Discussion:
Questions about netstat on Mac OS X
Dave Taylor
2003-01-27 16:25:16 UTC
I'm working on some shell scripts for a new book I'm writing for O'Reilly &
Associates, and am stalled out on a script that analyzes netstat output.
It's a two part script: the first is run every 10 minutes from cron and logs
current net activity, then the second will ostensibly analyze the output to
highlight anything odd or curious happening. What is tripping me up is that
I really don't understand netstat output well enough and am hoping someone
on this list can illuminate it for me. I'm happy to share the resultant
script(s) back on the list if there's interest.

1. What are the different tcp devices shown?

$ netstat -d -I en0
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll Drop
en0   1500  <Link#5>      00:30:65:3d:e8:10  11538   638     9629     0     0    0
en0   1500  fe80:5::230   fe80:5::230:65ff:  11538     -     9629     -     -    -
en0   1500  192.168.1     192.168.1.105      11538     -     9629     -     -    -
en0   1500  (16)00:00:ff:be:76               11538   638     9629     0     0    0

I can see that there are input errors here, but on what devices? I assume
that only the device associated with my real IP is non-LAN traffic: am I
wrong?

2. What's the meaning of the various lines of output of ...

lines I think are important are highlighted in red

OSX $ netstat -s -p tcp
tcp:
26784 packets sent
20573 data packets (2822503 bytes)
7 data packets (4861 bytes) retransmitted
0 resends initiated by MTU discovery
3013 ack-only packets (1421 delayed)
0 URG only packets
0 window probe packets
1719 window update packets
1472 control packets
29101 packets received
12376 acks (for 2823103 bytes)
460 duplicate acks
0 acks for unsent data
26368 packets (8456463 bytes) received in-sequence
10 completely duplicate packets (3217 bytes)
0 old duplicate packets
0 packets with some dup. data (0 bytes duped)
123 out-of-order packets (77469 bytes)
0 packets (0 bytes) of data after window
0 window probes
22 window update packets
0 packets received after close
0 discarded for bad checksums
0 discarded for bad header offset fields
0 discarded because packet too short
711 connection requests
72 connection accepts
1 bad connection attempt
0 listen queue overflows
770 connections established (including accepts)
975 connections closed (including 155 drops)
9 connections updated cached RTT on close
9 connections updated cached RTT variance on close
4 connections updated cached ssthresh on close
6 embryonic connections dropped
12362 segments updated rtt (of 12349 attempts)
23 retransmit timeouts
0 connections dropped by rexmit timeout
0 persist timeouts
0 connections dropped by persist timeout
14 keepalive timeouts
0 keepalive probes sent
0 connections dropped by keepalive
653 correct ACK header predictions
15812 correct data packet header predictions

What I'm trying to do is to have the script show when you're seeing problems
(too many collisions, too many bad connection requests, etc) on your system,
but I'm, um, operating a bit in the dark. Let me ask this another way too,
perhaps: if you wanted to track your network performance, what would you
track, how would you do it, and how would you interpret the results? (for
example, 711 connection requests versus 72 connection accepts suggests that
there are a lot of incoming requests rejected by my firewall, yes?)

Thanks!!!

Dave Taylor

ps: I'm also looking for both some xferlog files that include anon ftp
transactions for analysis. Anyone have something they can share?
Justin Walker
2003-01-28 05:19:10 UTC
[I sent this around noon, but haven't seen it show up; apologies if you
see multiple copies]

Hi, Dave,

I'll help where I can...
Post by Dave Taylor
I'm working on some shell scripts for a new book I'm writing for O'Reilly &
Associates, and am stalled out on a script that analyzes netstat output.
It's a two part script: the first is run every 10 minutes from cron and logs
current net activity, then the second will ostensibly analyze the output to
highlight anything odd or curious happening. What is tripping me up is that
I really don't understand netstat output well enough and am hoping someone
on this list can illuminate it for me. I'm happy to share the resultant
script(s) back on the list if there's interest.
1. What are the different tcp devices shown?
Do you mean "network devices"? The "-/-I" output will print a line for
each "sockaddr" that has been attached to the device's descriptor in
Post by Dave Taylor
$ netstat -d -I en0
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll Drop
en0   1500  <Link#5>      00:30:65:3d:e8:10  11538   638     9629     0     0    0
This is AF_LINK (i.e., the MAC[ethernet]) address.
Post by Dave Taylor
en0   1500  fe80:5::230   fe80:5::230:65ff:  11538     -     9629     -     -    -
This is AF_INET6 (IPv6) - the dreaded 128-bit address, written as
16-bit hex chunks, with leading zeros elided, and "::" permitted once
to indicate a long string of zeros.
Post by Dave Taylor
en0   1500  192.168.1     192.168.1.105      11538     -     9629     -     -    -
This is AF_INET (IPv4) - the usual "dotted-quad" IP address.
Post by Dave Taylor
en0   1500  (16)00:00:ff:be:76               11538   638     9629     0     0    0
This is the AppleTalk address. The parenthetical '16' is the value of
AF_APPLETALK (given in /usr/include/sys/socket.h); 'netstat' prints the
AF_ value in parens, and the address as a hex string, if it doesn't
recognize the family (i.e., no-one bothered to educate 'netstat' about
AppleTalk).
Post by Dave Taylor
I can see that there are input errors here, but on what devices? I assume
that only the device associated with my real IP is non-LAN traffic: am I
wrong?
You'll notice that the repeated values are always the same. This is
because each line refers to the same device. In some cases, some
values aren't printed (e.g., for the AF_INET line, the ierrs value
doesn't show up). This is because the value in question may not
directly relate to the AF entity [here, the ierrs count input errors of
some kind but those don't make sense for a higher-layer protocol like
IPv4; the device can't generally account for errors based on packet
type - if there's an error, the content is suspect; for AppleTalk, the
AF_ is unknown to 'netstat', so it goes ahead and displays the value].
Post by Dave Taylor
2. What's the meaning of the various lines of output of ...
I get this in plain ASCII (cf. my signature), so this doesn't come
through.
Post by Dave Taylor
OSX $ netstat -s -p tcp
All of the lines are important. For example, a lot of bad checksum or
other discard reasons would indicate a serious problem - whether it's
hardware or some kind of DoS attack is in question. Some of the lines
are just "statistics", while others are error counters. Generally, you
can tell by the name. For diagnosing real problems, all may play a
role, but without a real problem, you can't predict which ones will.
Post by Dave Taylor
What I'm trying to do is to have the script show when you're seeing problems
(too many collisions, too many bad connection requests, etc) on your system,
but I'm, um, operating a bit in the dark. Let me ask this another way too,
perhaps: if you wanted to track your network performance, what would you
track, how would you do it, and how would you interpret the results?
This is not something you can do in one chapter of a book. This is
what's called ART, and it requires a lot of experience. One of the
best ways to do this is to look at lots of examples: e.g., take a
sample every hour, and review them daily. When you actually get
reports of a performance problem, try to narrow down the occurrence and
relate it to your stats.
Post by Dave Taylor
(for example, 711 connection requests versus 72 connection accepts suggests
that there are a lot of incoming requests rejected by my firewall, yes?)
Hard to tell. If by "incoming request" you mean the TCP packet with
the SYN bit set, then if such were rejected by the firewall, you
wouldn't see it as a request (the firewall gets to see the packet
before the TCP engine). If the firewall can reject a request after the
SYN packet has been passed, then this could be an explanation.

Hope that helps. Ask again if I've misunderstood or gone awry in the
above.

Regards,

Justin

--
/~\ The ASCII Justin C. Walker, Curmudgeon-at-Large
\ / Ribbon Campaign
X Help cure HTML Email
/ \


--
Justin C. Walker, Curmudgeon-At-Large *
Institute for General Semantics | If you're not confused,
| You're not paying attention
*--------------------------------------*-------------------------------*
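The four en0 rows above are one interface printed once per attached address family, as Justin explains, with "-" where a counter does not apply to that family. What follows is an added example, not code from either poster and not part of the book script Dave describes: a small Python parser (Python rather than Dave's shell, because the column logic is easier to read) that takes that table, names the family from the Network column the way netstat prints it, and folds the rows back into one record per interface, keeping the first counter value it sees and noting any row that disagrees. The sample table is the en0 output quoted in the thread, re-aligned by hand; the function and field names are my own.

```python
import re
from typing import Optional

COUNTERS = ("Ipkts", "Ierrs", "Opkts", "Oerrs", "Coll", "Drop")

# Constructed sample: the en0 rows quoted in the thread, re-aligned.
SAMPLE = """\
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll Drop
en0   1500  <Link#5>      00:30:65:3d:e8:10  11538   638     9629     0     0    0
en0   1500  fe80:5::230   fe80:5::230:65ff:  11538     -     9629     -     -    -
en0   1500  192.168.1     192.168.1.105      11538     -     9629     -     -    -
en0   1500  (16)00:00:ff:be:76               11538   638     9629     0     0    0
"""


def classify_family(network: str) -> str:
    """Name the address family from the Network column as netstat prints it."""
    if network.startswith("<Link#"):
        return "link"                       # AF_LINK: the MAC address row
    m = re.match(r"^\((\d+)\)", network)
    if m:
        return "af" + m.group(1)            # family netstat cannot name; (16) is AppleTalk here
    if ":" in network:
        return "inet6"                      # AF_INET6
    return "inet"                           # AF_INET dotted quad


def parse_counter(tok: str) -> Optional[int]:
    """'-' means netstat does not report that counter for this family."""
    return None if tok == "-" else int(tok)


def parse_iface_table(text: str) -> list:
    """One dict per printed row of `netstat -d -I <if>`."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] == "Name":
            continue                        # blank line or the header row
        name, mtu, network = fields[0], int(fields[1]), fields[2]
        # The unknown-family row has no separate Address column, so anchor on the
        # six trailing counters rather than on a fixed column position.
        address = fields[3] if len(fields) == 10 else ""
        row = {"name": name, "mtu": mtu, "network": network, "address": address,
               "family": classify_family(network)}
        row.update({k: parse_counter(v) for k, v in zip(COUNTERS, fields[-6:])})
        rows.append(row)
    return rows


def collapse_by_interface(rows: list) -> dict:
    """Merge the per-family rows into a single record per physical interface."""
    merged = {}
    for row in rows:
        rec = merged.setdefault(row["name"], {"families": [], "conflicts": []})
        rec["families"].append(row["family"])
        for k in COUNTERS:
            v = row[k]
            if v is None:
                continue                    # not reported for this family
            if k not in rec:
                rec[k] = v
            elif rec[k] != v:
                # Rows for one device should agree; record it if they do not.
                rec["conflicts"].append((k, rec[k], v))
    return merged


if __name__ == "__main__":
    for name, rec in collapse_by_interface(parse_iface_table(SAMPLE)).items():
        print(name, rec)
```

Running it on the sample yields a single en0 record with Ierrs 638 and no conflicts, which is the point Justin makes: the input errors belong to the interface, not to any one address family.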
William H. Magill
2003-01-28 07:21:11 UTC
I'm not a netstat expert, but here are a couple of data points
Post by Dave Taylor
1. What are the different tcp devices shown?
$ netstat -d -I en0
Name  Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll Drop
en0   1500  <Link#5>      00:30:65:3d:e8:10  11538   638     9629     0     0    0
en0   1500  fe80:5::230   fe80:5::230:65ff:  11538     -     9629     -     -    -
en0   1500  192.168.1     192.168.1.105      11538     -     9629     -     -    -
en0   1500  (16)00:00:ff:be:76               11538   638     9629     0     0    0
I can see that there are input errors here, but on what devices?  I
assume that only the device associated with my real IP is non-LAN
traffic: am I wrong?
There is only one device here - en0, the Ethernet interface known as
zero. That interface has both an IPv4 and IPv6 stack associated with it.

lo0 is the loop-back interface.
en1 is (usually) the Airport interface, but might just be a second card.

This set of report descriptions comes from the Tru64 Unix man page:
The network interface display format provides a table of cumulative
statistics for the following:
+ Interface name
+ Maximum Transmission Unit (MTU)
+ Network Address
+ Packets received (Ipkts)
+ Packets received in error (Ierrs)
+ Packets transferred (Opkts)
+ Outgoing packets in error (Oerrs)
+ Collisions
  Note that the collisions item has different meanings for different
  network interfaces.
+ Drops (optional with -d)
+ Timers (optional with -t)

Note that the -d option is listed/defined in the OS X man page, but the
-t option is only listed. (Man pages are not known for their accuracy
or completeness.)
Post by Dave Taylor
2. What's the meaning of the various lines of output of ...
lines I think are important are highlighted in red
OSX $ netstat -s -p tcp
Don't mix apples and oranges. This command generates TCP stats across
ALL interfaces.

This might map to en0 if that is the ONLY port with TCP/IP traffic, but
not necessarily. A box with both an Airport and an Ethernet for
instance, if the laptop runs hardwired some times, and wireless at
others.

As I recall, the counters are not zeroed except on boot.

I assume that you realize the counters are cumulative and you will need
to subtract them to get the "interval count." I believe that they are
also 32 bit counters, but they might be less. Somebody will have to
look at the code to find out.

Netstat, like ping and traceroute, is a very low-level network debugging
tool. They are useful for troubleshooting, not tracking performance.
They are oriented at hardware issues, not traffic. While you can infer
performance issues with some of their statistics, that's not what they
were designed to convey. (Note that I'm talking about the Interface
options of netstat here.)

On a properly configured and active (more than one host) ethernet
SEGMENT, there will always be collisions. Note that a SEGMENT is either
a HUB or single cable with multiple Ethernet devices connected to it. A
switched environment, however, should always have zero collisions. This
is true for some hub configurations as well. (Maybe, most hubs today.)
Similarly, a WiFi (802.11) connection with only one station active will
not likely see collisions, but with multiple stations transmitting, you
will begin to see collisions. A WiFi Access point is basically a Hub.

Some problems -- like duplex-mismatch -- occurring on a switch won't
show up at all in netstat, but your performance will be going to hell
in a handbasket. This is because the problem is happening in the media
layer below netstat's view.

Off hand, I suspect that you'll have to dig up a copy of Comer (TCP/IP
Networking) to find out what all of the Kernel data structures "really"
mean (the -s output). I don't recall seeing them documented anywhere.
It's always assumed that if you care, you know what they mean;
otherwise, they have labels which are "self-explanatory." Sometimes
SNMP documentation (which doesn't exist for OS X that I know of)
contains useful information as it is another way of displaying these
same data structures.

And by the by, you probably should be doing this with Perl rather than
a shell script. For that matter, there may already be some such critter
floating around.

T.T.F.N.
William H. Magill
# Beige G3 - Rev A motherboard - 768 Meg
# Flat-panel iMac (2.1) 800MHz - Super Drive - 768 Meg
# PWS433a [Alpha 21164 Rev 7.2 (EV56)- 64 Meg]- Tru64 5.1a
***@mcgillsociety.org
***@acm.org
***@mac.com
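Two of Magill's points about `netstat -s` (the counters are cumulative, so each 10-minute sample has to be differenced against the previous one, and they may be fixed-width counters that wrap) and Justin's remark that the discard counters such as bad checksums are the ones that signal a real problem, carried into working code. This is an added Python example, not the script from the post and not anything from Apple's netstat: the two snapshots are constructed (the first copies a subset of the figures Dave quoted, the second is an invented later reading), the per-interval ceilings are assumptions for illustration, and the 32-bit width is Magill's guess, passed in as a parameter so it can be changed once someone has looked at the code.

```python
import re

# Constructed snapshots. SNAP_T0 copies a subset of the `netstat -s -p tcp`
# lines quoted in the thread; SNAP_T1 is an invented reading taken later.
SNAP_T0 = """\
tcp:
    26784 packets sent
        20573 data packets (2822503 bytes)
        7 data packets (4861 bytes) retransmitted
    29101 packets received
        0 discarded for bad checksums
        711 connection requests
        72 connection accepts
        1 bad connection attempt
        0 listen queue overflows
        6 embryonic connections dropped
        23 retransmit timeouts
"""

SNAP_T1 = """\
tcp:
    27910 packets sent
        21400 data packets (2950111 bytes)
        9 data packets (5120 bytes) retransmitted
    30420 packets received
        3 discarded for bad checksums
        740 connection requests
        80 connection accepts
        1 bad connection attempt
        0 listen queue overflows
        9 embryonic connections dropped
        30 retransmit timeouts
"""

# Per-interval ceilings (assumed values for illustration, not netstat's own).
THRESHOLDS = {
    "discarded for bad checksums": 0,      # any at all: bad hardware or hostile packets
    "listen queue overflows": 0,           # inbound connections dropped unserved
    "embryonic connections dropped": 20,   # half-open connections that never completed
    "retransmit timeouts": 50,             # loss somewhere on the path
}


def parse_tcp_stats(text):
    """Map each 'COUNT label' line to {label: count}. The parenthetical byte
    counts are stripped so the same line yields the same key in every snapshot."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(.*\S)\s*$", line)
        if not m:
            continue                        # the "tcp:" header or a blank line
        label = re.sub(r"\s*\([^)]*\)", "", m.group(2))
        stats[label] = int(m.group(1))
    return stats


def interval_deltas(old, new, width=32, rebooted=False):
    """Turn two cumulative readings into per-interval counts. A reading lower
    than the previous one is taken as a wrapped fixed-width counter, unless the
    caller knows the host rebooted (counters reset at boot), in which case the
    new reading already is the interval count."""
    deltas = {}
    for label, value in new.items():
        if label not in old:
            continue
        if rebooted:
            deltas[label] = value
            continue
        d = value - old[label]
        if d < 0:
            d += 1 << width                 # counter wrapped around
        deltas[label] = d
    return deltas


def check_interval(deltas, thresholds=THRESHOLDS):
    """Return (label, delta, ceiling) for every counter over its ceiling."""
    return [(k, deltas[k], ceil) for k, ceil in thresholds.items()
            if k in deltas and deltas[k] > ceil]


def report(old_text, new_text, rebooted=False):
    deltas = interval_deltas(parse_tcp_stats(old_text), parse_tcp_stats(new_text),
                             rebooted=rebooted)
    return deltas, check_interval(deltas)


if __name__ == "__main__":
    deltas, alerts = report(SNAP_T0, SNAP_T1)
    for label, d in sorted(deltas.items()):
        print("%8d  %s" % (d, label))
    for label, d, ceil in alerts:
        print("ALERT: %s = %d this interval (ceiling %d)" % (label, d, ceil))
```

The cron half of Dave's design would save one snapshot per run and the analysis half would call `report()` on consecutive pairs. One note on the ratio Dave asks about: in the BSD tcpstat structure these lines are printed from, "connection requests" counts active opens this host initiated and "connection accepts" counts passive opens it received, so 711 against 72 is outgoing connects against incoming ones, not rejected against accepted requests; per-interval movement in accepts, listen queue overflows and embryonic drops is the better view of inbound load.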
