netstat tips and tricks

In the same vein as the "Useful Command-line" questions (for Windows, Linux, and Mac), I think it would be handy to have "useful ways to use utility x" questions. Man pages tell you what parameters do, but not necessarily why you would use them, what the result means, what useful things the command does that you'd never know without extensive experimentation, or how to get the answer you really want.

I'd like to know about netstat. It would appear that I should be able to figure out which processes are using bandwidth, and, indeed, how fast the system is using bandwidth. It also looks useful for detecting unwanted connections (likely viruses), and it gives all sorts of routing information (that I only had to play with when trying to make a Sharp Zaurus PDA use TCP/IP over USB). In other words, it sounds like a gold mine, and I was hoping some of you would share nuggets of information you've found.

Please include the version of netstat and your OS in your reply. It would be nice to see some sample output and know what it means. I've marked this question as community wiki, and I hope you'll do the same in your answers, so that other people, knowing a different OS, can put down a near equivalent command if they know, in the same answer, and then we can vote on which answers are the most useful.


Solution 1:

Show local listening TCP/UDP ports, and the process they belong to:

sudo netstat -tulpn
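
Knowing the command is half of it; the other half is comparing what it shows against what the host is supposed to be listening on. The script below is an added example, not part of the original answer: it takes `netstat -tulpn` output, reports any listener whose protocol/port is not on an allowlist, and separately lists the sockets bound to every interface (0.0.0.0 or ::), which are the ones reachable from the network. The capture, the allowlist and the program names (sshd, cupsd, nc, nginx, dhclient, avahi-daemon) are constructed for the example; in use, replace the capture with the live command output.

```shell
#!/bin/sh
# Added example (not from the original answer): audit the output of
# `sudo netstat -tulpn` against an allowlist of expected listeners.
# The capture below is constructed by hand so the script runs offline;
# in practice feed it `sudo netstat -tulpn 2>/dev/null`.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      903/cupsd
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      2711/nc
tcp6       0      0 :::80                   :::*                    LISTEN      1201/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           640/avahi-daemon'

# Listeners this host is supposed to have, as "proto/port" (an assumption
# for the example; build yours from the service inventory).
ALLOWED="tcp/22 tcp/80 tcp/631 udp/68 udp/5353"

# unexpected_listeners CAPTURE ALLOWLIST
# Prints "proto port local-address pid/program" for every listening socket
# whose proto/port is not on the allowlist. UDP rows have no State column,
# so the PID/program is taken from the last field rather than a fixed one.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)          # fold tcp6/udp6 into tcp/udp
            port = $4; sub(/.*:/, "", port)           # text after the last colon
            if (!((proto "/" port) in ok)) print proto, port, $4, $NF
        }'
}

# wildcard_listeners CAPTURE
# Prints "proto local-address pid/program" for sockets bound to every
# interface (0.0.0.0 or ::), i.e. the ones reachable from the network;
# a service bound to 127.0.0.1 only, like cupsd above, is not listed.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) { print $1, $4, $NF }'
}

echo "== listeners not on the allowlist =="
unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED"
echo "== listeners exposed on all interfaces =="
wildcard_listeners "$SAMPLE_NETSTAT"
```

On the constructed capture the first report is the single line `tcp 4444 0.0.0.0:4444 2711/nc`, a netcat listener on a port nobody approved. Without `sudo` the PID/Program column is blank for processes you don't own, so run it as root or the report loses the part you most want. Newer distributions ship `ss` instead of net-tools; `ss -tulpn` prints the same information with different column layout, so the field numbers above would need adjusting.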

Solution 2:

Netstat routing tables

[This was tested on Mac OS X 10.5.7. I suspect the result is nearly the same on all platforms, as it was indicated to work on Solaris.]

netstat -r 

will give you a routing table.

netstat -nr

is the same, but will give you raw IPs instead of looking up machine names. Its output looks like this (only longer):

Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.40.250     UGSc       19        1    en1
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH          1     3140    lo0
169.254            link#5             UCS         0        0    en1
169.254.33.92      127.0.0.1          UHS         0        0    lo0
192.168.40         link#5             UCS        11        0    en1
192.168.40.1       0:17:f2:ca:a0:94   UHLW        0        0    en1   1150
...

Internet6:
Destination                             Gateway                         Flags      Netif Expire
::1                                     link#1                          UHL         lo0
fe80::%lo0/64                           fe80::1%lo0                     Uc          lo0
fe80::1%lo0                             link#1                          UHL         lo0
fe80::%en0/64                           link#4                          UC          en0
...
ff02::/32                               link#7                          UC          en2
ff02::/32                               link#8                          UC          en3

Columns:

Destination and Gateway: The destination is an address (or address range) we might want to send information to. All data sent to that destination will go to the associated gateway. The gateway knows where to send the data to for its next 'hop' on the journey. If we wish to send data to a destination that has no entry in the routing table, it will go through the default gateway.

Flags: The man/info page lists all the flags. Here are what the settings on my default gateway mean:

UGSc
U       - RTF_UP           Route usable
 G      - RTF_GATEWAY      Destination requires forwarding by intermediary
  S     - RTF_STATIC       Manually added
   c    - RTF_PRCLONING    Protocol-specified generate new routes on use

It's curious that it claims to be manually added, as it came over DHCP.

Refs: "The refcnt field gives the current number of active uses of the route. Connection oriented protocols normally hold on to a single route for the duration of a connection while connectionless protocols obtain a route while sending to the same destination." (Man page)

Use: "The use field provides a count of the number of packets sent using that route."

Netif: "The interface entry indicates the network interface utilized for the route."

On my Mac,

  • lo0 is the loopback interface.
  • en0 is ethernet.
  • en1 is wireless.
  • en2 and en3 are used by a virtual machine.

Expire: From a manpage for a different version of netstat: "Displays the time (in minutes) remaining before the route expires."
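
The columns above are easy to read by eye on a short table, but the check a practitioner usually wants is narrower: where is the default route pointing, and which routes send traffic through an intermediary at all. The script below is an added example rather than part of the original answer. It parses the IPv4 section of the `netstat -nr` output shown above (re-embedded here as a constructed capture so it runs offline), prints the default gateway and interface, lists every route carrying the G flag, and compares the default gateway with an expected value. The expected gateway 192.168.40.250 is taken from the table; everything else about the script is an assumption for the example.

```shell
#!/bin/sh
# Added example (not from the original answer): pull the facts that matter
# out of `netstat -nr` on macOS/BSD, and check the default gateway against
# the one you expect. The capture is constructed from the table in the
# answer and embedded here so the script runs offline; in practice use
# the output of `netstat -nr`.
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.40.250     UGSc       19        1    en1
127                127.0.0.1          UCS         0        0    lo0
127.0.0.1          127.0.0.1          UH          1     3140    lo0
169.254            link#5             UCS         0        0    en1
192.168.40         link#5             UCS        11        0    en1
192.168.40.1       0:17:f2:ca:a0:94   UHLW        0        0    en1   1150

Internet6:
Destination                             Gateway                         Flags      Netif Expire
::1                                     link#1                          UHL         lo0
fe80::%lo0/64                           fe80::1%lo0                     Uc          lo0'

# ipv4_routes CAPTURE: emit only the rows of the "Internet:" (IPv4) section,
# skipping its header. The IPv6 section has different columns (no Refs/Use),
# so it is left out rather than parsed with the wrong field numbers.
ipv4_routes() {
    printf '%s\n' "$1" | awk '
        /^Internet:$/  { in4 = 1; next }
        /^Internet6:$/ { in4 = 0 }
        /^$/           { in4 = 0 }
        in4 && $1 != "Destination" { print }'
}

# default_gateway CAPTURE: prints "gateway netif" for the default route.
default_gateway() {
    ipv4_routes "$1" | awk '$1 == "default" { print $2, $6 }'
}

# gateway_routes CAPTURE: prints "destination gateway netif" for routes with
# the G flag, i.e. traffic that leaves the host via an intermediary rather
# than being delivered on-link. On a client this is normally just the
# default route; a new G route to a specific prefix deserves a look.
gateway_routes() {
    ipv4_routes "$1" | awk '$3 ~ /G/ { print $1, $2, $6 }'
}

# check_default_gateway CAPTURE EXPECTED_GW: exit 0 if the default route
# points at EXPECTED_GW, 1 otherwise. A rogue DHCP server or a router
# advertisement you did not plan for shows up here as the wrong gateway.
check_default_gateway() {
    gw=$(default_gateway "$1" | awk '{ print $1 }')
    if [ "$gw" = "$2" ]; then
        echo "default gateway OK: $gw"
        return 0
    fi
    echo "default gateway is '$gw', expected '$2'" >&2
    return 1
}

echo "== default route =="
default_gateway "$SAMPLE_ROUTES"
echo "== routes via a gateway =="
gateway_routes "$SAMPLE_ROUTES"
check_default_gateway "$SAMPLE_ROUTES" 192.168.40.250
```

On the sample the only G route is the default one, via 192.168.40.250 on en1; the 192.168.40.1 row has an L (link-layer) and W (cloned) flag but no G, because that host is on the local segment and the entry is really an ARP-derived neighbour entry with an Expire timer. The Linux net-tools `netstat -nr` prints a different layout (Destination, Gateway, Genmask, Flags, MSS, Window, irtt, Iface), so the field numbers would change there.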

Solution 3:

Check CommandLineFu's Netstat Page for some useful ways to use netstat in bash.

Solution 4:

In windows:

c:>netstat -a | find /c "TCP"
68

Shows the number of TCP/IP connections. Useful if you are troubleshooting high network systems that are running out of TCP ports and need to increase MaxUserPort.
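
A raw count of rows containing "TCP" includes listeners and every TIME_WAIT entry, so it says little on its own about port exhaustion. The script below is an added example, not part of the original answer: it breaks constructed Windows `netstat -an` output down by state, counts how many local ports fall inside the dynamic range (49152 to 65535 by default on Windows Vista and later), and ranks the peers those ports are being spent on. It is written in POSIX sh/awk to match the other examples here rather than as a cmd.exe script; the addresses and connection rows are constructed, and the default port range is an assumption you should override if the machine's range was changed.

```shell
#!/bin/sh
# Added example (not from the original answer): break the TCP count from
# `netstat -an` down by state and by ephemeral-port usage, which is what
# actually tells you whether the dynamic port range is running out.
# The capture below is constructed Windows `netstat -an` output; run this
# over a saved capture from any POSIX shell.
SAMPLE_WIN='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49152      10.0.0.7:443           ESTABLISHED
  TCP    192.168.1.5:49153      10.0.0.7:443           TIME_WAIT
  TCP    192.168.1.5:49154      10.0.0.7:443           TIME_WAIT
  TCP    192.168.1.5:49155      10.0.0.8:80            TIME_WAIT
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*'

# tcp_count CAPTURE: the same number `find /c "TCP"` gives, i.e. all TCP
# rows (listeners included, so it is not a count of connections).
tcp_count() {
    printf '%s\n' "$1" | awk '$1 == "TCP" { n++ } END { print n + 0 }'
}

# tcp_state_counts CAPTURE: one "STATE count" line per state, sorted.
tcp_state_counts() {
    printf '%s\n' "$1" | awk '$1 == "TCP" { c[$4]++ } END { for (s in c) print s, c[s] }' | sort
}

# ephemeral_in_use CAPTURE [LOW] [HIGH]: number of TCP rows whose local port
# lies in the dynamic range (assumed 49152-65535, the Windows default since
# Vista; pass your own bounds if the range was changed). TIME_WAIT rows count
# too: they still hold the port until the timer expires.
ephemeral_in_use() {
    printf '%s\n' "$1" | awk -v low="${2:-49152}" -v high="${3:-65535}" '
        $1 == "TCP" {
            port = $2; sub(/.*:/, "", port)
            if (port + 0 >= low + 0 && port + 0 <= high + 0) n++
        }
        END { print n + 0 }'
}

# top_peers CAPTURE: foreign addresses (without port) ranked by number of
# non-listening TCP rows, to see who the ports are being spent on.
top_peers() {
    printf '%s\n' "$1" | awk '
        $1 == "TCP" && $4 != "LISTENING" { peer = $3; sub(/:[^:]*$/, "", peer); c[peer]++ }
        END { for (p in c) print c[p], p }' | sort -rn
}

echo "TCP rows: $(tcp_count "$SAMPLE_WIN")"
tcp_state_counts "$SAMPLE_WIN"
echo "ephemeral ports in use: $(ephemeral_in_use "$SAMPLE_WIN")"
top_peers "$SAMPLE_WIN"
```

If the ephemeral count approaches the size of the dynamic range and most of it is TIME_WAIT against one or two peers, the fix is usually on the application side (connection reuse) rather than only raising MaxUserPort. A capture saved on Windows will have CRLF line endings; pipe it through `tr -d '\r'` first or the State field will carry a trailing carriage return and the counts will not match.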