[apple/network_cmds.git] / netstat.tproj / netstat.1

.\" Copyright (c) 1983, 1990, 1992, 1993
.\"     The Regents of the University of California.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgement:
.\"     This product includes software developed by the University of
.\"     California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\"     @(#)netstat.1   8.8 (Berkeley) 4/18/94
.\" $FreeBSD: src/usr.bin/netstat/netstat.1,v 1.22.2.7 2001/08/10 09:07:09 ru Exp $
.\"
.Dd June 15, 2001
.Dt NETSTAT 1
.Os Darwin
.Sh NAME
.Nm netstat
.Nd show network status
.Sh SYNOPSIS
.Nm
.Op Fl AaLlnW
.Op Fl f Ar address_family | Fl p Ar protocol
.Nm
.Op Fl gilns
.Op Fl f Ar address_family
.Nm
.Fl i | I Ar interface
.Op Fl w Ar wait
.Op Fl abdgt
.Nm
.Fl s Op Fl s
.Op Fl f Ar address_family | Fl p Ar protocol
.Op Fl w Ar wait
.Nm
.Fl i | I Ar interface Fl s
.Op Fl f Ar address_family | Fl p Ar protocol
.Nm
.Fl m
.Op Fl m
.Nm
.Fl r
.Op Fl Aaln
.Op Fl f Ar address_family
.Nm
.Fl rs
.Op Fl s
.\"-----------------------------------------------------------------------------------------
.Sh DESCRIPTION
.\"-----------------------------------------------------------------------------------------
The
.Nm
command symbolically displays the contents of various network-related data structures.
There are a number of output formats, depending on the options for the information presented.
The first form of the command displays a list of active sockets for each protocol.
The second form presents the contents of one of the other network data structures according
to the option selected. Using the third form, with a
.Ar wait
interval specified,
.Nm
will continuously display the information regarding packet traffic on the configured network
interfaces.  The fourth form displays statistics for the specified protocol or address family. If a
.Ar wait
interval is specified, the protocol information over the last interval seconds will be displayed.
The fifth form displays per-interface statistics for the specified protocol or address family.
The sixth form displays
.Xr mbuf 9
statistics.  The seventh form displays routing table for the specified address family.  The
eighth form displays routing statistics.
.Pp
The options have the following meaning:
.Bl -tag -width flag
.It Fl A
With the default display, show the address of any protocol control blocks associated with
sockets; used for debugging.
.It Fl a
With the default display, show the state of all sockets; normally sockets used by server
processes are not shown. With the routing table display (option
.Fl r ,
as described below), show protocol-cloned routes (routes generated by a
.Dv RTF_PRCLONING
parent route); normally these routes are not shown.
.It Fl b
With the interface display (option
.Fl i ,
as described below), show the number of bytes in and out.
.It Fl d
With either interface display (option
.Fl i
or an interval, as described below), show the number of dropped packets.
.It Fl f Ar address_family
Limit statistics or address control block reports to those of the specified
.Ar address family  .
The following address families are recognized:
.Ar inet  ,
for
.Dv AF_INET  ,
.Ar inet6  ,
for
.Dv AF_INET6
and
.Ar unix  ,
for
.Dv AF_UNIX  .
.It Fl g
Show information related to multicast (group address) routing.  By default, show the
IP Multicast virtual-interface and routing tables. If the
.Fl s
option is also present, show multicast routing statistics.
.It Fl I Ar interface
Show information about the specified interface; used with a
.Ar wait
interval as described below.
If the
.Fl s
option is present, show per-interface protocol statistics on the
.Ar interface
for the specified
.Ar address_family
or
.Ar protocol ,
or for all protocol families.
.It Fl i
Show the state of interfaces which have been auto-configured (interfaces statically
configured into a system, but not located at boot time are not shown).  If the
.Fl a
options is also present, multicast addresses currently in use are shown for each
Ethernet interface and for each IP interface address.  Multicast addresses are shown
on separate lines following the interface address with which they are associated.
If the
.Fl s
option is present, show per-interface statistics on all interfaces for the specified
.Ar address_family
or
.Ar protocol ,
or for all protocol families.
.It Fl L
Show the size of the various listen queues.  The first count shows the number of
unaccepted connections.  The second count shows the amount of unaccepted incomplete
connections.  The third count is the maximum number of queued connections.
.It Fl l
Print full IPv6 address.
.It Fl m
Show statistics recorded by the memory management routines (the network stack manages a private pool of memory buffers). More detailed information about the buffers, which includes their cache related statistics, can be obtained by using
.Fl mm
or
.Fl m
.Fl m
option.
.It Fl n
Show network addresses as numbers (normally
.Nm
interprets addresses and attempts to display them symbolically).  This option may be
used with any of the display formats.
.It Fl p Ar protocol
Show statistics about
.Ar protocol ,
which is either a well-known name for a protocol or an alias for it.  Some protocol
names and aliases are listed in the file
.Pa /etc/protocols .
The special protocol name
.Dq bdg
is used to show bridging statistics.  A null response typically means that there are
no interesting numbers to report.  The program will complain if
.Ar protocol
is unknown or if there is no statistics routine for it.
.It Fl r
Show the routing tables.  Use with
.Fl a
to show protocol-cloned routes.  When
.Fl s
is also present, show routing statistics instead.  When
.Fl l
is also present,
.Nm
assumes more columns are there and the maximum transmission unit
.Pq Dq mtu
are also displayed.
.It Fl s
Show per-protocol statistics.  If this option is repeated, counters with a value of
zero are suppressed.
.It Fl W
In certain displays, avoid truncating addresses even if this causes some fields to
overflow.
