2

On my Linux server, when I run netstat -su I can get the statistics of UDP packets like this:

netstat -su 
IcmpMsg:
    InType0: 10827
    InType3: 42792
    InType8: 298795
    InType13: 2
    OutType0: 298795
    OutType3: 328120
    OutType8: 10827
    OutType14: 2 
Udp:
    232862733 packets received
    12074334 packets to unknown port received.
    555474 packet receive errors
    8650718 packets sent 
UdpLite:
IpExt:
    InBcastPkts: 375
    InOctets: 169855997552
    OutOctets: 60497003017
    InBcastOctets: 144080

Where did the netstat command get these statistics from? Can I clear the buffer in order to have them start from zero?

Marged
Y.L.

2 Answers

11

You can find out answers to these sorts of things without leaving your terminal.

Let's see for ourselves:

# strace netstat -su &> netstat_strace

It will be an 'open' and 'read' because it's getting the data from somewhere (but grep out where it failed to read/open):

# grep -E 'open|read' netstat_strace  | grep -v ENOENT
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\320\37\2\0\0\0\0\0"..., 832) = 832
open("/usr/lib/locale/locale-archive", O_RDONLY|O_CLOEXEC) = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
read(3, "MemTotal:        3854816 kB\nMemF"..., 1024) = 1024
open("/proc/net/snmp", O_RDONLY)        = 3
read(3, "Ip: Forwarding DefaultTTL InRece"..., 4096) = 1261
open("/usr/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 4
read(4, "# Locale name alias data base.\n#"..., 4096) = 2570
read(4, "", 4096)                       = 0
read(3, "", 4096)                       = 0
open("/proc/net/netstat", O_RDONLY)     = 3
read(3, "TcpExt: SyncookiesSent Syncookie"..., 4096) = 2158
read(3, "", 4096)                       = 0

and from inspecting the strace output, we can see that it's writing a string:

write(1, "IcmpMsg:\n    InType0: 11\n    InT"..., 373IcmpMsg:
    InType0: 11

Well, that's fun. Let's check out the man page for netstat:

man netstat

If you look under FILES:

FILES

   /etc/services -- The services translation file

   /proc -- Mount point for the proc filesystem, which gives access to kernel status information via the following files.

   /proc/net/dev -- device information

   /proc/net/raw -- raw socket information

   /proc/net/tcp -- TCP socket information

   /proc/net/udp -- UDP socket information

   /proc/net/igmp -- IGMP multicast information

...

you can see why it opened and read from the above. In searching for 'clear' or 'reset' (or reading it), you'll find that those aren't options for the command.

The next step would be checking out man proc, which describes itself as a "process information pseudo-filesystem."

From here, you could get the idea that if you modified the files that netstat read from, you could change the output of netstat (/proc/net/netstat looks particularly interesting in my opinion) -- and you can -- but I'd suggest letting this be read-only.

1

Counters are designed not to be reset as a rule; it defeats their purpose in being a counter if they are reset. The point of a counter is that consumers of the data can poll them and calculate rates, or calculate an increment since some time before, but the frequency of polling does not matter. There could be many different consumers of the data, and if a counter goes down (to zero, say) consumers can either discard a data period or assume they have rolled over (possibly resulting in false reporting).

You could rebase them with your own consumer though (e.g. run a script that gets the stats, sees their current value, and provides subsequent readings with those initial values deducted).

Michael
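The rebasing consumer suggested in the last answer, sketched as an added example (not code from either answerer): it parses the header/value line pairs of /proc/net/snmp, the file the strace output shows netstat reading, and subtracts a saved baseline. The script's save/show modes, the baseline file argument, and the rule that a counter below its baseline means the counters restarted are assumptions of this example.

```python
"""Rebase /proc/net/snmp UDP counters against a saved baseline."""
import json
import sys

SNMP_PATH = "/proc/net/snmp"  # opened by netstat -su in the strace above

# Constructed sample in the /proc/net/snmp layout: a header line naming the
# fields, then a value line carrying the same "Proto:" prefix.
SAMPLE = (
    "Udp: InDatagrams NoPorts InErrors OutDatagrams\n"
    "Udp: 232862733 12074334 555474 8650718\n"
    "UdpLite: InDatagrams NoPorts InErrors OutDatagrams\n"
    "UdpLite: 0 0 0 0\n"
)

def parse_snmp(text):
    """Return {proto: {field: int}} from header/value line pairs."""
    stats = {}
    lines = [l.split() for l in text.splitlines() if l.strip()]
    for header, values in zip(lines[0::2], lines[1::2]):
        if header[0] != values[0] or len(header) != len(values):
            raise ValueError(f"mismatched pair for {header[0]}")
        stats[header[0].rstrip(":")] = dict(zip(header[1:], map(int, values[1:])))
    return stats

def rebase(current, baseline):
    """Subtract the baseline from each field. A value below its baseline is
    treated as a counter restart (assumption) and reported unadjusted."""
    out = {}
    for proto, fields in current.items():
        base = baseline.get(proto, {})
        out[proto] = {
            name: value - base.get(name, 0) if value >= base.get(name, 0) else value
            for name, value in fields.items()
        }
    return out

def main(argv):
    # Hypothetical usage: rebase.py save FILE   then   rebase.py show FILE
    mode, baseline_file = argv[1], argv[2]
    with open(SNMP_PATH) as fh:
        current = parse_snmp(fh.read())
    if mode == "save":
        with open(baseline_file, "w") as fh:
            json.dump(current, fh)
    else:
        with open(baseline_file) as fh:
            # Only the Udp line is printed: other lines mix in gauges
            # (e.g. Tcp CurrEstab) for which a delta is meaningless.
            print(rebase(current, json.load(fh))["Udp"])

if __name__ == "__main__":
    main(sys.argv)
```

NoPorts is the field netstat prints as "packets to unknown port received", so a rebased NoPorts gives the count since the baseline was saved without touching the kernel's counters.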