1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
|
.\" Copyright (c) 1983, 1990, 1992, 1993
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)netstat.1 8.8 (Berkeley) 4/18/94
.\" $FreeBSD$
.\"
.Dd February 22, 2010
.Dt NETSTAT 1
.Os
.Sh NAME
.Nm netstat
.Nd show network status
.Sh DESCRIPTION
The
.Nm
command symbolically displays the contents of various network-related
data structures.
There are a number of output formats,
depending on the options for the information presented.
.Bl -tag -width indent
.It Xo
.Bk -words
.Nm
.Op Fl AaLnSTWx
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Display a list of active sockets
(protocol control blocks)
for each network protocol,
for a particular
.Ar protocol_family ,
or for a single
.Ar protocol .
If
.Fl A
is also present,
show the address of a protocol control block (PCB)
associated with a socket; used for debugging.
If
.Fl a
is also present,
show the state of all sockets;
normally sockets used by server processes are not shown.
If
.Fl L
is also present,
show the size of the various listen queues.
The first count shows the number of unaccepted connections,
the second count shows the amount of unaccepted incomplete connections,
and the third count is the maximum number of queued connections.
If
.Fl S
is also present,
show network addresses as numbers (as with
.Fl n )
but show ports symbolically.
If
.Fl x
is present, display socket buffer and tcp timer statistics for each internet socket.
When
.Fl T
is present, display information from the TCP control block, including
retransmits, out-of-order packets received, and zero-sized windows advertised.
.It Xo
.Bk -words
.Nm
.Fl i | I Ar interface
.Op Fl abdhnW
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Show the state of all network interfaces or a single
.Ar interface
which have been auto-configured
(interfaces statically configured into a system, but not
located at boot time are not shown).
An asterisk
.Pq Dq Li *
after an interface name indicates that the interface is
.Dq down .
If
.Fl a
is also present, multicast addresses currently in use are shown
for each Ethernet interface and for each IP interface address.
Multicast addresses are shown on separate lines following the interface
address with which they are associated.
If
.Fl b
is also present, show the number of bytes in and out.
If
.Fl d
is also present, show the number of dropped packets.
If
.Fl h
is also present, print all counters in human readable form.
If
.Fl W
is also present, print interface names using a wider field size.
.It Xo
.Bk -words
.Nm
.Fl w Ar wait
.Op Fl I Ar interface
.Op Fl d
.Op Fl M Ar core
.Op Fl N Ar system
.Op Fl q Ar howmany
.Ek
.Xc
At intervals of
.Ar wait
seconds,
display the information regarding packet
traffic on all configured network interfaces
or a single
.Ar interface .
If
.Fl q
is also present, exit after
.Ar howmany
outputs.
If
.Fl d
is also present, show the number of dropped packets.
.It Xo
.Bk -words
.Nm
.Fl s Op Fl s
.Op Fl z
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Display system-wide statistics for each network protocol,
for a particular
.Ar protocol_family ,
or for a single
.Ar protocol .
If
.Fl s
is repeated, counters with a value of zero are suppressed.
If
.Fl z
is also present, reset statistic counters after displaying them.
.It Xo
.Bk -words
.Nm
.Fl i | I Ar interface Fl s
.Op Fl f Ar protocol_family | Fl p Ar protocol
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Display per-interface statistics for each network protocol,
for a particular
.Ar protocol_family ,
or for a single
.Ar protocol .
.It Xo
.Bk -words
.Nm
.Fl m
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Show statistics recorded by the memory management routines
.Pq Xr mbuf 9 .
The network manages a private pool of memory buffers.
.It Xo
.Bk -words
.Nm
.Fl B
.Op Fl z
.Op Fl I Ar interface
.Ek
.Xc
Show statistics about
.Xr bpf 4
peers.
This includes information like
how many packets have been matched, dropped and received by the
bpf device, also information about current buffer sizes and device
states.
.It Xo
.Bk -words
.Nm
.Fl r
.Op Fl AanW
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Display the contents of all routing tables,
or a routing table for a particular
.Ar address_family .
If
.Fl A
is also present,
show the contents of the internal Patricia tree
structures; used for debugging.
If
.Fl a
is also present,
show protocol-cloned routes
(routes generated by an
.Dv RTF_PRCLONING
parent route);
normally these routes are not shown.
When
.Fl W
is also present,
show the path MTU
for each route,
and print interface
names with a wider
field size.
.It Xo
.Bk -words
.Nm
.Fl rs
.Op Fl s
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Display routing statistics.
