Is there documentation for /proc/net/netstat and /proc/net/snmp

documentationnetstatproc

There is a long list of stats in /proc/net/netstat and /proc/net/snmp, both of which I think come from the net-tools project. Is there any official or unofficial documentation about these fields? Or even a good source of networking terminology that would help identify them?

Some seem pretty clear:

SyncookiesSent
SyncookieFailed
TCPTimeouts
TCPKeepalive

Others less clear:

ActiveOpens
PassiveOpens

Some fully cryptic to me:

EmbryonicRsts
RcvPruned 
... many more ...

Update: I've found definitions in the source but still wondering where these descriptions go. Are they compiled and published anywhere?

Best Answer

The /proc/net/* files are generated by the kernel: the entries are in net/ipv4/proc.c in the kernel source, and the entry list is found in include/uapi/linux/snmp.h. It grabs the values from various MIB databases that the kernel keeps.

According to the snmp.h header file, the MIB definitions come from the following documents:

RFC 1213: MIB-II
RFC 2011 (updates 1213): SNMPv2-MIB-IP
RFC 2863: Interfaces Group MIB
RFC 2465: IPv6 MIB: General Group
draft-ietf-ipv6-rfc2011-update-10.txt: MIB for IP: IP Statistics Tables

ActiveOpens is from RFC 1213 (page 47):

tcpActiveOpens OBJECT-TYPE
          SYNTAX  Counter
          ACCESS  read-only
          STATUS  mandatory
          DESCRIPTION
                  "The number of times TCP connections have made a
                  direct transition to the SYN-SENT state from the
                  CLOSED state."
          ::= { tcp 5 }

If you can't find the netstat entry in the RFCs, you'll have to search around. Quite a few of the items are not listed in detail in these documents. If you want more than the brief summary, you'll have to search the kernel source for some of the entries that you described.

EmbryonicRsts is modified in net/ipv4/tcp_minisocks.c (line 796 in 4.16.0), and appears to count invalid SYN resets on non-fast opened connections. This is probably not likely to occur unless you're in a SYN cookie flood.

Related Solutions

Faster interface for info from /proc/net/tcp

Here is a link to libnetfilter_conntrack. You would have to re-write your program in a language that can support calling C functions from a library directly. But I think this library will have the hooks you need to get the data you want much faster than parsing through that text file.

This is what the iptstate program uses to accomplish its task.

Accounting for /proc/net/dev reported traffic

When dealing with applications that are using up network bandwidth the best tool I've come across for tying back utilization to specific apps has got to be nethogs.

You can use ip link show or netstat -i to find out your network interface names.

$ netstat -i
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
em1       1500        0      0      0 0             0      0      0      0 BMU
lo       65536    81375      0      0 0         81375      0      0      0 LRU
virbr0    1500        0      0      0 0             0      0      0      0 BMU
wlp3s0    1500  2264942      0      0 0       2376236      0      0      0 BMRU

My wireless on my Fedora 19 laptop is wlp3s0, so we tell nethogs to watch that:

$ sudo nethogs wlp3s0

As you let nethogs run it will start to show you the applications that are consuming your network bandwidth.

Best Answer

Related Solutions

Faster interface for info from /proc/net/tcp

Accounting for /proc/net/dev reported traffic

Related Question