CLI Reference

380 commands across 45 groups, generated straight from ze help command --json -- the same live command registry the binary itself uses, so this page cannot drift from what the binary actually supports the way a hand-maintained list can. Full machine-readable list: data/cli-commands.json.

announce 1
CommandModeDescription
announceDaemonAnnounce a route on demand to selected peers.
Usage: announce <unicast|blackhole|flowspec> <args> [tag <key> <value>] [for <duration>]
clear 16
CommandModeDescription
clear bgp rib inDaemonRemove all routes received from a peer.
Wipes the Adj-RIB-In for matched peers. They will need to
re-advertise everything (or you can send a route-refresh).
Selector: IP, name, AS pattern, glob, or *.
clear bgp rib outDaemonRe-advertise all routes to a peer.
Triggers a full Adj-RIB-Out replay to the selected peers. Useful
after a policy change to push updated attributes without tearing
down the session. Selector: IP, name, AS pattern, glob, or *.
clear debugOfflineClear the default debug profile.
clear dns cacheDaemonClear the DNS cache.
With no argument, flushes everything. Use 'record <name>' to evict
one entry, or 'stats' to see hit/miss rates without flushing.
clear interface countersDaemonZero the Rx/Tx counters for every managed interface.
Usage: clear interface counters.
clear interface name countersDaemonZero the Rx/Tx counters for one interface.
Usage: clear interface name <name> counters.
clear isis adjacencyDaemonTear down every IS-IS adjacency so neighbors re-form.
Usage: clear isis adjacency. Adjacencies re-learn from the next Hello;
the circuit is not closed and the configuration is unchanged.
clear isis countersDaemonReset IS-IS observational counters and the SPF log.
Usage: clear isis counters. Monotonic Prometheus series are not reset;
the SPF-run history is cleared.
clear l2tp session teardownDaemonDisconnect one subscriber session.
Sends a CDN to gracefully close the session. Pass the local
session ID.
clear l2tp session teardown-allDaemonDisconnect every L2TP session on this box.
Sends CDN for all sessions across all tunnels. Tunnels themselves
stay up. Use with care.
clear l2tp tunnel teardownDaemonGracefully tear down one L2TP tunnel.
Sends a StopCCN to the peer. All sessions on this tunnel will be
disconnected. Pass the local tunnel ID.
clear l2tp tunnel teardown-allDaemonTear down every L2TP tunnel on this box.
Sends StopCCN for all tunnels. Every subscriber session will be
disconnected. Use with care during maintenance.
clear ospf countersDaemonReset the OSPF SPF-run history.
Usage: clear ospf counters. Monotonic Prometheus series are not reset;
the SPF-run log is cleared.
clear ospf neighborDaemonTear down every OSPF adjacency so neighbors re-form.
Usage: clear ospf neighbor. Adjacencies re-learn from the next Hello.
clear ospf processDaemonFull OSPF reset: tear down every adjacency and re-run SPF.
Usage: clear ospf process. Adjacencies re-form from the next Hello;
the configuration is unchanged.
clear vpn ipsec saDaemonTear down IKE Security Associations.
Without arguments, terminates all SAs. Use 'peer <name>' to clear
just one peer. The tunnel will renegotiate automatically if the
config is still active.
config 1
CommandModeDescription
config archiveDaemonSave a snapshot of the current running configuration.
Captures the config into the store for later rollback or comparison.
Optional name labels the snapshot; defaults to a timestamp.
create 9
CommandModeDescription
create interface addressDaemonAdd an IP address to an interface.
Usage: create interface <name> address <prefix>. Interface must already exist.
create interface bridgeDaemonCreate a Linux bridge for L2 forwarding.
Usage: create interface bridge <name>.
create interface bridge addressDaemonCreate a bridge (if needed) and add an IP address.
Usage: create interface bridge <name> address <prefix>.
create interface bridge unitDaemonCreate a bridge (if needed) and add a VLAN sub-interface.
Usage: create interface bridge <name> unit <vid>.
create interface dummyDaemonCreate a dummy (loopback-style) interface.
Usage: create interface dummy <name>.
create interface dummy addressDaemonCreate a dummy interface (if needed) and add an IP address.
Usage: create interface dummy <name> address <prefix>.
create interface dummy unitDaemonCreate a dummy interface (if needed) and add a VLAN sub-interface.
Usage: create interface dummy <name> unit <vid>.
create interface unitDaemonAdd a VLAN sub-interface (802.1Q tagged).
Usage: create interface <parent> unit <vid>. Parent must already exist.
create interface vethDaemonCreate a veth pair (two linked virtual Ethernet interfaces).
Usage: create interface veth <name> <peer>.
debug 4
CommandModeDescription
debug ip ospf inject opaqueDaemonInject a crafted IPv4 opaque LSA into the local LSDB (RFC 5250).
Usage: debug ip ospf inject opaque scope <link|area|as> id <opaque-id>
[type <128-255>] [hex <body> | tlv <type> <value-hex> ...] [withdraw].
The default Opaque Type is Private-Use so a test LSA never collides with a
standards-track consumer. Requires `debug ospf inject enable`.
debug ipv6 ospf inject lsaDaemonInject a crafted OSPFv3 LSA into the local LSDB (RFC 5340).
