netstat

NETSTAT(1)                 BSD General Commands Manual                NETSTAT(1)

NAME
     netstat — show network status and statistics

SYNOPSIS
     netstat  [--libxo] [-46AaLnPRSTWx] [-f protocol_family | -p protocol]
              [-M core] [-N system]

     netstat -i | -I interface
              [--libxo] [-46abdhnW] [-f address_family] [-M core] [-N system]

     netstat -w wait
              [--libxo] [-I interface] [-46d] [-M core] [-N system] [-q howmany]

     netstat -s
              [--libxo] [-46sz] [-f protocol_family | -p protocol] [-M core]
              [-N system]

     netstat -i | -I interface -s
              [--libxo] [-46s] [-f protocol_family | -p protocol] [-M core]
              [-N system]

     netstat -m
              [--libxo] [-M core] [-N system]

     netstat -B
              [--libxo] [-z] [-I interface]

     netstat -r
              [--libxo] [-46nW] [-F fibnum] [-f address_family]

     netstat -rs
              [--libxo] [-s] [-M core] [-N system]

     netstat -g
              [--libxo] [-46W] [-f address_family]

     netstat -gs
              [--libxo] [-46s] [-f address_family] [-M core] [-N system]

     netstat -Q
              [--libxo]

DESCRIPTION
     The netstat command symbolically displays the contents of various network-
     related data structures.  There are a number of output formats, depending
     on the options for the information presented.

     netstat [-46AaLnRSTWx] [-f protocol_family | -p protocol] [-M core]
             [-N system]
             Display a list of active sockets (protocol control blocks) for each
             network protocol.

             The default display for active sockets shows the local and remote
             addresses, send and receive queue sizes (in bytes), protocol, and
             the internal state of the protocol.  Address formats are of the
             form “host.port” or “network.port” if a socket's address specifies
             a network but no specific host address.  When known, the host and
             network addresses are displayed symbolically according to the
             databases hosts(5) and networks(5), respectively.  If a symbolic
             name for an address is unknown, or if the -n option is specified,
             the address is printed numerically, according to the address
             family.  For more information regarding the Internet IPv4 “dot
             format”, refer to inet(3).  Unspecified, or “wildcard”, addresses
             and ports appear as “*”.

             --libxo
                     Generate output via libxo(3) in a selection of different
                     human and machine readable formats.  See xo_parse_args(3)
                     for details on command line arguments.

             -4      Show IPv4 only.  See GENERAL OPTIONS.

             -6      Show IPv6 only.  See GENERAL OPTIONS.

             -A      Show the address of a protocol control block (PCB)
                     associated with a socket; used for debugging.

             -a      Show the state of all sockets; normally sockets used by
                     server processes are not shown.

             -L      Show the size of the various listen queues.  The first
                     count shows the number of unaccepted connections, the
                     second count shows the amount of unaccepted incomplete
                     connections, and the third count is the maximum number of
                     queued connections.

             -n      Do not resolve numeric addresses and port numbers to names.
                     See GENERAL OPTIONS.

             -P      Display the log ID for each socket.

             -R      Display the flowid and flowtype for each socket.  flowid is
                     a 32 bit hardware specific identifier for each flow.
                     flowtype defines which protocol fields are hashed to
                     produce the id.  A complete listing is available in
                     sys/mbuf.h under M_HASHTYPE_*.

             -S      Show network addresses as numbers (as with -n) but show
                     ports symbolically.

             -T      Display diagnostic information from the TCP control block.
                     Fields include the number of packets requiring
                     retransmission, received out-of-order, and those
                     advertising a zero-sized window.

             -W      Avoid truncating addresses even if this causes some fields
                     to overflow.

             -x      Display socket buffer and TCP timer statistics for each
                     internet socket.

