netstat output

Ultrix · March 1, 2010, 9:41am

I can't tell what the output of the netstat command means. Is there anywhere that has this information? I tried the man pages, but they weren't helpful.

pludi · March 1, 2010, 9:45am

Which OS, and which command exactly? Because on those systems that I have access to netstat outputs nice headers that should be easy to understand if you know a bit about networking.

Ultrix · March 1, 2010, 9:56am

I'm using Mac OS X Leopard. The output looks something like this (shortened for brevity's sake):

Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4      37      0  10.0.1.3.52023         textnews.news.ca.nntp  CLOSE_WAIT
udp4       0      0  10.20.1.118.ntp        *.*                    
udp4       0      0  *.58916                *.*                    
udp4       0      0  *.52844                *.*                    
udp4       0      0  *.58444                *.*                    
udp4       0      0  *.52618                *.*                    
udp4       0      0  *.55354                *.*                    
udp4       0      0  *.54759                *.*                    
udp4       0      0  *.*                    *.*                    
udp6       0      0  michael-gables-m.ntp   *.*                    
udp6       0      0  localhost.ntp          *.*                    
udp4       0      0  localhost.ntp          *.*                    
udp6       0      0  localhost.ntp          *.*                    
udp6       0      0  *.ntp                  *.*                    
udp4       0      0  *.ntp                  *.*                    
udp4   15489      0  *.ipp                  *.*                    
udp6       0      0  *.mdns                 *.*                    
udp4       0      0  *.mdns                 *.*                    
udp4       0      0  *.*                    *.*                    
udp4       0      0  *.*                    *.*                    
icm6       0      0  *.*                    *.*                    
Active LOCAL (UNIX) domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
 430ecc0 stream      0      0        0  581fee0        0        0 /var/run/mDNSResponder
 581fee0 stream      0      0        0  430ecc0        0        0
 42ee110 stream      0      0        0  430eee0        0        0 /var/run/mDNSResponder
 430eee0 stream      0      0        0  42ee110        0        0
 42dab28 stream      0      0        0  411fb28        0        0 /var/run/mDNSResponder

I don't know what any of this means. I'm not much of a networking person, and I only know a little bit about TCP/IP (like what DNS and DHCP are), so this doesn't make much sense to me.

pludi · March 1, 2010, 3:50pm

Ok, lets take it one column at a time:

Proto is the protocol used. tcp and udp should be pretty self-explanatory. icm is short for ICMP, which is a network control protocol (pings use ICMP echo/reply messages). The number at the end specifies if it's IPv4 or IPv6
Recv-Q and Send-Q are the receiving and sending queues. If those aren't zero, you're either sending much faster than the other side can read, or you're not reading fast enough yourself.
Local Address is the local IP and port used, while Foreign Address is the remote site and port.
State is the state (duh) of the connection. LISTEN means there's a local server listening, ESTABLISHED ...well should be clear, CLOSE_WAIT means you're waiting for confirmation that the connection can be closed. For more details, read up on the TCP protocol.

The second part are UNIX domain sockets, which are a kind of IPC, acting like a network socket.

The Address is the memory address used
The queues mean pretty much the same as above
The Inode is just that. In keeping with "everything is a file", UNIX sockets can be addressed via the respective inode on the filesystem
Addr is the "address", the "file" used.

For a more in-depth explanation I'd have to read up on it again.