Usage: debug ipv6 ospf inject lsa scope <link|area|as> type <ls-type>
id <link-state-id> [hex <body>] [withdraw]. The flooding scope is derived from
the LS Type S2/S1 bits (a reserved scope is rejected). Requires
`debug ospf inject enable`.
debug ospf inject disableDaemonDisable OSPF debug LSA injection. Usage: debug ospf inject disable.
debug ospf inject enableDaemonEnable OSPF debug LSA injection (shared across both address
families). Off by default. Usage: debug ospf inject enable.
delete 6
CommandModeDescription
delete bgp peerDaemonRemove a peer from the running config.
Tears down the TCP session and deletes the peer from the running
configuration. Does not modify the config file on disk.
delete debug moduleOfflineDisable debug for a subsystem, or remove one of its flags/scopes.
delete debug profile nameOfflineDelete a named debug profile.
delete interfaceDaemonDelete an interface from the kernel.
Usage: delete interface <name>.
delete interface addressDaemonRemove an IP address from an interface.
Usage: delete interface <name> address <prefix>.
delete interface unitDaemonRemove a VLAN sub-interface.
Usage: delete interface <name> unit.
doctor 1
CommandModeDescription
doctorOfflineVerify kernel features, file descriptor limits, sockets, and required dependencies. Run this before first start or after platform changes.
explain 1
CommandModeDescription
explainOfflinePrint the meaning, likely cause, and recommended fix for a Ze diagnostic code. Pass the code you saw in a log or error message.
fakel2tp 2
CommandModeDescription
fakel2tp emitDaemonEmit one synthetic L2TP route-change batch
fakel2tp helpDaemonPrint the fakel2tp command surface
fakeredist 3
CommandModeDescription
fakeredist emitDaemonEmit one synthetic route-change batch
fakeredist emit-burstDaemonEmit N synthetic batches sequentially
fakeredist helpDaemonPrint the fakeredist command surface
generate 1
CommandModeDescription
generate wireguard keypairOfflineGenerate a WireGuard keypair. Prints private and public keys to stdout for use in your config.
help 3
CommandModeDescription
helpRead-onlyShow available commands at this level.
Lists every registered command verb with a brief description.
help aiOfflineAI reference generated from the binary. Sections: cli, api, mcp, dispatch, all (add --json).
help commandOfflineList every command with its description. Use a filter to narrow the list.
metrics 1
CommandModeDescription
metrics poolDaemonShow attribute pool memory usage and dedup efficiency.
Returns allocated entries, reference counts, and deduplication hit
rates per attribute type. Watch the dedup rate to gauge how much
memory pooling is saving you.
monitor 8
CommandModeDescription
monitor bgpRead-onlyLive BGP peer dashboard that refreshes automatically.
Shows all peers with state, uptime, and prefix counts. State changes
highlight as they happen. Ctrl-C to stop.
monitor eventRead-onlyStream live events as they happen.
Shows a real-time feed of internal events. Filter with
include <pattern> or exclude <pattern> to focus on what matters.
Patterns match event type names.
monitor interface rateRead-onlyStream per-second traffic rates for your interfaces.
Shows rx/tx bytes and packets per second, updating every second.
Optionally pass an interface name to watch just one link.
monitor pingRead-onlyContinuous ping with live loss and RTT statistics.
Pings <target> until you stop it. Adjust interval and timeout as
needed. Shows running min/avg/max RTT and packet loss.
monitor tracerouteRead-onlyLive mtr-style traceroute that updates continuously.
Shows each hop with running RTT statistics. Keeps probing so you
can watch path changes and latency shifts over time.
monitor traffic-statRead-onlyStart streaming traffic monitor (per-second snapshots).
Without arguments, shows all interfaces. With 'name <interface>', filters to one interface.
monitor vpn ipsecRead-onlyWatch IPsec SA events as they happen.
Streams sa-up, sa-down, child-up, child-down, and child-rekey
events. Useful for debugging tunnel flaps or rekey issues.
peer 2
CommandModeDescription
peer rawDaemonSend raw bytes into a peer's TCP stream (dangerous).
Injects arbitrary bytes with no BGP framing or validation. Intended
for conformance testing and fuzzing only. Will likely break the
session if used carelessly.
peer updateDaemonSend a pre-built BGP UPDATE to a peer.
Payload can be text (human-readable route syntax), hex, or base64.
Use 'show bgp encode' to build the payload, then send it here.
plugin 10
CommandModeDescription
plugin ackRead-onlyChoose sync or async event delivery.
sync: Ze waits for your plugin to acknowledge each event before
sending the next one. Safer but slower. async: events fire without
waiting, giving higher throughput at the cost of backpressure control.
plugin command completeRead-onlyComplete command/args
plugin command helpRead-onlyShow command details
plugin command listRead-onlyList plugin commands
plugin encodingRead-onlyChoose json or text encoding for plugin events.
Controls how events are serialized in this session. JSON is
structured and parseable; text is more compact.
plugin formatRead-onlyChoose how BGP message bytes appear in events.
hex and base64 are compact wire representations. parsed decodes
attributes into structured fields. full includes both wire bytes
and parsed content.
plugin helpRead-onlyList plugin subcommands
plugin session byeRead-onlyDisconnect
plugin session pingRead-onlyHealth check (returns PID)
plugin session readyRead-onlySignal plugin init complete
request cache 4
CommandModeDescription
request cache expireDaemonRemove a cached message immediately.
