network_cmds-396.6.tar.gz

[apple/network_cmds.git] / netstat.tproj / netstat.1

.\" Copyright (c) 2012 Apple Inc. All rights reserved.
.\"
.\" @APPLE_OSREFERENCE_LICENSE_HEADER_START@
.\" 
.\" This file contains Original Code and/or Modifications of Original Code
.\" as defined in and that are subject to the Apple Public Source License
.\" Version 2.0 (the 'License'). You may not use this file except in
.\" compliance with the License. The rights granted to you under the License
.\" may not be used to create, or enable the creation or redistribution of,
.\" unlawful or unlicensed copies of an Apple operating system, or to
.\" circumvent, violate, or enable the circumvention or violation of, any
.\" terms of an Apple operating system software license agreement.
.\" 
.\" Please obtain a copy of the License at
.\" http://www.opensource.apple.com/apsl/ and read it before using this file.
.\"
.\" The Original Code and all software distributed under the License are
.\" distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
.\" EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
.\" INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
.\" FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
.\" Please see the License for the specific language governing rights and
.\" limitations under the License.
.\" 
.\" @APPLE_OSREFERENCE_LICENSE_HEADER_END@
.\"
.\" Copyright (c) 1983, 1990, 1992, 1993
.\"	The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"	This product includes software developed by the University of
.\"	California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"	@(#)netstat.1	8.8 (Berkeley) 4/18/94
.\" $FreeBSD: src/usr.bin/netstat/netstat.1,v 1.22.2.7 2001/08/10 09:07:09 ru Exp $
.\"
.Dd June 15, 2001
.Dt NETSTAT 1
.Os Darwin
.Sh NAME
.Nm netstat
.Nd show network status
.Sh SYNOPSIS
.Nm
.Op Fl AaLlnW
.Op Fl f Ar address_family | Fl p Ar protocol
.Nm
.Op Fl gilns
.Op Fl v
.Op Fl f Ar address_family
.Op Fl I Ar interface
.Nm
.Fl i | I Ar interface
.Op Fl w Ar wait
.Op Fl c Ar queue
.Op Fl abdgqRt
.Nm
.Fl s Op Fl s
.Op Fl f Ar address_family | Fl p Ar protocol
.Op Fl w Ar wait
.Nm
.Fl i | I Ar interface Fl s
.Op Fl f Ar address_family | Fl p Ar protocol
.Nm
.Fl m
.Op Fl m
.Nm
.Fl r
.Op Fl Aaln
.Op Fl f Ar address_family
.Nm
.Fl rs
.Op Fl s
.\"-----------------------------------------------------------------------------------------
.Sh DESCRIPTION
.\"-----------------------------------------------------------------------------------------
The
.Nm
command symbolically displays the contents of various network-related data structures.
There are a number of output formats, depending on the options for the information presented.
The first form of the command displays a list of active sockets for each protocol.
The second form presents the contents of one of the other network data structures according
to the option selected. Using the third form, with a
.Ar wait
interval specified,
.Nm
will continuously display the information regarding packet traffic on the configured network
interfaces.  The fourth form displays statistics for the specified protocol or address family. If a
.Ar wait
interval is specified, the protocol information over the last interval seconds will be displayed.
The fifth form displays per-interface statistics for the specified protocol or address family.
The sixth form displays
.Xr mbuf 9
statistics.  The seventh form displays routing table for the specified address family.  The
eighth form displays routing statistics.
.Pp
The options have the following meaning:
.Bl -tag -width flag
.It Fl A
With the default display, show the address of any protocol control blocks associated with
sockets and the flow hash; used for debugging.
.It Fl a
With the default display, show the state of all sockets; normally sockets used by server
processes are not shown. With the routing table display (option
.Fl r ,
as described below), show protocol-cloned routes (routes generated by a
.Dv RTF_PRCLONING
parent route); normally these routes are not shown.
.It Fl b
With the interface display (option
.Fl i ,
as described below), show the number of bytes in and out.
.It Fl c Ar queue
With the queue statistics (option
.Fl q ,
as described below), show only those for the specified
.Ar queue .
.It Fl d
With either interface display (option
.Fl i
or an interval, as described below), show the number of dropped packets.
.It Fl f Ar address_family
Limit statistics or address control block reports to those of the specified
.Ar address family  .
The following address families are recognized:
.Ar inet  ,
for
.Dv AF_INET  ,
.Ar inet6  ,
for
.Dv AF_INET6
and
.Ar unix  ,
for
.Dv AF_UNIX  .