                     The -x flag causes netstat to output all the information
                     recorded about data stored in the socket buffers.  The
                     fields are:

                     R-MBUF    Number of mbufs in the receive queue.
                     S-MBUF    Number of mbufs in the send queue.
                     R-CLUS    Number of clusters, of any type, in the receive
                               queue.
                     S-CLUS    Number of clusters, of any type, in the send
                               queue.
                     R-HIWA    Receive buffer high water mark, in bytes.
                     S-HIWA    Send buffer high water mark, in bytes.
                     R-LOWA    Receive buffer low water mark, in bytes.
                     S-LOWA    Send buffer low water mark, in bytes.
                     R-BCNT    Receive buffer byte count.
                     S-BCNT    Send buffer byte count.
                     R-BMAX    Maximum bytes that can be used in the receive
                               buffer.
                     S-BMAX    Maximum bytes that can be used in the send
                               buffer.
                     rexmt     Time, in seconds, to fire Retransmit Timer, or 0
                               if not armed.
                     persist   Time, in seconds, to fire Retransmit Persistence,
                               or 0 if not armed.
                     keep      Time, in seconds, to fire Keep Alive, or 0 if not
                               armed.
                     2msl      Time, in seconds, to fire 2*msl TIME_WAIT Timer,
                               or 0 if not armed.
                     delack    Time, in seconds, to fire Delayed ACK Timer, or 0
                               if not armed.
                     rcvtime   Time, in seconds, since last packet received.

             -f protocol_family
                     Filter by protocol_family.  See GENERAL OPTIONS.

             -p protocol
                     Filter by protocol.  See GENERAL OPTIONS.

             -M      Use an alternative core.  See GENERAL OPTIONS.

             -N      Use an alternative kernel image.  See GENERAL OPTIONS.

     netstat -i | -I interface [-46abdhnW] [-f address_family] [-M core]
             [-N system]
             Show the state of all network interfaces or a single interface
             which have been auto-configured (interfaces statically configured
             into a system, but not located at boot time are not shown).  An
             asterisk (“*”) after an interface name indicates that the interface
             is “down”.

             When netstat is invoked with -i (all interfaces) or -I interface,
             it provides a table of cumulative statistics regarding packets
             transferred, errors, and collisions.  The network addresses of the
             interface and the maximum transmission unit (“mtu”) are also
             displayed.

             -4      Show IPv4 only.  See GENERAL OPTIONS.

             -6      Show IPv6 only.  See GENERAL OPTIONS.

             -a      Multicast addresses currently in use are shown for each
                     Ethernet interface and for each IP interface address.
                     Multicast addresses are shown on separate lines following
                     the interface address with which they are associated.

             -b      Show the number of bytes in and out.

             -d      Show the number of dropped packets.

             -h      Print all counters in human readable form.

             -n      Do not resolve numeric addresses and port numbers to names.
                     See GENERAL OPTIONS.

             -W      Avoid truncating interface names even if this causes some
                     fields to overflow.  GENERAL OPTIONS.

             -f protocol_family
                     Filter by protocol_family.  See GENERAL OPTIONS.

     netstat -w wait [-I interface] [-46d] [-M core] [-N system] [-q howmany]
             At intervals of wait seconds, display the information regarding
             packet traffic on all configured network interfaces or a single
             interface.

             When netstat is invoked with the -w option and a wait interval
             argument, it displays a running count of statistics related to
             network interfaces.  An obsolescent version of this option used a
             numeric parameter with no option, and is currently supported for
             backward compatibility.  By default, this display summarizes
             information for all interfaces.  Information for a specific
             interface may be displayed with the -I interface option.

             -I interface
                     Only show information regarding interface

             -4      Show IPv4 only.  See GENERAL OPTIONS.

             -6      Show IPv6 only.  See GENERAL OPTIONS.

             -d      Show the number of dropped packets.

             -M      Use an alternative core.  See GENERAL OPTIONS.

             -N      Use an alternative kernel image.  See GENERAL OPTIONS.

             -q      Exit after howmany outputs.

     netstat -s [-46sz] [-f protocol_family | -p protocol] [-M core] [-N system]
             Display system-wide statistics for each network protocol.

