How to Use Sockstat and Netstat Commands on FreeBSD

This article will explain how to use the sockstat and netstat commands on FreeBSD. To make it easier for readers to understand these two basic commands, we have tried to write this article simply without reducing the details in explaining these two commands.


List of contents:
1. Understanding Sockstat and Netstat
2. How to Use Sockstat
3. How to Use Netstat


1. Understanding Sockstat and Netstat

For a system administrator, these two commands are very important, just imagine if we were faced with a server computer, we would definitely not know what applications were being run by the server computer. With the help of sockstat and netstat, a system administrator can find out the socket port and applications/programs being run by the server computer, so that we can carry out maintenance according to the applications currently running on the server computer.

Sockstat is a versatile command line utility used to display network port sockets and programs open or in use in FreeBSD. If you use the FreeBSD operating system, the sockstat command does not need to be installed. By default Sockstat is installed on FreeBSD, so you just have to use it.

The sockstat command can also list open sockets based on protocol version, connection status and on which port the daemon or program is running. With sockstat it is also possible to display inter-process communication sockets, known as Unix domain sockets or IPC. The Sockstat command combined with the grep filter or with the awk through pipeline utility turns out to be a powerful tool for local network management.

Meanwhile, netstat is used to view network status including open ports, TCP/UDP connections, and others. The network statistics (netstat) command can also be used for troubleshooting and configuration, which can also serve as a monitoring tool for connections over the network. Incoming and outgoing connections, routing tables, reading ports and statistics of protocols in use.


2. How to Use Sockstat

Before we practice how to use sockstat, here is a list of commands you can use to work with sockstat.

DESCRIPTION
The sockstat command lists open Internet or UNIX domain sockets.

The following options are available:

-4 Show AF_INET (IPv4) sockets.

-6 Show AF_INET6 (IPv6) sockets.

-C Display the congestion control module, if applicable. This
is currently only implemented for TCP.

-c Show connected sockets.

-i Display the inp_gencnt.

-j jail Show only sockets belonging to the specified jail ID or name.

-L Only show Internet sockets if the local and foreign addresses
are not in the loopback network prefix 127.0.0.0/8, or do not
contain the IPv6 loopback address ::1.

-l Show listening sockets.

-n Do not resolve numeric UIDs to user names.

-p ports Only show Internet sockets if the local or foreign port
number is on the specified list. The ports argument is a
comma-separated list of port numbers and ranges specified as
first and last port separated by a dash.

-P protocols
Only show sockets of the specified protocols. The protocols
argument is a comma-separated list of protocol names, as they
are defined in protocols(5).

-q Quiet mode, do not print the header line.

-S Display the protocol stack, if applicable. This is currently
only implemented for TCP.

-s Display the protocol state, if applicable. This is currently
only implemented for SCTP and TCP.

-U Display the remote UDP encapsulation port number, if
applicable. This is currently only implemented for SCTP and
TCP.

-u Show AF_LOCAL (UNIX) sockets.

-v Verbose mode.

-w Use wider field size for displaying addresses.


The following is an example of using the sockstat command.

a. View all open ports

root@ns1:~ # sockstat
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 45933 4 tcp4 192.168.5.2:22 192.168.5.4:59217
root sshd 45933 8 stream (not connected)
root sshd 815 4 tcp6 *:22 *:*
root sshd 815 5 tcp4 *:22 *:*
unbound unbound 760 3 udp4 192.168.5.2:53 *:*
unbound unbound 760 4 tcp4 192.168.5.2:53 *:*
unbound unbound 760 5 udp4 192.168.5.2:853 *:*
unbound unbound 760 6 tcp4 192.168.5.2:853 *:*
_tor tor 1014 5 tcp4 192.168.5.2:9050 *:*
_tor tor 1014 6 udp4 192.168.5.2:9053 *:*
root syslogd 751 6 udp6 *:514 *:*
root syslogd 751 7 udp4 *:514 *:*
ldap slapd 542 6 stream /var/run/openldap/ldapi
ldap slapd 542 7 tcp4 *:389 *:*


In the example above we can explain it as follows.
USER: Owner or user who owns the socket/port.
COMMAND: Program that opens sockets/ports.
PID: The process ID of the command that owns the socket.
FD: Socket file descriptor number.
PROTO: The transport protocol (usually TCP/UDP) is associated with an open socket or socket type in the case of unix domain sockets (datagram, stream, or seqpac) for UNIX sockets.
LOCAL ADDRESS: IP Address and port used by the socket
FOREIGN ADDRESS : The remote IP address to which the socket is connected.


