

Monitoring a TCP/IP Network with netstat

The netstat program is an invaluable tool in monitoring your TCP/IP network. It can display the kernel routing table, the status of active network connections, and useful statistics about each network interface. Table 24.6 describes the common command-line arguments for netstat; a few additional arguments are targeted for advanced users. Refer to the man page for more information.

Table 24.6 Common Command-Line Arguments for the netstat Program

Argument  Description

-a        Shows information about all Internet connections, including those that are just listening.
-i        Shows statistics for all network devices.
-c        Shows continually updating network status. This makes netstat output a network status listing once per second until it’s interrupted.
-n        Shows remote and local addresses and port information in numeric/raw form rather than resolving host names and service names.
-o        Shows the timer state expiration time and backoff state of each network connection.
-r        Shows the kernel routing table.
-t        Shows only TCP socket information, including those that are just listening.
-u        Shows only UDP socket information.
-v        Shows the version information for netstat.
-w        Shows raw socket information.
-x        Shows UNIX domain socket information.

Displaying Active Network Connections

Running netstat with no command-line arguments generates a listing of the active network connections on your machine. The following demonstrates the default output from netstat:


$ netstat
Active Internet connections
Proto Recv-Q Send-Q Local Address           Foreign Address        (State)
tcp        0      0 linux1.burwell.com:1266 server.burwell.:telnet ESTABLISHED
Active UNIX domain sockets
Proto RefCnt Flags      Type           State       Path
unix  1      [ ACC ]    SOCK_STREAM    LISTENING   /dev/printer
unix  2      [ ]        SOCK_STREAM    CONNECTED   /dev/log
unix  2      [ ]        SOCK_STREAM    CONNECTED
unix  1      [ ACC ]    SOCK_STREAM    LISTENING   /dev/log

The first section shows an active TCP protocol connection from port 1266 on linux1.burwell.com to the telnet port on server.burwell.com by user burt. Table 24.7 describes the fields in the Active Internet Connections listing.

Table 24.7 Active Internet Connection Fields

Field            Description

Proto            The protocol used by this connection: TCP or UDP.
Recv-Q           The number of bytes received on this socket but not yet copied by the user program.
Send-Q           The number of bytes sent to the remote host that haven’t been acknowledged.
Local Address    Local host name and port number assigned to this connection. The socket IP address is resolved to the canonical host name for that address, and the port number is translated into the service name unless the -n flag is used.
Foreign Address  The foreign host name and port number assigned to this connection. The -n flag affects this field as it does the Local Address field.
State            The current state of the socket. It can be in one of the following states:
    ESTABLISHED  The connection is fully established.
    SYN_SENT     The socket is now trying to make a connection to a remote host.
    SYN_RECV     The connection is being initialized.
    FIN_WAIT1    The socket has been closed and is waiting for the connection to shut down.
    FIN_WAIT2    The connection has been closed. The socket is waiting for a shutdown from the remote host.
    TIME_WAIT    The socket is closed and is waiting for a remote host shutdown retransmission.
    CLOSED       The socket isn’t in use.
    CLOSE_WAIT   The remote host has shut down its connection. The local host is waiting for the socket to close.
    LAST_ACK     The remote connection is shut down and the socket is closed. The local host is waiting for an acknowledgment.
    LISTEN       The socket is listening for the incoming connection attempt.
    UNKNOWN      The state of the socket isn’t known.
User             The login ID of the user who owns the socket.
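
The fields in Table 24.7 lend themselves to a quick audit of a host. The following is an added example, not part of the original text: three small shell filters that read TCP rows in the numeric form produced by the -t, -a, and -n arguments and report the state mix, listeners bound to every interface, and connections with data waiting in Recv-Q or Send-Q. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -tan` output (assumption: numeric TCP rows
# with six columns). Addresses are documentation ranges, not a real host.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:1266         192.0.2.20:23           ESTABLISHED
tcp        0   4380 192.0.2.10:22           198.51.100.7:50514      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.9:41022      TIME_WAIT
tcp      312      0 192.0.2.10:80           203.0.113.5:33110       CLOSE_WAIT
EOF
}

# Count TCP sockets per value of the State column, sorted by state name.
state_summary() {
    awk '$1 ~ /^tcp/ && NF >= 6 { n[$6]++ }
         END { for (s in n) print s, n[s] }' | LC_ALL=C sort
}

# Print local addresses of LISTEN sockets bound to every interface
# (0.0.0.0 or ::), which accept connections from any network the host is on.
exposed_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|::):/ { print $4 }'
}

# Print connections with bytes waiting in Recv-Q (not yet read by the
# program) or Send-Q (not yet acknowledged by the remote host).
# LISTEN rows are skipped: those definitions describe connected sockets.
queued_sockets() {
    awk '$1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" && ($2 > 0 || $3 > 0) {
             print $4, $5, "recvq=" $2, "sendq=" $3 }'
}

# Demonstration on the constructed sample; on a live system, replace
# sample_netstat with: netstat -tan
sample_netstat | state_summary
sample_netstat | exposed_listeners
sample_netstat | queued_sockets
```

A growing Recv-Q on a CLOSE_WAIT socket, as in the last sample row, means the remote host has shut down its side while the local program has neither read the remaining data nor closed the socket.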

