Manual Pages

Table of Contents


na_netstat - Shows network status.


netstat [ -anx ]

netstat -mnrs

netstat -i | -I interface [ -dn ] [ -f { wide | normal } ]

netstat -w interval [ -i | -I interface ] [ -dn ]

netstat [ -p protocol ]

netstat [ -p ip6 -I interface ]

netstat [ -p icmp6 -I interface ]

netstat [ -T ]


The netstat command symbolically displays the contents of various network-related data structures. There are a number of output formats, depending on the options for the information presented. The first form of the command displays a list of active sockets for each protocol.

The second form presents the contents of one of the other network data structures according to the option selected.

The third form will display cumulative statistics for all interfaces or, with an interface specified using the -I option, cumulative statistics for that interface. It will also display the sum of the cumulative statistics for all configured network interfaces.

The fourth form continuously displays information regarding packet traffic on the interface that was configured first, or with an interface specified using the -I option, packet traffic for that interface. It will also display the sum of the cumulative traffic information for all configured network interfaces.

The fifth form displays statistics about the protocol specified by protocol.

The sixth form displays statistics about the TCP offload engine.


Show the state of all sockets; normally sockets used by server processes are not shown.

This option displays the network context that each socket belongs to--"lg" for nonMP context and a positive integer for MP context. This option has effect only for TCP sockets and when -a option is specified.

This option displays the total number of bytes sent and received over each socket. For big numbers, a letter such as `K', `M', `G', `T', and `P' is suffixed--'K' for kilobytes, `M' for megabytes, and so on. This has effect only for TCP connections and when -a option is specified.

This option displays the congestion window and the slow start threshold size for each socket. This has effect only for TCP connections.

This option displays the time since the last upcall was made by the network stack and time since the last read was done on the socket. This has effect only for TCP connections.

Applicable only to the first form of this command. Shows extended state information for TCP connections in the ESTABLISHED state. This includes information on whether MAC address and interface caching ("Fastpath") is in use for this connection (On, Off, or Partial). Partial is not a settable value, it is set automatically under certain conditions. It means that fastpath uses interface caching but not mac caching (this will allow most of the benefits of fastpath even in a Windows NT
route environment). For more information on Fastpath, see the description of the option ip.fastpath.enable in the na_options (1) man page.

With either interface display (option -i or an interval, as described below), show the number of dropped packets.

-I interface
Show information only about this interface. When used in the third form with an interval specified as described below, information about the indicated interface is highlighted in a separated column. (The default interface highlighted is the first interface configured into the system.)

Show the state of interfaces which have been configured.

If the argument is wide then print the output assuming a wide screen. If the argument is normal then format output so as to fit it within 80 columns. This option has an effect only when used along with the -i option. The default on the console/telnet is normal while the default via rsh is wide.

Show statistics recorded by the memory management routines for the network's private pool of buffers.

Show network addresses as numbers. netstat normally interprets addresses and attempts to display them symbolically. This option may be used with any of the display formats that display network addresses.

-p protocol
Show statistics about protocol, which is one of tcp, udp, ip, icmp, ip6, or icmp6. A null response typically means that there are no interesting numbers to report. The program will complain if protocol is unknown or if there is no statistics routine for it.

Show per-protocol statistics. If this option is repeated, counters with a value of zero are suppressed.

Show the routing tables. When -s is also present, show routing statistics instead.

Show the TCP offload engine statistics.

-w wait
Show network interface statistics at intervals of wait seconds.


The default display, for TCP sockets, shows the local and remote addresses, send window and send queue size (in bytes), receive window and receive queue sizes (in bytes), and the state of the connection. For UDP sockets, it shows the local and remote addresses, and the send and receive queue size (in bytes). Address formats are of the form ``host.port'' or ``network.port'' if a socket's address specifies a network but no specific host address. If known, the host and network addresses are displayed symbolically according to the data bases /etc/hosts and /etc/networks, respectively. If a symbolic name for an address is not known, or if the -n option is specified, the address is printed numerically, according to the address family. Unspecified, or ``wildcard'', addresses and ports appear as ``*''.

