Two new commands for observing various types of network traffic on a server are introduced in this release: ipstat and tcpstat.
The ipstat command is used to gather and report statistics about IP traffic on a server based on the selected output mode and sort order that is specified in the command syntax. This command enables you to observe network traffic at the IP layer, aggregated on source, destination, higher-layer protocol, and interface. Use this command when you want to observe the amount of traffic between one server and other servers.
The tcpstat command is used to gather and report statistics on TCP and UDP traffic on a server based on the selected output mode and sort order that is specified in the command syntax. This command enables you to observe network traffic at the transport layer, specifically for TCP and UDP. In addition to the source and destination IP addresses, you can observe the source and destination TCP or UDP ports, the PID of the process that is sending or receiving the traffic, and the name of the zone in which that process is running.
The following are some of the ways in which you can use the tcpstat command:
Identify the largest sources of TCP and UDP traffic on a server.
Examine the traffic that is being generated by a particular process.
Examine the traffic that is being generated from a particular zone.
Determine which process is bound to a local port.
To use the ipstat and tcpstat commands, you must meet one of the following requirements:
Assume the root role
Be explicitly assigned the dtrace_kernel privilege
Be assigned either the Network Management or the Network Observability rights profile
The following examples show various ways in which you can use these two commands to observe network traffic. For detailed information, see the tcpstat(1M) and ipstat(1M) man pages.
The following example shows output from the ipstat command when run with the -c option. Use the -c option to print newer reports after previous reports, without overwriting the previous report. The number 3 in this example specifies the interval for displaying data, which is the same as if the command were invoked as ipstat 3.
# ipstat -c 3
SOURCE                     DEST           PROTO    INT        BYTES
zucchini                   antares        TCP      net0        72.0
zucchini                   antares        SCTP     net0        64.0
antares                    zucchini       SCTP     net0        56.0
amadeus.foo.example.com    10.6.54.255    UDP      net0        40.0
antares                    zucchini       TCP      net0        40.0
zucchini                   antares        UDP      net0        16.0
antares                    zucchini       UDP      net0        16.0
Total: bytes in: 192.0 bytes out: 112.0
By comparison, the following example shows output of the tcpstat command when used with the -c option:
# tcpstat -c 3
ZONE      PID     PROTO  SADDR          SPORT  DADDR          DPORT  BYTES
global    100680  UDP    antares        62763  agamemnon      1023    76.0
global    100680  UDP    antares        775    agamemnon      1023    38.0
global    100680  UDP    antares        776    agamemnon      1023    37.0
global    100680  UDP    agamemnon      1023   antares        62763   26.0
global    104289  UDP    zucchini       48655  antares        6767    16.0
global    104289  UDP    clytemnestra   51823  antares        6767    16.0
global    104289  UDP    antares        6767   zucchini       48655   16.0
global    104289  UDP    antares        6767   clytemnestra   51823   16.0
global    100680  UDP    agamemnon      1023   antares        776     13.0
global    100680  UDP    agamemnon      1023   antares        775     13.0
global    104288  TCP    zucchini       33547  antares        6868     8.0
global    104288  TCP    clytemnestra   49601  antares        6868     8.0
global    104288  TCP    antares        6868   zucchini       33547    8.0
global    104288  TCP    antares        6868   clytemnestra   49601    8.0
Total: bytes in: 101.0 bytes out: 200.0
The following additional examples show other ways in which you can observe traffic on your network by using the ipstat and tcpstat commands.
Example 1-14 Observing the Five Most Active IP Traffic Flows by Using the ipstat Command
The following example reports the five most active IP traffic flows. The -l nlines option specifies how many lines of data to output per report.
# ipstat -l 5
SOURCE                       DEST                         PROTO   IFNAME   BYTES
charybdis.foo.example.com    achilles.exampl              UDP     net0      6.6K
eratosthenes.example.com     aeneas.example.c             TCP     tun0      6.1K
achilles.exampl              charybdis.foo.example.com    UDP     net0     964.0
aeneas.example.c             eratosthenes.example.com     TCP     tun0     563.0
odysseus.example.            255.255.255.255              UDP     net0      66.0
Total: bytes in: 12.6K bytes out: 2.2K

Example 1-15 Displaying a Time Stamp by Using the ipstat Command
The following example reports the top IP traffic with a time stamp in standard date format (-d d). You can instead specify that the time stamp be printed in seconds, or Unix time (-d u). The interval is set to 10 seconds.
# ipstat -d d -c 10
Monday, March 26, 2012 08:34:07 PM EDT
SOURCE                        DEST                          PROTO   IFNAME   BYTES
charybdis.foo.example.com     achilles.exampl               UDP     net0     15.1K
eratosthenes.example.com      aeneas.example.c              TCP     tun0     13.9K
achilles.exampl               charybdis.foo.example.com     UDP     net0      2.4K
aeneas.example.c              eratosthenes.example.com      TCP     tun0      1.5K
odysseus.example.             255.255.255.255               UDP     net0      66.0
cassiopeia.foo.example.com    aeneas.example.c              TCP     tun0      29.0
aeneas.example.c              cassiopeia.foo.example.com    TCP     tun0      20.0
Total: bytes in: 29.1K bytes out: 3.8K

Example 1-16 Observing the Five Most Active Traffic Flows by Using the tcpstat Command
The following example reports the five most active TCP traffic flows for a server:
# tcpstat -l 5
ZONE     PID     PROTO  SADDR              SPORT  DADDR              DPORT  BYTES
global   28919   TCP    achilles.exampl    65398  aristotle.exampl   443     33.0
zone1    6940    TCP    ajax.example.com   6868   achilles.exampl    61318    8.0
zone1    6940    TCP    achilles.exampl    61318  ajax.example.com   6868     8.0
global   8350    TCP    ajax.example.com   6868   achilles.exampl    61318    8.0
global   8350    TCP    achilles.exampl    61318  ajax.example.com   6868     8.0
Total: bytes in: 16.0 bytes out: 49.0

Example 1-17 Displaying Timestamp Information by Using the tcpstat Command
In the following example, the tcpstat command is used to display timestamp information for TCP network traffic on a server in standard date format:
# tcpstat -d d -c 10
Saturday, March 31, 2012 07:48:05 AM EDT
ZONE     PID     PROTO  SADDR              SPORT  DADDR              DPORT  BYTES
global   2372    TCP    penelope.example   58094  polyphemus.examp   80      37.0
zone1    6940    TCP    ajax.example.com   6868   achilles.exampl    61318    8.0
zone1    6940    TCP    achilles.exampl    61318  ajax.example.com   6868     8.0
global   8350    TCP    ajax.example.com   6868   achilles.exampl    61318    8.0
global   8350    TCP    achilles.exampl    61318  ajax.example.com   6868     8.0
Total: bytes in: 16.0 bytes out: 53.0
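
The tcpstat uses listed earlier (largest traffic sources, traffic per process, which process is using a local port) can be scripted over saved tcpstat -c output. The following Python is an added example, not part of the original documentation: the sample report is constructed from rows shown on this page, the function names are hypothetical, and reading a K, M, or G suffix in BYTES as a multiple of 1024 is an assumption.

```python
from collections import defaultdict

# Constructed sample: one `tcpstat -d d -c` style report built from rows on this page.
SAMPLE = """\
Saturday, March 31, 2012 07:48:05 AM EDT
ZONE PID PROTO SADDR SPORT DADDR DPORT BYTES
global 100680 UDP antares 62763 agamemnon 1023 76.0
global 100680 UDP agamemnon 1023 antares 62763 26.0
global 104289 UDP zucchini 48655 antares 6767 16.0
global 104289 UDP antares 6767 zucchini 48655 16.0
global 104288 TCP zucchini 33547 antares 6868 8.0
global 104288 TCP antares 6868 zucchini 33547 8.0
Total: bytes in: 50.0 bytes out: 100.0
"""

# Assumption: suffixes such as "6.6K" are multiples of 1024.
SCALE = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def to_bytes(field):
    mult = SCALE.get(field[-1].upper())
    return float(field[:-1]) * mult if mult else float(field)

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows have 8 fields with a numeric PID and ports; header,
        # time stamp and "Total:" lines fail this check and are skipped.
        if len(f) != 8 or not (f[1].isdigit() and f[4].isdigit() and f[6].isdigit()):
            continue
        flows.append({"zone": f[0], "pid": int(f[1]), "proto": f[2],
                      "saddr": f[3], "sport": int(f[4]),
                      "daddr": f[5], "dport": int(f[6]), "bytes": to_bytes(f[7])})
    return flows

def bytes_by_process(flows):
    totals = defaultdict(float)
    for fl in flows:
        totals[(fl["zone"], fl["pid"])] += fl["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def port_owners(flows, host, port):
    # host must match the (possibly truncated) name exactly as tcpstat prints it.
    return sorted({(fl["zone"], fl["pid"], fl["proto"]) for fl in flows
                   if (host, port) in ((fl["saddr"], fl["sport"]),
                                       (fl["daddr"], fl["dport"]))})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print(bytes_by_process(flows))
    print(port_owners(flows, "antares", 6868))
```

Only ports that carried traffic during the sampled interval appear in the report, so an empty result from port_owners does not show that the port is unused.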