Internet Security Professional Reference, Second Edition
(Publisher: Macmillan Computer Publishing)
Author(s): Authors Multiple
ISBN: 156205760x
Publication Date: 07/16/97



The netstat output shown in the preceding example is arranged in columns. These columns and their meanings are listed in table 1.9.

Table 1.9
netstat Column Headings

Column       Description

Name         The name of the configured interface
Mtu          The maximum transmission unit for the interface
Net/Dest     The network that this interface serves
Address      The IP address of the interface
Ipkts        The number of received packets
Ierrs        The number of packets that have been mangled when received
Opkts        The number of transmitted packets
Oerrs        The number of packets that were damaged when transmitted
Collisions   The number of collisions recorded by this interface on the network

Keep in mind that, according to many of the manual pages for netstat, the notion of errors is somewhat ill-defined, which calls into question the validity of the values in the error columns. In addition, because the tables are always being updated, the information presented is, like the output of ps, only a snapshot of the status at a given moment.

One of the common uses of netstat is to find out if there are any network memory allocation problems. This is achieved using the command netstat -m, as shown here:

$ netstat -m
streams allocation:
                        config   alloc     free       total     max   fail
streams                   292      93       199       53882    112    0
queues                   1424     452       972      122783    552    0
mblks                    5067     279    478820      190677    706    0
dblks                    4054     279    377515      804030    706    0
class 0,      4 bytes     652      55       597      475300    277    0
class 1,     16 bytes     652       8       644     2404108     62    0
class 2,     64 bytes     768      22       746     9964817    232    0
class 3,    128 bytes     872     138       734     1223784    386    0
class 4,    256 bytes     548      34       514      230688     75    0
class 5,    512 bytes     324      12       312       92565     76    0
class 6,   1024 bytes     107       0       107     1226009     49    0
class 7,   2048 bytes      90       0        90      182978     67    0
class 8,   4096 bytes      41      10        31        3781     13    0
total configured streams memory: 1166.73KB
streams memory in use: 98.44KB
maximum streams memory used: 409.22KB
$

This output is from an SCO Unix 3.2 version 4.2 system. If there are any non-zero values in the fail column, then it is important to readjust the number configured. When the configured number of data blocks is reached, a failure is generated. This means that a TCP/IP application or service could not get the needed resources. The only way to correct this problem in the short term is to reboot the machine. Over the long run, the only way to prevent these failures is to adjust the values and relink the kernel. The output of netstat -m on a SunOS system is similar in content to the SCO systems.
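The check described above (non-zero fail counts, and resources whose maximum use has reached the configured number) can be scripted. The following is an added example, not part of the original text; the function names, the 80 percent default warning threshold, and the sample rows (constructed in the layout of the listing above) are assumptions.

```shell
#!/bin/sh
# Added example: scan `netstat -m` STREAMS output (read on stdin) for trouble.
# Real use: netstat -m | check_streams

# Prints FAIL for every resource with a non-zero fail count, and WARN when the
# high-water mark (max) has reached $1 percent of config (assumed default 80).
check_streams() {
    awk -v pct="${1:-80}" '
        # Data rows end in six numbers: config alloc free total max fail.
        NF >= 7 && $NF ~ /^[0-9]+$/ && $(NF-5) ~ /^[0-9]+$/ {
            config = $(NF-5); max = $(NF-1); fail = $NF
            name = $1                      # resource name may span several words
            for (i = 2; i <= NF - 6; i++) name = name " " $i
            if (fail > 0)
                printf "FAIL %s: %d failures (config %d)\n", name, fail, config
            else if (config > 0 && max * 100 >= config * pct)
                printf "WARN %s: max %d of %d configured\n", name, max, config
        }'
}

# Constructed sample in the same layout as the listing above (values invented).
sample_netstat_m() {
cat <<'EOF'
streams allocation:
                        config   alloc     free       total     max   fail
streams                   292      93       199       53882    112    0
dblks                    4054     279      3775      804030   4054   17
class 7,   2048 bytes      90       0        90      182978     67    0
class 8,   4096 bytes      41      10        31        3781     40    0
total configured streams memory: 1166.73KB
EOF
}

sample_netstat_m | check_streams
```

A WARN line identifies a resource to enlarge before it starts failing; a FAIL line means the short-term and long-term corrections described above already apply.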

The netstat command also can be used to list all the sockets that are on the system using the -a option. This option is illustrated here:

$ netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address       Foreign Address        (state)
ip         0      0  *.*                 *.*
tcp        0  28672  oreo.20             topgun.4450            ESTABLISHED
tcp        0    286  oreo.telnet         topgun.4449            ESTABLISHED
tcp        0      0  oreo.ftp            topgun.4438            ESTABLISHED
tcp        0      0  oreo.1725           gateway.telnet         ESTABLISHED
tcp        0      0  *.printer           *.*                    LISTEN
tcp        0      0  *.pop               *.*                    LISTEN
tcp        0      0  *.smtp              *.*                    LISTEN
tcp        0      0  *.finger            *.*                    LISTEN
tcp        0      0  *.exec              *.*                    LISTEN
tcp        0      0  *.login             *.*                    LISTEN
tcp        0      0  *.shell             *.*                    LISTEN
tcp        0      0  *.telnet            *.*                    LISTEN
tcp        0      0  *.ftp               *.*                    LISTEN
udp        0      0  *.snmp              *.*
udp        0      0  *.who               *.*
$

This output shows the status of the currently connected sockets and to what they are connected. For the TCP sockets, the status of the socket is reported in the output. The state is one of those listed in table 1.10.

Table 1.10
TCP Socket Explanations

State          Meaning

CLOSED         The socket is not being used.
LISTEN         The socket is listening for an incoming connection.
SYN_SENT       The socket is actively trying to establish a connection.
SYN_RECEIVED   The initial synchronization of the connection is underway.
ESTABLISHED    The connection has been established.
CLOSE_WAIT     The remote has shut down: we are waiting for the socket to close.
FIN_WAIT_1     The socket is closed, and the connection is being shut down.
CLOSING        The socket is closed, and the remote is being shut down. The acknowledgment of the close is pending.
LAST_ACK       The remote has shut down and closed. They are waiting for us to acknowledge the close.
FIN_WAIT_2     The socket is closed, and we are waiting for the remote to shut down.
TIME_WAIT      The socket is waiting after the close for the remote shutdown transmission.

With this information, it is easy to tell what state the connection is in and how to trace the connection through the various stages of operation.
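The netstat -a listing can be reduced to the facts an administrator usually wants from it: which services the host offers, how many sockets are in each state, and who is connected to those services. The following is an added example, not part of the original text; the function names are assumptions, and the sample is a constructed subset of the listing above.

```shell
#!/bin/sh
# Added example: summarise BSD-style `netstat -a` text read on stdin.

# "proto service" for each TCP socket in LISTEN and each UDP socket bound
# to a wildcard address: the services this host offers.
listeners() {
    awk '($1 == "tcp" && $NF == "LISTEN") || ($1 == "udp" && $4 ~ /^\*\./) {
        n = split($4, part, ".")   # service name follows the last dot
        print $1, part[n]
    }'
}

# Number of TCP sockets in a given state (names as in table 1.10).
count_state() {
    awk -v st="$1" '$1 == "tcp" && $NF == st { n++ } END { print n + 0 }'
}

# "service <- host" for each ESTABLISHED connection to a listening service.
inbound_sessions() {
    awk '
        $1 == "tcp" && $NF == "LISTEN" { n = split($4, p, "."); offered[p[n]] = 1 }
        $1 == "tcp" && $NF == "ESTABLISHED" { laddr[++c] = $4; raddr[c] = $5 }
        END {
            for (i = 1; i <= c; i++) {
                n = split(laddr[i], p, "."); m = split(raddr[i], q, ".")
                host = substr(raddr[i], 1, length(raddr[i]) - length(q[m]) - 1)
                if (p[n] in offered) print p[n] " <- " host
            }
        }'
}

# Constructed sample: a subset of the netstat -a listing above.
sample_netstat_a() {
cat <<'EOF'
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address       Foreign Address        (state)
ip         0      0  *.*                 *.*
tcp        0  28672  oreo.20             topgun.4450            ESTABLISHED
tcp        0    286  oreo.telnet         topgun.4449            ESTABLISHED
tcp        0      0  oreo.ftp            topgun.4438            ESTABLISHED
tcp        0      0  oreo.1725           gateway.telnet         ESTABLISHED
tcp        0      0  *.finger            *.*                    LISTEN
tcp        0      0  *.telnet            *.*                    LISTEN
tcp        0      0  *.ftp               *.*                    LISTEN
udp        0      0  *.snmp              *.*
EOF
}

sample_netstat_a | listeners
```

On a live system the functions are fed directly, for example netstat -a | inbound_sessions; the connection from oreo.1725 to gateway.telnet is not reported because it is outbound.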

