Using netstat to troubleshoot Linux networks
The netstat command is a useful tool for checking your network configuration and activity. It is in fact a collection of several tools lumped together. We discuss each of its functions in the following sections.
Displaying the Routing Table
When you invoke netstat with the -r flag, it displays the kernel routing table. For example:
    # netstat -r
    Routing Table: IPv4
    Destination            Gateway              Flags Ref   Use        Interface
    ---------------------- -------------------- ----- ----- ---------- ---------
    default                dns-gw               UG    1     355
    smurf                  schlumpf             U     1     153        eth0
    BASE-ADDRESS.MCAST.NET schlumpf             U     1     0          eth0
    localhost              localhost            UH    1     0
Using the -n option makes netstat print addresses as dotted-quad IP numbers rather than symbolic host and network names. This option is especially useful when you want to avoid address lookups over the network (e.g., to a DNS or NIS server). For example:
    # netstat -n
    TCP: IPv4
    Local Address        Remote Address       Swind Send-Q Rwind Recv-Q State
    -------------------- -------------------- ----- ------ ----- ------ -----------
    213.64.10.2.37626    213.64.10.2.33326    49152 0      49152 0      ESTABLISHED
    213.64.10.2.33326    213.64.10.2.37626    49152 0      49152 0      ESTABLISHED
Displaying Interface Statistics
When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured. If the -a option is also given, it prints all interfaces present in the kernel, not only those that are currently configured. For example:
    # netstat -i
    Name  Mtu  Net/Dest  Address   Ipkts   Ierrs Opkts  Oerrs Collis Queue
    lo0   8232 loopback  localhost 400     0     400    0     0      0
    eth0  1500 schlumpf  schlumpf  1730873 0     60662  0     0      0
- Collision rate: Collis / Opkts * 100
Divide the collision count (Collis) by the number of output packets (Opkts) and multiply by 100. If the resulting percentage is greater than 5-10%, you may have a problem. The machine might be dropping packets if the input error rate, (Ierrs x 100) / Ipkts, is over 0.25%.
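The two checks above can be run over every interface at once. The script below is an added example, not part of the original article: it assumes the netstat -i column layout shown above, takes input errors as a share of input packets (Ipkts), uses 5% (the lower end of the 5-10% range) as the collision threshold, and the eth1/eth2 rows are constructed sample data.

```shell
#!/bin/sh
# Added example: per-interface health check over `netstat -i` output.
# Assumes the column layout shown above (Ipkts Ierrs Opkts Oerrs Collis).
# Thresholds from the text: collisions > 5 %, input errors > 0.25 %.

iface_health() {
    awk '
    # Header row: map column names to field positions instead of hard-coding.
    /Ipkts/ && /Opkts/ && /Collis/ {
        for (i = 1; i <= NF; i++) col[$i] = i
        have_hdr = 1
        next
    }
    have_hdr && NF >= col["Collis"] {
        ipkts = $(col["Ipkts"]); ierrs  = $(col["Ierrs"])
        opkts = $(col["Opkts"]); collis = $(col["Collis"])
        # Idle interfaces have zero packets: report 0 rather than divide by zero.
        crate = (opkts > 0) ? collis * 100 / opkts : 0
        erate = (ipkts > 0) ? ierrs  * 100 / ipkts : 0
        verdict = "ok"
        if (crate > 5) verdict = "collisions"
        if (erate > 0.25)
            verdict = (verdict == "ok") ? "input-errors" : (verdict "+input-errors")
        printf "%s %.2f %.2f %s\n", $1, crate, erate, verdict
    }'
}

# Constructed sample: lo0 and eth0 rows are from the output above,
# eth1 and eth2 are made up to exercise the thresholds and the zero case.
sample_netstat_i() {
    cat <<'EOF'
Name  Mtu  Net/Dest  Address   Ipkts   Ierrs Opkts  Oerrs Collis Queue
lo0   8232 loopback  localhost 400     0     400    0     0      0
eth0  1500 schlumpf  schlumpf  1730873 0     60662  0     0      0
eth1  1500 net1      host1     200000  1000  100000 0     8000   0
eth2  1500 net2      host2     0       0     0      0     0      0
EOF
}

sample_netstat_i | iface_health
```

On a live system, replace the sample with `netstat -i | iface_health`; each output line is the interface name, collision percentage, input-error percentage and a verdict.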
Show the address resolution (ARP) tables
Displaying Connections:
netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display will give you a list of all servers that are currently running on your system. For example:
    # netstat -ta
    Active Internet Connections
    Proto Recv-Q Send-Q Local Address          Foreign Address        (State)
    tcp        0      0 *:domain               *:*                    LISTEN
    tcp        0      0 *:time                 *:*                    LISTEN
    tcp        0      0 *:smtp                 *:*                    LISTEN
    tcp        0      0 pico:smtp              smurf:1040             ESTABLISHED
    tcp        0      0 *:telnet               *:*                    LISTEN
    tcp        0      0 localhost:1046         schlumpf:telnet        ESTABLISHED
    tcp        0      0 *:chargen              *:*                    LISTEN
    tcp        0      0 *:daytime              *:*                    LISTEN
    tcp        0      0 *:discard              *:*                    LISTEN
    tcp        0      0 *:echo                 *:*                    LISTEN
    tcp        0      0 *:shell                *:*                    LISTEN
    tcp        0      0 *:login                *:*                    LISTEN
This output shows most servers simply waiting for an incoming connection. However, the fourth line shows an incoming SMTP connection, and the sixth line tells you there is an outgoing telnet connection.
Using the -a flag by itself will display all sockets.