Usage: request cache expire <id>.
request cache forwardDaemonForward a cached UPDATE to peers matching a selector.
Usage: request cache forward <id> <selector>.
request cache releaseDaemonAck without forwarding (cache consumer) or undo retain (API).
Usage: request cache release <id>.
request cache retainDaemonPrevent eviction of a cached message.
Usage: request cache retain <id>.
request interface 5
CommandModeDescription
request interface downDaemonShut down an interface.
Usage: request interface <name> down.
request interface macDaemonSet the MAC address on an interface.
Usage: request interface <name> mac <aa:bb:cc:dd:ee:ff>.
request interface migrateDaemonMove IP addresses between interfaces with minimal downtime.
Takes a source interface, a target interface, and the address to move.
Adds addresses to the target before removing them from the source
(make-before-break).
request interface mtuDaemonSet the MTU on an interface.
Usage: request interface <name> mtu <bytes>. Range: 68 to 65535.
request interface upDaemonBring an interface up.
Usage: request interface <name> up.
request peer 9
CommandModeDescription
request peer borrDaemonStart an Enhanced Route Refresh cycle (RFC 7313).
Tells the peer to mark existing routes as stale. After re-sending,
send EORR to purge anything not refreshed.
request peer clear softDaemonSoft-clear a peer without dropping the session.
Sends ROUTE-REFRESH for every negotiated AFI/SAFI, causing the peer
to re-send all routes. No session bounce, no traffic impact.
request peer eorrDaemonFinish an Enhanced Route Refresh cycle (RFC 7313).
The peer purges any routes not re-advertised since the matching
BORR. Only send this after the peer has finished re-advertising.
request peer flushDaemonWait until all queued updates for a peer are sent.
Usage: request peer <selector> flush.
request peer pauseDaemonPause reading from a peer's TCP socket.
Usage: request peer <selector> pause.
request peer plugin session readyDaemonSignal that per-peer plugin setup is complete.
Usage: request peer <selector> plugin session ready.
request peer refreshDaemonAsk a peer to re-send all routes (RFC 2918).
Sends a ROUTE-REFRESH message for the specified AFI/SAFI. The
peer will re-advertise its entire Adj-RIB-Out.
request peer resumeDaemonResume reading from a previously paused peer.
Usage: request peer <selector> resume.
request peer teardownDaemonTear down a peer session.
Usage: request peer <selector> teardown [cease-subcode].
request (other) 12
CommandModeDescription
request as112 healthcheckDaemonOne-shot authoritative query against an anycast service
address (or the given target), exit 0 iff the expected
AS112 answer comes back. Finding M4: the tool a
healthcheck probe calls, since dig is not on the gokrazy
appliance and 'ze resolve dns' cannot target a specific
server. Usage: request as112 healthcheck [target <ip>].
request bgp rib injectDaemonInject a synthetic route into the Adj-RIB-In.
Behaves as if the route was received from a peer. Use this for
testing policy filters or simulating route announcements.
request bgp rib withdrawDaemonWithdraw a route from the Adj-RIB-In.
Removes a previously injected or received route from a peer's
Adj-RIB-In, triggering best-path recomputation.
request commitDaemonGroup route changes into named atomic commits.
Actions: start (begin a commit), end (finalize), eor (signal end of
RIB), rollback (undo), show (inspect), withdraw (remove all routes
in a commit), list (show all commits). Grammar: request commit <action>
<name> [args].
request haltDaemonDump goroutine stacks to stderr and terminate immediately.
request log levelDaemonChange a subsystem's log level without restarting.
Usage: request log level <logger> <level>. Takes effect immediately.
Set to debug when troubleshooting, then back to info when you are done.
request ospf graceful-restartDaemonTrigger a planned OSPFv2 graceful restart (RFC 3623 section 2.1).
Usage: request ospf graceful-restart. The engine originates one Grace-LSA per
interface, persists the non-volatile restart fact, and suppresses route churn
so the FIB is retained across the ensuing control-plane restart. Refused when
graceful-restart is not configured.
request rebootDaemonGracefully shutdown then reboot the system.
request reloadDaemonReload the configuration without restarting.
request shutdownDaemonGracefully shutdown: drain connections, close peers, exit.
request subscribeDaemonStart receiving events of one or more types.
Events are delivered asynchronously to your plugin session until
you unsubscribe. Use 'show event list' to see available event types.
request unsubscribeDaemonStop receiving events you previously subscribed to.
Removes the subscription for the specified event type from your
current plugin session.
resolve 11
CommandModeDescription
resolve cymru asn-nameRead-onlyFind out who owns an AS number.
Queries Team Cymru DNS to return the organization name for the ASN.
Usage: resolve cymru asn-name <asn>.
resolve dns aRead-onlyLook up IPv4 addresses (A records) for a hostname.
Usage: resolve dns a <hostname>.
resolve dns aaaaRead-onlyLook up IPv6 addresses (AAAA records) for a hostname.
Usage: resolve dns aaaa <hostname>.
resolve dns ptrRead-onlyReverse-lookup an IP address to its hostname (PTR).
Usage: resolve dns ptr <ip-address>.
resolve dns txtRead-onlyLook up TXT records for a hostname.
Usage: resolve dns txt <hostname>. Returns all TXT strings.
resolve irr expandRead-onlyExpand an AS-SET into its member AS numbers.
