
Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle® Solaris 11.3


Updated: March 2019
 
 

Observing Network Traffic With the ipstat and tcpstat Commands

Two new commands for observing various types of network traffic on a server are introduced in this release: ipstat and tcpstat.

The ipstat command is used to gather and report statistics about IP traffic on a server based on the selected output mode and sort order that is specified in the command syntax. This command enables you to observe network traffic at the IP layer, aggregated on source, destination, higher-layer protocol, and interface. Use this command when you want to observe the amount of traffic between one server and other servers.

The tcpstat command is used to gather and report statistics on TCP and UDP traffic on a server based on the selected output mode and sort order that is specified in the command syntax. This command enables you to observe network traffic at the transport layer, specifically for TCP and UDP. In addition to the source and destination IP addresses, you can observe the source and destination TCP or UDP ports, the PID of the process that is sending or receiving the traffic, and the name of the zone in which that process is running.

The following are some of the ways in which you can use the tcpstat command:

  • Identify the largest sources of TCP and UDP traffic on a server.

  • Examine the traffic that is being generated by a particular process.

  • Examine the traffic that is being generated from a particular zone.

  • Determine which process is bound to a local port.


Note -  The previous list is not exhaustive. There are several other ways in which you can use the tcpstat command. See the tcpstat(1M) man page for more information.

To use the ipstat and tcpstat commands, you must meet one of the following requirements:

  • Assume the root role

  • Be explicitly assigned the dtrace_kernel privilege

  • Be assigned either the Network Management or the Network Observability rights profile

The following examples show various ways in which you can use these two commands to observe network traffic. For detailed information, see the tcpstat(1M) and ipstat(1M) man pages.

The following example shows output from the ipstat command when run with the -c option. Use the -c option to print each new report after the previous reports instead of overwriting the previous report. The number 3 in this example specifies the interval for displaying data, which is the same as if the command were invoked as ipstat 3.

# ipstat -c 3
SOURCE                     DEST                       PROTO    INT        BYTES
zucchini                   antares                    TCP      net0       72.0
zucchini                   antares                    SCTP     net0       64.0
antares                    zucchini                   SCTP     net0       56.0
amadeus.foo.example.com    203.0.113.255              UDP      net0       40.0
antares                    zucchini                   TCP      net0       40.0
zucchini                   antares                    UDP      net0       16.0
antares                    zucchini                   UDP      net0       16.0
Total: bytes in: 192.0  bytes out: 112.0 

By comparison, the following example shows output of the tcpstat command when used with the -c option:

# tcpstat -c 3
ZONE         PID PROTO  SADDR             SPORT DADDR             DPORT   BYTES
global    100680 UDP    antares           62763 agamemnon          1023   76.0
global    100680 UDP    antares             775 agamemnon          1023   38.0
global    100680 UDP    antares             776 agamemnon          1023   37.0
global    100680 UDP    agamemnon          1023 antares           62763   26.0
global    104289 UDP    zucchini          48655 antares            6767   16.0
global    104289 UDP    clytemnestra      51823 antares            6767   16.0
global    104289 UDP    antares            6767 zucchini          48655   16.0
global    104289 UDP    antares            6767 clytemnestra      51823   16.0
global    100680 UDP    agamemnon          1023 antares             776   13.0
global    100680 UDP    agamemnon          1023 antares             775   13.0
global    104288 TCP    zucchini          33547 antares            6868    8.0
global    104288 TCP    clytemnestra      49601 antares            6868    8.0
global    104288 TCP    antares            6868 zucchini          33547    8.0
global    104288 TCP    antares            6868 clytemnestra      49601    8.0
Total: bytes in: 101.0  bytes out: 200.0 
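
The per-process view described above can be totaled over several reports. The following is an added example, not part of the Oracle documentation: a shell function that reads saved tcpstat -c output and sums the BYTES column per zone and PID. The function names are hypothetical, and the treatment of K, M, and G suffixes as powers of 1024 is an assumption.

```shell
#!/bin/sh
# Added example: total tcpstat BYTES per zone and PID over every report on stdin.
# Assumption: K/M/G suffixes are powers of 1024 (the page only shows "K").
tcpstat_by_pid() {
    awk '
    function to_bytes(v,   n, u) {
        u = substr(v, length(v), 1)   # last character is the unit, if any
        n = v + 0                     # awk keeps the numeric prefix
        if (u == "K") return n * 1024
        if (u == "M") return n * 1024 * 1024
        if (u == "G") return n * 1024 * 1024 * 1024
        return n
    }
    # Data rows: 8 fields, numeric PID, TCP or UDP. This skips the ZONE
    # header, "Total:" lines and the time stamp lines printed by -d.
    NF == 8 && $2 ~ /^[0-9]+$/ && ($3 == "TCP" || $3 == "UDP") {
        sum[$1 " " $2] += to_bytes($8)
    }
    END { for (k in sum) printf "%s %d\n", k, sum[k] }
    ' | sort -k3,3nr -k2,2n
}

# Sample input: the "tcpstat -c 3" report shown above.
sample_report() {
    cat <<'EOF'
ZONE         PID PROTO  SADDR             SPORT DADDR             DPORT   BYTES
global    100680 UDP    antares           62763 agamemnon          1023   76.0
global    100680 UDP    antares             775 agamemnon          1023   38.0
global    100680 UDP    antares             776 agamemnon          1023   37.0
global    100680 UDP    agamemnon          1023 antares           62763   26.0
global    104289 UDP    zucchini          48655 antares            6767   16.0
global    104289 UDP    clytemnestra      51823 antares            6767   16.0
global    104289 UDP    antares            6767 zucchini          48655   16.0
global    104289 UDP    antares            6767 clytemnestra      51823   16.0
global    100680 UDP    agamemnon          1023 antares             776   13.0
global    100680 UDP    agamemnon          1023 antares             775   13.0
global    104288 TCP    zucchini          33547 antares            6868    8.0
global    104288 TCP    clytemnestra      49601 antares            6868    8.0
global    104288 TCP    antares            6868 zucchini          33547    8.0
global    104288 TCP    antares            6868 clytemnestra      49601    8.0
Total: bytes in: 101.0  bytes out: 200.0
EOF
}

sample_report | tcpstat_by_pid
```

On a Solaris host, save the tcpstat -c output to a file and pass that file to tcpstat_by_pid on standard input. A PID whose total stands out can then be matched to its zone and ports in the original report.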

The following additional examples show other ways in which you can observe traffic on your network by using the ipstat and tcpstat commands.

Example 13  Observing the Five Most Active IP Traffic Flows by Using the ipstat Command

The following example reports the five most active IP traffic flows. The -l nlines option specifies how many lines of data to output per report.

# ipstat -l 5
SOURCE                     DEST                       PROTO    IFNAME     BYTES
charybdis.foo.example.com  achilles.exampl            UDP      net0        6.6K
eratosthenes.example.com   aeneas.example.c           TCP      tun0        6.1K
achilles.exampl            charybdis.foo.example.com  UDP      net0      964.0
aeneas.example.c           eratosthenes.example.com   TCP      tun0      563.0
odysseus.example.          255.255.255.255            UDP      net0       66.0
Total: bytes in: 12.6K bytes out:  2.2K

Example 14  Displaying a Time Stamp by Using the ipstat Command

The following example reports the top IP traffic with a time stamp in standard date format (-d d). Alternatively, you can specify that the time stamp be printed in seconds, that is, UNIX time (-d u). The interval is set to 10 seconds.

# ipstat -d d -c 10
Monday, March 26, 2012 08:34:07 PM EDT
SOURCE                     DEST                       PROTO    IFNAME     BYTES
charybdis.foo.example.com  achilles.exampl            UDP      net0       15.1K
eratosthenes.example.com   aeneas.example.c           TCP      tun0       13.9K
achilles.exampl            charybdis.foo.example.com  UDP      net0        2.4K
aeneas.example.c           eratosthenes.example.com   TCP      tun0        1.5K
odysseus.example.          255.255.255.255            UDP      net0       66.0
cassiopeia.foo.example.com aeneas.example.c           TCP      tun0       29.0
aeneas.example.c           cassiopeia.foo.example.com TCP      tun0       20.0
Total: bytes in: 29.1K bytes out:  3.8K

Example 15  Observing the Five Most Active Traffic Flows by Using the tcpstat Command

The following example reports the five most active TCP traffic flows for a server:

# tcpstat -l 5
ZONE            PID PROTO  SADDR            SPORT DADDR            DPORT   BYTES
global        28919 TCP    achilles.exampl  65398 aristotle.exampl   443   33.0
zone1          6940 TCP    ajax.example.com  6868 achilles.exampl  61318    8.0
zone1          6940 TCP    achilles.exampl  61318 ajax.example.com  6868    8.0
global         8350 TCP    ajax.example.com  6868 achilles.exampl  61318    8.0
global         8350 TCP    achilles.exampl  61318 ajax.example.com  6868    8.0
Total: bytes in: 16.0  bytes out: 49.0

Example 16  Displaying Timestamp Information by Using the tcpstat Command

In the following example, the tcpstat command is used to display timestamp information for TCP network traffic on a server in standard date format:

# tcpstat -d d -c 10
Saturday, March 31, 2012 07:48:05 AM EDT
ZONE            PID PROTO  SADDR            SPORT DADDR            DPORT   BYTES
global         2372 TCP    penelope.example 58094 polyphemus.examp    80   37.0
zone1          6940 TCP    ajax.example.com  6868 achilles.exampl  61318    8.0
zone1          6940 TCP    achilles.exampl  61318 ajax.example.com  6868    8.0
global         8350 TCP    ajax.example.com  6868 achilles.exampl  61318    8.0
global         8350 TCP    achilles.exampl  61318 ajax.example.com  6868    8.0
Total: bytes in: 16.0  bytes out: 53.0