netstat Command

Edit online

Purpose

Shows network status.

Syntax

To Display Active Sockets for Each Protocol or Routing Table Information

/bin/netstat -n ] [{-A  -a } |  {  -r  -C  -i  -I  Interface } ] [  -f  AddressFamily] [ [  -p  Protocol ] |  [ -@  WparName ] ]  [ Interval ]

To Display the Contents of a Network Data Structure

/bin/netstat -m -M | -s -ss -u -v ] [  -f AddressFamily ] [ [  -p  Protocol ] |  [ -@  WparName] ] [ Interval]

To Display the Virtual Interface Table and Multicast Forwarding Cache

/bin/netstat -g

To Display the Packet Counts Throughout the Communications Subsystem

/bin/netstat -D

To Display the Network Buffer Cache Statistics

/bin/netstat -c

To Display the Data Link Provider Interface Statistics

/bin/netstat -P

To Clear the Associated Statistics

/bin/netstat [ -Zc | -Zi | -Zm | -Zs ]

Description

The netstat command symbolically displays the contents of various network-related data structures for active connections. The Interval parameter, which is specified in seconds, continuously displays information regarding packet traffic on the configured network interfaces. The Interval parameter takes no flags.

Flags

Item Description
-A Shows the address of any protocol control blocks associated with the sockets. This flag acts with the default display and is used for debugging purposes.
-a Shows the state of all sockets. If this flag is not specified, sockets that are used by server processes that are not bound to an interface are not shown.
-c Shows the statistics of the Network Buffer Cache.

The Network Buffer Cache is a list of network buffers that contain data objects that can be transmitted to networks. The Network Buffer Cache grows dynamically as data objects are added to or removed from it. The Network Buffer Cache is used by some network kernel interfaces for performance enhancement on the network I/O. The netstat -c command prints the following statistic:

Network Buffer Cache Statistics:
Current total cache buffer size: 0
Maximum total cache buffer size: 0
Current total cache data size: 0
Maximum total cache data size: 0
Current number of cache: 0
Maximum number of cache: 0
Number of cache with data: 0
Number of searches in cache: 0
Number of cache hit: 0
Number of cache miss: 0
Number of cache newly added: 0
Number of cache updated: 0
Number of cache removed: 0
Number of successful cache accesses: 0
Number of unsuccessful cache accesses: 0
Number of cache validation: 0
Current total cache data size in private segments: 0
Maximum total cache data size in private segments: 0
Current total number of private segments: 0
Maximum total number of private segments: 0
Current number of free private segments: 0
Current total NBC_NAMED_FILE entries: 0
Maximum total NBC_NAMED_FILE entries: 0
-C Shows the routing tables, including the user-configured and current costs of each route. The user-configured cost is set by using the -hopcount flag of the route command. The current cost can be different than the user-configured cost if Dead Gateway Detection has changed the cost of the route.
In addition to the costs of the route, it also shows the weight and policy information associated with each route. These fields are applicable only when the Multipath Routing Feature is used. The policy information displays the routing policy that has been currently selected to choose between the multiple routes available. The policies available are:
  • Default - Weighted Round Robin (WRR)
  • Hashed (HSH)
  • Random (RND)
  • Weighted Random (WRND)
  • Lowest Utilization (LUT)

If multiple routes are present for the same destination (multipath routes), one of these routes display the policy value of WRR, HSH, RND, WRND, or LUT. All the other routes in this set display the policy information as -"-. This means that all the routes in this set are using the same routing policy displayed by the first route.

