1.\" Copyright (c) 1983, 1990, 1992, 1993 2.\" The Regents of the University of California. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. Neither the name of the University nor the names of its contributors 13.\" may be used to endorse or promote products derived from this software 14.\" without specific prior written permission. 15.\" 16.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 17.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 18.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 19.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 20.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 24.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 25.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 26.\" SUCH DAMAGE. 27.\" 28.\" @(#)netstat.1 8.8 (Berkeley) 4/18/94 29.\" $FreeBSD: src/usr.bin/netstat/netstat.1,v 1.22.2.13 2003/05/03 22:10:02 keramida Exp $ 30.\" 31.Dd April 21, 2018 32.Dt NETSTAT 1 33.Os 34.Sh NAME 35.Nm netstat 36.Nd show network status 37.Sh DESCRIPTION 38The 39.Nm 40command symbolically displays the contents of various network-related 41data structures. 42There are a number of output formats, 43depending on the options for the information presented. 44.Bl -tag -width indent 45.It Xo 46.Bk -words 47.Nm 48.Op Fl AaLlnPSW 49.Op Fl c Ar cpu 50.Op Fl f Ar protocol_family | Fl p Ar protocol 51.Op Fl M Ar core 52.Op Fl N Ar system 53.Ek 54.Xc 55Display a list of active sockets 56(protocol control blocks) 57for each network protocol, 58for a particular 59.Ar protocol_family , 60or for a single 61.Ar protocol . 62If 63.Fl A 64is also present, 65show the address of a protocol control block (PCB) 66associated with a socket; used for debugging. 67If 68.Fl a 69is also present, 70show the state of all sockets; 71normally sockets used by server processes are not shown. 72If 73.Fl L 74is also present, 75show the size of the various listen queues. 76The first count shows the number of unaccepted connections, 77the second count shows the amount of unaccepted incomplete connections, 78and the third count is the maximum number of queued connections. 79If 80.Fl S 81is also present, 82show network addresses as numbers (as with 83.Fl n ) 84but show ports symbolically. 85.It Xo 86.Bk -words 87.Nm 88.Fl i | I Ar interface 89.Op Fl aBbdhnt 90.Op Fl f Ar address_family 91.Op Fl M Ar core 92.Op Fl N Ar system 93.Ek 94.Xc 95Show the state of all network interfaces or a single 96.Ar interface 97which have been auto-configured 98(interfaces statically configured into a system, but not 99located at boot time are not shown). 100An asterisk 101.Pq Dq Li * 102after an interface name indicates that the interface is 103.Dq down . 104If 105.Fl a 106is also present, multicast addresses currently in use are shown 107for each Ethernet interface and for each IP interface address. 108Multicast addresses are shown on separate lines following the interface 109address with which they are associated. 110If 111.Fl b 112is also present, show the number of bytes in and out. 113If 114.Fl d 115is also present, show the number of dropped packets. 116If 117.Fl h 118is also present, print all counters in human readable form. 119If 120.Fl t 121is also present, show the contents of watchdog timers. 122If 123.Fl B 124is also present, the maximum buffer sizes are displayed instead 125of current buffer usage. 126.It Xo 127.Bk -words 128.Nm 129.Fl w Ar wait 130.Op Fl I Ar interface 131.Op Fl dh 132.Op Fl M Ar core 133.Op Fl N Ar system 134.Ek 135.Xc 136At intervals of 137.Ar wait 138seconds, 139display the information regarding packet 140traffic on all configured network interfaces 141or a single 142.Ar interface . 143If 144.Fl d 145is also present, show the number of dropped packets. 146If 147.Fl h 148is also present, print counters in human readable form. 149.It Xo 150.Bk -words 151.Nm 152.Fl s Op Fl s 153.Op Fl z 154.Op Fl f Ar protocol_family | Fl p Ar protocol 155.Op Fl M Ar core 156.Op Fl N Ar system 157.Ek 158.Xc 159Display system-wide statistics for each network protocol, 160for a particular 161.Ar protocol_family , 162or for a single 163.Ar protocol . 164If 165.Fl s 166is repeated, counters with a value of zero are suppressed. 