Netstat is a command-line utility that displays network connections (incoming and outgoing), routing tables, and network interface statistics. The utility is available on Unix, Unix-like, and Windows NT-based operating systems.
Netstat also displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections.
Parameters
- -a Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
- -e Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
- -n Displays active TCP connections; however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
- -o Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
- -p Protocol Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
- -s Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
- -r Displays the contents of the IP routing table. This is equivalent to the route print command.
- Interval Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.
- /? Displays help at the command prompt.
Note: The commands below are mostly used on Unix and Unix-based operating systems.
Displaying the Routing Table
When we invoke netstat with the -r flag, it displays the kernel routing table in the same way we have been doing with route.
# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.1       *               255.255.255.255 UH        0 0          0 lo
172.16.1.0      *               255.255.255.0   U         0 0          0 eth0
172.16.2.0      172.16.1.1      255.255.255.0   UG        0 0          0 eth0
The -n option makes netstat print addresses as dotted quad IP numbers rather than the symbolic host and network names. This option is especially useful when we want to avoid address lookups over the network.
The second column of netstat output shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column shows the generality of the route, i.e., the network mask for this route.
When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the genmask before comparing it to the target of the route.
The fourth column displays the following flags that describe the route:
- G The route uses a gateway
- U The interface to be used is up.
- H Only a single host can be reached through the route. For example, this is the case for the loopback entry 127.0.0.1
- D This route is dynamically created. It is set if the table entry has been generated by a routing daemon like gated or by an ICMP redirect message.
- M This route is set if the table entry was modified by an ICMP redirect message.
- ! The route is a reject route and datagrams will be dropped.
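The lookup described above (bitwise AND of the address and the genmask, compared against the destination) can be reproduced offline against saved netstat -nr output, which is useful when checking whether a host would send traffic through an unexpected gateway. This is an added example, not code from the original page; the function names are hypothetical, and preferring the most specific mask when several routes match is this example's assumption.

```python
import ipaddress

# Constructed sample: the routing table shown above, as printed by `netstat -nr`.
SAMPLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
127.0.0.1       *               255.255.255.255 UH        0 0          0 lo
172.16.1.0      *               255.255.255.0   U         0 0          0 eth0
172.16.2.0      172.16.1.1      255.255.255.0   UG        0 0          0 eth0
"""

def parse_routes(text):
    """Return a list of route dicts from `netstat -nr` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 columns and start with a dotted-quad destination.
        if len(f) != 8 or f[0].count(".") != 3:
            continue
        routes.append({
            "dest": int(ipaddress.IPv4Address(f[0])),
            "mask": int(ipaddress.IPv4Address(f[2])),
            "gateway": None if f[1] in ("*", "0.0.0.0") else f[1],
            "flags": f[3],
            "iface": f[7],
        })
    return routes

def lookup(routes, address):
    """Route where (address AND genmask) == destination; skips down/reject routes."""
    addr = int(ipaddress.IPv4Address(address))
    matches = [r for r in routes
               if "U" in r["flags"] and "!" not in r["flags"]
               and addr & r["mask"] == r["dest"]]
    # Assumption of this example: the most specific (largest) mask wins.
    return max(matches, key=lambda r: r["mask"], default=None)

def describe(route):
    if route is None:
        return "unreachable"
    via = route["gateway"] or "direct"
    return f"{route['iface']} via {via}"

if __name__ == "__main__":
    table = parse_routes(SAMPLE)
    for ip in ("172.16.2.9", "172.16.1.40", "127.0.0.1", "10.0.0.1"):
        print(ip, "->", describe(lookup(table, ip)))
```

The H entry only matches 127.0.0.1 itself because its genmask is 255.255.255.255, and 10.0.0.1 is unreachable because the sample table has no default route.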
Displaying Interface Statistics
When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured. If the -a option is also given, it prints all interfaces present in the kernel, not only those that are currently configured.
# netstat -i
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flags
lo 0 0 3185 0 0 0 3185 0 0 0 BLRU
eth0 1500 0 972633 17 20 120 628711 217 0 0 BRU
The MTU and Met fields show the current MTU and metric values for the interface. The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR), how many were dropped (RX-DRP/TX-DRP), and how many were lost because of an overrun (RX-OVR/TX-OVR).
The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig.
- B A broadcast address has been set.
- L This interface is a loopback device.
- M All packets are received.
- O ARP is turned off for this interface.
- P This is a point-to-point connection.
- R Interface is running.
- U Interface is up.
Displaying Connections
Netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection are displayed as well. This display gives us a list of all servers that are currently running on your system.
Invoking netstat -ta produces output like this:
$ netstat -ta
Active Internet Connections
Proto Recv-Q Send-Q Local Address Foreign Address (State)
tcp 0 0 *:domain *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 vlager:smtp vstout:1040 ESTABLISHED
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 localhost:1046 vbardolino:telnet ESTABLISHED
tcp 0 0 *:chargen *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:echo *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:login *:* LISTEN
Using the -a flag by itself will display all sockets from all families.
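Because the LISTEN rows are an inventory of the servers a host exposes, saved netstat -ta output can be checked for services that should no longer be listening. The following is an added example, not code from the original page: it parses the output and reports listeners on legacy services, and whether each is bound to all interfaces or to loopback only. The function names and the list of services to review are this example's assumptions.

```python
# Legacy services worth reviewing when they show up as listeners, by name
# and by port (as printed with -n). This list is the example's assumption.
LEGACY = {
    "telnet": "23", "shell": "514", "login": "513", "echo": "7",
    "discard": "9", "daytime": "13", "chargen": "19", "time": "37",
}
BY_PORT = {port: name for name, port in LEGACY.items()}

# Constructed sample: part of the `netstat -ta` output shown above, plus one
# numeric row as -n would print it.
SAMPLE = """\
Active Internet Connections
Proto Recv-Q Send-Q Local Address Foreign Address (State)
tcp 0 0 *:domain *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 vlager:smtp vstout:1040 ESTABLISHED
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 localhost:1046 vbardolino:telnet ESTABLISHED
tcp 0 0 *:chargen *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 127.0.0.1:513 *:* LISTEN
"""

def parse_sockets(text):
    """Yield (proto, local_host, local_port, state) per TCP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp"):
            host, _, port = f[3].rpartition(":")
            yield f[0], host, port, f[5]

def listeners(text):
    """Sorted list of (host, port) for sockets in LISTEN state."""
    return sorted((h, p) for _, h, p, s in parse_sockets(text) if s == "LISTEN")

def legacy_listeners(text):
    """Listeners on legacy services: (service, scope) pairs."""
    found = []
    for host, port in listeners(text):
        name = port if port in LEGACY else BY_PORT.get(port)
        if name:
            loopback = host in ("localhost", "127.0.0.1", "::1")
            found.append((name, "loopback only" if loopback else "all interfaces"))
    return found

if __name__ == "__main__":
    for name, scope in legacy_listeners(SAMPLE):
        print(f"review: {name} listening on {scope}")
```

Comparing the result against a baseline of expected listeners for the host turns the same parse into a change-detection check.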
Other Statistics
- Proto: The name of the protocol (TCP or UDP).
- Local Address: The IP address of the local computer and the port number being used. The name of the local computer that corresponds to the IP address and the name of the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
- Foreign Address: The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*).
- State: Indicates the state of TCP connection. The possible states are as follows:
1. CLOSE_WAIT
2. CLOSED
3. ESTABLISHED
4. FIN_WAIT_1
5. FIN_WAIT_2
6. LAST_ACK
7. LISTEN
8. SYN_RECEIVED
9. SYN_SEND
10. TIMED_WAIT