The weight field is a user-configured weight associated with the route that will be used for Weighted Round-Robin and Weighted Random Policies. For more information about these policies, see the no command.
-D Shows the number of packets received, transmitted, and dropped in the communications subsystem.
Note: In the statistics output, a N/A displayed in a field value indicates the count is not applicable. For the NFS/RPC statistics, the number of incoming packets that pass through RPC are the same packets that pass through NFS, so these numbers are not summed in the NFS/RPC Total field, thus the N/A. NFS has no outgoing packet or outgoing packet drop counters specific to NFS and RPC. Therefore, individual counts have a field value of N/A, and the cumulative count is stored in the NFS/RPC Total field.
-f AddressFamily Limits reports of statistics or address control blocks to those items specified by the AddressFamily variable. The following address families are recognized:
inet
Indicates the AF_INET address family.
inet6
Indicates the AF_INET6 address family.
unix
Indicates the AF_UNIX address family.
-g Shows Virtual Interface Table and Multicast Forwarding Cache information. If used in conjunction with the -s flag, it will show the multicast routing information.
-i Shows the state of all configured interfaces. See Interface Display
Note: The collision count for Ethernet interfaces is not supported.
-I Interface Shows the state of the configured interface specified by the Interface variable.
-M Shows network memory's mbuf cluster pool statistics.
-m Shows statistics recorded by the memory management routines.
-n Shows network addresses as numbers. When this flag is not specified, the netstat command interprets addresses where possible and displays them symbolically. This flag can be used with any of the display formats.
-o Used in conjunction with the -a flag to display detailed data about a socket, such as socket options, flags, and buffer statistics.
-p Protocol Shows statistics about the value specified for the Protocol variable, which is either a well-known name for a protocol or an alias for it. Some protocol names and aliases are listed in the /etc/networks file.
-P Shows the statistics of the Data Link Provider Interface (DLPI). The netstat -P command prints the following statistic: 
DLPI statistics:
Number of received packets = 0
Number of transmitted packets = 0
Number of received bytes = 0
Number of transmitted bytes = 0
Number of incoming pkts discard = 0
Number of outgoing pkts discard = 0
Number of times no buffers = 0
Number of successful binds = 0
Number of unknown message types = 0
Status of phys level promisc = 0
Status of sap level promisc = 0
Status of multi level promisc = 0
Number of enab_multi addresses = 0

If DLPI is not loaded, it displays:

can't find symbol: dl_stats
-r Shows the routing tables. When used with the -s flag, the-r flag shows routing statistics. See Routing Table Display.
-s Shows statistics for each protocol.
-ss Displays all the non-zero protocol statistics and provides a concise display.
-u Displays information about domain sockets.
-v Shows statistics for CDLI-based communications adapters. This flag causes the netstat command to run the statistics commands for the netstat, tokstat, and fddistat commands. No flags are issued to these device driver commands. See the specific device driver statistics command to obtain descriptions of the statistical output.
-Zc Clear network buffer cache statistics.
-Zi Clear interface statistics.
-Zm Clear network memory allocator statistics.
-Zs Clear protocol statistics. To clear statistics for a specific protocol, use -p <protocol>. For example, to clear TCP statistics, type netstat -Zs -p tcp.
-@ WparName Displays the network statistics associated with workload partition (WparName). If no WparName is specified, then show the network statistics for all workload partitions.
Notes:
  1. The -C, -D, -c, -g, -m, -M, -P, -r , -v, and -Z flags are not supported in the global environment when used in conjunction with the -@ WparName option.
  2. The -C, -D, -c, -g, -m, -M, -P, -r , -v, and -Z flags are not supported in system workload partitions.

Default Display

The default display for active sockets shows the following items:
  • Local and remote addresses
  • Send and receive queue sizes (in bytes)
  • Protocol
  • Internal state of the protocol

Internet address formats are of the form host.port or network.port if a socket's address specifies a network but no specific host address. The host address is displayed symbolically if the address can be resolved to a symbolic host name, while network addresses are displayed symbolically according to the /etc/networks file.

If a symbolic name for a host is not known or if the -n flag is used, the address is printed numerically, according to the address family. Unspecified addresses and ports appear as an * (asterisk).

Interface Display (netstat -i)

The interface display format provides a table of cumulative statistics for the following items:

  • Errors
  • Collisions
    Note: The collision count for Ethernet interfaces is not supported.
  • Packets transferred

The interface display also provides the interface name, number, and address as well as the maximum transmission units (MTUs).

Routing Table Display (netstat -r)

The routing table display indicates the available routes and their statuses. Each route consists of a destination host or network and a gateway to use in forwarding packets.