Recursively resolves nested AS-SET objects via WHOIS into a flat
list. Useful for building prefix filters from IRR data.
resolve irr prefixRead-onlyGet all prefixes announced by an AS-SET's members.
Expands the AS-SET, then returns every route/route6 object for
each member ASN. Use this to build or verify prefix filters.
resolve peeringdb as-setRead-onlyFind the IRR AS-SET registered for an ASN in PeeringDB.
Usage: resolve peeringdb as-set <asn>. Feed the result into
'resolve irr expand' to get the full member list.
resolve peeringdb max-prefixRead-onlyGet max-prefix limits for an ASN from PeeringDB.
Returns IPv4 and IPv6 prefix limits. Apply via the config editor. Usage: resolve peeringdb max-prefix <asn>.
resolve pingRead-onlyPing from the router with optional source binding.
Usage: resolve ping <target> [source <ip>] [count <n>] [size <bytes>].
resolve tracerouteRead-onlyTraceroute from the router with optional source binding.
Usage: resolve traceroute <target> [source <ip>] [max-hops N] [timeout D] [probes N].
set 5
CommandModeDescription
set debug active nameOfflineLoad a named debug profile and apply it to the running daemon.
set debug moduleOfflineEnable debug for a subsystem; optionally set level/flag/scope. E.g. 'set debug module bgp.reactor level debug'.
set debug profile nameOfflineSave the current debug state as a named profile.
set debug timeoutOfflineSet the debug auto-disable timer (e.g. 30m, 1h, 90s; 0 disables).
set system file-descriptorsDaemonRaise the file descriptor limit for the daemon process.
Pass a number or 'max' to go to the hard limit. Takes effect
immediately. Check current limits with 'show system file-descriptors'.
show bfd 4
CommandModeDescription
show bfd profileRead-onlyShow BFD timer profiles with effective values.
Returns min-tx, min-rx, and detect-multiplier after inheritance.
Use 'show bfd profile' for every profile or 'show bfd profile name <name>'
for one profile.
show bfd profile nameRead-onlyShow one BFD profile by name.
show bfd session addressRead-onlyShow full detail for one BFD session.
Pass the peer address. Returns local/remote discriminators,
negotiated timers, detection time, and packet counters.
show bfd sessionsRead-onlyList all active BFD sessions.
One line per session: peer address, state, negotiated tx/rx
intervals, and detect multiplier.
show bgp 17
CommandModeDescription
show bgp decodeRead-onlyDecode a hex-encoded BGP message into readable JSON.
Paste a hex BGP UPDATE and get back parsed attributes, NLRI, and
withdrawn prefixes. Handy for reading pcap captures or debugging
wire issues. Also available in the web UI under tools.
show bgp encodeRead-onlyTurn a route announcement into wire-format hex.
Takes a route in API syntax and returns the BGP UPDATE as a hex
string. Useful for building test payloads, feeding to ze-test, or
verifying that your announcement encodes correctly.
show bgp irrRead-onlyShow IRR filter status per ASN.
Lists each enrolled ASN with its resolved AS-SET, prefix counts,
last refresh time, and error status. Use this to confirm that IRR
prefix-lists are loaded and current.
show bgp irr checkRead-onlyCheck if a prefix is accepted by the IRR filter.
Usage: show bgp irr check <peer> <prefix>. Reports whether the
prefix would be accepted or rejected, and which entry matches.
show bgp irr prefixRead-onlyShow IRR-resolved prefixes for a peer.
Usage: show bgp irr prefix <peer>. Lists all IPv4 and IPv6 prefixes
in the IRR-resolved prefix-list for the given peer address.
show bgp peer capabilitiesRead-onlyShow what capabilities were negotiated with a peer.
Usage: show bgp peer <selector> capabilities.
show bgp peer detailRead-onlyShow full detail for one or more peers.
Usage: show bgp peer <selector> detail. The selector can be an IP,
peer name, AS pattern (as65001), glob, or *.
show bgp peer historyRead-onlyShow FSM state transitions for a peer over time.
Usage: show bgp peer <selector> history.
show bgp peer listRead-onlyList your peers, one line each.
Shows name, address, ASN, state, and uptime. Quick overview without
the detail of 'show bgp peer <selector> detail'.
show bgp peer ribRead-onlyShow RIB data scoped to one peer.
Usage: show bgp peer <selector> rib [scope|filters|terminal].
show bgp peer statisticsRead-onlyShow UPDATE throughput for your peers.
Usage: show bgp peer <selector> statistics.
show bgp ribRead-onlyQuery routes in the BGP RIB.
Look at received or advertised routes with flexible filters: peer,
family, prefix, AS path regex, community, match expression. Pipe
operators: | count, | prefix-summary, | graph. This is the main
route inspection command.
show bgp rib bestRead-onlyShow the winning route for each prefix.
Same filters as 'show bgp rib'. Use '| reason' to see why each
path was selected (local-pref, AS path length, MED, etc.).
show bgp rib best statusRead-onlyCheck whether best-path computation is still running.
Reports idle, pending, or running, plus the last run duration.
show bgp rib rpfRead-onlyReverse-path forwarding lookup in the Loc-RIB.
Performs a longest-prefix-match and returns the best-path entry.