The interface display specified by the -i or -I options provides a table of cumulative statistics regarding packets transferred, errors, and collisions. The network addresses of the interface and the maximum transmission unit (``mtu'') are also displayed. If the interface is currently down, then a ``*'' is appended to the interface name.

When an interval is specified, a summary of the interface information consisting of packets transferred, errors, and collisions is displayed.

The routing table display indicates the available routes and their status. Each route consists of a destination host or network and a gateway to use in forwarding packets. The flags field shows a collection of information about the route stored as binary choices; the flags are:

Protocol-specific routing flag #2 (for ARP entries, means that the entry is "published").

Use of this route will cause a new route to be generated and used.

The route was created dynamically by a redirect.

The route is to a gateway.

The route is to a host (otherwise, it's to a net).

The route includes valid protocol to link address translation.

The route was modified dynamically by a redirect.

The route has timed out.

The route was manually added with a route command (see na_route(1)).

The route is usable (``up'').

Direct routes are created for each interface attached to the local host when an IP address for the interface is configured or the node is rebooted. The gateway field for such entries shows the link number of the outgoing interface (direct routes have no next hop), and the interface field shows the name of the interface.

Host routes are created as needed for traffic to hosts that are on directly attached subnets, and these routes will time out based on the arp timeout. The gateway field for such entries is the MAC address of the host. Note that permanent host routes can also be created using the arp command. For more information about arp see the arp(1) manual page.

The refcnt field gives the current number of active uses of the route. Connection oriented protocols normally hold on to a single route for the duration of a connection while connectionless protocols obtain a route whenever they transmit to a destination. The use field provides a count of the number of packets sent using that route. The interface entry indicates the network interface utilized for the route.

When netstat is invoked with the -w option and an interval argument, it displays a running count of statistics related to network interfaces. An obsolescent version of this option used a numeric parameter with no option, and is currently supported for backward compatibility. This display consists of a column for the primary interface and a column summarizing information for all interfaces. The default primary interface is the first interface configured into the system. The primary interface may be replaced with another interface with the -I option. The first line of each screen of information contains a summary since the system was last rebooted. Subsequent lines of output show values accumulated over the preceding interval.

When netstat is invoked with the -T option, it displays the TCP offload engine statistics for all the TOE cards in the system. The statistics for each TOE device include TCP, IP, mbufs received and mbufs transmitted.


Each node in an HA pair maintains its own socket, routing, and interface tables. If a node is not in partner mode, the netstat command displays the information in the tables on the live node. If a node is in partner mode, it executes the netstat command on behalf of the failed node, which displays the information in the tables on the failed node.

However, in takeover mode, counters displayed by the netstat command represent the combined statistics of the live node and the failed node. For example, from the statistics, you cannot determine how many packets were received on behalf of the live node and how many packets were received on behalf of the failed node.

In takeover mode, network interface names used by the failed node are mapped to network interfaces on the live node. When you enter the netstat command in partner mode, the network interface names displayed are the network interface names on the failed node.

If you enter the netstat command in partner mode, you might see a plus sign (+) appended to some network interface names in the output. The plus sign indicates that the network interfaces are used as shared interfaces.

Statistics displayed by the netstat command are cumulative. That is, a giveback operation does not zero out the statistics. After giving back the virtual node's resources, the live node does not subtract the statistics about operations it performed on behalf of the failed node in takeover mode.


When run from a vfiler context, (for example, via the vfiler run command), netstat operates on the concerned vfiler. In this mode, only the -r and the -n options are allowed. As currently all vfilers in an ipspace share a routing table, netstat -r [-n] in a vfiler context prints the routing table of the vfiler's ipspace.


host name data base
network name data base


na_ifconfig(1), na_nfsstat(1), na_partner(1), na_sysstat(1), na_ipspace(1), na_vfiler(1), na_arp(1), na_hosts(5), na_networks(5)

Table of Contents