A route is given in the format A.B.C.D/XX, which presents two pieces of information. A.B.C.D indicates the destination address and XX indicates the netmask associated with the route. The netmask is represented by the number of bits set. For example, the route 9.3.252.192/26 has a netmask of 255.255.255.192, which has 26 bits set.

The routing table contains the following fields:

Item Description
WPAR Displays the name of the workload partition to which this route belongs. This field is only present when the -@ flag is used with the -r flag. For routes belonging to the global system, Global is displayed in this column.
Flags The flags field of the routing table shows the state of the route:
A
An Active Dead Gateway Detection is enabled on the route.
U
Up.
H
The route is to a host rather than to a network.
G
The route is to a gateway.
D
The route was created dynamically by a redirect.
M
The route has been modified by a redirect.
L
The link-level address is present in the route entry.
c
Access to this route creates a cloned route.
W
The route is a cloned route.
1
Protocol specific routing flag #1.
2
Protocol specific routing flag #2.
3
Protocol specific routing flag #3.
b
The route represents a broadcast address.
e
Has a binding cache entry.
l
The route represents a local address.
m
The route represents a multicast address.
P
Pinned route.
R
Host or net unreachable.
S
Manually added.
u
Route usable.
s
The Group Routing stopsearch option is enabled on the route.

Direct routes are created for each interface attached to the local host.
Gateway The gateway field for these entries shows the address of the outgoing interface.
Refs Gives the current number of active uses for the route. Connection-oriented protocols hold on to a single route for the duration of a connection, while connectionless protocols obtain a route while sending to the same destination.
Use Provides a count of the number of packets sent using that route.
PMTU Gives the Path Maximum Transfer Unit (PMTU). AIX® 5.3 does not display the PMTU column.
Interface Indicates the network interfaces utilized for the route.
Exp Displays the time (in minutes) remaining before the route expires.
Groups Provides a list of group IDs associated with that route.
Netmasks Lists the netmasks applied on the system.
Route Tree for Protocol Family Specifies the active address families for existing routes. Supported values for this field are:
1
Specifies the UNIX address family.
2
Specifies the Internet address family (for example, TCP and UDP).

For more information on other address families, refer to the /usr/include/sys/socket.h file.

When the -@ flag is used with the netstat -r command and no WparName parameter is specified, all of the routes in the system’s route table are displayed. If the WparName parameter is specified and the WPAR-specific routing is enabled for that WPAR, only the routes associated with that WPAR are displayed. If the WparName parameter is specified and the WPAR specific routing is disabled for that WPAR, the routes associated with the global system are displayed.

When a value is specified for the Interval parameter, the netstat command displays a running count of statistics related to network interfaces. This display contains two columns: a column for the primary interface (the first interface found during autoconfiguration) and a column summarizing information for all interfaces.

The primary interface may be replaced with another interface by using the -I flag. The first line of each screen of information contains a summary of statistics accumulated since the system was last restarted. The subsequent lines of output show values accumulated over intervals of the specified length.

Security

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To display routing table information for an Internet interface, enter the following command: 
    netstat -r -f inet

    This produces the following output:

    Routing tables
Destination   Gateway      Flags Refs Use  PMTU If  Exp Groups Netmasks:
(root node)
(0)0 ffff f000 0
(0)0 ffff f000 0
(0)0 8123 262f 0 0 0 0 0
(root node)

Route Tree for Protocol Family 2:
(root node)
default        129.35.38.47   UG    0  564   -   tr0   -
loopback       127.0.0.1      UH    1  202   -   lo0   -
129.35.32      129.35.41.172  U     4   30   -   tr0   -   +staff
129.35.32.117  129.35.41.172  UGHW  0   13  1492 tr0   30
192.100.61     192.100.61.11  U     1  195   -   en0   -
(root node)

Route Tree for Protocol Family 6:
(root node)
(root node)

    The -r -f inet flags indicate a request for routing table information for all configured Internet interfaces. The network interfaces are listed in the Interface column; en designates a Standard Ethernet interface, while tr specifies a Token-Ring interface. Gateway addresses are in dotted decimal format.