Use this to verify RPF checks would pass for a given source.
show bgp rib statusRead-onlyGet a quick RIB overview without dumping routes.
Shows total peers, received/accepted/advertised route counts, and
per-family breakdowns. Use this to confirm convergence after a
peer comes up.
show bgp summaryRead-onlyShow a one-line-per-peer BGP summary.
Lists every peer with state, ASN, prefixes received, and uptime.
Optionally scope by address family: ipv4, ipv6, or l2vpn.
show bmp 4
CommandModeDescription
show bmp collectorsRead-onlyShow BMP collector connection status.
Lists configured collectors with connection state, sent message
counts, and error statistics. Check here if your collector is
not receiving data.
show bmp peersRead-onlyShow BGP peers as seen through BMP monitoring.
Lists peers reported via BMP with their state and route statistics.
show bmp ribRead-onlyShow routes received via BMP monitoring sessions.
Returns the BMP RIB content. Use this to verify what your
collector is seeing from remote peers.
show bmp sessionsRead-onlyShow active BMP receiver sessions.
Lists each session with connection state and message counters.
Check here to confirm your BMP collector is receiving data.
show config 7
CommandModeDescription
show config catRead-onlyPrint the full text of a stored configuration snapshot.
Usage: show config cat <id>. Outputs the config as-is.
show config diffRead-onlyCompare two configuration versions side by side.
Shows what was added, removed, or changed. Commonly used with
rollback revisions to review what changed before you roll back.
show config dumpRead-onlyShow the fully resolved configuration tree.
Parses the config and outputs it after includes, defaults, and group
inheritance have been applied. What you see here is exactly what the
daemon is using.
show config fmtRead-onlyPretty-print the configuration with consistent formatting.
Normalizes indentation and ordering. Output goes to stdout (read-only).
To rewrite the file in place, use 'ze config fmt -w' from the CLI.
show config graphOfflineShow how components and peers depend on each other (DOT graph format).
show config historyRead-onlyList available configuration rollback points.
Shows revisions with timestamps and commit metadata. Pair with
'show config diff' to review changes before rolling back.
show config lsRead-onlyList all configuration files stored in the database.
Shows archived snapshots and the active config.
show ddos 4
CommandModeDescription
show ddos flowspecRead-onlyShow the upstream FlowSpec/RTBH DDoS mitigation status: whether a rule is
currently announced, the target vector it covers, and whether the leak-probe is running.
show ddos incidentsRead-onlyShow the recent DDoS incident ring (newest first): per incident the
target vector (prefix/proto/port), attack family, top source addresses, peak pps/bps,
start/end time, and whether it is still active.
show ddos localRead-onlyShow the on-host DDoS mitigation status: whether an nft drop rule is
currently installed and the target vector (prefix / proto / port) it covers.
show ddos statusRead-onlyShow DDoS observation status: whether the incident store is running, the
number of currently active attacks, and the number of incidents retained in the ring.
show firewall 4
CommandModeDescription
show firewall groupRead-onlyShow members of a firewall address/port group.
Without arguments, lists all known groups. With a name, shows the
set elements. Reads from the last applied config, not the kernel.
show firewall irrRead-onlyShow IRR filter status for all cached ASN/AS-SET entries.
Lists each cached entry with prefix counts, last refresh time, and
error status. Use this to confirm that IRR prefix-lists are loaded
and current before committing firewall config.
show firewall irr prefixRead-onlyShow IRR-resolved prefixes for a cached entry.
Usage: show firewall irr prefix <asn-or-as-set>. Lists all IPv4 and
IPv6 prefixes in the cached prefix-list for the given ASN or AS-SET.
show firewall rulesetRead-onlyShow the live firewall ruleset with per-term counters.
Usage: show firewall ruleset <name>. Joins applied desired state with
kernel counters from the nft backend.
show host 9
CommandModeDescription
show host allRead-onlyShow the full hardware inventory in one shot.
Returns every section (cpu, nic, dmi, memory, thermal, storage,
kernel, platform) as a single JSON response. Ideal for support
bundles or automated inventory collection.
show host cpuRead-onlyShow what CPUs are in this box.
Returns vendor, model, core/thread topology, hybrid layout, scaling
driver, current/min/max frequencies, and throttle counts.
show host dmiRead-onlyShow the box's identity from SMBIOS/DMI.
Returns system vendor, board name, BIOS version, and chassis type.
Useful for inventory or confirming which hardware model you are on.
show host kernelRead-onlyShow the running kernel version and boot parameters.
Returns kernel release, command line, CPU microcode revision, boot
time, and security-relevant CPU flags (spectre mitigations, etc.).
show host memoryRead-onlyShow installed memory and ECC health.
Returns DIMM sizes and, when the edac driver is present, correctable
and uncorrectable error counters. Non-zero ECC counts mean you should
plan a DIMM replacement.
show host nicRead-onlyShow physical NICs installed in this box.
Returns driver, PCI vendor/device IDs, link speed, queue counts, and
firmware version. Virtual interfaces are excluded. Use this to confirm
NIC firmware before an upgrade.
show host platformRead-onlyShow platform capabilities and constraints.
Reports read-only root, privilege level, systemd presence, gokrazy
update socket, reboot-allowed flag, persistent-storage writability,
and fd limits. Helps you understand what operations are possible
on this particular deployment.
show host storageRead-onlyShow storage devices attached to this box.
