linux - netstat (8)
netstat - Display active network connections
netstat [[-a | [-t | -u | -w]] [-n | -o] | -x] [-c]
netstat -i [-a] [-c]
netstat -r [-c] [-n]
Netstat displays the status of network connections on
either TCP, UDP, RAW or UNIX sockets to the system. By
default, netstat only displays status on active sockets
which are not in the LISTEN state (i.e. connections to
active processes). To obtain information about the kernel
routing table, netstat may be invoked with the option -r
Netstat's display includes the following information for
The protocol (either TCP or UDP) used by the socket.
The count of bytes not copied by the user program con-
nected to this socket.
The count of bytes not acknoledged by the remote host.
The local address (local hostname) and port number of the
socket. Unless the -n switch is given, the socket address
is resolved to its canonical hostname, and the port number
is translated into the corresponding service name.
The remote address (remote hostname) and port number of he
socket. As with the local address:port, the -n switch
turns off hostname and service name resolution.
The state of the socket. Since there are no states in RAW
and usually no states used in UDP, this row may be left
The socket has an established connection.
The socket is actively attempting to establish a
The connection is being initialized.
The socket is closed, and the connection is shut-
Connection is closed, and the socket is waiting for
a shutdown from the remote end.
The socket is waiting after close for remote shut-
CLOSED The socket is not being used.
The remote end has shut down, waiting for the
socket to close.
The remote end shut down, and the socket is closed.
Waiting for acknowledgement.
LISTEN The socket is listening for incoming connections.
Both sockets are shut down but we still don't have
all our data sent.
The state of the socket is unknown.
If netstat is invoked with the option -o , additional
information will be displayed behind the state info.
These informations are shown like this: "rx-retransmission
byte count" "tx-retransmission byte count" "timer state"
"(time/backoff)". Timer state may now be either on or off.
The time (in seconds) being displayed is how long it will
take the timer to expire. All these options are subject to
be removed in later releases of the NET software.
Being invoked with the option -x , netstat displys a list
Netstat's display includes the following information for
The protocol (usually unix) used by the socket.
The reference count (i.e. attached processes via this
The only displayed flag is SO_ACCEPTON (displayed as ACC)
otherwise left blank. SO_ACCECPTON is used on unconnected
sockets if their corresponding processes are waiting for a
connect request. The other flags are not of normal inter-
est and not displayed.
There are several types of socket access:
The socket is used in Datagram (connectionless)
This is a stream (connection) socket.
The socket is used as a raw socket.
This one serves reliably-delivered messages.
This is a sequential packet socket.
RAW interface access socket.
Who ever knows, what the future will bring us -
just fill in here :-)
This field will contain one of the following Keywords:
The socket is listening for a connection request.
The socket is not connected to another one.
The socket is about to establish a connection.
The socket is connected.
The socket is disconnecting.
This state should never happen.
This displays the path name as which the corresponding
processes attached to the socket.
The network routing table (invoked with netstat -r ) shows
up the following information:
The destination adress of a resolved host or hand-entered
network is displayed. Unless the option -n is given, the
hosts or nets are resolved. An entry named "default" shows
up the default route for the kernel.
If there is no Asterisk ('*') displayed - any data will be
routed to the dedicated gateway.
Possible routeing flags are:
U This route is useable
G Destination is a gateway
H Destination is a Host entry
R Route will be reinstated after time-out
D This one is created dynamically (by redirection)
M This one is modified dynamically (by redirection)
How many times this route was used yet
This is the name of the Interface, where this route
The device statistics table (invoked with netstat -i )
displays information about the interfaces:
The name this interface.
Maximum size for transmission on this interface. This
should be the size of data transferred on this interface
without interface specific headers.
error free received packets for this interface.
buggy received packets.
dropped received packets (due to memory lack ?).
packets that we were unable to receive that fast way.
error free transmitted packets for this interface.
buggy transmitted packets.
dropped transmitteded packets.
packets that we were unable to transmit.
The following flags may occur on the given interfaces:
A This interface will receive all Multicast adresses.
B Broadcasts are ok here.
D Debugging is turned on..
M all packets are received (Promisc-Mode).
N Trailers are avoided.
O No Addres Resolution Protocol on this Interface.
P Interface is a Point-to-Point connection.
R Interface is running.
U Interface is up.
-a Display information about all internet sockets,
i.e. TCP, UDP, RAW and UNIX including those sockets
that are listening only.
-i Show network devices statistics.
-c Generate a continuous listing of network status:
network status is displayed every second until the
program is interrupted.
-n Causes netstat not to resolve hostnames and service
names when displaying remote and local address and
-o Display timer states, expiration times and backoff
-r Display kernel routing table.
-t Display information about TCP sockets only, includ-
ing those that are listening.
-u Display information about UDP sockets only.
-v Print version information.
-w Display information about raw sockets.
-x Display information about UNIX domain sockets.
/etc/services -- The services translation file
/proc/net/socket -- devices information
/proc/net/raw -- RAW socket information
/proc/net/tcp -- TCP socket information
/proc/net/udp -- UDP socket information
/proc/net/unix -- Unix domain socket information
Occasionally strange information may appear if a socket
changes as it is viewed. This is unlikely to occur.
The netstat user interface was written by Fred Baumgarten
<email@example.com> the man page basically
by Matt Welsh <firstname.lastname@example.org>. It was updated by Alan
Cox <Alan.Cox@linux.org> but could do with a bit more