netstat commands and output on AIX, HP-UX, Darwin, OSF/1
I'm merging some code I got 6 months ago for checking the "netstat" output for what ports are being used - both for active connections and listen-ports.
For that, I need the "netstat" commands to put into the client code, and an example of the output so I can tell the client-module how to interpret the data.
I'm only interested in TCP ports. I have the data I need for Linux, Solaris and the BSD variants, but I would like them also for AIX, HP-UX, Darwin and OSF/1.
So I need:
- The "netstat" command to run to get the set of TCP ports currently in use, including ports used for incoming connections. Typically this will be some sort of "netstat -na", with some extra options to get only the TCP sockets. Note that it may be necessary to run two commands to get both IPv4 and IPv6 ports. On the BSD's, I noticed that connections to the loopback interface register as IPv6 sockets, not IPv4.
- A sample of the output, so I can see which columns the various data go into.
Anyone there who could get me this info ?
Thanks, Henrik
PS: This lets you set up rules in hobbit-clients to track e.g. the number of connections to your webserver, and put this into a graph so you can see the activity over the day. It can also alert you if there is a port 25 open on a server where it shouldn't be, or if the number of connections to your ssh daemon goes above 20.
On Wed, Apr 19, 2006 at 10:34:06PM +0200, Henrik Stoerner wrote:
> I'm only interested in TCP ports. I have the data I need for Linux, Solaris and the BSD variants, but I would like them also for AIX, HP-UX, Darwin and OSF/1.
OK, I've got Darwin (twice - you guys are *fast*). Any others ?
Henrik
Not sure if this is exactly what you need, but here's netstat for HP-UX.
uname -srv
HP-UX B.10.20 A
netstat -np tcp
tcp:
        2763301 packets sent
                930771 data packets (624793792 bytes)
                713 data packets (957508 bytes) retransmitted
                1216788 ack-only packets (107037 delayed)
                0 URG only packets
                0 window probe packets
                0 window update packets
                615029 control packets
        2932146 packets received
                1742996 acks (for 615692641 bytes)
                65419 duplicate acks
                0 acks for unsent data
                1104985 packets (75993691 bytes) received in-sequence
                1562 completely duplicate packets (1824 bytes)
                0 packets with some dup. data (0 bytes duped)
                54176 out-of-order packets (0 bytes)
                0 packets (0 bytes) of data after window
                0 window probes
                32788 window update packets
                3 packets received after close
                0 discarded for bad checksums
                0 discarded for bad header offset fields
                0 discarded because packet too short
        54177 connection requests
        499971 connection accepts
        554130 connections established (including accepts)
        585205 connections closed (including 41 drops)
        16 embryonic connections dropped
        1720424 segments updated rtt (of 1781132 attempts)
        7259 retransmit timeouts
                0 connections dropped by rexmit timeout
        0 persist timeouts
        5403 keepalive timeouts
                1993 keepalive probes sent
                0 connections dropped by keepalive
On Wed, Apr 19, 2006 at 05:28:48PM -0400, Gary B. wrote:
> Not sure if this is exactly what you need, but here's netstat for HP-UX.
> uname -srv
> HP-UX B.10.20 A
> netstat -np tcp
> tcp: 2763301 packets sent
That's not what I was after. I want the list of active connections. Something like:
$ netstat -na -t
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:1984 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32770 127.0.0.1:43114 ESTABLISHED
tcp 0 0 172.16.10.100:33038 172.16.10.3:22 ESTABLISHED
tcp6 0 0 :::389 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
From AIX 5.1:
gogen02:root:/ # netstat -na
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.21 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.111 *.* LISTEN
tcp4 0 0 *.515 *.* LISTEN
tcp4 0 0 *.523 *.* LISTEN
tcp4 0 0 *.50000 *.* LISTEN
tcp4 0 0 *.1169 *.* LISTEN
tcp4 0 0 *.1581 *.* LISTEN
tcp4 0 0 *.6000 *.* LISTEN
tcp4 0 0 *.6112 *.* LISTEN
tcp4 0 0 *.32768 *.* LISTEN
tcp4 0 0 *.32769 *.* LISTEN
tcp4 0 0 *.32771 *.* LISTEN
tcp4 0 0 *.32784 *.* LISTEN
tcp4 0 0 *.32785 *.* LISTEN
tcp4 0 0 *.32786 *.* LISTEN
tcp4 0 0 *.9090 *.* LISTEN
tcp4 0 0 *.13722 *.* LISTEN
tcp4 0 0 *.13724 *.* LISTEN
tcp4 0 0 *.13782 *.* LISTEN
tcp4 0 0 *.13783 *.* LISTEN
tcp4 0 2704 172.17.1.225.22 192.168.9.40.2852 ESTABLISHED
udp4 0 0 *.111 *.*
udp4 0 0 *.177 *.*
udp4 0 0 *.514 *.*
udp4 0 0 *.523 *.*
udp4 0 0 *.32768 *.*
udp4 0 0 *.32769 *.*
-- Rich Smrcina VM Assist, Inc. Main: (262)392-2026 Cell: (414)491-6001 Ans Service: (360)715-2467 rich.smrcina at vmassist.com
Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
Yeah, at least this version of HP-UX doesn't have a flag for just tcp connections in that format. That's according to the man page anyway.
netstat -an | grep tcp
<copy/paste>
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
</copy/paste>
tcp 0 0 192.168.232.122.3691 192.168.232.122.1712 TIME_WAIT
tcp 0 48 192.168.232.122.22 172.21.96.30.33910 ESTABLISHED
tcp 0 0 192.168.232.122.22 172.21.96.22.29275 ESTABLISHED
tcp 0 0 127.0.0.1.6010 *.* LISTEN
tcp 0 0 192.168.232.122.22 172.21.96.70.2535 ESTABLISHED
tcp 0 0 127.0.0.1.6011 *.* LISTEN
tcp 0 0 192.168.232.122.22 172.21.96.70.2459 ESTABLISHED
tcp 0 0 *.2131 *.* LISTEN
tcp 0 0 *.2112 *.* LISTEN
tcp 0 0 *.2111 *.* LISTEN
tcp 0 0 *.2110 *.* LISTEN
tcp 0 0 *.2109 *.* LISTEN
tcp 0 0 *.2019 *.* LISTEN
tcp 0 0 *.2013 *.* LISTEN
tcp 0 0 *.2012 *.* LISTEN
tcp 0 0 *.2011 *.* LISTEN
tcp 0 0 192.168.232.122.32769 192.168.232.122.2008 CLOSE_WAIT
tcp 0 0 192.168.232.122.2008 192.168.232.122.32769 FIN_WAIT_2
tcp 0 0 *.2007 *.* LISTEN
tcp 0 0 *.2000 *.* LISTEN
tcp 0 0 *.1999 *.* LISTEN
tcp 0 0 *.1998 *.* LISTEN
tcp 0 0 *.1997 *.* LISTEN
tcp 0 0 *.32769 *.* LISTEN
tcp 0 0 192.168.232.122.32768 192.168.232.122.1996 CLOSE_WAIT
tcp 0 0 192.168.232.122.1996 192.168.232.122.32768 FIN_WAIT_2
tcp 0 0 *.1987 *.* LISTEN
tcp 0 0 *.1986 *.* LISTEN
tcp 0 0 *.1985 *.* LISTEN
tcp 0 0 *.1984 *.* LISTEN
tcp 0 0 *.1983 *.* LISTEN
tcp 0 0 *.1982 *.* LISTEN
tcp 0 0 *.1981 *.* LISTEN
tcp 0 0 *.1980 *.* LISTEN
tcp 0 0 *.32768 *.* LISTEN
tcp 0 0 127.0.0.1.1103 127.0.0.1.1254 ESTABLISHED
tcp 0 0 127.0.0.1.1254 127.0.0.1.1103 ESTABLISHED
tcp 0 0 127.0.0.1.1103 127.0.0.1.1252 ESTABLISHED
tcp 0 0 127.0.0.1.1252 127.0.0.1.1103 ESTABLISHED
tcp 0 0 127.0.0.1.1103 127.0.0.1.1245 ESTABLISHED
tcp 0 0 127.0.0.1.1245 127.0.0.1.1103 ESTABLISHED
tcp 0 0 127.0.0.1.1103 127.0.0.1.1244 ESTABLISHED
tcp 0 0 127.0.0.1.1244 127.0.0.1.1103 ESTABLISHED
tcp 0 0 *.1243 *.* LISTEN
tcp 0 0 *.1242 *.* LISTEN
tcp 0 0 *.1180 *.* LISTEN
tcp 0 0 *.1147 *.* LISTEN
tcp 0 0 *.1142 *.* LISTEN
tcp 0 0 *.1788 *.* LISTEN
tcp 0 0 *.1103 *.* LISTEN
tcp 0 0 192.168.232.122.1712 192.168.232.122.1102 ESTABLISHED
tcp 0 0 192.168.232.122.1102 192.168.232.122.1712 ESTABLISHED
<SNIP>
tcp 0 0 *.1006 *.* LISTEN
tcp 0 0 *.* *.* CLOSED
tcp 0 0 *.1001 *.* LISTEN
tcp 0 0 *.997 *.* LISTEN
tcp 0 0 *.993 *.* LISTEN
tcp 0 0 *.111 *.* LISTEN
tcp 0 0 *.2121 *.* LISTEN
phoebus_ROOT~# uname -a
OSF1 phoebus V4.0 1229 alpha
phoebus_ROOT~# netstat -an
printing 1 hashtable with 512 buckets
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 194.57.34.158.3494 129.175.64.15.631 ESTABLISHED
tcp 0 4 194.57.34.158.23 129.175.65.105.4017 ESTABLISHED
tcp 0 0 127.0.0.1.4005 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4006 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4007 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4008 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4009 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4010 127.0.0.1.2301 TIME_WAIT
tcp 0 0 *.6000 *.* LISTEN
tcp 0 0 *.1032 *.* LISTEN
tcp 0 0 *.1700 *.* LISTEN
tcp 0 0 *.631 *.* LISTEN
tcp 0 0 *.1030 *.* LISTEN
tcp 0 0 *.1029 *.* LISTEN
tcp 0 0 *.6112 *.* LISTEN
tcp 0 0 *.10402 *.* LISTEN
tcp 0 0 *.10401 *.* LISTEN
tcp 0 0 *.79 *.* LISTEN
tcp 0 0 *.512 *.* LISTEN
tcp 0 0 *.513 *.* LISTEN
tcp 0 0 *.514 *.* LISTEN
tcp 0 0 *.23 *.* LISTEN
tcp 0 0 *.21 *.* LISTEN
tcp 0 0 *.2301 *.* LISTEN
tcp 0 0 *.30000 *.* LISTEN
tcp 0 0 *.25 *.* LISTEN
tcp 0 0 127.0.0.1.1025 *.* LISTEN
tcp 0 0 194.57.34.158.1025 *.* LISTEN
tcp 0 0 127.0.0.1.1024 *.* LISTEN
tcp 0 0 194.57.34.158.1024 *.* LISTEN
tcp 0 0 *.111 *.* LISTEN
--
Stephane Caminade Administrateur Systèmes et Réseau \ <Stephane.Caminade at medoc-ias.u-psud.fr> Institut d'Astrophysique Spatiale / tel : (33) (1) 69 85 87 03 Batiment 121, Universite Paris XI \ fax : (33) (1) 69 85 86 75 F-91405 ORSAY Cedex / www : http://www.medoc-ias.u-psud.fr/
Hi Henrik, may be useful to track also CloseWait, TimeWait and FinWait connections
M.
On Thu, Apr 20, 2006 at 09:44:06AM +0200, Marco Avvisano wrote:
> may be useful to track also CloseWait, TimeWait and FinWait connections
Of course. You can select which states to monitor, that is fully configurable.
Henrik
Hi Henrik, I send you the output for AIX 5.2 and 4.3.
-- Gianluca
Hi Henrik,
here is the output of "netstat -an" for AIX 5.3 and AIX 5.2. You might want to use something like netstat -an | tail +2 | egrep ^\(tcp\|Proto\) to sort out the first line, keep the second, sort out UDP traffic and the socket stuff. AIX netstat does not seem to provide this using flags :-(
Regards, Mirko
$ uname -an
AIX hostname 3 5 00C4E1CA4C00
$ oslevel -r
5300-01
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.21 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 *.443 *.* LISTEN
tcp4 0 0 *.523 *.* LISTEN
tcp4 0 0 *.657 *.* LISTEN
tcp4 0 0 *.50002 *.* LISTEN
tcp4 0 0 *.50006 *.* LISTEN
tcp4 0 0 127.0.0.1.1984 *.* LISTEN
tcp4 0 0 10.2.30.163.22 10.2.20.58.45801 ESTABLISHED
tcp4 0 0 127.0.0.1.6010 *.* LISTEN
tcp 0 0 *.11116 *.* LISTEN
tcp 0 0 *.11117 *.* LISTEN
tcp 0 0 *.11118 *.* LISTEN
tcp 0 0 127.0.0.1.8005 *.* LISTEN
tcp4 0 0 127.0.0.1.50002 127.0.0.1.52375 ESTABLISHED
tcp 0 0 127.0.0.1.52375 127.0.0.1.50002 ESTABLISHED
tcp4 0 0 127.0.0.1.50002 127.0.0.1.52376 ESTABLISHED
...
...
udp4 0 0 127.0.0.1.123 *.*
udp4 0 0 10.2.30.163.123 *.*
...
Active UNIX domain sockets
SADR/PCB Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
f1000d0000da5800 stream 0 0 0 f1000d00002a7e80 0 0
f1000d0000db5180
f1000d0000997c00 dgram 0 0 f1000c00213c03f8 0 0 0 /dev/.SRC-unix/SRC22UkEd
f1000d0000992b80
f1000d0000989c00 dgram 0 0 f1000c00213d4bf8 0 0 0 /dev/.SRC-unix/SRC56UkEh
...
...
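Added example, not part of the thread and not Hobbit's own code: a small Python parser that normalises the two address styles seen in the samples above (addr:port on Linux, addr.port on AIX, HP-UX and OSF/1, with tcp, tcp4 and tcp6 protocol names) and applies the kind of rules described in the PS of the first message. The function names, the default thresholds and the sample rows (copied from or modelled on the posted output) are assumptions.

```python
import re

# The port is whatever follows the last '.' or ':' in the address column:
# Linux prints addr:port, AIX/HP-UX/OSF/1 print addr.port; '*' means "any".
_PORT = re.compile(r"[.:](\d+|\*)$")

def _port(addr):
    m = _PORT.search(addr)
    return int(m.group(1)) if m and m.group(1) != "*" else None

def parse_netstat(text):
    """Return (local_port, remote_port, state) for each TCP row of netstat -an."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # proto recv-q send-q local foreign state; headers and UDP rows drop out
        if len(f) == 6 and re.fullmatch(r"tcp[46]?", f[0]):
            rows.append((_port(f[3]), _port(f[4]), f[5]))
    return rows

def count_port(rows, port, states=("ESTABLISHED",)):
    """Count rows on a local port; the set of states is configurable."""
    return sum(1 for lp, _, st in rows if lp == port and st in states)

def listening_ports(rows):
    return sorted({lp for lp, _, st in rows if st == "LISTEN" and lp is not None})

def check(rows, forbidden_listen=(25,), ssh_max=20):
    """Apply the two rules from the PS; the defaults here are assumptions."""
    alerts = [f"port {p} is listening" for p in forbidden_listen
              if p in listening_ports(rows)]
    n = count_port(rows, 22)
    if n > ssh_max:
        alerts.append(f"{n} connections to port 22 (limit {ssh_max})")
    return alerts

# Constructed samples: rows copied from or modelled on the output in the thread.
LINUX = """Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 172.16.10.100:33038 172.16.10.3:22 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN"""
AIX = """Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.22 *.* LISTEN
tcp 0 0 *.25 *.* LISTEN
tcp4 0 2704 172.17.1.225.22 192.168.9.40.2852 ESTABLISHED
tcp 0 0 192.168.232.122.32769 192.168.232.122.2008 CLOSE_WAIT
udp4 0 0 *.111 *.*"""

if __name__ == "__main__":
    print(check(parse_netstat(LINUX)), check(parse_netstat(AIX)))
```

Counting is done on the local port, so the outbound ssh session in the Linux sample (local port 33038, remote port 22) is not counted as a connection to the local ssh daemon.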