             -4      Show IPv4 only.  See GENERAL OPTIONS.

             -6      Show IPv6 only.  See GENERAL OPTIONS.

             -s      If -s is repeated, counters with a value of zero are
                     suppressed.

             -z      Reset statistic counters after displaying them.

             -f protocol_family
                     Filter by protocol_family.  See GENERAL OPTIONS.

             -p protocol
                     Filter by protocol.  See GENERAL OPTIONS.

             -M      Use an alternative core.  See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -i | -I interface -s [-46s] [-f protocol_family | -p protocol]
             [-M core] [-N system]
             Display per-interface statistics for each network protocol.

             -4      Show IPv4 only See GENERAL OPTIONS.

             -6      Show IPv6 only See GENERAL OPTIONS.

             -s      If -s is repeated, counters with a value of zero are
                     suppressed.

             -f protocol_family
                     Filter by protocol_family.  See GENERAL OPTIONS.

             -p protocol
                     Filter by protocol.  See GENERAL OPTIONS.

             -M      Use an alternative core See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -m [-M core] [-N system]
             Show statistics recorded by the memory management routines
             (mbuf(9)).  The network manages a private pool of memory buffers.

             -M      Use an alternative core See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -B [-z] [-I interface]
             Show statistics about bpf(4) peers.  This includes information like
             how many packets have been matched, dropped and received by the bpf
             device, also information about current buffer sizes and device
             states.

             The bpf(4) flags displayed when netstat is invoked with the -B
             option represent the underlying parameters of the bpf peer.  Each
             flag is represented as a single lower case letter.  The mapping
             between the letters and flags in order of appearance are:

             p    Set if listening promiscuously
             i    BIOCIMMEDIATE has been set on the device
             f    BIOCGHDRCMPLT status: source link addresses are being filled
                  automatically
             s    BIOCGSEESENT status: see packets originating locally and
                  remotely on the interface.
             a    Packet reception generates a signal
             l    BIOCLOCK status: descriptor has been locked

             For more information about these flags, please refer to bpf(4).

             -z      Reset statistic counters after displaying them.

     netstat -r [-46AnW] [-F fibnum] [-f address_family] [-M core] [-N system]
             Display the contents of routing tables.

             When netstat is invoked with the routing table option -r, it lists
             the available routes and their status.  Each route consists of a
             destination host or network, and a gateway to use in forwarding
             packets.  The flags field shows a collection of information about
             the route stored as binary choices.  The individual flags are
             discussed in more detail in the route(8) and route(4) manual pages.
             The mapping between letters and flags is:

             1    RTF_PROTO1       Protocol specific routing flag #1
             2    RTF_PROTO2       Protocol specific routing flag #2
             3    RTF_PROTO3       Protocol specific routing flag #3
             B    RTF_BLACKHOLE    Just discard pkts (during updates)
             b    RTF_BROADCAST    The route represents a broadcast address
             D    RTF_DYNAMIC      Created dynamically (by redirect)
             G    RTF_GATEWAY      Destination requires forwarding by
                                   intermediary
             H    RTF_HOST         Host entry (net otherwise)
             L    RTF_LLINFO       Valid protocol to link address translation
             M    RTF_MODIFIED     Modified dynamically (by redirect)
             R    RTF_REJECT       Host or net unreachable
             S    RTF_STATIC       Manually added
             U    RTF_UP           Route usable
             X    RTF_XRESOLVE     External daemon translates proto to link
                                   address

             Direct routes are created for each interface attached to the local
             host; the gateway field for such entries shows the address of the
             outgoing interface.  The refcnt field gives the current number of
             active uses of the route.  Connection oriented protocols normally
             hold on to a single route for the duration of a connection while
             connectionless protocols obtain a route while sending to the same
             destination.  The use field provides a count of the number of
             packets sent using that route.  The interface entry indicates the
             network interface utilized for the route.

