netstat -nrKernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 127.0.0.1 * 255.255.255.255 UH 0 0 0 lo 172.16.1.0 * 255.255.255.0 U 0 0 0 eth0 172.16.2.0 172.16.1.1 255.255.255.0 UG 0 0 0 eth0
-n option makes netstat
print addresses as dotted quad IP numbers rather than the symbolic
host and network names. This option is especially useful when you want
to avoid address lookups over the network (e.g., to a DNS or NIS
The second column of netstat’s output shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column shows the “generality” of the route, i.e., the network mask for this route. When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the genmask before comparing it to the target of the route.
The fourth column displays the following flags that describe the route:
The route uses a gateway.
The interface to be used is up.
Only a single host can be reached through the route. For example, this is the case for the loopback entry 127.0.0.1.
This route is set if the table entry was modified by an ICMP redirect message.
The route is a reject route and datagrams will be dropped.
The next three columns show the MSS, Window and irtt that will be
applied to TCP connections established via this route. The MSS is the
Maximum Segment Size and is the size of the largest datagram the
kernel will construct for transmission via this route. The Window is
the maximum amount of data the system will accept in a single burst
from a remote host. The acronym
irtt stands for
“initial round trip time.” The TCP protocol ensures that
data is reliably delivered between hosts by retransmitting a datagram
if it has been lost. The TCP protocol keeps a running count of how
long it takes for a datagram to be delivered to the remote end, and an
acknowledgement to be received so that it knows how long to wait
before assuming a datagram needs to retransmitted; this process is
called the round-trip time. The initial round-trip time is the value
that the TCP protocol will use when a connection is first
established. For most network types, the default value is okay, but
for some slow networks, notably certain types of amateur packet radio
networks, the time is too short and causes unnecessary
irtt value can be set using the
route command. Values of zero in these fields mean
that the default is being used.
Finally, the last field displays the network interface that this route will use.
When invoked with the
netstat displays statistics for the network
interfaces currently configured. If the
option is also given, it prints all interfaces
present in the kernel, not only those that have been configured
currently. On vstout, the
output from netstat will look like this:
netstat -iKernel Interface table Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flags lo 0 0 3185 0 0 0 3185 0 0 0 BLRU eth0 1500 0 972633 17 20 120 628711 217 0 0 BRU
Met fields show the
current MTU and metric values for that interface. The
TX columns show how many
packets have been received or transmitted error-free
TX-OK) or damaged
TX-ERR); how many were
TX-DRP); and how
many were lost because of an overrun
The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig:
A broadcast address has been set.
This interface is a loopback device.
All packets are received (promiscuous mode).
ARP is turned off for this interface.
This is a point-to-point connection.
Interface is running.
Interface is up.
netstat supports a set of options to display active
or passive sockets. The options
-x show active TCP, UDP, RAW, or Unix socket
connections. If you provide the
-a flag in
addition, sockets that are waiting for a connection (i.e., listening)
are displayed as well. This display will give you a list of all
servers that are currently running on your system.
Invoking netstat -ta on vlager produces this output:
netstat -taActive Internet Connections Proto Recv-Q Send-Q Local Address Foreign Address (State) tcp 0 0 *:domain *:* LISTEN tcp 0 0 *:time *:* LISTEN tcp 0 0 *:smtp *:* LISTEN tcp 0 0 vlager:smtp vstout:1040 ESTABLISHED tcp 0 0 *:telnet *:* LISTEN tcp 0 0 localhost:1046 vbardolino:telnet ESTABLISHED tcp 0 0 *:chargen *:* LISTEN tcp 0 0 *:daytime *:* LISTEN tcp 0 0 *:discard *:* LISTEN tcp 0 0 *:echo *:* LISTEN tcp 0 0 *:shell *:* LISTEN tcp 0 0 *:login *:* LISTEN
This output shows most servers simply waiting for an incoming connection. However, the fourth line shows an incoming SMTP connection from vstout, and the sixth line tells you there is an outgoing telnet connection to vbardolino.
-a flag by itself will display all
sockets from all families.
 You can tell whether a connection is
outgoing from the port numbers. The port number shown for the
calling host will always be a simple integer. On
the host being called, a well-known service port will be in use for
which netstat uses the symbolic name such as
smtp, found in