If
.Fl s
is repeated, counters with a value of zero are suppressed.
.It Xo
.Bk -words
.Nm
.Fl g
.Op Fl W
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Display the contents of the multicast virtual interface tables,
and multicast forwarding caches.
Entries in these tables will appear only when the kernel is
actively forwarding multicast sessions.
This option is applicable only to the
.Cm inet
and
.Cm inet6
address families.
.It Xo
.Bk -words
.Nm
.Fl gs
.Op Fl s
.Op Fl f Ar address_family
.Op Fl M Ar core
.Op Fl N Ar system
.Ek
.Xc
Show multicast routing statistics.
If
.Fl s
is repeated, counters with a value of zero are suppressed.
.It Xo
.Bk -words
.Nm
.Fl Q
.Ek
.Xc
Show
.Xr netisr 9
statistics.
.El
.Pp
Some options have the general meaning:
.Bl -tag -width flag
.It Fl f Ar address_family , Fl p Ar protocol
Limit display to those records
of the specified
.Ar address_family
or a single
.Ar protocol .
The following address families and protocols are recognized:
.Pp
.Bl -tag -width ".Cm netgraph , ng Pq Dv AF_NETGRAPH" -compact
.It Em Family
.Em Protocols
.It Cm inet Pq Dv AF_INET
.Cm divert , icmp , igmp , ip , ipsec , pim, sctp , tcp , udp
.It Cm inet6 Pq Dv AF_INET6
.Cm icmp6 , ip6 , ipsec6 , rip6 , tcp , udp
.It Cm pfkey Pq Dv PF_KEY
.Cm pfkey
.It Cm atalk Pq Dv AF_APPLETALK
.Cm ddp
.It Cm netgraph , ng Pq Dv AF_NETGRAPH
.Cm ctrl , data
.It Cm ipx Pq Dv AF_IPX
.Cm ipx , spx
.\".It Cm ns Pq Dv AF_NS
.\".Cm idp , ns_err , spp
.\".It Cm iso Pq Dv AF_ISO
.\".Cm clnp , cltp , esis , tp
.It Cm unix Pq Dv AF_UNIX
.It Cm link Pq Dv AF_LINK
.El
.Pp
The program will complain if
.Ar protocol
is unknown or if there is no statistics routine for it.
.It Fl M
Extract values associated with the name list from the specified core
instead of the default
.Pa /dev/kmem .
.It Fl N
Extract the name list from the specified system instead of the default,
which is the kernel image the system has booted from.
.It Fl n
Show network addresses and ports as numbers.
Normally
.Nm
attempts to resolve addresses and ports,
and display them symbolically.
.It Fl W
In certain displays, avoid truncating addresses even if this causes
some fields to overflow.
.El
.Pp
The default display, for active sockets, shows the local
and remote addresses, send and receive queue sizes (in bytes), protocol,
and the internal state of the protocol.
Address formats are of the form
.Dq host.port
or
.Dq network.port
if a socket's address specifies a network but no specific host address.
When known, the host and network addresses are displayed symbolically
according to the databases
.Xr hosts 5
and
.Xr networks 5 ,
respectively.
If a symbolic name for an address is unknown, or if
the
.Fl n
option is specified, the address is printed numerically, according
to the address family.
For more information regarding
the Internet IPv4
.Dq dot format ,
refer to
.Xr inet 3 .
Unspecified,
or
.Dq wildcard ,
addresses and ports appear as
.Dq Li * .
.Pp
The interface display provides a table of cumulative
statistics regarding packets transferred, errors, and collisions.
The network addresses of the interface
and the maximum transmission unit
.Pq Dq mtu
are also displayed.
.Pp
The routing table display indicates the available routes and their status.
Each route consists of a destination host or network, and a gateway to use
in forwarding packets.
The flags field shows a collection of information about the route stored
as binary choices.
The individual flags are discussed in more detail in the
.Xr route 8
and
.Xr route 4
manual pages.
