Network Statistics (netstat)

Posted By Sagar Patil

netstat displays the contents of various network-related data structures, depending on the options selected.

netstat <option/s>

Multiple options can be given at one time.

Options

-a – displays the state of all sockets.
-r – shows the system routing tables.
-i – gives statistics on a per-interface basis.
-m – displays information from the network memory buffers. On Solaris, this shows statistics for STREAMS.
-p [proto] – retrieves statistics for the specified protocol.
-s – shows per-protocol statistics. (Some implementations allow -ss to remove fields with a value of 0 (zero) from the display.)
-D – displays the status of DHCP-configured interfaces.
-n – does not look up hostnames; displays only IP addresses.
-d (with -i) – displays dropped packets per interface.
-I [interface] – retrieves information about only the specified interface.
-v – be verbose.

 

$ netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use    Interface
-------------------- -------------------- ----- ----- ------ ---------
192.168.1.0          192.168.1.11          U       1    1444  le0
224.0.0.0            192.168.1.11          U       1       0  le0
default              192.168.1.1           UG      1   68276
127.0.0.1            127.0.0.1             UH      1   10497  lo0

This shows the output on a Solaris machine whose IP address is 192.168.1.11, with a default router at 192.168.1.1.

Results and Solutions:

A.) Network availability

The command above is mostly useful for troubleshooting network accessibility issues. When the outside network is not accessible from a machine, check the following:

1. The default router IP address is correct.

2. You can ping it from your machine.

3. If the router address is incorrect, it can be changed with the route add command. See man route for more info.

route command examples:
$ route add default <hostname>
$ route add 192.0.2.32 <gateway_name>

If the router address is correct but you still can't ping it, there may be a network cable/hub/switch problem, and you have to try to eliminate the faulty component.

B.) Network Response

$ netstat -i
Name  Mtu   Net/Dest  Address    Ipkts     Ierrs  Opkts    Oerrs  Collis  Queue
lo0   8232  loopback  localhost  77814     0      77814    0      0       0
hme0  1500  server1   server1    10658566  3      4832511  0      279257  0

This option is used to diagnose network problems when connectivity is there but the response is slow.

Values to look at:

    * Collisions (Collis)
    * Output packets (Opkts)
    * Input errors (Ierrs)
    * Input packets (Ipkts)

The above values give the information needed to work out:

i. Network collision rate, as follows:

Network collision rate = Output collision counts / Output packets

A network-wide collision rate greater than 10 percent indicates:

    *  Overloaded network,
    *  Poorly configured network,
    *  Hardware problems.

ii. Input packet error rate, as follows:

Input Packet Error Rate = Ierrs / Ipkts.

If the input error rate is high (over 0.25 percent), the host is dropping packets. Hub/switch cables etc. need to be checked for potential problems.
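The two rates above can be computed directly from netstat -i output. The following is an added example, not part of the original post: the function names iface_rates and sample_netstat_i are made up here, and the ce1 row is constructed so that both thresholds are crossed.

```shell
#!/bin/sh
# Constructed sample: the two rows from the netstat -i output above, plus one
# made-up interface (ce1) whose counters exceed both limits.
sample_netstat_i() {
cat <<'EOF'
Name  Mtu   Net/Dest  Address    Ipkts     Ierrs  Opkts    Oerrs  Collis  Queue
lo0   8232  loopback  localhost  77814     0      77814    0      0       0
hme0  1500  server1   server1    10658566  3      4832511  0      279257  0
ce1   1500  server2   server2    200000    900    100000   0      15000   0
EOF
}

# iface_rates: read `netstat -i` output on stdin and print, per interface,
# the collision rate (Collis/Opkts) and input error rate (Ierrs/Ipkts) as
# percentages, flagged against the 10% and 0.25% limits from the text.
iface_rates() {
    awk '
    $1 == "Name" {
        # Header row: map column names to positions, so the script does not
        # depend on a fixed column order.
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    !("Collis" in col) || NF < col["Collis"] { next }   # blank or short line
    {
        ipkts = $(col["Ipkts"]); ierrs  = $(col["Ierrs"])
        opkts = $(col["Opkts"]); collis = $(col["Collis"])
        # Idle interfaces have zero packet counts; avoid dividing by zero.
        crate = (opkts > 0) ? 100 * collis / opkts : 0
        erate = (ipkts > 0) ? 100 * ierrs / ipkts : 0
        verdict = ""
        if (crate > 10)   verdict = verdict "HIGH_COLLISIONS "
        if (erate > 0.25) verdict = verdict "HIGH_INPUT_ERRORS "
        if (verdict == "") verdict = "OK"
        sub(/ $/, "", verdict)
        printf "%s collis=%.2f%% ierr=%.4f%% %s\n", $1, crate, erate, verdict
    }'
}

# Run against the embedded sample; on a live host use: netstat -i | iface_rates
sample_netstat_i | iface_rates
```

The counters are cumulative since boot, so the rates are long-run averages rather than a picture of the current load.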

C.) Network socket & TCP connection state

netstat gives important information about network socket and TCP state. This is very useful for finding open, closed and waiting TCP connections.

The network states returned by netstat are the following:

     CLOSED        –  Closed. The socket is not being used.
     LISTEN        –  Listening for incoming connections.
     SYN_SENT      –  Actively trying to establish connection.
     SYN_RECEIVED  –  Initial synchronization of the connection under way.
     ESTABLISHED   –  Connection has been established.
     CLOSE_WAIT    –  Remote shut down; waiting for the socket to close.
     FIN_WAIT_1    –  Socket closed; shutting down connection.
     CLOSING       –  Closed, then remote shutdown; awaiting acknowledgement.
     LAST_ACK      –  Remote shut down, then closed; awaiting acknowledgement.
     FIN_WAIT_2    –  Socket closed; waiting for shutdown from remote.
     TIME_WAIT     –  Wait after close for remote shutdown retransmission.

Example: # netstat -a

Local Address        Remote Address        Swind  Send-Q  Rwind  Recv-Q  State
*.*                  *.*                   0      0       24576  0       IDLE
*.22                 *.*                   0      0       24576  0       LISTEN
*.22                 *.*                   0      0       24576  0       LISTEN
*.*                  *.*                   0      0       24576  0       IDLE
*.32771              *.*                   0      0       24576  0       LISTEN
*.4045               *.*                   0      0       24576  0       LISTEN
*.25                 *.*                   0      0       24576  0       LISTEN
*.5987               *.*                   0      0       24576  0       LISTEN
*.898                *.*                   0      0       24576  0       LISTEN
*.32772              *.*                   0      0       24576  0       LISTEN
*.32775              *.*                   0      0       24576  0       LISTEN
*.32776              *.*                   0      0       24576  0       LISTEN
*.*                  *.*                   0      0       24576  0       IDLE
192.168.1.184.22     192.168.1.186.50457   41992  0       24616  0       ESTABLISHED
192.168.1.184.22     192.168.1.186.56806   38912  0       24616  0       ESTABLISHED
192.168.1.184.22     192.168.1.183.58672   18048  0       24616  0       ESTABLISHED

If you see a lot of connections in the FIN_WAIT state, TCP/IP parameters have to be tuned, because the connections are not being closed and keep accumulating. After some time the system may run out of resources. TCP parameters can be tuned to define a timeout so that connections can be released and used by new connections.
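A quick way to see whether connections are piling up is to tally the State column. This is an added example, not from the original post: tcp_states and sample_netstat_a are names chosen here, it assumes the Solaris-style address.port layout shown above, and the three FIN_WAIT rows are constructed. It goes slightly beyond the text by also listing the listening ports and grouping FIN_WAIT connections by remote host.

```shell
#!/bin/sh
# Constructed sample: five rows taken from the netstat -a output above, plus
# three made-up FIN_WAIT rows (remote hosts .190 and .191).
sample_netstat_a() {
cat <<'EOF'
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
*.* *.* 0 0 24576 0 IDLE
*.22 *.* 0 0 24576 0 LISTEN
*.25 *.* 0 0 24576 0 LISTEN
192.168.1.184.22 192.168.1.186.50457 41992 0 24616 0 ESTABLISHED
192.168.1.184.22 192.168.1.183.58672 18048 0 24616 0 ESTABLISHED
192.168.1.184.25 192.168.1.190.40112 24820 0 24616 0 FIN_WAIT_2
192.168.1.184.25 192.168.1.190.40113 24820 0 24616 0 FIN_WAIT_2
192.168.1.184.25 192.168.1.191.51200 24820 0 24616 0 FIN_WAIT_1
EOF
}

# tcp_states: read Solaris-style `netstat -a` TCP rows on stdin and print
#   state <STATE> <count>        connections per TCP state
#   finwait_peer <host> <count>  FIN_WAIT_1/2 connections per remote host
#   listen_port <port>           each distinct listening port
tcp_states() {
    awk '
    # A TCP row has exactly 7 fields and ends in an upper-case state name;
    # this skips the header and any non-TCP sections of the output.
    NF == 7 && $NF ~ /^[A-Z_0-9]+$/ {
        count[$NF]++
        if ($NF ~ /^FIN_WAIT/) {
            peer = $2
            sub(/\.[0-9]+$/, "", peer)   # drop the trailing .port
            finwait[peer]++
        }
        if ($NF == "LISTEN") {
            port = $1
            sub(/^.*\./, "", port)       # keep what follows the last dot
            listen[port] = 1
        }
    }
    END {
        for (s in count)   printf "state %s %d\n", s, count[s]
        for (p in finwait) printf "finwait_peer %s %d\n", p, finwait[p]
        for (p in listen)  printf "listen_port %s\n", p
    }' | sort
}

# Run against the embedded sample; on a live host use: netstat -an | tcp_states
sample_netstat_a | tcp_states
```

Running it at intervals and comparing the FIN_WAIT counts shows whether the connections are actually accumulating or just passing through that state.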