             -4      Show IPv4 only.  See GENERAL OPTIONS.

             -6      Show IPv6 only.  See GENERAL OPTIONS.

             -n      Do not resolve numeric addresses and port numbers to names.
                     See GENERAL OPTIONS.

             -W      Show the path MTU for each route, and print interface names
                     with a wider field size.

             -F      Display the routing table with the number fibnum.  If the
                     specified fibnum is -1 or -F is not specified, the default
                     routing table is displayed.

             -f      Display the routing table for a particular address_family.

             -M      Use an alternative core See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -rs [-s] [-M core] [-N system]
             Display routing statistics.

             -s      If -s is repeated, counters with a value of zero are
                     suppressed.

             -M      Use an alternative core See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -g [-46W] [-f address_family] [-M core] [-N system]
             Display the contents of the multicast virtual interface tables, and
             multicast forwarding caches.  Entries in these tables will appear
             only when the kernel is actively forwarding multicast sessions.
             This option is applicable only to the inet and inet6 address
             families.

             -4      Show IPv4 only See GENERAL OPTIONS.

             -6      Show IPv6 only See GENERAL OPTIONS.

             -W      Avoid truncating addresses even if this causes some fields
                     to overflow.

             -f protocol_family
                     Filter by protocol_family.  See GENERAL OPTIONS.

             -M      Use an alternative core See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -gs [-46s] [-f address_family] [-M core] [-N system]
             Show multicast routing statistics.

             -4      Show IPv4 only See GENERAL OPTIONS.

             -6      Show IPv6 only See GENERAL OPTIONS.

             -s      If -s is repeated, counters with a value of zero are
                     suppressed.

             -f protocol_family
                     Filter by protocol_family.  See GENERAL OPTIONS.

             -M      Use an alternative core See GENERAL OPTIONS.

             -N      Use an alternative kernel image See GENERAL OPTIONS.

     netstat -Q
             Show netisr(9) statistics.  The flags field shows available ISR
             handlers:

             C    NETISR_SNP_FLAGS_M2CPUID       Able to map mbuf to cpu id
             D    NETISR_SNP_FLAGS_DRAINEDCPU    Has queue drain handler
             F    NETISR_SNP_FLAGS_M2FLOW        Able to map mbuf to flow id

   GENERAL OPTIONS
     Some options have the general meaning:

     -4    Is shorthand for -f inet (Show only IPv4)

     -6    Is shorthand for -f inet6 (Show only IPv6)

     -f address_family, -p protocol
           Limit display to those records of the specified address_family or a
           single protocol.  The following address families and protocols are
           recognized:

           Family                      Protocols
           inet (AF_INET)              divert, icmp, igmp, ip, ipsec, pim, sctp,
                                       tcp, udp
           inet6 (AF_INET6)            icmp6, ip6, ipsec6, rip6, sctp, tcp, udp
           pfkey (PF_KEY)              pfkey
           netgraph, ng (AF_NETGRAPH)  ctrl, data
           unix (AF_UNIX)
           link (AF_LINK)

           The program will complain if protocol is unknown or if there is no
           statistics routine for it.

     -M    Extract values associated with the name list from the specified core
           instead of the default /dev/kmem.

     -N    Extract the name list from the specified system instead of the
           default, which is the kernel image the system has booted from.

     -n    Show network addresses and ports as numbers.  Normally netstat
           attempts to resolve addresses and ports, and display them
           symbolically.

SEE ALSO
     fstat(1), nfsstat(1), procstat(1), ps(1), sockstat(1), libxo(3),
     xo_parse_args(3), bpf(4), inet(4), route(4), unix(4), hosts(5),
     networks(5), protocols(5), services(5), iostat(8), route(8), trpt(8),
     vmstat(8), mbuf(9)

HISTORY
     The netstat command appeared in 4.2BSD.

     IPv6 support was added by WIDE/KAME project.

BUGS
     The notion of errors is ill-defined.

BSD                              March 22, 2018                              BSD