.It Fl g
Show information related to multicast (group address) membership.  If the
.Fl s
option is also present, show extended interface group management statistics.  If the
.Fl v
option is specified, show link-layer memberships; they are suppressed by default.
Source lists for each group will also be printed.  Specifiying
.Fl v
twice will print the control plane timers for each interface and the source list counters
for each group.  If the
.Fl i
is specified, only that interface will be shown.  If the
.Fl f
is specified, only information for the address family will be displayed.
.It Fl I Ar interface
Show information about the specified interface; used with a
.Ar wait
interval as described below.
If the
.Fl s
option is present, show per-interface protocol statistics on the
.Ar interface
for the specified
.Ar address_family
or
.Ar protocol ,
or for all protocol families.
.It Fl i
Show the state of interfaces which have been auto-configured (interfaces statically
configured into a system, but not located at boot time are not shown).  If the
.Fl a
options is also present, multicast addresses currently in use are shown for each
Ethernet interface and for each IP interface address.  Multicast addresses are shown
on separate lines following the interface address with which they are associated.
If the
.Fl s
option is present, show per-interface statistics on all interfaces for the specified
.Ar address_family
or
.Ar protocol ,
or for all protocol families.
.It Fl L
Show the size of the various listen queues.  The first count shows the number of
unaccepted connections.  The second count shows the amount of unaccepted incomplete
connections.  The third count is the maximum number of queued connections.
.It Fl l
Print full IPv6 address.
.It Fl m
Show statistics recorded by the memory management routines (the network stack manages a private pool of memory buffers). More detailed information about the buffers, which includes their cache related statistics, can be obtained by using
.Fl mm
or
.Fl m
.Fl m
option.
.It Fl n
Show network addresses as numbers (normally
.Nm
interprets addresses and attempts to display them symbolically).  This option may be
used with any of the display formats.
.It Fl p Ar protocol
Show statistics about
.Ar protocol ,
which is either a well-known name for a protocol or an alias for it.  Some protocol
names and aliases are listed in the file
.Pa /etc/protocols .
The special protocol name
.Dq bdg
is used to show bridging statistics.  A null response typically means that there are
no interesting numbers to report.  The program will complain if
.Ar protocol
is unknown or if there is no statistics routine for it.
.It Fl q
Show network interface send queue statistics.  By default all queues are displayed, unless
specified with
.Fl c .
This option requires specifying an interface with
.Fl I
option.  More detailed information about the queues, which includes their queueing algorithm related statistics, can be obtained by using
.Fl qq
or
.Fl q
.Fl q
option.
.It Fl r
Show the routing tables.  Use with
.Fl a
to show protocol-cloned routes.  When
.Fl s
is also present, show routing statistics instead.  When
.Fl l
is also present,
.Nm
assumes more columns are there and the maximum transmission unit
.Pq Dq mtu
are also displayed.
.It Fl R
Show reachability information.  Use with
.Fl i
to show link-layer reachability information for a given interface.
.It Fl s
Show per-protocol statistics.  If this option is repeated, counters with a value of
zero are suppressed.
.It Fl v
Increase verbosity level.
.It Fl W
In certain displays, avoid truncating addresses even if this causes some fields to
overflow.
.It Fl w Ar wait
Show network interface or protocol statistics at intervals of
.Ar wait
seconds.
.It Fl x
Show extended link-layer reachability information in addition to that shown by
the
.Fl R
flag.
.El
.Pp
.\"-------------------------------------------------------------------------------
.Sh OUTPUT
.\"-------------------------------------------------------------------------------
The default display, for active sockets, shows the local and remote addresses,
send and receive queue sizes (in bytes), protocol, and the internal state of
the protocol.  Address formats are of the form
.Dq host.port
or
.Dq network.port
if a socket's address specifies a network but no specific host address.
If known, the host and network addresses are displayed symbolically
according to the databases
.Pa /etc/hosts
and
.Pa /etc/networks ,
respectively.  If a symbolic name for an address is unknown, or if the
.Fl n
option is specified, the address is printed numerically, according to the
address family.  For more information regarding the Internet
.Dq dot format ,
refer to
.Xr inet 3 ) .
Unspecified,
or
.Dq wildcard ,
addresses and ports appear as
.Dq * .
.Pp
Internet domain socket states:
.Bl -column X LISTEN
CLOSED:  The socket is not in use.
.Pp
LISTEN:  The socket is listening for incoming connections.  Unconnected
listening sockets like these are only displayed when using the -a option.
.Pp
SYN_SENT:  The socket is actively trying to establish a connection to a
remote peer.
.Pp
SYN_RCVD:  The socket has passively received a connection request from a
remote peer.