Returns size, model, transport type (nvme, sata, mmc, virtio),
rotational flag, and NVMe firmware version where applicable.
show host thermalRead-onlyShow temperature sensors and thermal throttle events.
Returns hwmon sensor readings and per-CPU throttle counters. Non-zero
throttle counts mean the box has been running hot enough to slow down.
show interface 8
CommandModeDescription
show interfaceRead-onlyShow network interfaces on this box.
Without arguments, returns all interfaces with full detail.
Subcommands: brief, type <t>, errors, rate [<name>], name <name> detail,
name <name> counters.
show interface briefRead-onlyOne-line summary per interface: name, state, IP, and MTU.
Quick way to see what is up and what addresses are assigned.
show interface errorsRead-onlyShow interfaces that have errors or drops.
Filters to only interfaces with non-zero Rx/Tx error or drop
counters. Quick way to find troubled links.
show interface name countersRead-onlyShow counters for one interface.
Usage: show interface name <name> counters.
show interface name detailRead-onlyShow full detail for one interface.
Usage: show interface name <name> detail.
show interface rateRead-onlyShow per-second traffic rates on your interfaces.
Returns rx/tx bytes and packets per second. Pass an interface name
to narrow the output. Requires the rate tracker. For continuous
monitoring, use 'monitor interface rate' instead.
show interface scanRead-onlyDiscover and classify all OS interfaces.
Returns name, Ze type (ethernet, bridge, vxlan, etc.), and MAC for
each interface found. Pipe to table, yaml, or json for different
views. Useful during initial setup to see what the box has.
show interface typeRead-onlyShow only interfaces of a given type.
Usage: show interface type <type>. Types include ethernet, bridge,
vxlan, wireguard, tunnel, bond, and more. If you pick an invalid
type, the error lists all valid ones.
show isis 8
CommandModeDescription
show isis databaseRead-onlyShow the IS-IS link-state database.
Lists each LSP with its LSP ID, sequence number, remaining lifetime,
checksum, and overload bit, across Level-1 and Level-2.
show isis database detailRead-onlyShow the IS-IS link-state database with TLV detail.
Expands each LSP into its decoded TLVs (type, length, value) so you
can read exactly what each node advertises.
show isis hostnameRead-onlyShow the IS-IS dynamic-hostname mapping (RFC 5301).
Maps each System ID to the hostname it advertises in TLV 137.
show isis interfaceRead-onlyShow IS-IS-enabled circuits.
Returns level, circuit type, metric, hello interval, hold multiplier,
passive flag, DIS state, and the count of Up adjacencies per circuit.
show isis neighborRead-onlyShow IS-IS adjacencies.
Returns the neighbor System ID, interface, level, adjacency state,
and hold time for each IS-IS neighbor.
show isis routeRead-onlyShow IS-IS-computed routes.
Lists each prefix the SPF installed with its metric, level, up/down
bit, and next-hops (address and outgoing interface).
show isis route ipv6Read-onlyShow IS-IS-computed IPv6 routes (RFC 5308).
Lists each IPv6 prefix the SPF installed with its metric, level,
and next-hops (link-local address and outgoing interface).
show isis spf-logRead-onlyShow recent IS-IS SPF runs.
Returns the most recent SPF runs with their timestamp, level, trigger,
duration, and node count.
show l2tp 15
CommandModeDescription
show l2tpRead-onlyL2TP tunnel, session, and subscriber state.
Without a subcommand, shows a summary of tunnels and sessions.
show l2tp configRead-onlyShow the resolved L2TP configuration.
Returns the effective config after defaults and overrides. Confirms
what the daemon is actually using.
show l2tp cqmRead-onlyShow subscriber line quality (CQM latency buckets).
Pass a login name for one subscriber or 'summary' for an overview.
Helps diagnose poor subscriber experience.
show l2tp echoRead-onlyShow LCP echo health for a subscriber session.
Returns echo request/reply counters and round-trip times. Rising
loss or high RTT indicates a degraded line.
show l2tp listenersRead-onlyShow which UDP sockets are listening for L2TP.
Lists each bound address, port, and the number of tunnels on it.
show l2tp observerRead-onlyShow recent events for a session (debug aid).
Returns the event ring buffer for one session ID or 'all'. Useful
for understanding why a session failed to establish.
show l2tp reliableRead-onlyShow the reliable transport window for a tunnel.
Returns send/receive sequence numbers, window size, and retransmit
queue depth. Check here when tunnel control messages seem stuck.
show l2tp session idRead-onlyShow full detail for one L2TP session.
Pass the local session ID. Returns PPP state, assigned addresses,
negotiated LCP/NCP options, and traffic counters.
show l2tp session-historyRead-onlyShow state transitions for a session over time.
Timestamped FSM entries for session establishment. Use this when a
subscriber's session fails to come up.
show l2tp session-trafficRead-onlyShow traffic counters for a subscriber's PPP interface.
Returns byte and packet counts, error counters, and current rates.
Compare with CQM data to get the full picture of subscriber health.
show l2tp sessionsRead-onlyList all active L2TP sessions.
One line per session: local/remote ID, parent tunnel, subscriber
login, and uptime.
show l2tp statisticsRead-onlyShow aggregate L2TP protocol counters.
Tunnels and sessions established, control messages sent/received,
retransmits, and errors. Your first stop for L2TP health.
show l2tp tunnel idRead-onlyShow full detail for one L2TP tunnel.
