Americas

  • United States
sandra_henrystocker
Unix Dweeb

How to create netstat aliases to help focus on network activity

How-To
Apr 17, 20236 mins
Linux

The netstat command can display an overwhelming amount of network statistics. Ready to make your focus a little easier with a series of aliases?

Yellow ethernet cables plugged into a rack

The netstat command provides a tremendous amount on information on network activity. With the -s option (netstat -s), it will display summaries for various protocols such as packets received, active connections, failed connections and a lot more. While the data is extensive enough to make you dizzy, the more you get used to what the command’s output looks like, the more you’ll become familiar with what to expect and maybe even get better at spotting what’s unusual. In this post, we’re going to look at various portions of the netstat -s command’s output using crafted aliases to make it easier.

What kind of stats does the netstat -s command provide?

To list the various types of statistics the netstat -s command provides, I ran a command like that shown below to list the protocols it displays. The grep -v “^ “ portion of the command selects only lines that don’t start with a blank. Since the details are all indented, this command shows just the protocols.

$ netstat -s | grep -v "^ "
Ip:
Icmp:
IcmpMsg:
Tcp:
Udp:
UdpLite:
TcpExt:
IpExt:
MPTcpExt:

The following command shows the protocol headings with their line numbers included by requiring colons and omitting lines with tabs. The line numbers will help isolate the sections for the aliases.

$ netstat -s | nl | grep "[A-Za-z]:$" | grep -Pv 't '
     1	Ip:
    10	Icmp:
    19	IcmpMsg:
    22	Tcp:
    33	Udp:
    41	UdpLite:
    42	TcpExt:
    93	IpExt:
   104	MPTcpExt:

This command counts the overall lines on the output:

$ netstat -s | w -l
104

From the above output, I could determine the starting line and the length of each section and create the aliases for each as well.

 start  section         lines   	head command
 ======================================================
     1	Ip:		1-9		head -9
    10	Icmp:		10-18		head -18 | tail -9
    19	IcmpMsg:	19-21		head -21 | tail -3
    22	Tcp:		22-32		head -32 | tail -11
    33	Udp:            33-40		head -40 | tail -8
    41	UdpLite:	41-41		head -41 | tail -1
    42	TcpExt:	        42-92		head -88 | tail -47
    93	IpExt:	        93-103		head -99 | tail -11
   104	MPTcpExt:	104-104	        head -100 | tail -1

After this, it was fairly easy to construct aliases like these because I knew where each section began and ended.

alias Ip='netstat -s | head -9'
alias Icmp='netstat -s | head -18 | tail -9'

On the other hand, knowing that the number of lines in each section might not always be the same, I resorted to building a script that would construct the aliases for me. A key component in this script is the case statement, which contains commands to be run for each section of the netstat -s output.

Note that each section of the script collects its starting point and calculates the ending point for the prior protocol (the line before its beginning). Only MPTcpExt section defines its own alias and does this by calculating the lines in the file containing the netstat -s output.

#!/bin/bash

# save netstat -s output in file
netstat -s > netstat-s
# count lines
lines=`wc -l netstat-s | awk '{print $1}'`

n=0

while IFS= read -r line
do
    ((n=n+1))
    w=`echo $line | wc -w`
    if [ $w == 1 ]; then
        # echo $line $n
	protocol=`echo $line | sed 's/://'`
	case $protocol in
	  Ip) Ip=$n;;
	  Icmp) Icmp=$n; Ip2=`expr $n - 1`;
	    echo alias IP="'netstat -s | head -$Ip2'";;
	  IcmpMsg) IcmpMsg=$n; Icmp2=`expr $n - 1`
	    len=`expr $IcmpMsg - $Icmp`;
	    echo alias Icmp="'netstat -s | head -$Icmp2 | tail -$len'";;
	  Tcp) Tcp=$n; IcmpMsg2=`expr $n - 1`;
	    len=`expr $Tcp - $IcmpMsg`;
	    echo alias IcmpMsg="'netstat -s | head -$IcmpMsg2 | tail -$len'";;
	  Udp) Udp=$n; Tcp2=`expr $n - 1`;
	    len=`expr $Udp - $Tcp`;
	    echo alias Tcp="'netstat -s | head -$Tcp2 | tail -$len'";;
	  UdpLite) UdpLite=$n; Udp2=`expr $n - 1`;
	    len=`expr $UdpLite - $Udp`;
	    echo alias Udp="'netstat -s | head -$Udp2 | tail -$len'";;
	  TcpExt) TcpExt=$n; UdpLite2=`expr $n - 1`;
	    len=`expr $TcpExt - $UdpLite`;
	    echo alias UdpLite="'netstat -s | head -$UdpLite2 | tail -$len'";;
	  IpExt) IpExt=$n; TcpExt2=`expr $n - 1`;
	    len=`expr $IpExt - $TcpExt`;
	    echo alias TcpExt="'netstat -s | head -$TcpExt2 | tail -$len'";;
	  MPTcpExt) MPTcpExt=$n; IpExt2=`expr $n - 1`;
	    len=`expr $MPTcpExt - $IpExt`;
	    echo alias IpExt="'netstat -s | head -$IpExt2 | tail -$len'";
	    len=`expr $n - $MPTcpExt + 1`;
	    echo alias MPTcpExt="'netstat -s | head -$MPTcpExt | tail -$len'";;
	    # rest=`expr $lines - $MPTcpExt`; echo $rest;;
	esac
    fi
done 

On running the script, I got the following output – a list of the aliases that I then added to my ~/.bashrc file and regenerate as needed. They could have been added to a separate file that I sourced whenever I wanted to used them.

alias IP='netstat -s | head -9'
alias Icmp='netstat -s | head -18 | tail -9'
alias IcmpMsg='netstat -s | head -21 | tail -3'
alias Tcp='netstat -s | head -32 | tail -11'
alias Udp='netstat -s | head -40 | tail -8'
alias UdpLite='netstat -s | head -41 | tail -1'
alias TcpExt='netstat -s | head -92 | tail -51'
alias IpExt='netstat -s | head -103 | tail -11'
alias MPTcpExt='netstat -s | head -104 | tail -1'

Using the aliases will allow me to look at any section of the netstat -s command very easily. Note that you should expect to see considerable changes every time you use these aliases, because the number of connections and packets grows very quickly. In addition, since the number of lines in the netstat -s will not necessarily remain the same, regenerating the aliases from time to time is a good idea.

Here are some examples of the output the aliases will provide:

$ Ip
Ip:
    Forwarding: 2
    511618 total packets received
    159 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    502163 incoming packets delivered
    247145 requests sent out
    2 outgoing packets dropped
$ Tcp
Tcp:
    5124 active connection openings
    26 passive connection openings
    0 failed connection attempts
    6 connection resets received
    1 connections established
    333116 segments received
    235631 segments sent out
    519 segments retransmitted
    6 bad segments received
    3558 resets sent
$ Udp
Udp:
    111008 packets received
    6 packets to unknown port received
    0 packet receive errors
    12794 packets sent
    0 receive buffer errors
    0 send buffer errors
    IgnoredMulti: 58026

Wrap-up

The netstat command provides a huge number of network stats. With the -s option, it displays network statistics in nine different categories. The aliases included in this post should make becoming familiar with these statistics easier.

sandra_henrystocker
Unix Dweeb

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.