netstat commands and output on AIX, HP-UX, Darwin, OSF/1
list Henrik Størner
I'm merging some code I got 6 months ago for checking the "netstat"
output for what ports are being used - both for active connections
and listen-ports.
For that, I need the "netstat" commands to put into the client code,
and an example of the output so I can tell the client-module how to
interpret the data.
I'm only interested in TCP ports. I have the data I need for Linux,
Solaris and the BSD variants, but I would like them also for AIX,
HP-UX, Darwin and OSF/1.
So I need:
* The "netstat" command to run to get the set of TCP ports currently
in use, including ports used for incoming connections. Typically
this will be some sort of "netstat -na", with some extra options
to get only the TCP sockets.
Note that it may be necessary to run two commands to get both
IPv4 and IPv6 ports. On the BSDs, I noticed that connections
to the loopback interface register as IPv6 sockets, not IPv4.
* A sample of the output, so I can see which columns the various
data go into.
Anyone there who could get me this info ?
Thanks,
Henrik
PS: This lets you set up rules in hobbit-clients to track e.g. the
number of connections to your webserver, and put this into
a graph so you can see the activity over the day. It can
also alert you if there is a port 25 open on a server where
it shouldn't be, or if the number of connections to your
ssh daemon goes above 20.
list Henrik Størner
On Wed, Apr 19, 2006 at 10:34:06PM +0200, Henrik Stoerner wrote:
I'm only interested in TCP ports. I have the data I need for Linux, Solaris and the BSD variants, but I would like them also for AIX, HP-UX, Darwin and OSF/1.
OK, I've got Darwin (twice - you guys are *fast*). Any others ? Henrik
list Gary B.
Not sure if this is exactly what you need, but here's netstat for HP-UX.
# uname -srv
HP-UX B.10.20 A
# netstat -np tcp
tcp:
2763301 packets sent
930771 data packets (624793792 bytes)
713 data packets (957508 bytes) retransmitted
1216788 ack-only packets (107037 delayed)
0 URG only packets
0 window probe packets
0 window update packets
615029 control packets
2932146 packets received
1742996 acks (for 615692641 bytes)
65419 duplicate acks
0 acks for unsent data
1104985 packets (75993691 bytes) received in-sequence
1562 completely duplicate packets (1824 bytes)
0 packets with some dup. data (0 bytes duped)
54176 out-of-order packets (0 bytes)
0 packets (0 bytes) of data after window
0 window probes
32788 window update packets
3 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
54177 connection requests
499971 connection accepts
554130 connections established (including accepts)
585205 connections closed (including 41 drops)
16 embryonic connections dropped
1720424 segments updated rtt (of 1781132 attempts)
7259 retransmit timeouts
0 connections dropped by rexmit timeout
0 persist timeouts
5403 keepalive timeouts
1993 keepalive probes sent
0 connections dropped by keepalive
#
list Henrik Størner
On Wed, Apr 19, 2006 at 05:28:48PM -0400, Gary B. wrote:
Not sure if this is exactly what you need, but here's netstat for HP-UX.
# uname -srv
HP-UX B.10.20 A
# netstat -np tcp
tcp:
2763301 packets sent
That's not what I was after. I want the list of active connections.
Something like:
$ netstat -na -t
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:1984 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:32770 127.0.0.1:43114 ESTABLISHED
tcp 0 0 172.16.10.100:33038 172.16.10.3:22 ESTABLISHED
tcp6 0 0 :::389 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
list Rich Smrcina
From AIX 5.1:
gogen02:root:/ # netstat -na
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.21 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.111 *.* LISTEN
tcp4 0 0 *.515 *.* LISTEN
tcp4 0 0 *.523 *.* LISTEN
tcp4 0 0 *.50000 *.* LISTEN
tcp4 0 0 *.1169 *.* LISTEN
tcp4 0 0 *.1581 *.* LISTEN
tcp4 0 0 *.6000 *.* LISTEN
tcp4 0 0 *.6112 *.* LISTEN
tcp4 0 0 *.32768 *.* LISTEN
tcp4 0 0 *.32769 *.* LISTEN
tcp4 0 0 *.32771 *.* LISTEN
tcp4 0 0 *.32784 *.* LISTEN
tcp4 0 0 *.32785 *.* LISTEN
tcp4 0 0 *.32786 *.* LISTEN
tcp4 0 0 *.9090 *.* LISTEN
tcp4 0 0 *.13722 *.* LISTEN
tcp4 0 0 *.13724 *.* LISTEN
tcp4 0 0 *.13782 *.* LISTEN
tcp4 0 0 *.13783 *.* LISTEN
tcp4 0 2704 172.17.1.225.22 192.168.9.40.2852 ESTABLISHED
udp4 0 0 *.111 *.*
udp4 0 0 *.177 *.*
udp4 0 0 *.514 *.*
udp4 0 0 *.523 *.*
udp4 0 0 *.32768 *.*
udp4 0 0 *.32769 *.*
--
Rich Smrcina VM Assist, Inc. Main: (262)392-2026 Cell: (XXX)XXX-XXXX Ans Service: (360)715-2467 user-61add9955ef9@xymon.invalid Catch the WAVV! http://www.wavv.org WAVV 2007 - Green Bay, WI - May 18-22, 2007
list Gary B.
Yeah, at least this version of HP-UX doesn't have a flag for just tcp connections in that format. That's according to the man page anyway.
# netstat -an | grep tcp
<copy/paste>
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
</copy/paste>
tcp 0 0 192.168.XXX.XXX.XXXX 192.168.XXX.XXX.XXXX TIME_WAIT
tcp 0 48 192.168.232.122.22 172.21.96.30.33910 ESTABLISHED
tcp 0 0 192.168.232.122.22 172.21.96.22.29275 ESTABLISHED
tcp 0 0 127.0.0.1.6010 *.* LISTEN
tcp 0 0 192.168.232.122.22 172.21.96.70.2535 ESTABLISHED
tcp 0 0 127.0.0.1.6011 *.* LISTEN
tcp 0 0 192.168.232.122.22 172.21.96.70.2459 ESTABLISHED
tcp 0 0 *.2131 *.* LISTEN
tcp 0 0 *.2112 *.* LISTEN
tcp 0 0 *.2111 *.* LISTEN
tcp 0 0 *.2110 *.* LISTEN
tcp 0 0 *.2109 *.* LISTEN
tcp 0 0 *.2019 *.* LISTEN
tcp 0 0 *.2013 *.* LISTEN
tcp 0 0 *.2012 *.* LISTEN
tcp 0 0 *.2011 *.* LISTEN
tcp 0 0 192.168.232.122.32769 192.168.XXX.XXX.XXXX CLOSE_WAIT
tcp 0 0 192.168.XXX.XXX.XXXX 192.168.232.122.32769 FIN_WAIT_2
tcp 0 0 *.2007 *.* LISTEN
tcp 0 0 *.2000 *.* LISTEN
tcp 0 0 *.1999 *.* LISTEN
tcp 0 0 *.1998 *.* LISTEN
tcp 0 0 *.1997 *.* LISTEN
tcp 0 0 *.32769 *.* LISTEN
tcp 0 0 192.168.232.122.32768 192.168.XXX.XXX.XXXX CLOSE_WAIT
tcp 0 0 192.168.XXX.XXX.XXXX 192.168.232.122.32768 FIN_WAIT_2
tcp 0 0 *.1987 *.* LISTEN
tcp 0 0 *.1986 *.* LISTEN
tcp 0 0 *.1985 *.* LISTEN
tcp 0 0 *.1984 *.* LISTEN
tcp 0 0 *.1983 *.* LISTEN
tcp 0 0 *.1982 *.* LISTEN
tcp 0 0 *.1981 *.* LISTEN
tcp 0 0 *.1980 *.* LISTEN
tcp 0 0 *.32768 *.* LISTEN
tcp 0 0 127.0.0.1.1103 127.0.0.1.1254 ESTABLISHED
tcp 0 0 127.0.0.1.1254 127.0.0.1.1103 ESTABLISHED
tcp 0 0 127.0.0.1.1103 127.0.0.1.1252 ESTABLISHED
tcp 0 0 127.0.0.1.1252 127.0.0.1.1103 ESTABLISHED
tcp 0 0 127.0.0.1.1103 127.0.0.1.1245 ESTABLISHED
tcp 0 0 127.0.0.1.1245 127.0.0.1.1103 ESTABLISHED
tcp 0 0 127.0.0.1.1103 127.0.0.1.1244 ESTABLISHED
tcp 0 0 127.0.0.1.1244 127.0.0.1.1103 ESTABLISHED
tcp 0 0 *.1243 *.* LISTEN
tcp 0 0 *.1242 *.* LISTEN
tcp 0 0 *.1180 *.* LISTEN
tcp 0 0 *.1147 *.* LISTEN
tcp 0 0 *.1142 *.* LISTEN
tcp 0 0 *.1788 *.* LISTEN
tcp 0 0 *.1103 *.* LISTEN
tcp 0 0 192.168.XXX.XXX.XXXX 192.168.XXX.XXX.XXXX ESTABLISHED
tcp 0 0 192.168.XXX.XXX.XXXX 192.168.XXX.XXX.XXXX ESTABLISHED
<SNIP>
tcp 0 0 *.1006 *.* LISTEN
tcp 0 0 *.* *.* CLOSED
tcp 0 0 *.1001 *.* LISTEN
tcp 0 0 *.997 *.* LISTEN
tcp 0 0 *.993 *.* LISTEN
tcp 0 0 *.111 *.* LISTEN
tcp 0 0 *.2121 *.* LISTEN
list Stephane Caminade
phoebus_ROOT~# uname -a
OSF1 phoebus V4.0 1229 alpha
phoebus_ROOT~# netstat -an
printing 1 hashtable with 512 buckets
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 194.57.34.158.3494 129.175.64.15.631 ESTABLISHED
tcp 0 4 194.57.34.158.23 129.175.65.105.4017 ESTABLISHED
tcp 0 0 127.0.0.1.4005 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4006 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4007 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4008 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4009 127.0.0.1.2301 TIME_WAIT
tcp 0 0 127.0.0.1.4010 127.0.0.1.2301 TIME_WAIT
tcp 0 0 *.6000 *.* LISTEN
tcp 0 0 *.1032 *.* LISTEN
tcp 0 0 *.1700 *.* LISTEN
tcp 0 0 *.631 *.* LISTEN
tcp 0 0 *.1030 *.* LISTEN
tcp 0 0 *.1029 *.* LISTEN
tcp 0 0 *.6112 *.* LISTEN
tcp 0 0 *.10402 *.* LISTEN
tcp 0 0 *.10401 *.* LISTEN
tcp 0 0 *.79 *.* LISTEN
tcp 0 0 *.512 *.* LISTEN
tcp 0 0 *.513 *.* LISTEN
tcp 0 0 *.514 *.* LISTEN
tcp 0 0 *.23 *.* LISTEN
tcp 0 0 *.21 *.* LISTEN
tcp 0 0 *.2301 *.* LISTEN
tcp 0 0 *.30000 *.* LISTEN
tcp 0 0 *.25 *.* LISTEN
tcp 0 0 127.0.0.1.1025 *.* LISTEN
tcp 0 0 194.57.34.158.1025 *.* LISTEN
tcp 0 0 127.0.0.1.1024 *.* LISTEN
tcp 0 0 194.57.34.158.1024 *.* LISTEN
tcp 0 0 *.111 *.* LISTEN
--
Stephane Caminade Administrateur Systèmes et Réseau \ <user-a265b6c42ffc@xymon.invalid> Institut d'Astrophysique Spatiale / tel : (XX) (X) XX XX XX XX Batiment 121, Universite Paris XI \ fax : (XX) (X) XX XX XX XX F-91405 ORSAY Cedex / www : http://www.medoc-ias.u-psud.fr/
list Marco Avvisano
Hi Henrik,
may be useful to track also CloseWait, TimeWait and FinWait connections
M.
list Gianluca Rossi
Hi Henrik,
I send you the output for AIX 5.2 and 4.3.
--
Gianluca
Attachments (1)
list Henrik Størner
On Thu, Apr 20, 2006 at 09:44:06AM +0200, Marco Avvisano wrote:
may be useful to track also CloseWait, TimeWait and FinWait connections
Of course. You can select which states to monitor, that is fully configurable. Henrik
list Mirko Saam
Hi Henrik,
here is the output of "netstat -an" for AIX 5.3 and AIX 5.2. You might want to use something like
netstat -an | tail +2 | egrep ^\(tcp\|Proto\)
to sort out the first line, keep the second, sort out UDP traffic and the socket stuff. AIX netstat does not seem to provide this using flags :-(
Regards,
Mirko
$ uname -an
AIX hostname 3 5 00C4E1CA4C00
$ oslevel -r
5300-01
$ netstat -an
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.21 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 *.443 *.* LISTEN
tcp4 0 0 *.523 *.* LISTEN
tcp4 0 0 *.657 *.* LISTEN
tcp4 0 0 *.50002 *.* LISTEN
tcp4 0 0 *.50006 *.* LISTEN
tcp4 0 0 127.0.0.1.1984 *.* LISTEN
tcp4 0 0 10.2.30.163.22 10.2.20.58.45801 ESTABLISHED
tcp4 0 0 127.0.0.1.6010 *.* LISTEN
tcp 0 0 *.11116 *.* LISTEN
tcp 0 0 *.11117 *.* LISTEN
tcp 0 0 *.11118 *.* LISTEN
tcp 0 0 127.0.0.1.8005 *.* LISTEN
tcp4 0 0 127.0.0.1.50002 127.0.0.1.52375 ESTABLISHED
tcp 0 0 127.0.0.1.52375 127.0.0.1.50002 ESTABLISHED
tcp4 0 0 127.0.0.1.50002 127.0.0.1.52376 ESTABLISHED
...
...
udp4 0 0 127.0.0.1.123 *.*
udp4 0 0 10.2.30.163.123 *.*
...
Active UNIX domain sockets
SADR/PCB Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
f1000d0000da5800 stream 0 0 0 f1000d00002a7e80 0 0
f1000d0000db5180
f1000d0000997c00 dgram 0 0 f1000c00213c03f8 0 0 0 /dev/.SRC-unix/SRC22UkEd
f1000d0000992b80
f1000d0000989c00 dgram 0 0 f1000c00213d4bf8 0 0 0 /dev/.SRC-unix/SRC56UkEh
...
...
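The port check described in the PS of the first message, as an added example that is not part of this thread or of Hobbit's own client code: a Python parser that accepts both address layouts posted above (Linux `addr:port` and AIX/HP-UX/OSF/1 `addr.port`), skips header, UDP and UNIX-socket rows, and applies the two rules mentioned there (port 25 listening, more than 20 ssh connections). The sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample mixing the layouts posted in this thread: AIX/HP-UX/OSF/1
# "addr.port", Linux "addr:port", plus header and UDP rows that must be ignored.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.25 *.* LISTEN
tcp4 0 0 10.0.0.5.22 10.0.0.9.45801 ESTABLISHED
tcp 0 0 10.0.0.5.22 10.0.0.7.2535 ESTABLISHED
tcp 0 0 127.0.0.1.4005 127.0.0.1.2301 TIME_WAIT
tcp 0 0 *.* *.* CLOSED
tcp6 0 0 :::80 :::* LISTEN
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
udp4 0 0 *.111 *.*
"""

def port_of(addr):
    """Port after the last '.' or ':' of an address column; None for '*'."""
    m = re.search(r"[.:](\d+|\*)$", addr)
    return int(m.group(1)) if m and m.group(1) != "*" else None

def parse_tcp(text):
    """Yield (state, local_port, remote_port) for each TCP row."""
    for line in text.splitlines():
        f = line.split()
        # TCP rows carry six columns; headers, UDP rows (no state column)
        # and UNIX-domain socket rows fail this test and are skipped.
        if len(f) == 6 and f[0].startswith("tcp"):
            yield f[5], port_of(f[3]), port_of(f[4])

def summarize(text):
    """Return (set of listening ports, Counter keyed by (local_port, state))."""
    listen, counts = set(), Counter()
    for state, lport, _ in parse_tcp(text):
        if state != "LISTEN":
            counts[(lport, state)] += 1
        elif lport is not None:
            listen.add(lport)
    return listen, counts

def check(text, forbidden_listen=(25,), max_established=((22, 20),)):
    """Apply the two rule types from the PS; thresholds are the ones named there."""
    listen, counts = summarize(text)
    alerts = [f"port {p} is listening" for p in forbidden_listen if p in listen]
    for port, limit in max_established:
        n = counts[(port, "ESTABLISHED")]
        if n > limit:
            alerts.append(f"{n} ESTABLISHED connections on port {port} (limit {limit})")
    return alerts
```

Rows whose state column was wrapped onto the next line, as in the HP-UX mail above, have only five fields and are skipped, so feed the parser the raw command output rather than text copied out of a mail.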