671 netstat restricts its output to information that is relevant to the
672 zone in which netstat runs. (This is true for both shared-IP and
673 exclusive-IP zones.)
674
675
676
677 September 2, 2015 NETSTAT(1M)