    Note: AIX 5.3 does not display the PMTU column.
  2. To display statistics for GRE Protocol, enter the following command: 
    netstat -s -p gre

    This produces the following output:

    GRE Interface gre0
        10 number of times gre_input got called
        8 number of times gre_output got called
        0 packets received with protocol not supported
        0 packets received with checksum on
        0 packets received with routing present
        0 packets received with key present
        0 packets received with sequence number present
        0 packets received with strict source route  present
        0 packets received with recursion control present
        0 packets received where reserved0 non-zero
        0 packets received where version non-zero
        0 packets discarded
        0 packets dropped due to network down
        0 packets dropped due to protocol not supported
        0 packets dropped due to error in ip output routine
        0 packets got by NAT
        0 packets got by NAT but not TCP packet
        0 packets got by NAT but with IP options
  3. To display statistics for the IPv4 over IPv6 tunnel (GIF tunnel), enter the following command: 
    netstat -s -p gif
    The command produces the following output: 
    GIF Interface gif0
44 total packets received
50 total packets sent
0 packets received with protocol not supported
0 packets received with checksum on
0 packets received with routing present
0 packets received with strict source route present
0 packets received where version non-zero
0 packets discarded
0 packets dropped due to network down
0 packets dropped due to protocol not supported
0 packets dropped due to error in ipv6 output routine
  4. To display interface information for an Internet interface, enter the following command: 
    netstat -i -f inet

    This produces the following output:

    Name Mtu    Network     Address           Ipkts  Ierrs  Opkts  Oerrs  Coll
lo0  16896  Link#1                        5161      0    5193      0     0
lo0  16896  127         localhost         5161      0    5193      0     0
lo0  16896  ::1                           5161      0    5193      0     0
en1  1500   Link#2      8.0.38.22.8.34    221240    0  100284      0     0
en1  1500   129.183.64  infoserv.frec.bul 221240    0  100284      0     0

    The -i -f inet flags indicate a request for the status of all configured Internet interfaces. The network interfaces are listed in the Name column; lo designates a loopback interface, en designates a Standard Ethernet interface, while tr specifies a Token-Ring interface.

  5. To display statistics for each protocol, enter the following command: 
    netstat -s -f inet

    This produces the following output:

    ip:
:
  44485 total packets received
  0 bad header checksums
  0 with size smaller than minimum
  0 with data size < data length
  0 with header length < data size
  0 with data length < header length
  0 with bad options
  0 with incorrect version number
  0 fragments received
  0 fragments dropped (dup or out of space)
  0 fragments dropped after timeout
  0 packets reassembled ok
  44485 packets for this host
  0 packets for unknown/unsupported protocol
  0 packets forwarded
  0 packets not forwardable
  0 redirects sent
  1506 packets sent from this host
  0 packets sent with fabricated ip header
  0 output packets dropped due to no bufs, etc.
  0 output packets discarded due to no route
  0 output datagrams fragmented
  0 fragments created
  0 datagrams that can't be fragmented
  0 IP Multicast packets dropped due to no receiver
  0 successful path MTU discovery cycles
  0 path MTU rediscovery cycles attempted
  0 path MTU discovery no-response estimates
  0 path MTU discovery response timeouts
  0 path MTU discovery decreases detected
  0 path MTU discovery packets sent
  0 path MTU discovery memory allocation failures
  0 ipintrq overflows

icmp:
  0 calls to icmp_error
  0 errors not generated 'cuz old message was icmp
  Output histogram:
    echo reply: 6
  0 messages with bad code fields
  0 messages < minimum length
  0 bad checksums
  0 messages with bad length
  Input histogram:
    echo: 19
  6 message responses generated

igmp:defect
  0 messages received
  0 messages received with too few bytes
  0 messages received with bad checksum
  0 membership queries received
  0 membership queries received with invalid field(s)
  0 membership reports received
  0 membership reports received with invalid field(s)
  0 membership reports received for groups to which we belong
  0 membership reports sent