167If 168.Fl z 169is also present, reset statistic counters after displaying them. 170.It Xo 171.Bk -words 172.Nm 173.Fl i | I Ar interface Fl s 174.Op Fl f Ar protocol_family | Fl p Ar protocol 175.Op Fl M Ar core 176.Op Fl N Ar system 177.Ek 178.Xc 179Display per-interface statistics for each network protocol, 180for a particular 181.Ar protocol_family , 182or for a single 183.Ar protocol . 184.It Xo 185.Bk -words 186.Nm 187.Fl m 188.Op Fl M Ar core 189.Op Fl N Ar system 190.Ek 191.Xc 192Show statistics recorded by the memory management routines 193.Pq Xr mbuf 9 . 194The network manages a private pool of memory buffers. 195.It Xo 196.Bk -words 197.Nm 198.Fl r 199.Op Fl AalnW 200.Op Fl f Ar address_family 201.Op Fl M Ar core 202.Op Fl N Ar system 203.Ek 204.Xc 205Display the contents of all routing tables, 206or a routing table for a particular 207.Ar address_family . 208If 209.Fl A 210is also present, 211show the contents of the internal Patricia tree 212structures; used for debugging. 213If 214.Fl a 215is also present, 216show protocol-cloned routes 217(routes generated by an 218.Dv RTF_PRCLONING 219parent route); 220normally these routes are not shown. 221When 222.Fl W 223or 224.Fl l 225is also present, 226show the path MTU, 227MSL, 228initial window size 229and MPLS label operations 230for each route. 231.It Xo 232.Bk -words 233.Nm 234.Fl rs 235.Op Fl s 236.Op Fl M Ar core 237.Op Fl N Ar system 238.Ek 239.Xc 240Display routing statistics. 241If 242.Fl s 243is repeated, counters with a value of zero are suppressed. 244.It Xo 245.Bk -words 246.Nm 247.Fl g 248.Op Fl lW 249.Op Fl f Ar address_family 250.Op Fl M Ar core 251.Op Fl N Ar system 252.Ek 253.Xc 254Show information related to multicast (group address) routing. 255By default, show the IP Multicast virtual-interface and routing tables. 256.It Xo 257.Bk -words 258.Nm 259.Fl gs 260.Op Fl s 261.Op Fl f Ar address_family 262.Op Fl M Ar core 263.Op Fl N Ar system 264.Ek 265.Xc 266Show multicast routing statistics. 267If 268.Fl s 269is repeated, counters with a value of zero are suppressed. 270.El 271.Pp 272Some options have the general meaning: 273.Bl -tag -width flag 274.It Fl c Ar cpu 275On SMP systems the route table is replicated. This option allows 276the route table for a specific cpu to be accessed and exists 277primarily for debugging purposes. 278.It Fl f Ar address_family , Fl f Ar protocol_family , Fl p Ar protocol 279Limit display to those records 280of the specified 281.Ar address_family , 282.Ar protocol_family 283or a single 284.Ar protocol . 285The following address families, protocol families and protocols are recognized: 286.Pp 287.Bl -tag -width ".Cm netgraph , ng Pq Dv AF_NETGRAPH" -compact 288.It Em Family 289.Em Protocols 290.It Cm inet Pq Dv AF_INET PF_INET 291.Cm carp , divert , icmp , igmp , ip , pim , tcp , udp 292.It Cm inet6 Pq Dv AF_INET6 PF_INET6 293.Cm carp , icmp6 , ip6 , rip6 , tcp , udp 294.It Cm netgraph , ng Pq Dv AF_NETGRAPH PF_NETGRAPH 295.Cm ctrl , data 296.It Cm unix Pq Dv AF_UNIX PF_UNIX 297.It Cm link Pq Dv AF_LINK PF_LINK 298.It Cm mpls Pq Dv AF_MPLS PF_MPLS 299.El 300.Pp 301The program will complain if 302.Ar protocol 303is unknown or if there is no statistics routine for it. 304.It Fl l 305The 306.Fl l 307option is equivalent to 308.Fl W . 309.It Fl M 310Extract values associated with the name list from the specified core 311instead of the default 312.Pa /dev/kmem . 313.It Fl N 314Extract the name list from the specified system instead of the default, 315which is the kernel image the system has booted from. 316.It Fl n 317Show network addresses and ports as numbers. 318Normally 319.Nm 320attempts to resolve addresses and ports, 321and display them symbolically. 322.It Fl P 323Display additional protocol-specific information. For TCP the current 324transmit window, unacked sequence space, and RTT is displayed. 325.It Fl W 326Wide display. 327In certain displays, add columns and avoid truncating 328addresses even if this causes some fields to overflow. 329.El 330.Pp 331The default display, for active sockets, shows the local 332and remote addresses, send and receive queue sizes (in bytes), protocol, 333and the internal state of the protocol. 