tcpstat - report statistics on TCP and UDP traffic
tcpstat [-cegkLmnrt] [-a address[,address...]] [-A address[,address...]] [-d d|u] [-E all|event[,event...]] [-i interface[,interface...]] [-i pid[,pid]] [-l nlines] [-p port[,port...]] [-P port[ ,port...]] [-s key | -S key] [-T protocol[,protocol...]] [-u R|K|M|G|T|P] [-x opt[ =val][,opt[=val]...]] [-z zonename[,zonename... ]] [interval [count]]
The tcpstat utility gathers and reports statistics on TCP and UDP traffic, error events, and MIB events based on the selected output mode and sort order. tcpstat provides options to gather and report statistics only on traffic matching specified source or destination address, interface, process ID, source or destination port, and zonename.
The following options are supported:
Filter on source address.
Filter on destination address.
Print new reports below previous reports instead of overprinting them.
Print a timestamp for each report in either standard date format (-d d) or in seconds since epoch, that is, UNIX time (-d u).
Display packet error events.
Display comma-separated list of TCP and UDP MIB events or all of them, event names are case-insensitive. For a full set of available events, run the tcpstat -L command.
Group by traffic flow.
Filter on pid.
Display statistics in packets.
The number of lines of data to output per report.
List all available protocol events.
Produce machine-parsable output.
Show network addresses as numbers. Do not resolve IP addresses to hostnames.
Filter on source port name.
Filter on destination port name.
Only display data for packets being received.
Sort in ascending (–S) or descending (–s) order by key, where the keys are as follows:
zone - zonename
pid - process ID
proto - transport-layer protocol
source - source IP address
sport - source port
dest - destination IP address
dport - destination port
bytes - amount of data
By default, the data of protocol traffic is sorted in descending order by bytes. The data of protocol events or error events is grouped by flow tuples in descending order.
Only display data for packets being transmitted.
If used, allows choosing the unit in which to display all statistics, for example, R: raw count, K: Kilobits, M:Megabits, T: Terabits, P: Petabits. If not used, then different units, as appropriate, are used to display the statistics, using the format xy.zU, where x, y, and z are numbers and U is the appropriate unit.
Specify which transport-layer protocol to display. The acceptable options are tcp or udp. By default, data is displayed for all supported transport-layer protocols.
Enable or modify a DTrace runtime option or D compiler option. The full list of options is found in dtrace(8). For this utility, the aggsize and aggrate options will be most useful. The utility will display an error message similar to the following if you need to modify one of these options:
Data dropped. Consider using '-x aggsize=8k' option.
The default for aggsize is 512k. The default for aggrate is 1Hz.
Filters on zonename.
The following list defines the column headings and the meanings of an tcpstat report:
The name of the zone associated with this network traffic.
The process ID associated with this network traffic.
The protocol associated with this network traffic.
The source IP address or hostname associated with this network traffic.
The source port associated with this network traffic.
The destination IP address or hostname associated with this network traffic.
The destination port associated with this network traffic.
The rate of network traffic or packet error events over the sampling interval. The rate is shown in bytes, but may be changed to packets with –k. In non-parsable mode, the rate will be scaled as necessary (optionally adjusted per –u option) and shown with K, M, G, T, or P suffixes. In parsable mode, an unscaled rate is always shown.
The name of protocol events.
The rate of packet error events over the sampling interval. In regular output, the rate is reported in bytes (no suffix), kilobytes (K), megabytes (M), gigabytes(G), terabytes (T), or petabytes (P) per second. In machine-parsable output, the rate is given in bytes per second. The –u option can be used to specify a fixed unit for this number.
The rate of network traffic in packets over the sampling interval. In regular output, the rate is reported in packets per second (no suffix), kilo packets per second (K), mega packets per second (M), giga packets per second (G), tera packets per second (T), or peta packets per second (P). In machine-parsable output, the rate is given in packets per second. The –u option can be used to specify a fixed unit for this number.
The rate of packet error events in packets over the sampling interval. In regular output, the rate is reported in packets per second (no suffix), kilo packets per second (K), mega packets per second (M), giga packets per second (G), tera packets per second (T), or peta packets per second (P). In machine-parsable output, the rate is given in packets per second. The –u option can be used to specify a fixed unit for this number.
The name of protocol events.
The following operands are supported:
Specifies the number of times that the statistics are to be repeated. By default, tcpstat reports statistics until a termination signal is received.
Specifies the sampling interval in seconds; the default interval is 5 seconds.
The following exit values are returned:
Successful completion.
An error occurred.
The following command reports the five most active traffic flows.
$ ./tcpstat -l 5 ZONE PID PROTO SADDR SPORT DADDR DPORT BYTES global 28919 TCP duff.cs.uni.edu 65398 adc-twvpn-1.orac 443 33.0 zone1 6940 TCP duff-dry.cs.uni. 6868 duff.cs.uni.edu 61318 8.0 zone1 6940 TCP duff.cs.uni.edu 61318 duff-dry.cs.uni. 6868 8.0 global 8350 TCP duff-dry.cs.uni. 6868 duff.cs.uni.edu 61318 8.0 global 8350 TCP duff.cs.uni.edu 61318 duff-dry.cs.uni. 6868 8.0 Total: bytes in: 16.0 bytes out: 49.0Example 2 Displaying a Timestamp
The following command reports the top network traffic with a timestamp in standard date format. New reports are printed below previous reports, and the interval is set to ten seconds.
