
Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

 
Vitaly Karasik_1
Honored Contributor

"netstat -s" output - "XXXX packets to unknown port received" - what does it mean

netstat -s
Udp:
70868699 packets received
1300775309 packets to unknown port received.


what does it mean?
Ivan Ferreira
Honored Contributor
Solution

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

The statistics.c file in the source code for net-tools says:

struct entry Udptab[] =
{
    {"InDatagrams", N_("%u packets received"), number},
    {"NoPorts", N_("%u packets to unknown port received."), number},
    {"InErrors", N_("%u packet receive errors"), number},
    {"OutDatagrams", N_("%u packets sent"), number},
};


NoPorts: Displays the total number of UDP datagrams received for which there was no application at the destination port.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
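
Added example, not part of the original post or of net-tools: on Linux, `netstat -s` takes these counters from /proc/net/snmp, so NoPorts can be read and tracked directly. The function names and the sample text are constructed for illustration.

```python
from pathlib import Path

# Constructed sample in /proc/net/snmp layout (header line, then value line).
# The first two Udp values are the ones quoted in the question; the rest are made up.
SAMPLE_SNMP = """\
Icmp: InMsgs InErrors OutMsgs
Icmp: 120 0 118
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 70868699 1300775309 0 1024
"""


def parse_snmp(text):
    """Return {protocol: {field: int}} from header/value line pairs."""
    tables, headers = {}, {}
    for line in text.splitlines():
        proto, sep, rest = line.partition(":")
        if not sep:
            continue
        fields = rest.split()
        if proto not in headers:
            headers[proto] = fields      # first line for a protocol: names
            continue
        names = headers.pop(proto)       # second line: values
        if len(names) != len(fields):
            raise ValueError(f"field/value count mismatch for {proto}")
        tables[proto] = dict(zip(names, map(int, fields)))
    return tables


def unclaimed_udp_share(udp):
    """Fraction of arriving datagrams with no listener on the destination port."""
    # RFC 1213: InDatagrams counts only delivered datagrams, so add the others.
    arrived = udp["InDatagrams"] + udp["NoPorts"] + udp["InErrors"]
    return udp["NoPorts"] / arrived if arrived else 0.0


def noports_delta(before, after):
    """NoPorts growth between two snapshots; None if the counter went backwards."""
    delta = after["NoPorts"] - before["NoPorts"]
    return delta if delta >= 0 else None


if __name__ == "__main__":
    proc = Path("/proc/net/snmp")        # live counters on a Linux host
    text = proc.read_text() if proc.exists() else SAMPLE_SNMP
    udp = parse_snmp(text)["Udp"]
    print(f"NoPorts={udp['NoPorts']} share={unclaimed_udp_share(udp):.1%}")
```

Taking two snapshots a fixed interval apart and passing their Udp tables to `noports_delta` shows whether the counter is still climbing or is left over from earlier traffic.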
Vitaly Karasik_1
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

thank you very much!

I was too lazy to install and read sources :-(

But I am still very curious:
Even when I installed the net-tools source, I found the Udptab struct, but not the "NoPorts: Displays the total number of UDP datagrams received for which there was no application at the destination port." explanation.
Ivan Ferreira
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

I found the explanation by googling ;) but it is applicable. I think it was a Cisco document about the UDP protocol.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Vitaly Karasik_1
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

thank you very much!

It is really applicable to my situation, because I have a network server which works via the pcap library.
rick jones
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

Unless you are trying to run your own IP stack via libpcap, the system shouldn't be seeing anything it wouldn't have seen otherwise. If you _are_ running your own IP stack via libpcap, you should _really_ consider doing it via an interface to which no IP addresses are bound. I know that for HP-UX at least, that would preclude traffic also going up to IP in the host. I _think_ it would do the same in Linux, but I'm not 100% certain.
there is no rest for the wicked yet the virtuous have no pillows
Vitaly Karasik_1
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

Rick, thank you!

As I wrote, my application works via libpcap.
Can you explain more - what does "bind to NIC" mean?
Our application processes only UDP packets to its IPs.
rick jones
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

The host's IP stack will have bound the IP (and ARP) SAPs to the interface when the interface is ifconfig'd with an IP address (at least that is when HP-UX does it, I'm guessing about Linux). This means that the driver will pass all frames with the IP and ARP sap in the header to the host's IP code.

If you are running your own IP stack on top of libpcap you are getting your IP (and ARP) traffic via the taps, which is a separate path. Just as you end up having to ignore IP and ARP traffic which wasn't yours (it was the host's), the host ends up seeing traffic which wasn't its own; it was yours.

To keep the host from seeing your application's traffic, you have to run your libpcap-based stack over an interface to which the IP and ARP SAPs have not been bound. I'm guessing that if no host IP addresses are assigned to the interface(s) in question, the IP and ARP SAPs will not be bound and so the host will not get copies of your traffic. Also, you will be less likely to get copies of the host's traffic - although you will still see ARP requests for IPs other than your own.
there is no rest for the wicked yet the virtuous have no pillows
Vitaly Karasik_1
Honored Contributor

Re: "netstat -s" output - "XXXX packets to unknown port received" - what does it mean

thanks to all!