The mapping between letters and flags is:
.Bl -column ".Li W" ".Dv RTF_WASCLONED"
.It Li 1 Ta Dv RTF_PROTO1 Ta "Protocol specific routing flag #1"
.It Li 2 Ta Dv RTF_PROTO2 Ta "Protocol specific routing flag #2"
.It Li 3 Ta Dv RTF_PROTO3 Ta "Protocol specific routing flag #3"
.It Li B Ta Dv RTF_BLACKHOLE Ta "Just discard pkts (during updates)"
.It Li b Ta Dv RTF_BROADCAST Ta "The route represents a broadcast address"
.It Li C Ta Dv RTF_CLONING Ta "Generate new routes on use"
.It Li c Ta Dv RTF_PRCLONING Ta "Protocol-specified generate new routes on use"
.It Li D Ta Dv RTF_DYNAMIC Ta "Created dynamically (by redirect)"
.It Li G Ta Dv RTF_GATEWAY Ta "Destination requires forwarding by intermediary"
.It Li H Ta Dv RTF_HOST Ta "Host entry (net otherwise)"
.It Li L Ta Dv RTF_LLINFO Ta "Valid protocol to link address translation"
.It Li M Ta Dv RTF_MODIFIED Ta "Modified dynamically (by redirect)"
.It Li R Ta Dv RTF_REJECT Ta "Host or net unreachable"
.It Li S Ta Dv RTF_STATIC Ta "Manually added"
.It Li U Ta Dv RTF_UP Ta "Route usable"
.It Li W Ta Dv RTF_WASCLONED Ta "Route was generated as a result of cloning"
.It Li X Ta Dv RTF_XRESOLVE Ta "External daemon translates proto to link address"
.El
.Pp
Direct routes are created for each
interface attached to the local host;
the gateway field for such entries shows the address of the outgoing interface.
The refcnt field gives the
current number of active uses of the route.
Connection oriented
protocols normally hold on to a single route for the duration of
a connection while connectionless protocols obtain a route while sending
to the same destination.
The use field provides a count of the number of packets
sent using that route.
The interface entry indicates the network interface utilized for the route.
.Pp
When
.Nm
is invoked with the
.Fl w
option and a
.Ar wait
interval argument, it displays a running count of statistics related to
network interfaces.
An obsolescent version of this option used a numeric parameter
with no option, and is currently supported for backward compatibility.
By default, this display summarizes information for all interfaces.
Information for a specific interface may be displayed with the
.Fl I
option.
.Pp
The
.Xr bpf 4
flags displayed when
.Nm
is invoked with the
.Fl B
option represent the underlying parameters of the bpf peer.
Each flag is
represented as a single lower case letter.
The mapping between the letters and flags in order of appearance are:
.Bl -column ".Li i"
.It Li p Ta Set if listening promiscuously
.It Li i Ta Dv BIOCIMMEDIATE No has been set on the device
.It Li f Ta Dv BIOCGHDRCMPLT No status: source link addresses are being
filled automatically
.It Li s Ta Dv BIOCGSEESENT No status: see packets originating locally and
remotely on the interface.
.It Li a Ta Packet reception generates a signal
.It Li l Ta Dv BIOCLOCK No status: descriptor has been locked
.El
.Pp
For more information about these flags, please refer to
.Xr bpf 4 .
.Pp
The
.Fl x
flag causes
.Nm
to output all the information recorded about data
stored in the socket buffers.
The fields are:
.Bl -column ".Li R-MBUF"
.It Li R-MBUF Ta Number of mbufs in the receive queue.
.It Li S-MBUF Ta Number of mbufs in the send queue.
.It Li R-CLUS Ta Number of clusters, of any type, in the receive
queue.
.It Li S-CLUS Ta Number of clusters, of any type, in the send queue.
.It Li R-HIWA Ta Receive buffer high water mark, in bytes.
.It Li S-HIWA Ta Send buffer high water mark, in bytes.
.It Li R-LOWA Ta Receive buffer low water mark, in bytes.
.It Li S-LOWA Ta Send buffer low water mark, in bytes.
.It Li R-BCNT Ta Receive buffer byte count.
.It Li S-BCNT Ta Send buffer byte count.
.It Li R-BMAX Ta Maximum bytes that can be used in the receive buffer.
.It Li S-BMAX Ta Maximum bytes that can be used in the send buffer.
.El
.Sh SEE ALSO
.Xr fstat 1 ,
.Xr nfsstat 1 ,
.Xr procstat 1 ,
.Xr ps 1 ,
.Xr sockstat 1 ,
.Xr bpf 4 ,
.Xr inet 4 ,
.Xr route 4 ,
.Xr unix 4 ,
.Xr hosts 5 ,
.Xr networks 5 ,
.Xr protocols 5 ,
.Xr services 5 ,
.Xr iostat 8 ,
.Xr route 8 ,
.Xr trpt 8 ,
.Xr vmstat 8 ,
.Xr mbuf 9
.Sh HISTORY
The
.Nm
command appeared in
.Bx 4.2 .
.Pp
IPv6 support was added by WIDE/KAME project.
.Sh BUGS
The notion of errors is ill-defined.
|