Re: "netstat -s"

From: Cameron Kerr (cameron.kerr_at_paradise.net.nz)
Date: 01/16/04


Date: 17 Jan 2004 02:20:30 +1300

sidharth deshpande <sidharth.deshpande@fh-heidelberg.de> wrote:
> Hello group,
>
> I am looking for explanation of output generated by 'netstat -s'

My 'netstat -s' doesn't mention those at all, nor is it in the same
format.

> specifically explanation of each of these entries:-
> TCPPureAcks: 3568472
> TCPHPAcks: 2188686
> TCPRenoRecovery: 0
> TCPSackRecovery: 897
...

Hmmm, a lot of counters. I think the version I have (Debian Unstable) is
the modern version. As such, it would seem the output has been made a
bit more informational. Here's a sample of what I have. You can piece it
together if you like.

Ip:
    ...
Icmp:
    ...
Tcp:
    ...
Udp:
    ...
TcpExt:
    56 TCP sockets finished time wait in fast timer
    2984 delayed acks sent
    Quick ack mode was activated 5 times
    61 packets directly queued to recvmsg prequeue.
    747 of bytes directly received from backlog
    21366 of bytes directly received from prequeue
    91368 packet headers predicted
    ...

It seems (via a simple
"strace -o /dev/stderr -e open netstat -s > /dev/null")
that it gets its data from /proc/net/{snmp,netstat}

So digging around the kernel source in files related to that may turn up
more information.

In particular, rooting around for NET_INC_STATS or NET_ADD_STATS may be useful.

Also, RFCs may be useful here (try searching for TCP MIB)

Specifically, RFC1156 may be enlightening for you.
ftp://ftp.rfc-editor.org/in-notes/rfc1156.txt
However, I don't think it covers the Extended TCP stuff at all.

Perhaps a search for Linux MIB or linux_mib may be useful (esp in the
kernel source). It seems to pop up a few times.

Hmmm, yes, searching for linux_mib would be the right thing to search
for, except there doesn't appear to be any documentation
on it. This would appear to be because the linux_mib stuff is intended
for debugging purposes, and all the other netstat -s sections, such as
TCP, UDP, etc, are documented in their own MIB RFCs.

Oh well, you could always ask the Linux Kernel Mailing List. I think
they have the mailing list gatewayed to a newsgroup (it's a very busy
list, not that I've ever been a subscriber)

-- 
Cameron Kerr
cameron.kerr@paradise.net.nz : http://nzgeeks.org/cameron/
Empowered by Perl!
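
As an added example (not part of the original post): a small Python parser for the /proc/net/snmp and /proc/net/netstat files named above, which on Linux list each section as a line of counter names followed by a line of values with the same prefix. The sample text is constructed, using the four counter values quoted in the question; the IpExt line and the function names are illustrative.

```python
"""Parse the name/value line pairs used by /proc/net/snmp and /proc/net/netstat."""
import os

# Constructed sample in the /proc/net/netstat layout. The TcpExt values are the
# ones quoted in the question; the IpExt line is made up for illustration.
SAMPLE = """\
TcpExt: TCPPureAcks TCPHPAcks TCPRenoRecovery TCPSackRecovery
TcpExt: 3568472 2188686 0 897
IpExt: InNoRoutes InTruncatedPkts
IpExt: 0 3
"""


def parse_mib(text):
    """Return {section: {counter: int}} from alternating name/value lines."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected name/value line pairs")
    stats = {}
    for names_line, values_line in zip(lines[0::2], lines[1::2]):
        section, _, names = names_line.partition(":")
        section2, _, values = values_line.partition(":")
        names, values = names.split(), values.split()
        # A truncated read or a format change shows up as a mismatch here.
        if section != section2 or len(names) != len(values):
            raise ValueError(f"mismatched pair for section {section!r}")
        stats.setdefault(section, {}).update(
            (name, int(value)) for name, value in zip(names, values))
    return stats


def read_proc(paths=("/proc/net/snmp", "/proc/net/netstat")):
    """Merge the live files if they exist (Linux only); otherwise use SAMPLE."""
    merged = {}
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                for section, counters in parse_mib(fh.read()).items():
                    merged.setdefault(section, {}).update(counters)
    return merged or parse_mib(SAMPLE)


if __name__ == "__main__":
    for section, counters in read_proc().items():
        print(f"{section}:")
        for name, value in counters.items():
            print(f"    {name}: {value}")
```

The raw counter names printed this way (TCPPureAcks, TCPSackRecovery and so on) are the identifiers to search for in the kernel source.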

