How to Use the Command 'sockstat' (with examples)
- Netbsd
- December 17, 2024
The sockstat command is a utility used predominantly on Unix-like operating systems to provide a snapshot of open Internet or UNIX domain sockets, both IPv4 and IPv6. It is especially useful for system administrators and developers who need to track socket usage in real time, offering insight into network operations on a particular system. The command described here is a rewrite for NetBSD 3.0 of FreeBSD’s sockstat, designed to cover a diverse range of network-related functionality.
Use case 1: Show information for IPv4, IPv6 and Unix sockets for both listening and connected sockets
Code:
sockstat
Motivation: When managing a server, it’s crucial to know which sockets are open and which services are using them. This kind of inventory can help in troubleshooting network issues, ensuring that unwanted services are not running and that all necessary services are up and operating over their designated sockets.
Explanation:
The command sockstat with no additional arguments lists all open sockets, including both Internet and UNIX domain sockets. It provides a straightforward overview of the system’s socket status.
Example output:
USER   COMMAND PID FD PROTO LOCAL ADDRESS  FOREIGN ADDRESS
root   sshd    834 3  tcp4  192.168.1.2:22 192.168.1.100:52340
daemon httpd   671 6  tcp6  ::1:80         *:*
Use case 2: Show information for IPv[4]/IPv[6] sockets [l]istening on specific [p]orts using a specific [P]rotocol
Code:
sockstat -4 -l -P tcp -p 80
Motivation: In environments where security is critical, knowing exactly which ports are open and which protocol they are using is imperative. A system administrator might use this command to verify that a web server is listening for connections on port 80 over TCP, for example.
Explanation:
-4: Restricts the display to IPv4 sockets.
-l: Filters the output to show only listening sockets.
-P tcp: Specifies that we are interested in the TCP protocol.
-p 80: Further narrows down the output to sockets listening on port 80.
Example output:
USER   COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
daemon httpd   671 6  tcp4  *:80          *:*
Use case 3: Also show [c]onnected sockets, showing [u]nix sockets
Code:
sockstat -cu
Motivation: Connected sockets indicate active connections between two endpoints. Viewing this information, particularly in conjunction with Unix sockets, is instrumental in identifying live communication channels which can be significant for performance monitoring or investigating suspected unauthorized connections.
Explanation:
-c: Instructs the command to display connected sockets, not just listening ones.
-u: Includes Unix domain sockets in addition to Internet sockets.
Example output:
USER COMMAND PID  FD PROTO LOCAL ADDRESS     FOREIGN ADDRESS
user chatapp 4321 7  unix  /tmp/chatapp.sock -
Use case 4: Only show [n]umeric output, without resolving symbolic names for addresses and ports
Code:
sockstat -n
Motivation: On systems with extensive DNS traffic or complex network structures, the use of symbolic names can add latency or ambiguity. Numeric output provides clear and immediate socket information, which is often preferable for scripting or exporting this data into other network tools.
Explanation:
-n: Configures sockstat to present numeric output for addresses and ports, avoiding resolution into hostnames or service names.
Example output:
USER COMMAND PID FD PROTO LOCAL ADDRESS  FOREIGN ADDRESS
root sshd    834 3  tcp4  192.168.1.2:22 192.168.1.100:52340
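The scripting use of numeric output mentioned above, as an added example that is not part of the original page: a shell function that compares listening Internet sockets against an allowlist and reports anything unexpected. The allowlist, the sample lines and the function name audit_listeners are constructed for illustration, and the parser assumes the address:port layout shown in this page's sample output.

```shell
#!/bin/sh
# Added example: flag listeners that are not on an allowlist.
# Assumed layout (from this page's sample output):
#   USER COMMAND PID FD PROTO LOCAL-ADDR FOREIGN-ADDR
# with the port after the last ":" of the local address.

# Constructed allowlist of proto/port:command entries.
ALLOWED='tcp4/22:sshd tcp4/80:httpd tcp6/80:httpd'

# Constructed sample standing in for `sockstat -n -l` output.
SAMPLE='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd 834 3 tcp4 *:22 *:*
daemon httpd 671 6 tcp4 *:80 *:*
daemon httpd 671 7 tcp6 :::80 *:*
nobody nc 4410 3 tcp4 *:4444 *:*
root httpd 702 4 tcp4 *:8080 *:*
user chatapp 4321 7 unix /tmp/chatapp.sock -'

# Read sockstat-style lines on stdin; print one line per Internet
# listener whose proto/port:command pair is missing from $ALLOWED.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN {
            n = split(allowed, rows, " ")
            for (i = 1; i <= n; i++) ok[rows[i]] = 1
        }
        $1 == "USER" { next }                 # header line
        NF < 7 { next }                       # short or garbled line
        $5 !~ /^(tcp|udp)[46]?$/ { next }     # skip unix sockets
        {
            port = $6
            sub(/.*:/, "", port)              # text after the last ":"
            sock = $5 "/" port
            key = sock ":" $2
            if (!(key in ok))
                printf "UNEXPECTED %s user=%s cmd=%s pid=%s\n", sock, $1, $2, $3
        }'
}

# On a live host: sockstat -n -l | audit_listeners
printf '%s\n' "$SAMPLE" | audit_listeners
```

Keying the allowlist on the command as well as the port means a different program bound to an approved port is still reported. If your sockstat prints a different address/port separator, adjust the sub() pattern accordingly.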
Use case 5: Only list sockets of the specified address [f]amily
Code:
sockstat -f inet6
Motivation: With the growing need to support IPv6, managing systems that cater to both IPv4 and IPv6 requires tools to segregate these. Focusing on specific address families can simplify troubleshooting and management tasks on dual-stack networks.
Explanation:
-f inet6: Limits the output to only include IPv6 sockets, which is particularly useful when transitioning or verifying IPv6 network configurations.
Example output:
USER   COMMAND   PID  FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
daemon webserver 9021 3  tcp6  ::1:8080      *:*
Conclusion:
The sockstat command offers a comprehensive set of options for investigating socket usage on Unix-like operating systems, with the precision and depth needed for administrative or development work. By combining its options, users can filter the socket information to suit their current needs, whether that means looking for specific port usage, checking connected sockets, or restricting output to numeric form. These examples reflect common real-world situations where sockstat might be applied, illustrating the practical utility of this command in maintaining and monitoring system health.