These classnotes are depreciated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

UNIX02/Ifconfig And Netstat

Classnotes | UNIX02 | RecentChanges | Preferences


ifconfig is a command-line utility to configure and query network interfaces. Here, if stands for "interface", since it can be any number of interfaces which this tool configures (such as ethernet, PPP, SLIP, etc.) If we had wanted to, we could have configured our networking using this tool and route almost entirely! Its normal invocation is this:

 ifconfig interface [address [parameters]]

interface is the interface name, and address is the IP address to be assigned to the interface. This may be either an IP address in dotted quad notation or a name that ifconfig will look up in /etc/hosts.

If ifconfig is invoked with only the interface name, it displays that interface's configuration. When invoked without any parameters, it displays all interfaces you have configured so far; a -a option forces it to show the inactive ones as well. A sample invocation for the Ethernet interface eth0 may look like this:

 # ifconfig eth0
 eth0      Link encap 10Mbps Ethernet  HWaddr 00:00:C0:90:B3:42
           inet addr Bcast Mask
           UP BROADCAST RUNNING  MTU 1500  Metric 0
           RX packets 3136 errors 217 dropped 7 overrun 26
           TX packets 1752 errors 25 dropped 0 overrun 0

The MTU and Metric fields show the current MTU and metric value for that interface. The metric value is traditionally used by some operating systems to compute the cost of a route. Linux doesn't use this value yet, but defines it for compatibility, nevertheless.

The RX and TX lines show how many packets have been received or transmitted error free, how many errors occurred, how many packets were dropped (probably because of low memory), and how many were lost because of an overrun. Receiver overruns usually occur when packets come in faster than the kernel can service the last interrupt. The flag values printed by ifconfig roughly correspond to the names of its command-line options.

ifconfig accepts many different command line options which can be found using the man page for ifconifg. However, the two we will focus on for now are:


This option makes an interface accessible to the IP layer. This option is implied when an address is given on the command line. It may also be used to reenable an interface that has been taken down temporarily using the down option.
This option corresponds to the flags UP and RUNNING.


This option marks an interface inaccessible to the IP layer. This effectively disables any IP traffic through the interface. Note that this option will also automatically delete all routing entries that use this interface.


netstat is a useful tool for checking your network configuration and activity. It is in fact a collection of several tools lumped together.

Displaying the Routing Table

When you invoke netstat with the -r flag, it displays the kernel routing table in the way we've been doing with route. Invoking it may produce:

 # netstat -nr
 Kernel IP routing table
 Destination   Gateway      Genmask         Flags  MSS Window  irtt Iface     *   UH       0 0          0 lo    *     U        0 0          0 eth0   UG       0 0          0 eth0

The -n option makes netstat print addresses as dotted quad IP numbers rather than the symbolic host and network names. This option is especially useful when you want to avoid address lookups over the network (e.g., to a DNS or NIS server).

The second column of netstat's output shows the gateway to which the routing entry points. If no gateway is used, an asterisk is printed instead. The third column shows the "generality" of the route, i.e., the network mask for this route. When given an IP address to find a suitable route for, the kernel steps through each of the routing table entries, taking the bitwise AND of the address and the genmask before comparing it to the target of the route.

The fourth column displays the following flags that describe the route:

  • G - The route uses a gateway.
  • U - The interface to be used is up.
  • H - Only a single host can be reached through the route. For example, this is the case for the loopback entry
  • D - This route is dynamically created. It is set if the table entry has been generated by a routing daemon like gated or by an ICMP redirect message.
  • M - This route is set if the table entry was modified by an ICMP redirect message.
  • ! - The route is a reject route and datagrams will be dropped.

The next three columns show the MSS, Window and irtt that will be applied to TCP connections established via this route. The MSS is the Maximum Segment Size and is the size of the largest datagram the kernel will construct for transmission via this route. The Window is the maximum amount of data the system will accept in a single burst from a remote host. The acronym irtt stands for "initial round trip time." The TCP protocol ensures that data is reliably delivered between hosts by retransmitting a datagram if it has been lost. The TCP protocol keeps a running count of how long it takes for a datagram to be delivered to the remote end, and an acknowledgement to be received so that it knows how long to wait before assuming a datagram needs to retransmitted; this process is called the round-trip time. The initial round-trip time is the value that the TCP protocol will use when a connection is first established. For most network types, the default value is okay, but for some slow networks, notably certain types of amateur packet radio networks, the time is too short and causes unnecessary retransmission. The irtt value can be set using the route command. Values of zero in these fields mean that the default is being used.

Finally, the last field displays the network interface that this route will use.

Displaying Interface Statistics

When invoked with the -i flag, netstat displays statistics for the network interfaces currently configured. If the -a option is also given, it prints all interfaces present in the kernel, not only those that have been configured currently. The output from netstat might look something like this:

 # netstat -i
 Kernel Interface table
 lo      0   0   3185      0      0      0   3185      0      0      0 BLRU
 eth0 1500   0 972633     17     20    120 628711    217      0      0 BRU

The MTU and Met fields show the current MTU and metric values for that interface. The RX and TX columns show how many packets have been received or transmitted error-free (RX-OK/TX-OK) or damaged (RX-ERR/TX-ERR); how many were dropped (RX-DRP/TX-DRP); and how many were lost because of an overrun (RX-OVR/TX-OVR).

The last column shows the flags that have been set for this interface. These characters are one-character versions of the long flag names that are printed when you display the interface configuration with ifconfig:

  • B - A broadcast address has been set.
  • L - This interface is a loopback device.
  • M - All packets are received (promiscuous mode).
  • O - ARP is turned off for this interface.
  • P - This is a point-to-point connection.
  • R - Interface is running.
  • U - Interface is up.

Displaying Connections

netstat supports a set of options to display active or passive sockets. The options -t, -u, -w, and -x show active TCP, UDP, RAW, or Unix socket connections. If you provide the -a flag in addition, sockets that are waiting for a connection (i.e., listening) are displayed as well. This display will give you a list of all servers that are currently running on your system.

Invoking netstat -ta it may produce this output:

 sam@rygel:~$ netstat -ta
 Active Internet connections (servers and established)
 Proto Recv-Q Send-Q Local Address           Foreign Address         State
 tcp        0      0 *:bootpc                *:*                     LISTEN
 tcp        0      0 *:sunrpc                *:*                     LISTEN
 tcp        0      0 *:ssh                   *:*                     LISTEN
 tcp        0      0 pc272-19.physics.Ar:ssh ESTABLISHED

This output shows most servers simply waiting for an incoming connection. However, the fourth connection is an ssh connection from one machine to another.

Using the -a flag by itself will display all sockets from all families.

Classnotes | UNIX02 | RecentChanges | Preferences
This page is read-only | View other revisions
Last edited April 25, 2003 10:57 pm (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.