Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

tcpstat(8)

Name

tcpstat - report statistics on TCP and UDP traffic

Synopsis

tcpstat [-cegkLmnrt] [-a 
address[,address...]] [-A 
address[,address...]]
	    [-d d|u] [-E all|event[,event...]] [-i interface[,interface...]]
[-i pid[,pid]] [-l nlines]
	    [-p port[,port...]] [-P port[
,port...]] [-s key | -S key] 
	[-T protocol[,protocol...]]
	    [-u R|K|M|G|T|P] [-x opt[
=val][,opt[=val]...]]
	    [-z zonename[,zonename...
]] [interval [count]]

Description

The tcpstat utility gathers and reports statistics on TCP and UDP traffic, error events, and MIB events based on the selected output mode and sort order. tcpstat provides options to gather and report statistics only on traffic matching specified source or destination address, interface, process ID, source or destination port, and zonename.

Options

The following options are supported:

–a address[,address...]

Filter on source address.

–A address[,address...]

Filter on destination address.

–c

Print new reports below previous reports instead of overprinting them.

–d d|u

Print a timestamp for each report in either standard date format (-d d) or in seconds since epoch, that is, Unix time (-d u).

–e

Display packet error events.

–E all|event[,event...]

Display comma-separated list of TCP and UDP MIB events or all of them, event names are case-insensitive. For a full set of available events, run the tcpstat -L command.

–g

Group by traffic flow.

–i pid[,pid...]

Filter on pid.

–k

Display statistics in packets.

–l nlines

The number of lines of data to output per report.

–L

List all available protocol events.

–m

Produce machine-parsable output.

–n

Show network addresses as numbers. Do not resolve IP addresses to hostnames.

–p port[,port...]

Filter on source port name.

–P

Filter on destination port name.

–r

Only display data for packets being received.

–s key | –S key

Sort in ascending (–S) or descending (–s) order by key, where the keys are as follows:

  • zone - zonename

  • pid - process ID

  • proto - transport-layer protocol

  • source - source IP address

  • sport - source port

  • dest - destination IP address

  • dport - destination port

  • bytes - amount of data

By default, the data of protocol traffic is sorted in descending order by bytes. The data of protocol events or error events is grouped by flow tuples in descending order.

–t

Only display data for packets being transmitted.

–u R|K|M|G|T|P

If used, allows choosing the unit in which to display all statistics, for example, R: raw count, K: Kilobits, M:Megabits, T: Terabits, P: Petabits. If not used, then different units, as appropriate, are used to display the statistics, using the format xy.zU, where x, y, and z are numbers and U is the appropriate unit.

–T protocol[ ,protocol...]

Specify which transport-layer protocol to display. The acceptable options are tcp or udp. By default, data is displayed for all supported transport-layer protocols.

–x opt=val[,opt=val]

Enable or modify a DTrace runtime option or D compiler option. The full list of options is found in dtrace(8). For this utility, the aggsize and aggrate options will be most useful. The utility will display an error message similar to the following if you need to modify one of these options:

Data dropped.  Consider using '-x aggsize=8k' option.

The default for aggsize is 512k. The default for aggrate is 1Hz.

–z zonename[ ,zonename...]

Filters on zonename.

Output

The following list defines the column headings and the meanings of an tcpstat report:

ZONE

The name of the zone associated with this network traffic.

PID

The process ID associated with this network traffic.

PROTO

The protocol associated with this network traffic.

SADDR

The source IP address or hostname associated with this network traffic.

SPORT

The source port associated with this network traffic.

DADDR

The destination IP address or hostname associated with this network traffic.

DPORT

The destination port associated with this network traffic.

RATE

The rate of network traffic or packet error events over the sampling interval. The rate is shown in bytes, but may be changed to packets with –k. In non-parsable mode, the rate will be scaled as necessary (optionally adjusted per –u option) and shown with K, M, G, T, or P suffixes. In parsable mode, an unscaled rate is always shown.

EVENT

The name of protocol events.

ERR-BYTES

The rate of packet error events over the sampling interval. In regular output, the rate is reported in bytes (no suffix), kilobytes (K), megabytes (M), gigabytes(G), terabytes (T), or petabytes (P) per second. In machine-parsable output, the rate is given in bytes per second. The –u option can be used to specify a fixed unit for this number.

PKTS

The rate of network traffic in packets over the sampling interval. In regular output, the rate is reported in packets per second (no suffix), kilo packets per second (K), mega packets per second (M), giga packets per second (G), tera packets per second (T), or peta packets per second (P). In machine-parsable output, the rate is given in packets per second. The –u option can be used to specify a fixed unit for this number.

ERR-PKTS

The rate of packet error events in packets over the sampling interval. In regular output, the rate is reported in packets per second (no suffix), kilo packets per second (K), mega packets per second (M), giga packets per second (G), tera packets per second (T), or peta packets per second (P). In machine-parsable output, the rate is given in packets per second. The –u option can be used to specify a fixed unit for this number.

EVENT

The name of protocol events.

Operands

The following operands are supported:

count

Specifies the number of times that the statistics are to be repeated. By default, tcpstat reports statistics until a termination signal is received.

interval

Specifies the sampling interval in seconds; the default interval is 5 seconds.

Exit Status

The following exit values are returned:

0

Successful completion.

1

An error occurred.

Examples

Example 1 Reporting the Five Most Active Traffic Flows

The following command reports the five most active traffic flows.