.Pp
ESTABLISHED:  The socket has an established connection between a local
application and a remote peer.
.Pp
CLOSE_WAIT:  The socket connection has been closed by the remote peer,
and the system is waiting for the local application to close its half of
the connection.
.Pp
LAST_ACK:  The socket connection has been closed by the remote peer, the
local application has closed its half of the connection, and the system
is waiting for the remote peer to acknowledge the close.
.Pp
FIN_WAIT_1:  The socket connection has been closed by the local
application, the remote peer has not yet acknowledged the close, and the
system is waiting for it to close its half of the connection.
.Pp
FIN_WAIT_2:  The socket connection has been closed by the local
application, the remote peer has acknowledged the close, and the system
is waiting for it to close its half of the connection.
.Pp
CLOSING:  The socket connection has been closed by the local application
and the remote peer simultaneously, and the remote peer has not yet
acknowledged the close attempt of the local application.
.Pp
TIME_WAIT:  The socket connection has been closed by the local
application, the remote peer has closed its half of the connection, and
the system is waiting to be sure that the remote peer received the last
acknowledgement.
.El
.Pp
The interface display provides a table of cumulative statistics regarding
packets transferred, errors, and collisions.  The network addresses of the
interface and the maximum transmission unit
.Pq Dq mtu
are also displayed.
.Pp
The routing table display indicates the available routes and their status.
Each route consists of a destination host or network and a gateway to use
in forwarding packets.  The flags field shows a collection of information
about the route stored as binary choices.  The individual flags are discussed
in more detail in the
.Xr route 8
and
.Xr route 4
manual pages.  The mapping between letters and flags is:
.Bl -column XXXX RTF_BLACKHOLE
1	RTF_PROTO1	Protocol specific routing flag #1
2	RTF_PROTO2	Protocol specific routing flag #2
3	RTF_PROTO3	Protocol specific routing flag #3
B	RTF_BLACKHOLE	Just discard packets (during updates)
b	RTF_BROADCAST	The route represents a broadcast address
C	RTF_CLONING	Generate new routes on use
c	RTF_PRCLONING	Protocol-specified generate new routes on use
D	RTF_DYNAMIC	Created dynamically (by redirect)
G	RTF_GATEWAY	Destination requires forwarding by intermediary
H	RTF_HOST	Host entry (net otherwise)
I	RTF_IFSCOPE	Route is associated with an interface scope
i	RTF_IFREF	Route is holding a reference to the interface
L	RTF_LLINFO	Valid protocol to link address translation
M	RTF_MODIFIED	Modified dynamically (by redirect)
m	RTF_MULTICAST	The route represents a multicast address
R	RTF_REJECT	Host or net unreachable
r	RTF_ROUTER	Host is a default router
S	RTF_STATIC	Manually added
U	RTF_UP		Route usable
W	RTF_WASCLONED	Route was generated as a result of cloning
X	RTF_XRESOLVE	External daemon translates proto to link address
Y	RTF_PROXY	Proxying; cloned routes will not be scoped
.El
.Pp
Direct routes are created for each interface attached to the local host;
the gateway field for such entries shows the address of the outgoing
interface.  The refcnt field gives the current number of active uses of
the route.  Connection oriented protocols normally hold on to a single
route for the duration of a connection while connectionless protocols
obtain a route while sending to the same destination.  The use field
provides a count of the number of packets sent using that route.  The
interface entry indicates the network interface utilized for the route.
A route which is marked with the RTF_IFSCOPE flag is instantiated for
the corresponding interface.  A cloning route which is marked with the
RTF_PROXY flag will not generate new routes that are associated
with its interface scope.
.Pp
When
.Nm netstat
is invoked with the
.Fl w
option and a
.Ar wait
interval argument, it displays a running count of statistics related to
network interfaces or protocols.  An obsolete version of this option used a numeric
parameter with no option, and is currently supported for backward
compatibility.  By default, this display summarizes information for all
interfaces.  Information for a specific interface may be displayed with the
.Fl I
option.
.Sh SEE ALSO
.Xr fstat 1 ,
.Xr nfsstat 1 ,
.Xr ps 1 ,
.Xr inet 4 ,
.Xr unix 4 ,
.Xr hosts 5 ,
.Xr networks 5 ,
.Xr protocols 5 ,
.Xr route 8 ,
.Xr services 5 ,
.Xr iostat 8 ,
.Xr trpt 8 ,
.Xr vmstat 8
.Sh HISTORY
The
.Nm netstat
command appeared in
.Bx 4.2 .
.Pp
IPv6 support was added by WIDE/KAME project.
.Sh BUGS
The notion of errors is ill-defined.