lsg32.htm

linux-unix130.linux.and.unix.ebooks130 linux and unix ebookslinuxLearning Linux - Collection of 12 E

tcp 11212 0 tpci.1035 treijs.1036 ESTABL.



tcp 0 0 tpci.1021 reboc.1024 TIME_WAIT



tcp 0 0 *.1028 *.* LISTEN



tcp 0 0 *.* *.* CLOSED



tcp 0 0 *.6000 *.* LISTEN



tcp 0 0 *.listen *.* LISTEN



tcp 0 0 *.1024 *.* LISTEN



tcp 0 0 *.sunrpc *.* LISTEN



tcp 0 0 *.smtp *.* LISTEN



tcp 0 0 *.time *.* LISTEN



tcp 0 0 *.echo *.* LISTEN



tcp 0 0 *.finger *.* LISTEN



tcp 0 0 *.exec *.* LISTEN



tcp 0 0 *.telnet *.* LISTEN



tcp 0 0 *.ftp *.* LISTEN



tcp 0 0 *.* *.* CLOSED</FONT></PRE>



<P>In the preceding sample extract, three TCP connections are active, as identified by the state ESTABL. One has data being sent (as shown in the Send-Q column), while another has incoming data in the queue. The network names and port numbers of the connection ends is shown whenever possible. An asterisk means no end point has yet been associated with that address.



<BR>



<P>One connection is waiting to be hung up, identified by TIME_WAIT in the state column. After thirty seconds, these sessions are terminated and the connection freed. Any row with LISTEN as the state has no connection at the moment, and is waiting.



<BR>



<P>You can use the -a option by itself to display a complete list of all connections. The output, which is quite lengthy, looks the same, but includes all connections (active and passive):



<BR>



<PRE>



<FONT COLOR="#000080">$ netstat -a



Active Internet connections (including servers)



Proto Recv-Q Send-Q Local Address Foreign Address (state)



ip 0 0 *.* *.*



tcp 0 2124 tpci.login merlin.1034 ESTABL.



tcp 0 0 tpci.1034 prudie.login ESTABL.



tcp 11212 0 tpci.1035 treijs.1036 ESTABL.



tcp 0 0 tpci.1021 reboc.1024 TIME_WAIT



tcp 0 0 *.1028 *.* LISTEN



tcp 0 0 *.* *.* CLOSED



tcp 0 0 *.6000 *.* LISTEN



tcp 0 0 *.listen *.* LISTEN



tcp 0 0 *.1024 *.* LISTEN



tcp 0 0 *.sunrpc *.* LISTEN



tcp 0 0 *.smtp *.* LISTEN



tcp 0 0 *.time *.* LISTEN



tcp 0 0 *.echo *.* LISTEN



tcp 0 0 *.finger *.* LISTEN



tcp 0 0 *.exec *.* LISTEN



tcp 0 0 *.telnet *.* LISTEN



tcp 0 0 *.ftp *.* LISTEN



tcp 0 0 *.* *.* CLOSED



udp 0 0 *.60000 *.*



udp 0 0 *.177 *.*



udp 0 0 *.1039 *.*



udp 0 0 *.1038 *.*



udp 0 0 localhost.1036 localhost.syslog



udp 0 0 *.1034 *.*



udp 0 0 *.* *.*



udp 0 0 *.1027 *.*



udp 0 0 *.1026 *.*



udp 0 0 *.sunrpc *.*



udp 0 0 *.1025 *.*



udp 0 0 *.time *.*



udp 0 0 *.daytime *.*



udp 0 0 *.chargen *.*



udp 0 0 *.route *.*



udp 0 0 *.* *.*</FONT></PRE>



<P>The output is similar to that for the -ta options shown previously, except the UDP (User Datagram Protocol) connections have been added. UDP sessions have no state column because they do not have an end-to-end connection.



<BR>



<BR>



<A NAME="E69E211"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Network Interface Statistics</B></FONT></CENTER></H4>



<BR>



<P>The behavior of the network interface (such as the network interface card) can be shown by using the -i option to the netstat command. This information quickly shows you whether major problems exist with the network connection.



<BR>



<P>The netstat -i command displays the name of the interface (Iface), the maximum number of characters a packet can contain (MTU), the metric value (not used with Linux), and a set of columns for the number of packets received without problem (RX-OK), received with errors (RX-ERR), received but dropped (RX-DRP), and received but lost due to overrun (RX-OVR). The transmitted packets have similar columns. The last column contains a list of flags set for the interface. The following is a sample output from a netstat -i command:



<BR>



<PRE>



<FONT COLOR="#000080">$ netstat -i



Kernel Interface table



Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flags



lo 2000 0 231 0 0 0 231 0 0 0 BLRU



eth0 1500 0 1230 2 9 12 1421 3 2 1 BRU</FONT></PRE>



<P>This extract shows two interfaces in use: an Ethernet device (/dev/eth0) and the loopback driver (lo0). In this case, you can see the Ethernet interface has had a few bad packet receptions. This is normal because of the nature of the Ethernet system, although if the numbers become too high a percentage of the total packets sent, you should start diagnostic methods to find out why.



