In the same vein as the "Useful Command-line" questions (for Windows, Linux, and Mac), I think it would be handy to have "useful ways to use utility x" questions. Man pages tell you what parameters do, but not necessarily why you would use them, what the result means, what useful things the command does that you'd never know without extensive experimentation, or how to get the answer you really want.
I'd like to know about netstat. It would appear that I should be able to figure out which processes are using bandwidth, and, indeed, how fast the system is using bandwidth. It also looks useful for detecting unwanted connections (likely viruses), and it gives all sorts of routing information (that I only had to play with when trying to make a Sharp Zaurus PDA use TCP/IP over USB). In other words, it sounds like a gold mine, and I was hoping some of you would share nuggets of information you've found.
Please include the version of netstat and your OS in your reply. It would be nice to see some sample output and know what it means. I've marked this question as community wiki, and I hope you'll do the same in your answers, so that other people, knowing a different OS, can put down a near equivalent command if they know, in the same answer, and then we can vote on which answers are the most useful.
Show local listening TCP/UDP ports, and the process they belong to:
Netstat routing tables
[This was tested on Mac OS X 10.5.7. I suspect the result is nearly the same on all platforms, as it was indicated to work on Solaris.]
will give you a routing table.
is the same, but will give you raw IPs instead of looking up machine names. Its output looks like this (only longer):
Columns:
Destination and Gateway: The destination is an address (or address range) we might want to send information to. All data sent to that destination will go to the associated gateway. The gateway knows where to send the data to for its next 'hop' on the journey. If we wish to send data to a destination that has no entry in the routing table, it will go through the default gateway.
Flags: The man/info page lists all the flags. Here are what the settings on my default gateway mean:
That's curious that it claims to be manually added, as it came over DHCP.
Refs: "The refcnt field gives the current number of active uses of the route. Connection oriented protocols normally hold on to a single route for the duration of a connection while connectionless protocols obtain a route while sending to the same destination." (Man page)
Use: "The use field provides a count of the number of packets sent using that route."
Netif: "The interface entry indicates the network interface utilized for the route."
On my Mac,
Expire: From a manpage for a different version of netstat: "Displays the time (in minutes) remaining before the route expires."
In Windows:
Shows number of TCP/IP connections. Useful if you are troubleshooting high network systems that are running out of TCP ports and need to increase MaxUserPorts.
Check CommandLineFu's Netstat Page for some useful ways to use netstat in bash.
Rate of Transmission/Reception
On the Mac [OS X 10.5.7]:
[See chuck's answer for notes about use on Solaris and Linux.]
The output looks like so:
This shows how many packets and bytes were transferred in a given interval of time (10 seconds in this example). I was connected to YouTube and was downloading over 1 MB every interval, until I closed the browser tab and the rate bottomed out.
This could prove useful if you are waiting for an upload or download to finish. Monitor the rate, and when it drops dramatically, you know it is done.
Note that the command above shows you all throughput on all interfaces. To scope it to a particular interface (WiFi in this example), use the -I flag, as so:
Windows:
Shows active TCP connections, but no UDP activity.
Shows all active TCP connections, as well as listening TCP and UDP connections. Does not show outbound UDP activity here.
Windows
Display the process using the connection
Windows 7 (possibly since earlier, though):
lists active sessions with associated PIDs
or to save a step
(from an elevated CMD prompt) gives the process name
I'm sure I am reinventing the wheel but here is a simple Perl script to run netstat and sort the output so that the IPs currently mostly connected come out on top. This is best used with the 'watch' program for updates in 2-second intervals.
Update: significant rewrite 2013-02-11 to get rid of many problems and display hostnames
Sample output:
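The idea described in the Perl-script answer above, counting connections per remote address so the busiest peers come out on top, as an added Python example (not the answer's own script). It goes beyond that answer by accepting Linux, macOS/BSD and Windows netstat layouts; SAMPLE, split_endpoint and count_remote_peers are names made up for this example, and the input rows are constructed.

```python
import re
from collections import Counter

# Constructed sample (not captured from a real host): Linux-style rows,
# then one macOS/BSD "addr.port" row and one Windows "netstat -ano" row.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED
tcp        0      0 192.0.2.10:443          198.51.100.7:51520      ESTABLISHED
tcp        0      0 192.0.2.10:443          203.0.113.9:40022       TIME_WAIT
tcp6       0      0 2001:db8::10:443        2001:db8::99:55010      ESTABLISHED
tcp4       0      0  192.0.2.10.49152       198.51.100.7.443       ESTABLISHED
  TCP    192.0.2.10:49712       198.51.100.7:443       ESTABLISHED     4312
udp4       0      0  *.5353                 *.*
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (Linux, Windows) or 'addr.port' (macOS, BSD)."""
    match = re.match(r"^(.*)[:.](\d+|\*)$", endpoint)
    return (match.group(1), match.group(2)) if match else (endpoint, "")


def count_remote_peers(netstat_text, states=("ESTABLISHED",)):
    """Return [(remote_addr, connection_count), ...], busiest peer first."""
    peers = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith("tcp"):
            continue  # headers, UDP rows, blank lines
        # The state column sits at a different index on each OS; the
        # foreign address is always the field immediately before it.
        idx = next((i for i, f in enumerate(fields) if f in states), None)
        if idx is None or idx < 2:
            continue
        addr, _port = split_endpoint(fields[idx - 1])
        peers[addr] += 1
    return peers.most_common()


if __name__ == "__main__":
    for addr, count in count_remote_peers(SAMPLE):
        print(f"{count:5d}  {addr}")
```

To use it on a live host, pass the text output of netstat -an in place of SAMPLE; a peer that suddenly tops the list is a starting point for checking which local process owns those connections.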
Solaris: