Using netstat to troubleshoot Linux networks

The netstat command is a useful tool for checking your network configuration and activity. It is in fact a collection of several tools lumped together. We discuss each of its functions in the following sections.

Displaying the Routing Table

When you invoke netstat with the -r flag, it displays the kernel routing table. For example:

# netstat -r
Routing Table: IPv4
Destination            Gateway              Flags Ref   Use        Interface
---------------------- -------------------- ----- ----- ---------- ---------
default                dns-gw               UG    1     355
smurf                  schlumpf             U     1     153        eth0
BASE-ADDRESS.MCAST.NET schlumpf             U     1     0          eth0
localhost              localhost            UH    1     0

Using the -n option makes netstat print addresses as dotted-quad IP numbers rather than symbolic host and network names. This option is especially useful when you want to avoid address lookups over the network (e.g., to a DNS or NIS server). For example:

# netstat -n
TCP: IPv4
Local Address        Remote Address       Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -----------
213.64.10.2.37626    213.64.10.2.33326    49152 0      49152 0      ESTABLISHED
213.64.10.2.33326    213.64.10.2.37626    49152 0      49152 0      ESTABLISHED

Displaying Interface Statistics

When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured. If the -a option is also given, it prints all interfaces present in the kernel, not only those that are currently configured. For example:

# netstat -i
Name  Mtu  Net/Dest Address   Ipkts   Ierrs Opkts Oerrs Collis Queue
lo0   8232 loopback localhost 400     0     400   0     0      0
eth0  1500 schlumpf schlumpf  1730873 0     60662 0     0      0
      Collis / Opkts * 100

Divide the collision count (Collis) by the number of output packets (Opkts) and multiply by 100. If the resulting percentage is greater than 5-10%, you may have a problem. The machine might be dropping packets if the input error rate, (Ierrs x 100)/Ipkts, is over 0.25%.

Show the address resolution (ARP) tables

Displaying Connections

netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display will give you a list of all servers that are currently running on your system. For example:

# netstat -ta
Active Internet Connections
Proto Recv-Q Send-Q Local Address   Foreign Address  (State)
tcp   0      0      *:domain        *:*              LISTEN
tcp   0      0      *:time          *:*              LISTEN
tcp   0      0      *:smtp          *:*              LISTEN
tcp   0      0      pico:smtp       smurf:1040       ESTABLISHED
tcp   0      0      *:telnet        *:*              LISTEN
tcp   0      0      localhost:1046  schlumpf:telnet  ESTABLISHED
tcp   0      0      *:chargen       *:*              LISTEN
tcp   0      0      *:daytime       *:*              LISTEN
tcp   0      0      *:discard       *:*              LISTEN
tcp   0      0      *:echo          *:*              LISTEN
tcp   0      0      *:shell         *:*              LISTEN
tcp   0      0      *:login         *:*              LISTEN

This output shows most servers simply waiting for an incoming connection. However, the fourth line shows an incoming SMTP connection, and the sixth line tells you there is an outgoing telnet connection.
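
The reasoning above can be automated: an established connection whose local port matches one of the listening services is incoming, and one with an unrelated local port is outgoing. The script below is an added example, not part of the original article; the function names classify_sockets and sample_netstat are made up for illustration, and the input is the listing shown above.

```shell
#!/bin/sh
# Added example (not from the original article).
# Listing from the article, reproduced as test input.
sample_netstat() {
    cat <<'EOF'
Active Internet Connections
Proto Recv-Q Send-Q Local Address Foreign Address (State)
tcp 0 0 *:domain *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 pico:smtp smurf:1040 ESTABLISHED
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 localhost:1046 schlumpf:telnet ESTABLISHED
tcp 0 0 *:chargen *:* LISTEN
tcp 0 0 *:daytime *:* LISTEN
tcp 0 0 *:discard *:* LISTEN
tcp 0 0 *:echo *:* LISTEN
tcp 0 0 *:shell *:* LISTEN
tcp 0 0 *:login *:* LISTEN
EOF
}

# classify_sockets (hypothetical name): reads `netstat -ta` output on stdin.
# Prints "LISTEN <port>" per listener, then "IN ..." / "OUT ..." per connection.
classify_sockets() {
    awk '
        # Port or service name = text after the last colon of an address.
        function port(addr) { sub(/.*:/, "", addr); return addr }

        $1 !~ /^tcp/ { next }                 # skip headers and non-TCP rows
        $6 == "LISTEN" { listening[port($4)] = 1; print "LISTEN", port($4); next }
        $6 == "ESTABLISHED" { n++; loc[n] = $4; rem[n] = $5 }

        # Classify at the end so a listener printed after a connection still counts.
        END {
            for (i = 1; i <= n; i++) {
                if (port(loc[i]) in listening)   # local side is a served port
                    print "IN", loc[i], "<-", rem[i]
                else                             # local side is an ephemeral port
                    print "OUT", loc[i], "->", rem[i]
            }
        }
    '
}

sample_netstat | classify_sockets
```

The classification is a heuristic: it assumes a client-side (ephemeral) local port never coincides with a port the same host is listening on. Comparing the LISTEN lines against the services you expect to run is a quick way to spot a server you did not intend to expose.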

Using the -a flag by itself will display all sockets.