Pass the local tunnel ID. Returns control channel state, peer
endpoint, hello interval, and all assigned sessions.
show l2tp tunnel-historyRead-onlyShow state transitions for a tunnel over time.
Timestamped FSM entries showing how the tunnel reached its current
state. Use this to diagnose tunnel establishment failures.
show l2tp tunnelsRead-onlyList all active L2TP tunnels.
One line per tunnel: local/remote ID, peer address, session count,
and uptime.
show ospf 49
CommandModeDescription
show ospfRead-onlyOSPFv2 process summary: router-id, areas, ABR/ASBR status, and stub-router (max-metric) state (RFC 2328).
show ospf border-routersRead-onlyShow routes to OSPF area-border and AS-boundary routers.
Lists each reachable ABR/ASBR with its router-id, cost, next-hops, and
area.
show ospf databaseRead-onlyShow the OSPF link-state database.
Lists each LSA with its LS Type, Link State ID, Advertising Router,
sequence number, age, and checksum.
show ospf database asbr-summaryRead-onlyShow only ASBR-Summary-LSAs (Type 4).
show ospf database externalRead-onlyShow only AS-external-LSAs (Type 5).
show ospf database networkRead-onlyShow only Network-LSAs (Type 2).
show ospf database nssa-externalRead-onlyShow only NSSA-external-LSAs (Type 7, RFC 3101).
show ospf database opaque-areaRead-onlyShow only area-scope opaque-LSAs (Type 10, RFC 5250).
show ospf database opaque-area detailRead-onlyDecode each area-scope opaque LSA body into its typed TLVs (TE / Router-Information / Extended / Segment-Routing) or a generic type/length/hex view (spec-ospf-ext-14, RFC 5250).
show ospf database opaque-asRead-onlyShow only AS-scope opaque-LSAs (Type 11, RFC 5250).
show ospf database opaque-as detailRead-onlyDecode each AS-scope opaque LSA body into its typed TLVs (TE / Router-Information / Extended / Segment-Routing) or a generic type/length/hex view (spec-ospf-ext-14, RFC 5250).
show ospf database routerRead-onlyShow only Router-LSAs (Type 1).
show ospf database router-informationRead-onlyShow the Router Information LSAs (RFC 7770) for both address
families -- OSPFv2 opaque type 4 and OSPFv3 function code 12 -- decoded into the
advertised informational capability bits and the TLV list.
show ospf database summaryRead-onlyShow only Summary-LSAs (Type 3, inter-area network).
show ospf graceful-restartRead-onlyShow OSPFv2 (IPv4) Graceful Restart state (RFC 3623): the restarter
state (in-restart or not, grace end, reason) and the per-neighbor helper
sessions (which neighbors are being helped and their remaining grace).
show ospf instanceRead-onlyShow the configured OSPFv2 instances (RFC 6549 Multi-Instance).
Lists each Instance ID with its router-id and the size of its isolated
area, interface, neighbor, and link-state database state.
show ospf interfaceRead-onlyShow OSPF-enabled interfaces.
Returns area, network-type, cost, ISM state, DR/BDR, hello/dead
intervals, priority, and passive flag per interface.
show ospf interface detailRead-onlyShow full per-interface state (spec-ospf-ext-14): ISM, DR/BDR election detail, all three timers, and the opaque-capable neighbour count.
show ospf ipv6Read-onlyShow the OSPFv3 (IPv6) address-family instances (RFC 5838).
Lists each configured address family (ipv6-unicast, ipv6-multicast,
ipv4-unicast, ipv4-multicast) with its Instance ID, router-id, and
neighbor/interface counts, so multiple AF instances on a link are
distinguishable.
show ospf ipv6 databaseRead-onlyShow the OSPFv3 (IPv6) link-state database with each native scope-aware LSA decoded (RFC 5340). Base types decode into named fields; unknown function codes fall back to a scope-aware header + body-hex view (spec-ospf-ext-14).
show ospf ipv6 database detailRead-onlyDecode every OSPFv3 LSA body with its scope-aware header (RFC 5340 section A.4.2.1).
show ospf ipv6 database extendedRead-onlyShow the RFC 8362 extended OSPFv3 LSAs (E-Router / E-Network / E-Inter-Area / E-AS-External / E-Link / E-Intra-Area-Prefix) decoded into named TLVs.
show ospf ipv6 database router detailRead-onlyDecode each OSPFv3 Router-LSA body.
show ospf ipv6 database router-informationRead-onlyShow the OSPFv3 Router Information LSAs (RFC 7770, function code 12) decoded into capability bits and TLVs.
show ospf ipv6 database scope areaRead-onlyShow only area-scope (S2/S1 = 01) LSAs.
show ospf ipv6 database scope asRead-onlyShow only AS-scope (S2/S1 = 10) LSAs.
show ospf ipv6 database segment-routingRead-onlySummarise the OSPFv3 Segment Routing content (RFC 8666) carried in the RI and extended LSAs.
show ospf ipv6 graceful-restartRead-onlyShow OSPFv3 (IPv6) Graceful Restart state (RFC 5187): the restarter
state (in-restart or not, grace end, reason) and the per-neighbor helper
sessions (which neighbors are being helped and their remaining grace).
show ospf ipv6 instanceRead-onlyEnumerate the active OSPFv3 address-family instances (RFC 5838 section 2): each with its address family, Instance ID, area count, and neighbor count.
show ospf ipv6 interfaceRead-onlyShow OSPFv3 (IPv6-family) interfaces and their RFC 4552 IPsec status.
