The Linux Programming Interface


1276 Chapter 61


Here is an abridged example of the output that we see when using netstat to list all
Internet domain sockets on the system:

$ netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:50000                 *:*                     LISTEN
tcp        0      0 *:55000                 *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 localhost:32776         localhost:58000         TIME_WAIT
tcp    34767      0 localhost:55000         localhost:32773         ESTABLISHED
tcp        0 115680 localhost:32773         localhost:55000         ESTABLISHED
udp        0      0 localhost:61000         localhost:60000         ESTABLISHED
udp      684      0 *:60000                 *:*

For each Internet domain socket, we see the following information:

• Proto: This is the socket protocol—for example, tcp or udp.
• Recv-Q: This is the number of bytes in the socket receive buffer that are as yet
unread by the local application. For UDP sockets, this field counts not just
data, but also bytes in UDP headers and other metadata.
• Send-Q: This is the number of bytes queued for transmission in the socket send
buffer. As with the Recv-Q field, for UDP sockets, this field includes bytes in
UDP headers and other metadata.
• Local Address: This is the address to which the socket is bound, expressed in the
form host-IP-address:port. By default, both components of the address are
displayed as names, unless the numeric values can’t be resolved to corresponding
host and service names. An asterisk (*) in the host part of the address means
the wildcard IP address.
• Foreign Address: This is the address of the peer socket to which this socket is
bound. The string *:* indicates no peer address.
• State: This is the current state of the socket. For a TCP socket, this state is one
of those described in Section 61.6.3.

For further details, see the netstat(8) manual page.

Various Linux-specific files in the directory /proc/net allow a program to read
much of the same information that is displayed by netstat. These files are named
tcp, udp, tcp6, udp6, and unix, with the obvious purposes. For further details, see the
proc(5) manual page.
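The following is an added example, not code from the book, showing how a program obtains the columns described above directly from /proc/net/tcp rather than by running netstat. Each line of that file carries the local and remote endpoints as hex, the state as a hex code from the kernel's tcp_states.h, and the Send-Q/Recv-Q counters as tx_queue:rx_queue. The sample lines are constructed to mirror the netstat listing above (the inode and uid values are invented), and the hex decoding assumes a little-endian host, where the kernel prints the IPv4 address byte-reversed; on a big-endian host the bytes are in network order. The final helper picks out listening sockets bound to the wildcard address, the sockets netstat shows as *:port, which is the usual first check when auditing what a host exposes.

```python
"""Decode /proc/net/tcp into netstat-style records (added example, not from the book)."""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass

# Socket state codes from the kernel's include/net/tcp_states.h. /proc/net/udp uses
# the same table: 07 (CLOSE) is an unconnected UDP socket, 01 a connected one.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


@dataclass
class SockEntry:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    state: str
    tx_queue: int  # netstat's Send-Q
    rx_queue: int  # netstat's Recv-Q; for LISTEN sockets the kernel reports the accept-queue length here
    uid: int
    inode: int


def _decode_endpoint(field: str, byteorder: str) -> tuple[str, int]:
    """'0100007F:0019' -> ('127.0.0.1', 25).

    The address is the 32-bit value in host byte order printed as %08X, so on a
    little-endian host the bytes are reversed relative to network order and must be
    flipped back before inet_ntoa. The port is printed in host order, so plain hex
    conversion suffices.
    """
    addr_hex, port_hex = field.split(":")
    raw = bytes.fromhex(addr_hex)
    if byteorder == "little":
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(port_hex, 16)


def parse_proc_net_tcp(text: str, byteorder: str = sys.byteorder) -> list[SockEntry]:
    """Parse the text of /proc/net/tcp (or /proc/net/udp, which has the same layout)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with the slot number and a colon ("0:"); the header row does not.
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        # fields: sl local rem st tx_queue:rx_queue tr:tm->when retrnsmt uid timeout inode ...
        laddr, lport = _decode_endpoint(fields[1], byteorder)
        raddr, rport = _decode_endpoint(fields[2], byteorder)
        tx_hex, rx_hex = fields[4].split(":")
        entries.append(SockEntry(
            local_addr=laddr, local_port=lport, remote_addr=raddr, remote_port=rport,
            state=TCP_STATES.get(int(fields[3], 16), f"UNKNOWN({fields[3]})"),
            tx_queue=int(tx_hex, 16), rx_queue=int(rx_hex, 16),
            uid=int(fields[7]), inode=int(fields[9]),
        ))
    return entries


def exposed_listeners(entries: list[SockEntry]) -> list[SockEntry]:
    """Listening sockets bound to the wildcard address, i.e. netstat's '*:port' rows."""
    return [e for e in entries if e.state == "LISTEN" and e.local_addr == "0.0.0.0"]


def format_like_netstat(e: SockEntry) -> str:
    """Render one record in the column order netstat uses: Proto Recv-Q Send-Q Local Foreign State."""
    def endpoint(addr: str, port: int) -> str:
        return f"{'*' if addr == '0.0.0.0' else addr}:{'*' if port == 0 else port}"
    return (f"tcp {e.rx_queue:6d} {e.tx_queue:6d} "
            f"{endpoint(e.local_addr, e.local_port):22s} "
            f"{endpoint(e.remote_addr, e.remote_port):22s} {e.state}")


# Constructed sample (little-endian encoding) mirroring the netstat listing above:
# two wildcard listeners, smtp on loopback, a TIME_WAIT pair, and an established
# pair with 34767 bytes unread on one side and 115680 bytes unsent on the other.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31543 1 0000000000000000 100 0 0 10 0
   1: 00000000:D6D8 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 31560 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 17012 1 0000000000000000 100 0 0 10 0
   3: 0100007F:8008 0100007F:E290 06 00000000:00000000 03:00000B2D 00000000     0        0 0 3 0000000000000000
   4: 0100007F:D6D8 0100007F:8005 01 00000000:000087CF 00:00000000 00000000  1000        0 31620 1 0000000000000000 20 4 30 10 -1
   5: 0100007F:8005 0100007F:D6D8 01 0001C3E0:00000000 00:00000000 00000000  1000        0 31621 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    # Run with --live to read the real file; otherwise use the constructed sample.
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    text = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    records = parse_proc_net_tcp(text, sys.byteorder if live else "little")
    for rec in records:
        print(format_like_netstat(rec))
    print("wildcard listeners:", [r.local_port for r in exposed_listeners(records)])
```

Mapping a socket back to its owning process is not in /proc/net/tcp itself: the inode column must be matched against the socket:[inode] targets of the links under /proc/PID/fd, which is how netstat -p and ss -p do it and which needs root to read other users' processes.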

61.8 Using tcpdump to Monitor TCP Traffic


The tcpdump program is a useful debugging tool that allows the superuser to
monitor the Internet traffic on a live network, generating a real-time textual equivalent
of diagrams such as Figure 61-3. Despite its name, tcpdump can be used to display
traffic for all kinds of TCP/IP packets (e.g., TCP segments, UDP datagrams, and
ICMP packets). For each network packet, tcpdump displays information such as
timestamps, the source and destination IP addresses, and further protocol-specific
details. It is possible to select the packets to be monitored by protocol type, source