$ ./tcpstat -l 5
ZONE            PID PROTO  SADDR            SPORT DADDR            DPORT   BYTES
global        28919 TCP    duff.cs.uni.edu  65398 adc-twvpn-1.orac   443   33.0 
zone1          6940 TCP    duff-dry.cs.uni.  6868 duff.cs.uni.edu  61318    8.0 
zone1          6940 TCP    duff.cs.uni.edu  61318 duff-dry.cs.uni.  6868    8.0 
global         8350 TCP    duff-dry.cs.uni.  6868 duff.cs.uni.edu  61318    8.0 
global         8350 TCP    duff.cs.uni.edu  61318 duff-dry.cs.uni.  6868    8.0 
Total: bytes in: 16.0  bytes out: 49.0 

Example 2 Displaying a Timestamp

The following command reports the top network traffic with a timestamp in standard date format. New reports are printed below previous reports, and the interval is set to ten seconds.

$ ./tcpstat -d d -c 10
Saturday, March 31, 2012 07:48:05 AM EDT
ZONE            PID PROTO  SADDR            SPORT DADDR            DPORT   BYTES
global         2372 TCP    heineken.splat.u 58094 rmdc-proxy.oracl    80   37.0 
zone1          6940 TCP    duff-dry.cs.uni.  6868 duff.cs.uni.edu  61318    8.0 
zone1          6940 TCP    duff.cs.uni.edu  61318 duff-dry.cs.uni.  6868    8.0 
global         8350 TCP    duff-dry.cs.uni.  6868 duff.cs.uni.edu  61318    8.0 
global         8350 TCP    duff.cs.uni.edu  61318 duff-dry.cs.uni.  6868    8.0 
Total: bytes in: 16.0  bytes out: 53.0
Example 3 Specifying a DTrace Runtime Option

The following command sets the DTrace runtime option aggsize to 1K. As this is too small for the collected data, an error is displayed to indicate that data has been dropped.

$ ./tcpstat -x aggsize=1k -c 1
Please wait...
ZONE            PID PROTO  SADDR            SPORT DADDR            DPORT   BYTES
zone1          6940 TCP    duff.cs.uni.edu  61318 duff-dry.cs.uni.  6868    8.0 
global         8350 TCP    duff-dry.cs.uni.  6868 duff.cs.uni.edu  61318    8.0 
global         8350 TCP    duff.cs.uni.edu  61318 duff-dry.cs.uni.  6868    8.0 
Data dropped.  Consider using '-x aggsize=2k' option.
Total: bytes in:  0.0  bytes out:  0.0 
Example 4 Generating Machine-Parsable Output

The following command displays the data in one-second intervals in a machine-parsable format with a Unix-format timestamp.

$ ./tcpstat -d u -m 1
timestamp:1333144286
global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:44403:21083
global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:59012:3136
global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:37122:925
global:TCP:2372:harp.blat.uni.edu:59012:adc-proxy.oracle.com:80:670
global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:64848:478
global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:43355:425
global:TCP:2372:harp.blat.uni.edu:37122:adc-proxy.oracle.com:80:414
global:TCP:2372:harp.blat.uni.edu:44403:adc-proxy.oracle.com:80:403
zone1:TCP:6940:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8
zone1:TCP:6940:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8
global:TCP:8350:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8
global:TCP:8350:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8
total:TCP:26063:1503
timestamp:1333144287
zone1:TCP:6940:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8
zone1:TCP:6940:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8
global:TCP:8350:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8
global:TCP:8350:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8
total:16:16
Example 5 Reporting TCP Related Packet Error Events

The following command reports the events for TCP packet errors. New reports are printed below previous reports, and the interval is set to ten seconds.

$ ./tcpstat -e -T tcp -c 10
ZONE         PID PROTO  SADDR            SPORT DADDR  DPORT  ERR-PKTS           EVENT
global    100574 TCP    dhcp-santaclara1 59198 impel     22         1       tcpInErrs
global    100574 TCP    impel               22 agnew     22         1 tcpAttemptFails
Total packets: 2
Example 6 Reporting all TCP and UDP Events

The following command reports the traffic flows for all the TCP and UDP events.

$ ./tcpstat -E all
ZONE         PID PROTO  SADDR             SPORT DADDR             DPORT  PKTS           EVENT
global    100519 TCP    x4600m2-sfb-01.u  35688 impel                22     1    tcpRttUpdate
global    100519 TCP    x4600m2-sfb-01.u  35688 impel                22     1    tcpInAckSegs
global    100519 TCP    impel                22 x4600m2-sfb-01.u  35688     1  tcpOutDataSegs
global    100485 UDP    10.5.238.52       58711 10.255.255.255      111     1       udpInData
Total packets: 4
Example 7 Reporting TCP Related Events
$ ./tcpstat -E all -T udp -n
ZONE       PID PROTO SADDR          SPORT  DADDR          DPORT  PKTS            EVENT
global  100519 TCP   10.132.148.89  39443  10.134.71.92      22     5 tcpInInorderSegs
global  100519 TCP   10.132.148.89  39443  10.134.71.92      22     1     tcpInAckSegs
global  100519 TCP   10.132.148.89  39443  10.134.71.92      22     1     tcpRttUpdate
global  100519 TCP   10.134.71.92      22  10.132.148.8   39443     4        tcpOutAck
global  100519 TCP   10.134.71.92      22  10.132.148.89  39443     1   tcpOutDataSegs
Total packets: 12

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/core-os

See Also

dtrace(8), ipstat(8), netstat(8)

Notes

The data presented are not sampled data. The values represent an accurate count of the network traffic. In the event that data are dropped, an error message will be displayed to indicate this.