334Address formats are of the form 335.Dq host.port 336or 337.Dq network.port 338if a socket's address specifies a network but no specific host address. 339When known, the host and network addresses are displayed symbolically 340according to the databases 341.Xr hosts 5 342and 343.Xr networks 5 , 344respectively. 345If a symbolic name for an address is unknown, or if 346the 347.Fl n 348option is specified, the address is printed numerically, according 349to the address family. 350For more information regarding 351the Internet IPv4 352.Dq dot format , 353refer to 354.Xr inet 3 . 355Unspecified, 356or 357.Dq wildcard , 358addresses and ports appear as 359.Dq Li * . 360.Pp 361The interface display provides a table of cumulative 362statistics regarding packets transferred, errors, and collisions. 363The network addresses of the interface 364and the maximum transmission unit 365.Pq Dq mtu 366are also displayed. 367.Pp 368The routing table display indicates the available routes and their status. 369Each route consists of a destination host or network, and a gateway to use 370in forwarding packets. 371The flags field shows a collection of information about the route stored 372as binary choices. 373The individual flags are discussed in more detail in the 374.Xr route 8 375and 376.Xr route 4 377manual pages. 378The mapping between letters and flags is: 379.Bl -column ".Li W" ".Dv RTF_WASCLONED" 380.It Li 1 Ta Dv RTF_PROTO1 Ta "Protocol specific routing flag #1" 381.It Li 2 Ta Dv RTF_PROTO2 Ta "Protocol specific routing flag #2" 382.It Li 3 Ta Dv RTF_PROTO3 Ta "Protocol specific routing flag #3" 383.It Li B Ta Dv RTF_BLACKHOLE Ta "Just discard pkts (during updates)" 384.It Li b Ta Dv RTF_BROADCAST Ta "The route represents a broadcast address" 385.It Li C Ta Dv RTF_CLONING Ta "Generate new routes on use" 386.It Li c Ta Dv RTF_PRCLONING Ta "Protocol-specified generate new routes on use" 387.It Li D Ta Dv RTF_DYNAMIC Ta "Created dynamically (by redirect)" 388.It Li G Ta Dv RTF_GATEWAY Ta "Destination requires forwarding by intermediary" 389.It Li H Ta Dv RTF_HOST Ta "Host entry (net otherwise)" 390.It Li L Ta Dv RTF_LLINFO Ta "Valid protocol to link address translation" 391.It Li M Ta Dv RTF_MODIFIED Ta "Modified dynamically (by redirect)" 392.It Li m Ta Dv RTF_MPLSOPS Ta "MPLS label operations" 393.It Li R Ta Dv RTF_REJECT Ta "Host or net unreachable" 394.It Li S Ta Dv RTF_STATIC Ta "Manually added" 395.It Li U Ta Dv RTF_UP Ta "Route usable" 396.It Li W Ta Dv RTF_WASCLONED Ta "Route was generated as a result of cloning" 397.It Li X Ta Dv RTF_XRESOLVE Ta "External daemon translates proto to link address" 398.El 399.Pp 400Direct routes are created for each 401interface attached to the local host; 402the gateway field for such entries shows the address of the outgoing interface. 403The refcnt field gives the 404current number of active uses of the route. 405Connection oriented 406protocols normally hold on to a single route for the duration of 407a connection while connectionless protocols obtain a route while sending 408to the same destination. 409The use field provides a count of the number of packets 410sent using that route. 411The interface entry indicates the network interface utilized for the route. 412.Pp 413When 414.Nm 415is invoked with the 416.Fl w 417option and a 418.Ar wait 419interval argument, it displays a running count of statistics related to 420network interfaces. 421An obsolescent version of this option used a numeric parameter 422with no option, and is currently supported for backward compatibility. 423By default, this display summarizes information for all interfaces. 424Information for a specific interface may be displayed with the 425.Fl I 426option. 427.Sh SEE ALSO 428.Xr fstat 1 , 429.Xr nfsstat 1 , 430.Xr ps 1 , 431.Xr sockstat 1 , 432.Xr carp 4 , 433.Xr inet 4 , 434.Xr inet6 4 , 435.Xr route 4 , 436.Xr unix 4 , 437.Xr hosts 5 , 438.Xr networks 5 , 439.Xr protocols 5 , 440.Xr services 5 , 441.Xr iostat 8 , 442.Xr route 8 , 443.Xr trpt 8 , 444.Xr vmstat 8 , 445.Xr mbuf 9 446.Sh HISTORY 447The 448.Nm 449command appeared in 450.Bx 4.2 . 451.Pp 452IPv6 support was added by WIDE/KAME project. 453.Sh BUGS 454The notion of errors is ill-defined. 455