$ ./tcpstat -d d -c 10 Saturday, March 31, 2012 07:48:05 AM EDT ZONE PID PROTO SADDR SPORT DADDR DPORT BYTES global 2372 TCP heineken.splat.u 58094 rmdc-proxy.oracl 80 37.0 zone1 6940 TCP duff-dry.cs.uni. 6868 duff.cs.uni.edu 61318 8.0 zone1 6940 TCP duff.cs.uni.edu 61318 duff-dry.cs.uni. 6868 8.0 global 8350 TCP duff-dry.cs.uni. 6868 duff.cs.uni.edu 61318 8.0 global 8350 TCP duff.cs.uni.edu 61318 duff-dry.cs.uni. 6868 8.0 Total: bytes in: 16.0 bytes out: 53.0Example 3 Specifying a DTrace Runtime Option
The following command sets the DTrace runtime option aggsize to 1K. As this is too small for the collected data, an error is displayed to indicate that data has been dropped.
$ ./tcpstat -x aggsize=1k -c 1 Please wait... ZONE PID PROTO SADDR SPORT DADDR DPORT BYTES zone1 6940 TCP duff.cs.uni.edu 61318 duff-dry.cs.uni. 6868 8.0 global 8350 TCP duff-dry.cs.uni. 6868 duff.cs.uni.edu 61318 8.0 global 8350 TCP duff.cs.uni.edu 61318 duff-dry.cs.uni. 6868 8.0 Data dropped. Consider using '-x aggsize=2k' option. Total: bytes in: 0.0 bytes out: 0.0Example 4 Generating Machine-Parsable Output
The following command displays the data in one-second intervals in a machine-parsable format with a UNIX-format timestamp.
$ ./tcpstat -d u -m 1 timestamp:1333144286 global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:44403:21083 global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:59012:3136 global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:37122:925 global:TCP:2372:harp.blat.uni.edu:59012:adc-proxy.oracle.com:80:670 global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:64848:478 global:TCP:2372:adc-proxy.oracle.com:80:harp.blat.uni.edu:43355:425 global:TCP:2372:harp.blat.uni.edu:37122:adc-proxy.oracle.com:80:414 global:TCP:2372:harp.blat.uni.edu:44403:adc-proxy.oracle.com:80:403 zone1:TCP:6940:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8 zone1:TCP:6940:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8 global:TCP:8350:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8 global:TCP:8350:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8 total:TCP:26063:1503 timestamp:1333144287 zone1:TCP:6940:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8 zone1:TCP:6940:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8 global:TCP:8350:duff-dry.cs.uni.edu:6868:duff.cs.uni.edu:61318:8 global:TCP:8350:duff.cs.uni.edu:61318:duff-dry.cs.uni.edu:6868:8 total:16:16Example 5 Reporting TCP Related Packet Error Events
The following command reports the events for TCP packet errors. New reports are printed below previous reports, and the interval is set to ten seconds.
$ ./tcpstat -e -T tcp -c 10 ZONE PID PROTO SADDR SPORT DADDR DPORT ERR-PKTS EVENT global 100574 TCP dhcp-santaclara1 59198 impel 22 1 tcpInErrs global 100574 TCP impel 22 agnew 22 1 tcpAttemptFails Total packets: 2Example 6 Reporting all TCP and UDP Events
The following command reports the traffic flows for all the TCP and UDP events.
$ ./tcpstat -E all ZONE PID PROTO SADDR SPORT DADDR DPORT PKTS EVENT global 100519 TCP x4600m2-sfb-01.u 35688 impel 22 1 tcpRttUpdate global 100519 TCP x4600m2-sfb-01.u 35688 impel 22 1 tcpInAckSegs global 100519 TCP impel 22 x4600m2-sfb-01.u 35688 1 tcpOutDataSegs global 100485 UDP 10.5.238.52 58711 10.255.255.255 111 1 udpInData Total packets: 4Example 7 Reporting TCP Related Events
$ ./tcpstat -E all -T udp -n ZONE PID PROTO SADDR SPORT DADDR DPORT PKTS EVENT global 100519 TCP 10.132.148.89 39443 10.134.71.92 22 5 tcpInInorderSegs global 100519 TCP 10.132.148.89 39443 10.134.71.92 22 1 tcpInAckSegs global 100519 TCP 10.132.148.89 39443 10.134.71.92 22 1 tcpRttUpdate global 100519 TCP 10.134.71.92 22 10.132.148.8 39443 4 tcpOutAck global 100519 TCP 10.134.71.92 22 10.132.148.89 39443 1 tcpOutDataSegs Total packets: 12
See attributes(7) for descriptions of the following attributes:
|
dtrace(8), ipstat(8), netstat(8)
The data presented are not sampled data. The values represent an accurate count of the network traffic. In the event that data are dropped, an error message will be displayed to indicate this.