tcp:
  1393 packets sent
    857 data packets (135315 bytes)
    0 data packets (0 bytes) retransmitted
    367 URG only packets
    0 URG only packets
    0 window probe packets
    0 window update packets
    170 control packets
  1580 packets received
    790 acks (for 135491 bytes)
    60 duplicate acks
    0 acks for unsent data
    638 packets (2064 bytes) received in-sequence
    0 completely duplicate packets (0 bytes)
    0 packets with some dup. data (0 bytes duped)
    117 out-of-order packets (0 bytes)
    0 packets (0 bytes) of data after window
    0 window probes
    60 window update packets
    0 packets received after close
    0 discarded for bad checksums
    0 discarded for bad header offset fields
  0 connection request
  58 connection requests
  61 connection accepts
  118 connections established (including accepts)
  121 connections closed (including 0 drops)
  0 embryonic connections dropped
  845 segments updated rtt (of 847 attempts)
  0 resends due to path MTU discovery
  0 path MTU discovery terminations due to retransmits
  0 retransmit timeouts
    0 connections dropped by rexmit timeout
  0 persist timeouts
  0 keepalive timeouts
    0 keepalive probes sent
    0 connections dropped by keepalive

udp:
  42886 datagrams received
:
  0 incomplete headers
  0 bad data length fields
  0 bad checksums
  0 dropped due to no socket
  42860 broadcast/multicast datagrams dropped due to no

socket
  0 socket buffer overflows
  26 delivered
  106 datagrams output

    ip specifies the Internet Protocol; icmp specifies the Information Control Message Protocol; tcp specifies the Transmission Control Protocol; udp specifies the User Datagram Protocol.

    Note: AIX 5.3 does not display the PMTU statistics for the IP protocol.
  6. To display device driver statistics, enter the following command: 
    netstat -v

    The netstat -v command displays the statistics for each CDLI-based device driver that is up. To see sample output for this command, see the tokstat command, the entstat command, or the fddistat command.

  7. To display information regarding an interface for which multicast is enabled, and to see group membership, enter the following command: 
    netstat -a -I interface

    For example, if an 802.3 interface was specified, the following output will be produced:

    Name  Mtu  Network Address      Ipkts  Ierrs  Opkts  Oerrs  Coll
et0   1492 <Link>                   0      0      2      0     0
et0   1492 9.4.37  hun-eth          0      0      2      0     0
                   224.0.0.1
                   02:60:8c:0a:02:e7
                   01:00:5e:00:00:01

    If instead of -I interface the flag -i is given, then all configured interfaces will be listed. The network interfaces are listed in the Name column; lo designates a loopback interface, et designates an IEEE 802.3 interface, tr designates a Token-Ring interface, while fi specifies an FDDI interface.

    The address column has the following meaning. A symbolic name for each interface is shown. Below this symbolic name, the group addresses of any multicast groups that have been joined on that interface are shown. Group address 224.0.0.1 is the special all-hosts-group to which all multicast interfaces belong. The MAC address of the interface (in colon notation) follows the group addresses, plus a list of any other MAC level addresses that are enabled on behalf of IP Multicast for the particular interface.

  8. To display the packet counts in the communication subsystem, enter the following command: 
    netstat -D

    The following output will be produced:

    Source                    Ipkts     Opkts     Idrops      Odrops
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
tok_dev0                   720       542       0          0
ent_dev0                   114         4       0          0
                   - - - - - - - - - - - - - - - - - - - - - - - - -
Devices Total              834       546       0          0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
tok_dd0                    720       542       0          0
ent_dd0                    114         4       0          0
                   - - - - - - - - - - - - - - - - - - - - - - - - -
Drivers Total              834       546       0          0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
tok_dmx0                   720       N/A       0          N/A
ent_dmx0                   114       N/A       0          N/A
                   - - - - - - - - - - - - - - - - - - - - - - - - -
Demuxer Total              834       N/A       0          N/A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
IP                         773       767       0          0
TCP                        536       399       0          0
UDP                        229        93       0          0
                   - - - - - - - - - - - - - - - - - - - - - - - - -
Protocols Total           1538      1259       0          0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
lo_if0                      69        69       0          0
en_if0                      22         8       0          0
tr_if0                     704       543       0          1
                   - - - - - - - - - - - - - - - - - - - - - - - - -
Net IF Total               795       620       0          1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NFS/RPC Client             519       N/A       0          N/A
NFS/RPC Server               0       N/A       0          N/A
NFS Client                 519       N/A       0          N/A
NFS Server                  0       N/A       0          N/A
                   - - - - - - - - - - - - - - - - - - - - - - - - -
NFS/RPC Total              N/A       519       0          0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Note:  N/A -> Not Applicable)
  9. To display detailed data of active sockets, enter the following command: 
    netstat -aon
    Output similar to the following is displayed: 
    Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.13                   *.*                    LISTEN
      so_options: (ACCEPTCONN|REUSEADDR)
      q0len:0 qlen:0 qlimit:1000      so_state: (PRIV)
      timeo:0 uid:0
      so_special: (LOCKBALE|MEMCOMPRESS|DISABLE)
      so_special2: (PROC)
      sndbuf:
             hiwat:16384 lowat:4096 mbcnt:0 mbmax:65536
      rcvbuf:
             hiwat:16384 lowat:1 mbcnt:0 mbmax:65536
             sb_flags: (SEL)
      TCP:
             mss:512

tcp        0      0  *.21                   *.*                    LISTEN

      so_options: (ACCEPTCONN|REUSEADDR)
      q0len:0 qlen:0 qlimit:1000      so_state: (PRIV)
      timeo:0 uid:0
      so_special: (LOCKBALE|MEMCOMPRESS|DISABLE)
      so_special2: (PROC)
      sndbuf:
             hiwat:16384 lowat:4096 mbcnt:0 mbmax:65536
      rcvbuf:
             hiwat:16384 lowat:1 mbcnt:0 mbmax:65536
             sb_flags: (SEL)
      TCP:
      mss:512

...................
...................
  10. To display the routing table, enter the following command: 
    netstat -rn
    Output similar to the following is displayed: 
    Routing tables
Destination      Gateway           Flags   Refs     Use  If   PMTU Exp Groups

Route Tree for Protocol Family 2 (Internet):
default          9.3.149.65        UG        0       24  en0     -   -  
9.3.149.64       9.3.149.88        UHSb      0        0  en0     -   -  =>
9.3.149.64/27    9.3.149.88        U         1        0  en0     -   -  
9.3.149.88       127.0.0.1         UGHS      0        1  lo0     -   -  
9.3.149.95       9.3.149.88        UHSb      0        0  en0     -   -  
127/8            127.0.0.1         U        11      174  lo0     -   -  

Route Tree for Protocol Family 24 (Internet v6):
::1              ::1               UH        0        0  lo0     -   -
    Note: AIX 5.3 does not display the PMTU column.

    The character => at the end of the line means the line is a duplicate route of the route on the next line.

    The loopback route (9.3.149.88, 127.0.0.1) and the broadcast routes (with the flags field containing b indicating broadcast) are automatically created when an interface is configured. Two broadcast routes are added: one to the subnet address and one to the broadcast address of the subnet. The presence of the loopback routes and broadcast routes improve performance.

  11. To display the routing table of a workload partition named wpar1, enter the following command: 
    netstat –rn@ wpar1
    Output similar to the following is displayed: 
    Routing tables
WPAR Destination    Gateway         Flags      Refs      Use    If   Exp  Groups

Route Tree for Protocol Family 2 (Internet):
wpar1 default        9.4.150.1         UG        1     13936    en1    -    -  
wpar1 9.4.150.0      9.4.150.57        UHSb      0         0    en1    -    -  =>
wpar1 9.4.150/24     9.4.150.57        U         0         0    en0    -    -
wpar1 9.4.150.57     127.0.0.1         UGHS      0         0    lo0    -    -
wpar1 9.4.150.255    9.4.150.57        UHSb      0         3    en0    -    -