.It Fl w Ar wait
Show network interface or protocol statistics at intervals of
.Ar wait
seconds.
.El
.Pp
.\"-------------------------------------------------------------------------------
.Sh OUTPUT
.\"-------------------------------------------------------------------------------
The default display, for active sockets, shows the local and remote addresses,
send and receive queue sizes (in bytes), protocol, and the internal state of
the protocol.  Address formats are of the form
.Dq host.port
or
.Dq network.port
if a socket's address specifies a network but no specific host address.
If known, the host and network addresses are displayed symbolically
according to the databases
.Pa /etc/hosts
and
.Pa /etc/networks ,
respectively.  If a symbolic name for an address is unknown, or if the
.Fl n
option is specified, the address is printed numerically, according to the
address family.  For more information regarding the Internet
.Dq dot format ,
refer to
.Xr inet 3 ) .
Unspecified,
or
.Dq wildcard ,
addresses and ports appear as
.Dq * .
.Pp
Internet domain socket states:
.Bl -column X LISTEN
CLOSED:  The socket is not in use.
.Pp
LISTEN:  The socket is listening for incoming connections.  Unconnected
listening sockets like these are only displayed when using the -a option.
.Pp
SYN_SENT:  The socket is actively trying to establish a connection to a
remote peer.
.Pp
SYN_RCVD:  The socket has passively received a connection request from a
remote peer.
.Pp
ESTABLISHED:  The socket has an established connection between a local
application and a remote peer.
.Pp
CLOSE_WAIT:  The socket connection has been closed by the remote peer,
and the system is waiting for the local application to close its half of
the connection.
.Pp
LAST_ACK:  The socket connection has been closed by the remote peer, the
local application has closed its half of the connection, and the system
is waiting for the remote peer to acknowledge the close.
.Pp
FIN_WAIT_1:  The socket connection has been closed by the local
application, the remote peer has not yet acknowledged the close, and the
system is waiting for it to close its half of the connection.
.Pp
FIN_WAIT_2:  The socket connection has been closed by the local
application, the remote peer has acknowledged the close, and the system
is waiting for it to close its half of the connection.
.Pp
CLOSING:  The socket connection has been closed by the local application
and the remote peer simultaneously, and the remote peer has not yet
acknowledged the close attempt of the local application.
.Pp
TIME_WAIT:  The socket connection has been closed by the local
application, the remote peer has closed its half of the connection, and
the system is waiting to be sure that the remote peer received the last
acknowledgement.
.El
.Pp
The interface display provides a table of cumulative statistics regarding
packets transferred, errors, and collisions.  The network addresses of the
interface and the maximum transmission unit
.Pq Dq mtu
are also displayed.
.Pp
The routing table display indicates the available routes and their status.
Each route consists of a destination host or network and a gateway to use
in forwarding packets.  The flags field shows a collection of information
about the route stored as binary choices.  The individual flags are discussed
in more detail in the
.Xr route 8
and
.Xr route 4
manual pages.  The mapping between letters and flags is:
.Bl -column XXXX RTF_BLACKHOLE
1       RTF_PROTO1      Protocol specific routing flag #1
2       RTF_PROTO2      Protocol specific routing flag #2
3       RTF_PROTO3      Protocol specific routing flag #3
B       RTF_BLACKHOLE   Just discard packets (during updates)
b       RTF_BROADCAST   The route represents a broadcast address
C       RTF_CLONING     Generate new routes on use
c       RTF_PRCLONING   Protocol-specified generate new routes on use
D       RTF_DYNAMIC     Created dynamically (by redirect)
G       RTF_GATEWAY     Destination requires forwarding by intermediary
H       RTF_HOST        Host entry (net otherwise)
I       RTF_IFSCOPE     Route is associated with an interface scope
L       RTF_LLINFO      Valid protocol to link address translation
M       RTF_MODIFIED    Modified dynamically (by redirect)
m       RTF_MULTICAST   The route represents a multicast address
R       RTF_REJECT      Host or net unreachable
S       RTF_STATIC      Manually added
U       RTF_UP          Route usable
W       RTF_WASCLONED   Route was generated as a result of cloning
X       RTF_XRESOLVE    External daemon translates proto to link address
.El
.Pp
Direct routes are created for each interface attached to the local host;
the gateway field for such entries shows the address of the outgoing
interface.  The refcnt field gives the current number of active uses of
the route.  Connection oriented protocols normally hold on to a single
route for the duration of a connection while connectionless protocols
obtain a route while sending to the same destination.  The use field
provides a count of the number of packets sent using that route.  The
interface entry indicates the network interface utilized for the route.
A route which is marked with the RTF_IFSCOPE flag is instantiated for
the corresponding interface.
.Pp
When
.Nm netstat
is invoked with the
.Fl w
option and a
.Ar wait
interval argument, it displays a running count of statistics related to
network interfaces or protocols.  An obsolete version of this option used a numeric
parameter with no option, and is currently supported for backward
compatibility.  By default, this display summarizes information for all
interfaces.  Information for a specific interface may be displayed with the
.Fl I
option.
.Sh SEE ALSO
.Xr fstat 1 ,
.Xr nfsstat 1 ,
.Xr ps 1 ,
.Xr sockstat 1 ,
.Xr inet 4 ,
.Xr unix 4 ,
.Xr hosts 5 ,
.Xr networks 5 ,
.Xr protocols 5 ,
.Xr route 8 ,
.Xr services 5 ,
.Xr iostat 8 ,
.Xr trpt 8 ,
.Xr vmstat 8
.Sh HISTORY
The
.Nm netstat
command appeared in
.Bx 4.2 .
.Pp
IPv6 support was added by WIDE/KAME project.
.Sh BUGS
The notion of errors is ill-defined.