Netstat Network Analysis Guide

The document discusses using the netstat command to analyze network performance and diagnose network issues. Netstat provides statistics on network traffic, open connections, and TCP/IP states. Key things to check include error rates, collision rates, number of open connections, and connections in specific states like ESTABLISHED or FIN_WAIT. Real-world tests of file transfers and simulated server load can also help analyze network performance.

Uploaded by

John Xu
Copyright
© Attribution Non-Commercial (BY-NC)

Netstat

Network Analysis
The problem with netstat is there is a staggering amount of information available. Try netstat -s for
network statistics.
#netstat -s
RAWIP
rawipInDatagrams = 0 rawipInErrors = 0
rawipInCksumErrs = 0 rawipOutDatagrams = 0
rawipOutErrors = 0

UDP
udpInDatagrams =17227479 udpInErrors = 0
udpOutDatagrams =17210476 udpOutErrors = 0

TCP tcpRtoAlgorithm = 4 tcpRtoMin = 400
tcpRtoMax = 60000 tcpMaxConn = -1
tcpActiveOpens =121449 tcpPassiveOpens =123593
tcpAttemptFails = 1198 tcpEstabResets = 469
tcpCurrEstab = 89 tcpOutSegs =99321141
tcpOutDataSegs =94129579 tcpOutDataBytes =1737821124
tcpRetransSegs = 6771 tcpRetransBytes =4047173
tcpOutAck =5190950 tcpOutAckDelayed =2633452
tcpOutUrg = 134 tcpOutWinUpdate = 12831
tcpOutWinProbe = 26 tcpOutControl =491560
tcpOutRsts = 2614 tcpOutFastRetrans = 352
tcpInSegs =106046901
tcpInAckSegs =94153690 tcpInAckBytes =1737971355
tcpInDupAck =363643 tcpInAckUnsent = 0
tcpInInorderSegs =100156017 tcpInInorderBytes =278299936
tcpInUnorderSegs = 2077 tcpInUnorderBytes =2975624
tcpInDupSegs = 16862 tcpInDupBytes =1618160
tcpInPartDupSegs = 6 tcpInPartDupBytes = 3844
tcpInPastWinSegs = 8 tcpInPastWinBytes = 47840
tcpInWinProbe = 884 tcpInWinUpdate = 26
tcpInClosed = 20 tcpRttNoUpdate = 2988
tcpRttUpdate =93909335 tcpTimRetrans = 5873
tcpTimRetransDrop = 22 tcpTimKeepalive = 47189
tcpTimKeepaliveProbe= 15890 tcpTimKeepaliveDrop = 31
tcpListenDrop = 0 tcpListenDropQ0 = 0
tcpHalfOpenDrop = 0 tcpOutSackRetrans = 497

IPv4 ipForwarding = 2 ipDefaultTTL = 255
ipInReceives =101796067 ipInHdrErrors = 0
ipInAddrErrors = 0 ipInCksumErrs = 0
ipForwDatagrams = 0 ipForwProhibits = 0
ipInUnknownProtos = 0 ipInDiscards = 0
ipInDelivers =123153971 ipOutRequests =94246439
ipOutDiscards = 0 ipOutNoRoutes = 0
ipReasmTimeout = 60 ipReasmReqds = 0
ipReasmOKs = 0 ipReasmFails = 0
ipReasmDuplicates = 0 ipReasmPartDups = 0
ipFragOKs = 0 ipFragFails = 0
ipFragCreates = 0 ipRoutingDiscards = 0
tcpInErrs = 1 udpNoPorts =1343350
udpInCksumErrs = 0 udpInOverflows = 80
rawipInOverflows = 0 ipsecInSucceeded = 0
ipsecInFailed = 0 ipInIPv6 = 0
ipOutIPv6 = 0 ipOutSwitchIPv6 = 3360

The statistics shown here are a small portion of the first few screens of data! I am not an expert in all the
parameters, but a quick look at the error parameters such as tcpInErrs gives me an idea of the overall
health of the network.
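
One way to pull the error-type counters out of the netstat -s output above instead of reading every screen. This is an added example, not part of the original document; the function names and the counter-name pattern are assumptions, and the retransmission percentage goes one step beyond the text to show how a raw count reads against traffic volume.

```shell
#!/bin/sh
# Added example: extract counters from Solaris-style `netstat -s` output.

# Prints "name value" for every "name = value" pair on stdin (two per line).
netstat_counters() {
    awk '{
        gsub(/=/, " = ")    # normalise "name =123" and "name= 123"
        for (i = 2; i < NF; i++)
            if ($i == "=") print $(i - 1), $(i + 1)
    }'
}

# Non-zero counters whose name suggests an error, drop, failure or
# unserved traffic. The name pattern is an assumption of this example,
# not a netstat feature.
nonzero_errors() {
    netstat_counters |
        awk '$1 ~ /Err|Drop|Fail|Overflow|Discard|NoPorts/ && $2 > 0'
}

# usage: counter_pct NUMERATOR DENOMINATOR   (prints percentage or "n/a")
counter_pct() {
    netstat_counters | awk -v n="$1" -v d="$2" '
        $1 == n { num = $2 }
        $1 == d { den = $2 }
        END { if (den > 0) printf "%.4f\n", 100 * num / den; else print "n/a" }'
}

# Lines copied from the netstat -s output shown above.
sample_netstat_s() {
    cat <<'EOF'
UDP
udpInDatagrams =17227479 udpInErrors = 0
TCP tcpRtoAlgorithm = 4 tcpRtoMin = 400
tcpAttemptFails = 1198 tcpEstabResets = 469
tcpOutDataSegs =94129579 tcpOutDataBytes =1737821124
tcpRetransSegs = 6771 tcpRetransBytes =4047173
tcpTimKeepaliveProbe= 15890 tcpTimKeepaliveDrop = 31
tcpListenDrop = 0 tcpListenDropQ0 = 0
tcpInErrs = 1 udpNoPorts =1343350
udpInCksumErrs = 0 udpInOverflows = 80
EOF
}

sample_netstat_s | nonzero_errors
printf 'retransmitted segments: %s%%\n' \
    "$(sample_netstat_s | counter_pct tcpRetransSegs tcpOutDataSegs)"
```

On a live Solaris host the same functions can be fed directly, for example `netstat -s | nonzero_errors`.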

You can also use netstat -a to examine, for each port, the number of bytes still waiting in the queue for
transmission (Send-Q) and the number of received bytes not yet copied to the application process by your server (Recv-Q):
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:webcache *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:http *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 S34KLJ142:smtp *:* LISTEN
tcp 0 0 *:https *:* LISTEN
tcp 0 0 200.7.1.142:netbios-ssn 200.7.1.26:1352 ESTABLISHED
tcp 0 0 200.7.1.142:33568 200.1.34.117:1521
tcp 0 180 200.7.1.142:ssh 200.7.1.25:1404 ESTABLISHED

Note that ssh still has 180 bytes of data to transmit in its queue. Not a problem, but this could be a
problem if the value is very large (meaning that the ssh data cannot be transmitted fast enough, so it has
to be queued).

I also find it quite useful to use simple real-world benchmarks to analyze network performance, such as
the time required to transfer a 10 megabyte file (should be 10-15 seconds on a 10 Mbit network), or
using the apachebench ab -c10 -n1000 [url] command to simulate 10 clients sending a total of 1000
HTTP requests to a server.

Network Response
$ netstat -i
Name  Mtu   Net/Dest  Address    Ipkts     Ierrs  Opkts    Oerrs  Collis  Queue
lo0   8232  loopback  localhost  77814     0      77814    0      0       0
hme0  1500  server1   server1    10658566  3      4832511  0      279257  0

This option is used to diagnose network problems when connectivity is there but it is slow in response.

Values to look at:

· Collisions (Collis)
· Output packets (Opkts)
· Input errors (Ierrs)
· Input packets (Ipkts)

The above values give the information needed to work out:

i. Network collision rate, as follows:
Network collision rate = Output collision counts / Output packets
A network-wide collision rate greater than 10 percent will indicate:
· Overloaded network,
· Poorly configured network,
· Hardware problems.

ii. Input packet error rate, as follows:
Input Packet Error Rate = Ierrs / Ipkts
If the input error rate is high (over 0.25 percent), the host is dropping packets. Hub/switch cables etc.
need to be checked for potential problems.
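
The two rates above, computed per interface from netstat -i output and checked against the 10 percent and 0.25 percent thresholds. This is an added example, not part of the original document; the function names and the OK/CHECK labels are assumptions.

```shell
#!/bin/sh
# Added example: collision and input-error rates from `netstat -i` output.
# Thresholds (10% collisions, 0.25% input errors) are the ones in the text.

# Reads netstat -i text on stdin; prints one line per interface:
#   <name> collis=<pct>% ierr=<pct>% <OK|CHECK>
iface_rates() {
    awk '
    # Locate columns by header name so the parser tolerates column reordering.
    $1 == "Name" {
        for (i = 1; i <= NF; i++) col[$i] = i
        next
    }
    ("Ipkts" in col) && NF >= col["Collis"] {
        ipkts = $(col["Ipkts"]); ierrs = $(col["Ierrs"])
        opkts = $(col["Opkts"]); collis = $(col["Collis"])
        # Guard against division by zero on idle interfaces.
        crate = (opkts > 0) ? 100 * collis / opkts : 0
        erate = (ipkts > 0) ? 100 * ierrs / ipkts : 0
        flag = (crate > 10 || erate > 0.25) ? "CHECK" : "OK"
        printf "%s collis=%.2f%% ierr=%.4f%% %s\n", $1, crate, erate, flag
    }'
}

# Sample taken from the netstat -i output shown above.
sample_netstat_i() {
    cat <<'EOF'
Name  Mtu   Net/Dest  Address    Ipkts     Ierrs  Opkts    Oerrs  Collis  Queue
lo0   8232  loopback  localhost  77814     0      77814    0      0       0
hme0  1500  server1   server1    10658566  3      4832511  0      279257  0
EOF
}

sample_netstat_i | iface_rates
```

For hme0 in the sample this gives a collision rate of about 5.78 percent, which is under the 10 percent threshold.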
C. Network socket & TCP connection state

Netstat gives important information about network socket and TCP state. This is very useful in
finding out the open, closed and waiting network TCP connections.

Network states returned by netstat are the following:

     CLOSED        ---- Closed. The socket is not being used.
     LISTEN        ---- Listening for incoming connections.
     SYN_SENT      ---- Actively trying to establish connection.
     SYN_RECEIVED  ---- Initial synchronization of the connection under way.
     ESTABLISHED   ---- Connection has been established.
     CLOSE_WAIT    ---- Remote shut down; waiting for the socket to close.
     FIN_WAIT_1    ---- Socket closed; shutting down connection.
     CLOSING       ---- Closed, then remote shutdown; awaiting acknowledgement.
     LAST_ACK      ---- Remote shut down, then closed; awaiting acknowledgement.
     FIN_WAIT_2    ---- Socket closed; waiting for shutdown from remote.
     TIME_WAIT     ---- Wait after close for remote shutdown retransmission.

Example:

 #netstat -a
Local Address      Remote Address       Swind  Send-Q  Rwind  Recv-Q  State
192.168.1.184.22   192.168.1.183.58672  18048  0       24616  0       ESTABLISHED
192.168.1.184.22   192.168.1.186.56806  38912  0       24616  0       ESTABLISHED
192.168.1.184.22   192.168.1.186.50457  41992  0       24616  0       ESTABLISHED
*.*                *.*                  0      0       24576  0       IDLE
*.32776            *.*                  0      0       24576  0       LISTEN
*.32775            *.*                  0      0       24576  0       LISTEN
*.32772            *.*                  0      0       24576  0       LISTEN
*.898              *.*                  0      0       24576  0       LISTEN
*.5987             *.*                  0      0       24576  0       LISTEN
*.25               *.*                  0      0       24576  0       LISTEN
*.4045             *.*                  0      0       24576  0       LISTEN
*.32771            *.*                  0      0       24576  0       LISTEN
*.*                *.*                  0      0       24576  0       IDLE
*.22               *.*                  0      0       24576  0       LISTEN
*.22               *.*                  0      0       24576  0       LISTEN
*.*                *.*                  0      0       24576  0       IDLE

If you see a lot of connections in FIN_WAIT state, TCP/IP parameters have to be tuned, because the
connections are not being closed and they keep accumulating. After some time the system may run out of
resources. TCP parameters can be tuned to define a timeout so that connections can be released and
used by new connections.
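
A way to spot the FIN_WAIT build-up described above: tally connections by state, then list the remote hosts that hold more than a chosen number of FIN_WAIT connections. This is an added example, not part of the original document; the function names, the limit and the sample addresses are constructed, and IPv4 addresses are assumed.

```shell
#!/bin/sh
# Added example: tally TCP states and find peers piling up FIN_WAIT sockets.

# Prints "STATE COUNT" for each state found in the last column of stdin.
# Headers, address-only lines and mixed-case UDP states are skipped.
tcp_states() {
    LC_ALL=C awk '$NF ~ /^[A-Z][A-Z_0-9]+$/ { count[$NF]++ }
         END { for (s in count) print s, count[s] }' | LC_ALL=C sort
}

# usage: fin_wait_peers LIMIT
# Prints "PEER COUNT" for every remote host with more than LIMIT
# connections in a FIN_WAIT state.
fin_wait_peers() {
    LC_ALL=C awk -v limit="$1" '
    $NF ~ /^FIN_WAIT/ {
        # Linux layout:   "tcp Recv-Q Send-Q Local Foreign State"
        # Solaris layout: "Local Remote Swind Send-Q Rwind Recv-Q State"
        peer = ($1 ~ /^tcp/) ? $5 : $2
        sub(/[.:][^.:]*$/, "", peer)    # strip ".port" or ":port"
        n[peer]++
    }
    END { for (p in n) if (n[p] > limit) print p, n[p] }' | LC_ALL=C sort
}

# Constructed sample in the Solaris column layout used above.
sample_netstat_a() {
    cat <<'EOF'
Local Address  Remote Address      Swind Send-Q Rwind Recv-Q State
192.0.2.10.80  198.51.100.7.40112  18048 0      24616 0      FIN_WAIT_2
192.0.2.10.80  198.51.100.7.40113  18048 0      24616 0      FIN_WAIT_2
192.0.2.10.80  198.51.100.7.40114  18048 0      24616 0      FIN_WAIT_1
192.0.2.10.80  198.51.100.9.51000  18048 0      24616 0      FIN_WAIT_2
192.0.2.10.22  198.51.100.8.58672  18048 0      24616 0      ESTABLISHED
*.22           *.*                 0     0      24576 0      LISTEN
*.*            *.*                 0     0      24576 0      IDLE
EOF
}

sample_netstat_a | tcp_states
sample_netstat_a | fin_wait_peers 2
```

Running the tally at intervals and comparing the FIN_WAIT counts shows whether the connections are accumulating or draining.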