b. View Open IP4 Ports

root@ns1:~ # sockstat -4
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 922 4 tcp4 192.168.5.2:22 192.168.5.4:55525
www httpd 917 4 tcp4 *:80 *:*
www httpd 916 4 tcp4 *:80 *:*
www httpd 915 4 tcp4 *:80 *:*
www httpd 914 4 tcp4 *:80 *:*
www httpd 913 4 tcp4 *:80 *:*
root httpd 894 4 tcp4 *:80 *:*
root sshd 828 5 tcp4 *:22 *:*
root syslogd 760 7 udp4 *:514 *:*
ldap slapd 313 7 tcp4 *:389 *:*


c. View Open IP6 ports

root@ns1:~ # sockstat -6
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
www httpd 917 3 tcp6 *:80 *:*
www httpd 916 3 tcp6 *:80 *:*
www httpd 915 3 tcp6 *:80 *:*
www httpd 914 3 tcp6 *:80 *:*
www httpd 913 3 tcp6 *:80 *:*
root httpd 894 3 tcp6 *:80 *:*
root sshd 828 4 tcp6 *:22 *:*
root syslogd 760 6 udp6 *:514 *:*



d. Viewing Open TCP/UDP Protocols

oot@ns1:~ # sockstat -P tcp
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 922 4 tcp4 192.168.5.2:22 192.168.5.4:55525
www httpd 917 3 tcp6 *:80 *:*
www httpd 917 4 tcp4 *:80 *:*
www httpd 915 3 tcp6 *:80 *:*
www httpd 915 4 tcp4 *:80 *:*
www httpd 914 3 tcp6 *:80 *:*
www httpd 914 4 tcp4 *:80 *:*
www httpd 913 3 tcp6 *:80 *:*
www httpd 913 4 tcp4 *:80 *:*
root httpd 894 3 tcp6 *:80 *:*
root httpd 894 4 tcp4 *:80 *:*


root@ns1:~ # sockstat -P udp
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root syslogd 760 6 udp6 *:514 *:*
root syslogd 760 7 udp4 *:514 *:*



e. View Specific TCP/UDP Ports

root@ns1:~ # sockstat -P tcp -p 443
root@ns1:~ #
sockstat -P udp -p 53
root@ns1:~ #
sockstat -P tcp -p 443,53,80,21


f. View Open and Connected Ports

root@ns1:~ # sockstat -P tcp -p 22 -c
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 922 4 tcp4 192.168.5.2:22 192.168.5.4:55525


root@ns1:~ #
sockstat -P tcp -c
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 922 4 tcp4 192.168.5.2:22 192.168.5.4:55525


g. View UNIX Socket and Pipe Names

root@ns1:~ # sockstat -u
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 922 8 stream (not connected)
root syslogd 760 8 dgram /var/run/log
root syslogd 760 9 dgram /var/run/logpriv
root devd 549 4 stream /var/run/devd.pipe
root devd 549 5 seqpac /var/run/devd.seqpacket.pipe
root devd 549 8 dgram -> /var/run/logpriv
ldap slapd 313 6 stream /var/run/openldap/ldapi



h. View Programs/Applications That Open Ports

root@ns1:~ # sockstat -46 | grep nginx
root@ns1:~ #
sockstat -46 | grep ssh
root@ns1:~ #
sockstat -46 | grep unbound


i. View Connected Programs/Applications and Open Ports

root@ns1:~ # sockstat -46 -c| grep nginx
root@ns1:~ #
sockstat -46 -c | grep ssh

Apart from the commands exemplified above, you can also try other commands, such as those below.

root@ns1:~ # sockstat -46 -s -P TCP -p 22 -c
root@ns1:~ # sockstat -46 -c | egrep '22|389' | awk '{print $7}' | uniq -c | sort -nr
root@ns1:~ # sockstat -46 -c -p 22,389 | grep -v ADDRESS|awk '{print $7}' | uniq -c | sort -nr
root@ns1:~ # sockstat -46 -l -s
root@ns1:~ # sockstat -4 -l | grep :22



3. How to Use Netstat

Before we practice how to use sockstat, here is a list of commands that you can use to work with netstat.

usage: netstat [-46AaCcLnRSTWx] [-f protocol_family | -p protocol]
[-M core] [-N system]
netstat -i | -I interface [-46abdhnW] [-f address_family]
[-M core] [-N system]
netstat -w wait [-I interface] [-46d] [-M core] [-N system]
[-q howmany]
netstat -s [-46sz] [-f protocol_family | -p protocol]
[-M core] [-N system]
netstat -i | -I interface -s [-46s]
[-f protocol_family | -p protocol] [-M core] [-N system]
netstat -m [-M core] [-N system]
netstat -B [-z] [-I interface]
netstat -r [-46AnW] [-F fibnum] [-f address_family]
[-M core] [-N system]
netstat -rs [-s] [-M core] [-N system]
netstat -g [-46W] [-f address_family] [-M core] [-N system]
netstat -gs [-46s] [-f address_family] [-M core] [-N system]
netstat -Q

The following is an example of using the sockstat command.

