Understand the Network

The following chapter takes a deeper look at network utilisation.

netbar [Tools CD] - Display Network Traffic graphically

netbar displays two bar-graphs for each network interface.

  • The left one is the input bandwidth, the right one the output bandwidth.

  • The green area shows the used bandwidth and the blue area shows the available one.

On each bar-graph, a red marker shows the maximum bandwidth observed during the last period, and a dashed black & white marker shows the average bandwidth during the same period.

At the bottom of the bars, input and output rates are displayed numerically; the middle mouse button selects between the last (green), average (white) and maximum (red) values. Between the bar-graphs, a white line displays the error rate while a red line displays the collision rate.

The display mode can be toggled between logarithmic and linear with the left mouse button. In linear mode, scaling is automatic.

A thin white line shows the reported maximum interface speed. If this line spans both bars, the interface is in full-duplex mode; if it is limited to half of the bars, the interface is in half-duplex mode. All values are in bits per second.

netbar – sample output

netsum [Tools CD] – Displays Network Traffic

netsum is a netstat-like tool; however, its output is in kilobytes per second, packets per second, errors, collisions, and multicast.

netsum – sample output

nicstat [Tools CD] - Print Statistics for Network Interfaces

nicstat prints statistics for the network interfaces such as kilobytes per second read and written, packets per second read and written, average packet size, estimated utilisation in percent and interface saturation.

nicstat – sample output

netstat – Network Wizard

If you want to understand network behavior on a running system, your first stop may be the netstat command. netstat gives fast answers to questions such as:

  • How many TCP/IP sockets are open on my system?

  • Who communicates with whom? And with what parameters?

The netstat command has many options that will satisfy everyone's needs. Please refer to netstat(1) for details.

netstat Usage Scenario – List open Sockets

Often, one will want to look at the list of network sockets on a system. The netstat command delivers this type of information for the protocol TCP with the following command:

  • netstat -af inet -P tcp

If you are interested in the protocol UDP, replace tcp with udp, i.e.

  • netstat -af inet -P udp

As an example, let's run the following command and capture the output:

  • netstat -af inet -P tcp

netstat – sample output list TCP network sockets

The command outputs one line per socket in the system. Each line includes:

  • Local Address: the local socket endpoint with interface and protocol port.

  • Remote Address: the remote socket endpoint with interface and protocol port.

  • Swind: sending window size in bytes.

  • Send-Q: sending queue size in bytes.

  • Rwind: receiving window size in bytes.

  • Recv-Q: receiving queue size in bytes.

  • State: protocol state (e.g. LISTEN, IDLE, TIME_WAIT).
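
As an added example (not part of the original document or of the tools it describes), the following shell function condenses that output into listening endpoints, sockets with data still queued, and a count per protocol state. The sample input is constructed, and the function names and record labels (LISTEN, QUEUED, STATE) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: summarise the output of `netstat -af inet -P tcp`.
# Usage on a live system: netstat -af inet -P tcp | tcp_report

# Constructed sample in the seven-column layout listed above.
sample_netstat() {
cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.*                  *.*                0      0 49152      0 IDLE
      *.sunrpc             *.*                0      0 49152      0 LISTEN
      *.ssh                *.*                0      0 49152      0 LISTEN
localhost.smtp             *.*                0      0 49152      0 LISTEN
host1.ssh            host2.51234          64240      0 49232      0 ESTABLISHED
host1.40112          host3.80             49640   1448 49640      0 ESTABLISHED
host1.40090          host3.80             49640      0 49640      0 TIME_WAIT
EOF
}

# Reads netstat output on stdin and prints three kinds of records:
#   LISTEN <addr> <port>      one per listening socket ("*" = all interfaces)
#   QUEUED <local> <remote> <send-q> <recv-q>   data still waiting in a queue
#   STATE <state> <count>     number of sockets in each protocol state
tcp_report() {
  awk '
    # Data rows have exactly seven fields and a numeric Swind column;
    # this skips the title, the column header and the dashed ruler.
    NF == 7 && $3 ~ /^[0-9]+$/ {
      states[$7]++
      if ($7 == "LISTEN") {
        # The port (or service name) follows the last dot of the endpoint.
        n = split($1, part, ".")
        port = part[n]
        addr = substr($1, 1, length($1) - length(port) - 1)
        print "LISTEN", addr, port
      }
      if ($4 > 0 || $6 > 0) print "QUEUED", $1, $2, $4, $6
    }
    END { for (s in states) print "STATE", s, states[s] }
  '
}

sample_netstat | tcp_report
```

A LISTEN record whose address is `*` is reachable on every interface, while one bound to `localhost` is only reachable locally; comparing this list against the services the host is expected to offer is a quick exposure check.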

tcptop/tcptop_snv [DtraceToolkit] – network “top”

tcptop (Solaris 10) and tcptop_snv (OpenSolaris) display top TCP network packets by process. To do so, the tool analyses TCP network packets and prints the responsible PID and UID, plus standard details such as IP address and port. The utility can help identify which processes are causing TCP traffic.

You can start the tool with the command tcptop on Solaris 10 and tcptop_snv on OpenSolaris. Let's study the output of tcptop_snv. For that, start tcptop_snv in one window and in another one, generate some network traffic with the command:

  • scp /kernel/genunix localhost:/tmp

The output should be similar to this screen:

tcptop_snv – sample output

tcpsnoop/tcpsnoop_snv [DtraceToolkit] – Network Snooping

tcpsnoop (Solaris 10) and tcpsnoop_snv (OpenSolaris) snoop TCP network packets by process. The tool operates in a similar way to tcptop and tcptop_snv; however, information is displayed continuously.

You can start the tool with the command tcpsnoop on Solaris 10 and tcpsnoop_snv on OpenSolaris. Let's study the output of tcpsnoop_snv. For that, start tcpsnoop_snv in one window and in another one, generate some network traffic with the command:

  • scp /kernel/genunix localhost:/tmp

The output should be similar to this screen:

tcpsnoop_snv – sample output

nfsstat – NFS statistics

nfsstat displays statistical information about the NFS and RPC (Remote Procedure Call) interfaces to the kernel. It can be used to view client and/or server side statistics broken down by NFS version (2, 3 or 4).

Thomas Bastian was a coauthor of an earlier version of this document. The earlier version of this page was published in "The Developers Edge" in 2009.