<BR>



<P>You can obtain more specific information about one interface by using the -i option with a device name and a time interval, specified in seconds, such as netstat -i eth0 30, to obtain specific information about the behavior of the &quot;eth0&quot; (Ethernet) interface over the last thirty seconds. For example, the output below shows the activity of the Ethernet interface for the last 30 seconds:



<BR>



<PRE>



<FONT COLOR="#000080">$ netstat -i eth0 30



Kernel Interface table



Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flags



eth0 1500 0 2341 3 5 112 2111 5 8 8 BRU</FONT></PRE>



<P>The flags column in the netstat output matches the types of flags you saw with the ifconfig command. The meaning of the flags is shown in the following list:



<BR>







<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="100%" CELLPADDING=2 >



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



B



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Broadcast address has been set</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



L



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Loopback driver</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



M



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Promiscuous mode</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



N



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Trailers are avoided</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



O



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



ARP turned off</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



P



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Point-to-point connection</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



R



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Running</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



U



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Interface is up</FONT>



</TABLE><P>As you can see in the extracts from the previous commands above, several of the flags can be combined into one block.



<BR>



<BR>



<A NAME="E69E212"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Data Buffers</B></FONT></CENTER></H4>



<BR>



<P>Versions of netstat that are based on System V UNIX (instead of BSD UNIX) allow displays of data buffer statistics. Information about the TCP/IP data buffers can be obtained with the netstat command's -m option. Monitoring the behavior of the buffers is important, because they directly impact the performance of TCP/IP. The output of the netstat -m command differs depending on the version of Linux networking software in use, reflecting the different implementations of the TCP/IP code.



<BR>



<P>The netstat -m command output is shown below. In this version, entries are provided for the streamhead, queue, message descriptor table (mblks), data descriptor table (dblks), and the different classes of data descriptor tables. The columns show the number of blocks currently allocated (alloc), the number of columns free (free), the total number of blocks in use (total), the maximum number of blocks that were in use at one time (max), and the number of times a block was not available (fail).



<BR>



<PRE>



<FONT COLOR="#000080">$ netstat -m



streams allocation:



 config alloc free total max fail



streams 292 79 213 233 80 0



queues 1424 362 1062 516 368 0



mblks 5067 196 4871 3957 206 0



dblks 4054 196 3858 3957 206 0



class 0, 4 bytes 652 50 602 489 53 0



class 1, 16 bytes 652 2 650 408 4 0



class 2, 64 bytes 768 6 762 2720 14 0



class 3, 128 bytes 872 105 767 226 107 0



class 4, 256 bytes 548 21 527 36 22 0



class 5, 512 bytes 324 12 312 32 13 0



class 6, 1024 bytes 107 0 107 1 1 0



class 7, 2048 bytes 90 0 90 7 1 0



class 8, 4096 bytes 41 0 41 38 1 0



total configured streams memory: 1166.73KB



streams memory in use: 44.78KB



maximum streams memory used: 58.57KB</FONT></PRE>



<P>The failure column is important, and tt should always show zeros. If a larger number appears there, it means that the particular resource in question has been overtaxed and the number of blocks assigned to that resource should be increased (followed by a kernel rebuild and a reboot of the system to effect the changes).



<BR>



<BR>



<A NAME="E69E213"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Routing Table Information</B></FONT></CENTER></H4>



<BR>



<P>Routing tables are continually updated to reflect connections to other machines. To obtain information about the routing tables, the netstat -r and -rs options are used (the latter generates statistics about the routing tables).



<BR>



<P>The output from netstat -r and netstat -rs commands are shown below. The columns show the destination machine, the address of the gateway to be used (an asterisk means no gateway to be used), the Genmask which specifies the generality of the route (which IP addresses can be matched to it), a set of flags, a metric value (not used), a reference counter (Refs) that specifies how many active connections may use <A NAME="I2"></A>that route simultaneously, the number of packets that have been sent over the route (Use), and the interface name.



<BR>



<PRE>



<FONT COLOR="#000080">$ netstat -r



Kernel routing table



Destination Gateway Genmask Flags Metric Ref Use Iface



loopback * 255.0.0.0 U 0 0 21 lo



big_system * 123.23.1.0 UGN 1 0 321 eth0



small_system * 165.213.14.0 UN 1 0 1213 eth0</FONT></PRE>



<P>The flags are used to show different characteristics of the route. The following are valid flags:



<BR>







<TABLE  BORDERCOLOR=#000040 BORDER=1 CELLSPACING=2 WIDTH="100%" CELLPADDING=2 >



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



D



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Generated by ICMP</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



G



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Uses a Gateway</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



H



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Only a single host can be reached this way (such as loopback)</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



M



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Modified by ICMP</FONT>



<TR>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



U



</FONT>



<TD VALIGN=top  BGCOLOR=#80FFFF ><FONT COLOR=#000080>



Interface is up</FONT>



</TABLE><P>You can combine the -s and -rs options with the -n option to display the IP addresses of the entries in the routing table, instead of the symbolic name (as shown above). The layout and information displayed by the netstat command will vary depending on the Linux implementations, as in the following example:



<BR>



<PRE>



<FONT COLOR="#000080">$ netstat -nr



Kernel routing table



Destination Gateway Genmask Flags Metric Ref Use Iface



127.0.0.1 * 255.0.0.0 U 0 0 21 lo



123.23.1.2 * 123.23.1.0 UGN 1 0 321 eth0



165.213.14.1m * 165.213.14.0 UN 1 0 1213 eth0</FONT></PRE>



<P>This flag saves you from having to figure out the symbolic to IP address translations yourself.



<BR>



<BR>



<A NAME="E69E214"></A>



<H4 ALIGN=CENTER>



<CENTER>



<FONT SIZE=4 COLOR="#FF0000"><B>Protocol Statistics</B></FONT></CENTER></H4>



<BR>