
Network Analysis: Netstat - S For Network Statistics

The document discusses using the netstat command to analyze network performance and diagnose network issues. Netstat provides statistics on network traffic, open connections, and TCP/IP states. Key things to check include error rates, collision rates, number of open connections, and connections in specific states like ESTABLISHED or FIN_WAIT. Real-world tests of file transfers and simulated server load can also help analyze network performance.

Uploaded by

John Xu
Copyright
© Attribution Non-Commercial (BY-NC)

Netstat

Network Analysis
The problem with netstat is there is a staggering amount of information available. Try netstat -s for
network statistics.
#netstat -s
RAWIP
rawipInDatagrams = 0 rawipInErrors = 0
rawipInCksumErrs = 0 rawipOutDatagrams = 0
rawipOutErrors = 0

UDP
udpInDatagrams =17227479 udpInErrors = 0
udpOutDatagrams =17210476 udpOutErrors = 0

TCP tcpRtoAlgorithm = 4 tcpRtoMin = 400
tcpRtoMax = 60000 tcpMaxConn = -1
tcpActiveOpens =121449 tcpPassiveOpens =123593
tcpAttemptFails = 1198 tcpEstabResets = 469
tcpCurrEstab = 89 tcpOutSegs =99321141
tcpOutDataSegs =94129579 tcpOutDataBytes =1737821124
tcpRetransSegs = 6771 tcpRetransBytes =4047173
tcpOutAck =5190950 tcpOutAckDelayed =2633452
tcpOutUrg = 134 tcpOutWinUpdate = 12831
tcpOutWinProbe = 26 tcpOutControl =491560
tcpOutRsts = 2614 tcpOutFastRetrans = 352
tcpInSegs =106046901
tcpInAckSegs =94153690 tcpInAckBytes =1737971355
tcpInDupAck =363643 tcpInAckUnsent = 0
tcpInInorderSegs =100156017 tcpInInorderBytes =278299936
tcpInUnorderSegs = 2077 tcpInUnorderBytes =2975624
tcpInDupSegs = 16862 tcpInDupBytes =1618160
tcpInPartDupSegs = 6 tcpInPartDupBytes = 3844
tcpInPastWinSegs = 8 tcpInPastWinBytes = 47840
tcpInWinProbe = 884 tcpInWinUpdate = 26
tcpInClosed = 20 tcpRttNoUpdate = 2988
tcpRttUpdate =93909335 tcpTimRetrans = 5873
tcpTimRetransDrop = 22 tcpTimKeepalive = 47189
tcpTimKeepaliveProbe= 15890 tcpTimKeepaliveDrop = 31
tcpListenDrop = 0 tcpListenDropQ0 = 0
tcpHalfOpenDrop = 0 tcpOutSackRetrans = 497

IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives =101796067 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =123153971 ipOutRequests =94246439
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 1 udpNoPorts =1343350
udpInCksumErrs = 0 udpInOverflows = 80
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 3360

The statistics shown here are a small portion of the first few screens of data! I am not an expert in all the
parameters, but a quick look at the error parameters such as tcpInErrs gives me an idea of the overall
health of the network.

You can also use netstat -a to examine, for each port, the number of bytes still waiting in the queue for
transmission (Send-Q) and the number of received bytes not yet copied to the application process by your server (Recv-Q):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 S34KLJ142:smtp *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 200.7.1.142:netbios-ssn 200.7.1.26:1352 ESTABLISHED
tcp 0 0 200.7.1.142:33568 200.1.34.117:1521
tcp 0 180 200.7.1.142:ssh 200.7.1.25:1404 ESTABLISHED

Note that ssh still has 180 bytes of data to transmit in its queue. Not a problem, but this could be a
problem if the value is very large (meaning that the ssh data cannot be transmitted fast enough, so it has
to be queued).

I also find it quite useful to use simple real-world benchmarks to analyze network performance, such as
the time required to transfer a 10 megabyte file (should be 10-15 seconds on a 10 Mbit network), or
using the apachebench ab -c10 -n1000 [url] command to simulate 10 clients sending a total of 1000
HTTP requests to a server.

Network Response
$ netstat -i
Name  Mtu   Net/Dest  Address    Ipkts     Ierrs  Opkts    Oerrs  Collis  Queue
lo0   8232  loopback  localhost  77814     0      77814    0      0       0
hme0  1500  server1   server1    10658566  3      4832511  0      279257  0

This option is used to diagnose network problems when connectivity is there but response is slow.

Values to look at:

· Collisions (Collis)
· Output packets (Opkts)
· Input errors (Ierrs)
· Input packets (Ipkts)

The above values give the information needed to work out:

i. Network collision rate, as follows:
Network collision rate = Output collision counts / Output packets
A network-wide collision rate greater than 10 percent indicates one of:
· Overloaded network,
· Poorly configured network,
· Hardware problems.

ii. Input packet error rate, as follows:
Input Packet Error Rate = Ierrs / Ipkts.
If the input error rate is high (over 0.25 percent), the host is dropping packets. Hubs, switches, cables etc.
need to be checked for potential problems.
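
The two ratios above, computed from netstat -i output and checked against the 10 percent and 0.25 percent thresholds. This is an added example, not part of the original document; the function name iface_rates and the le0 test row are hypothetical, and the sample input is the two interface rows from the netstat -i output on this page.

```shell
#!/bin/sh
# Added example: collision rate and input error rate per interface,
# parsed from `netstat -i` in the column layout shown on this page.

# Sample input: the interface rows from the netstat -i output on this page.
SAMPLE='Name Mtu Net/Dest Address Ipkts Ierrs Opkts Oerrs Collis Queue
lo0 8232 loopback localhost 77814 0 77814 0 0 0
hme0 1500 server1 server1 10658566 3 4832511 0 279257 0'

# iface_rates: read netstat -i text on stdin and print, per interface:
#   <name> collision_pct=<x> ierr_pct=<y> <OK | flags>
iface_rates() {
  awk '
    # Map column names to positions from the header row, so the
    # calculation does not depend on a fixed column order.
    $1 == "Name" { for (i = 1; i <= NF; i++) col[$i] = i; hdr = NF; next }
    # Ignore anything before the header and rows that do not match it.
    !hdr || NF != hdr { next }
    {
      ipkts = $(col["Ipkts"]); ierrs  = $(col["Ierrs"])
      opkts = $(col["Opkts"]); collis = $(col["Collis"])
      # Guard against division by zero on idle interfaces.
      coll = (opkts > 0) ? 100 * collis / opkts : 0
      ierr = (ipkts > 0) ? 100 * ierrs / ipkts : 0
      flags = ""
      if (coll > 10)   flags = flags " HIGH_COLLISIONS"    # over 10 percent
      if (ierr > 0.25) flags = flags " HIGH_INPUT_ERRORS"  # over 0.25 percent
      if (flags == "") flags = " OK"
      printf "%s collision_pct=%.2f ierr_pct=%.6f%s\n", $1, coll, ierr, flags
    }'
}

printf '%s\n' "$SAMPLE" | iface_rates
```

The counters are cumulative since boot, so on a long-running host compare two samples taken some minutes apart rather than the raw totals.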
C. Network socket & TCP connection state

Netstat gives important information about network socket and TCP state. This is very useful for
finding the open, closed and waiting TCP connections.

The network states returned by netstat are the following:

     CLOSED        ---- Closed. The socket is not being used.
     LISTEN        ---- Listening for incoming connections.
     SYN_SENT      ---- Actively trying to establish connection.
     SYN_RECEIVED  ---- Initial synchronization of the connection under way.
     ESTABLISHED   ---- Connection has been established.
     CLOSE_WAIT    ---- Remote shut down; waiting for the socket to close.
     FIN_WAIT_1    ---- Socket closed; shutting down connection.
     CLOSING       ---- Closed, then remote shutdown; awaiting acknowledgement.
     LAST_ACK      ---- Remote shut down, then closed; awaiting acknowledgement.
     FIN_WAIT_2    ---- Socket closed; waiting for shutdown from remote.
     TIME_WAIT     ---- Wait after close for remote shutdown retransmission.

Example:

#netstat -a
Local Address      Remote Address        Swind  Send-Q  Rwind  Recv-Q  State
192.168.1.184.22   192.168.1.183.58672   18048  0       24616  0       ESTABLISHED
192.168.1.184.22   192.168.1.186.56806   38912  0       24616  0       ESTABLISHED
192.168.1.184.22   192.168.1.186.50457   41992  0       24616  0       ESTABLISHED
*.*                *.*                   0      0       24576  0       IDLE
*.32776            *.*                   0      0       24576  0       LISTEN
*.32775            *.*                   0      0       24576  0       LISTEN
*.32772            *.*                   0      0       24576  0       LISTEN
*.898              *.*                   0      0       24576  0       LISTEN
*.5987             *.*                   0      0       24576  0       LISTEN
*.25               *.*                   0      0       24576  0       LISTEN
*.4045             *.*                   0      0       24576  0       LISTEN
*.32771            *.*                   0      0       24576  0       LISTEN
*.*                *.*                   0      0       24576  0       IDLE
*.22               *.*                   0      0       24576  0       LISTEN
*.22               *.*                   0      0       24576  0       LISTEN
*.*                *.*                   0      0       24576  0       IDLE

If you see a lot of connections in FIN_WAIT state, TCP/IP parameters have to be tuned, because the
connections are not being closed and they keep accumulating. After some time the system may run out of
resources. TCP parameters can be tuned to define a timeout so that connections can be released and
used by new connections.
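
One way to spot the FIN_WAIT build-up described above is to tally connections per state and compare the FIN_WAIT total with a limit. This is an added example, not part of the original document; the function names, the limit value and the sample rows are assumptions, with the rows constructed in the Solaris netstat -a layout where the state is the last field.

```shell
#!/bin/sh
# Added example: count TCP connections per state from netstat -a rows
# and flag an accumulation of FIN_WAIT_1 / FIN_WAIT_2 sockets.

# Constructed sample rows (not from the page): addresses, Swind, Send-Q,
# Rwind, Recv-Q, State.
SAMPLE_CONNS='192.168.1.184.22 192.168.1.183.58672 18048 0 24616 0 ESTABLISHED
192.168.1.184.80 192.168.1.190.40001 8760 0 24616 0 FIN_WAIT_2
192.168.1.184.80 192.168.1.190.40002 8760 0 24616 0 FIN_WAIT_2
192.168.1.184.80 192.168.1.191.40100 8760 0 24616 0 FIN_WAIT_1
192.168.1.184.80 192.168.1.192.40200 8760 0 24616 0 TIME_WAIT
*.22 *.* 0 0 24576 0 LISTEN'

# state_counts: read netstat rows on stdin, print "<STATE> <count>" lines.
# Header lines and anything else not ending in a known state are ignored.
state_counts() {
  awk '
    $NF ~ /^(CLOSED|LISTEN|IDLE|SYN_SENT|SYN_RECEIVED|ESTABLISHED|CLOSE_WAIT|FIN_WAIT_1|FIN_WAIT_2|CLOSING|LAST_ACK|TIME_WAIT)$/ { n[$NF]++ }
    END { for (s in n) print s, n[s] }' | sort
}

# fin_wait_check LIMIT: read netstat rows on stdin and print
# "ALERT ..." when FIN_WAIT_1 + FIN_WAIT_2 exceeds LIMIT, else "OK ...".
fin_wait_check() {
  state_counts | awk -v limit="$1" '
    $1 ~ /^FIN_WAIT/ { total += $2 }
    END {
      printf "%s fin_wait=%d limit=%d\n",
             (total > limit) ? "ALERT" : "OK", total, limit
    }'
}

printf '%s\n' "$SAMPLE_CONNS" | state_counts
printf '%s\n' "$SAMPLE_CONNS" | fin_wait_check 2   # limit of 2 is an assumed value
```

On a live host, pipe the output of netstat -a into fin_wait_check with a limit chosen from that server's normal baseline.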