a. View all Ports and Connections

root@ns1:~ # netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 ns1.ssh 192.168.5.4.55525 ESTABLISHED
tcp4 0 0 *.http *.* LISTEN
tcp6 0 0 *.http *.* LISTEN
tcp4 0 0 *.ssh *.* LISTEN
tcp6 0 0 *.ssh *.* LISTEN
tcp4 0 0 *.ldap *.* LISTEN
udp4 0 0 *.syslog *.*
udp6 0 0 *.syslog *.*
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
fffff80012530600 stream 0 0 0 0 0 0
fffff80012530c00 stream 0 0 fffff80012b6b7a0 0 0 0 /var/run/devd.pipe
fffff80012530d00 stream 0 0 fffff80012b697a0 0 0 0 /var/run/openldap/ldapi
fffff8001255ba00 dgram 0 0 0 fffff800126e8b00 0 0
fffff800126e8b00 dgram 0 0 fffff80012a201e8 0 fffff8001255ba00 0 /var/run/logpriv
fffff80012530700 dgram 0 0 fffff80012a205b8 0 0 0 /var/run/log
fffff80012530b00 seqpac 0 0 fffff80012b6b3d0 0 0 0 /var/run/devd.seqpacket.pipe

b. Viewing Open Connections

root@ns1:~ # netstat -na -f inet
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 44 192.168.5.2.22 192.168.5.4.15414 ESTABLISHED
tcp4 0 0 *.80 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp4 0 0 *.389 *.* LISTEN
udp4 0 0 *.514 *.*



c. Displays the Kernel Memory Used by the Network

root@ns1:~ # netstat -m
257/1018/1275 mbufs in use (current/cache/total)
256/506/762/109049 mbuf clusters in use (current/cache/total/max)
256/506 mbuf+clusters out of packet secondary zone in use (current/cache)
0/508/508/54524 4k (page size) jumbo clusters in use (current/cache/total/max)
0/0/0/16155 9k jumbo clusters in use (current/cache/total/max)
0/0/0/9087 16k jumbo clusters in use (current/cache/total/max)
576K/3298K/3874K bytes allocated to network (current/cache/total)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
0/0/0 requests for mbufs delayed (mbufs/clusters/mbuf+clusters)
0/0/0 requests for jumbo clusters delayed (4k/9k/16k)
0/0/0 requests for jumbo clusters denied (4k/9k/16k)
0 sendfile syscalls
0 sendfile syscalls completed without I/O request
0 requests for I/O initiated by sendfile
0 pages read by sendfile as part of a request
0 pages were valid at time of a sendfile request
0 pages were valid and substituted to bogus page
0 pages were requested for read ahead by applications
0 pages were read ahead by sendfile
0 times sendfile encountered an already busy page
0 requests for sfbufs denied
0 requests for sfbufs delayed


d. Displays Network Statistics

root@ns1:~ # netstat -i
Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll
nfe0 1500 <Link#1> 00:24:21:88:69:24 65877 0 0 322 0 0
nfe0 - 192.168.5.0/2 ns1 259 - - 317 - -
lo0 16384 <Link#2> lo0 0 0 0 0 0 0
lo0 - localhost localhost 0 - - 0 - -
lo0 - fe80::%lo0/64 fe80::1%lo0 0 - - 0 - -
lo0 - your-net localhost 0 - - 0 - -

e. Displays Socket Information

root@ns1:~ # netstat -lx
Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address R-MBUF S-MBUF R-CLUS S-CLUS R-HIWA S-HIWA R-LOWA S-LOWA R-BCNT S-BCNT R-BMAX S-BMAX rexmt persist keep 2msl delack rcvtime
tcp4 0 44 ns1.ssh 192.168.5.4.15414 0 1 0 0 65700 33580 1 2048 0 256 525600 268640 0.23 0.00 5321.34 0.00 0.00 0.00
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
fffff8000b472100 stream 0 0 0 0 0 0
fffff8000b546b00 stream 0 0 fffff8000b6f5000 0 0 0 /var/run/devd.pipe
fffff8000b546c00 stream 0 0 fffff8000b46b3d0 0 0 0 /var/run/openldap/ldapi
fffff8000b472600 dgram 0 0 0 fffff8000b472b00 0 fffff8000b472800
fffff8000b472800 dgram 0 0 0 fffff8000b472b00 0 0
fffff8000b472b00 dgram 0 0 fffff8000bfcc3d0 0 fffff8000b472600 0 /var/run/logpriv
fffff8000b472d00 dgram 0 0 fffff8000bfcc7a0 0 0 0 /var/run/log
fffff8000b546a00 seqpac 0 0 fffff8000b51ab70 0 0 0 /var/run/devd.seqpacket.pipe


Although the netstat command is a powerful system administrator tool, you don't need to be a sysadmin to use it. As we have seen, netstat is useful in many scenarios, even if our goal is simply to secure everyday browsing activities.

But netstat should not be limited to the commands discussed here, options and flags can significantly expand the scope of what can be done with the netstat command.
Iwan Setiawan

I Like Adventure: Mahameru Mount, Rinjani Mount I Like Writer FreeBSD

Post a Comment

Previous Post Next Post