Returns per interface whether IPsec is configured, the protocol (ah/esp) and
SPI, and whether the kernel SA is installed. The key is never shown.
show ospf ipv6 interface detailRead-onlyShow full per-interface OSPFv3 state (spec-ospf-ext-14): ISM, DR/BDR by Router ID, timers, the local Interface ID and Instance ID.
show ospf ipv6 neighborRead-onlyShow OSPFv3 (IPv6) neighbors: the link-local address as identity, adjacency state, DR/BDR by Router ID, and dead time.
show ospf ipv6 neighbor detailRead-onlyShow full per-neighbor OSPFv3 state (spec-ospf-ext-14): the advertised Interface ID, DD sequence, decoded Options (R/V6/E/N/AF), list sizes, last NSM event, and timers.
show ospf ipv6 segment-routingRead-onlyShow OSPFv3 (IPv6) Segment Routing state (RFC 8666): the configured
SRGB/SRLB label ranges, the advertised SR-Algorithm, this node's node
Prefix-SIDs, and the Adjacency-SIDs allocated per adjacency.
show ospf ipv6 spfRead-onlyShow the OSPFv3 (IPv6) per-area SPF run history.
show ospf ipv6 spf detailRead-onlyExplain why each OSPFv3 route won (spec-ospf-ext-14), AF/Instance-ID tagged; read-only.
show ospf ldp-syncRead-onlyShow OSPF LDP-IGP synchronization state (RFC 5443, RFC 6138).
Lists each ldp-sync interface with its state (not-synchronized /
hold-down / synchronized), remaining hold-down, effective metric, and
whether it is stuck not-synchronized after having been synchronized.
show ospf neighborRead-onlyShow OSPF neighbors.
Returns each neighbor's router-id, interface, adjacency state, DR/BDR,
priority, dead time, and address.
show ospf neighbor detailRead-onlyShow full per-neighbor state (spec-ospf-ext-14): DD sequence, decoded Options (incl. the RFC 5250 O-bit), request/summary list sizes, last NSM event, and timers.
show ospf routeRead-onlyShow OSPF-computed routes.
Lists each prefix with its path type (intra/inter/external-1/2), cost,
next-hops, and area.
show ospf route fast-rerouteRead-onlyShow OSPF fast-reroute (LFA / TI-LFA) backups (RFC 5286).
Lists each prefix's primary next-hops with their pre-computed loop-free
backup, protection class (node/link/downstream), and TI-LFA repair label
stack. Unprotected primaries are shown as unprotected.
show ospf segment-routingRead-onlyShow OSPFv2 (IPv4) Segment Routing state (RFC 8665): the configured
SRGB/SRLB label ranges, the advertised SR-Algorithm, this node's node
Prefix-SIDs, and the Adjacency-SIDs allocated per adjacency.
show ospf spfRead-onlyShow recent OSPF SPF runs.
Returns the most recent per-area SPF runs with their timestamp,
duration, node count, and pending state.
show ospf spf detailRead-onlyExplain why each route won (spec-ospf-ext-14): the candidate paths considered per prefix, the winning cost, and the RFC 2328 section 16.4 path-preference tie-break. Read-only; the route table and SPF run count are unchanged.
show ospf te-databaseRead-onlyShow the OSPF Traffic Engineering Database (RFC 3630 / RFC 5392):
router addresses plus TE links with their Link ID, local/remote address, link
type, TE metric, bandwidths, admin group, and (for inter-AS links) remote AS and
remote ASBR.
show pppoe 5
CommandModeDescription
show pppoeRead-onlyPPPoE session and protocol state.
Without a subcommand, shows a summary of active sessions.
show pppoe interfacesRead-onlyShow which interfaces are accepting PPPoE sessions.
Lists each PPPoE-enabled interface with its service name, session
limit, and how many sessions are currently active.
show pppoe session idRead-onlyShow full detail for one PPPoE session.
Pass the session ID. Returns discovery tags, LCP/NCP state,
assigned addresses, and traffic counters.
show pppoe sessionsRead-onlyList all active PPPoE sessions.
One line per session: session ID, MAC, subscriber login, uptime,
and assigned addresses.
show pppoe statisticsRead-onlyShow PPPoE protocol message counters.
Returns PADI, PADO, PADR, PADS, PADT counts, active sessions, and
errors. A rising PADI count with flat PADS means sessions are not
completing.
show rsvp-te 4
CommandModeDescription
show rsvp-te fast-rerouteRead-onlyShow RSVP-TE Fast Reroute (RFC 4090) protection state.
Returns each configured facility-backup bypass LSP and each protected
LSP with its armed bypass, mode, and whether local protection is
available and in use.
show rsvp-te interfaceRead-onlyShow RSVP-TE bandwidth allocation per interface.
Returns reserved, available, and maximum bandwidth for each
TE-enabled interface.
show rsvp-te lspRead-onlyShow RSVP-TE label-switched paths.
Returns state, role (ingress/transit/egress), reserved bandwidth,
and in/out labels for each LSP.
show rsvp-te tunnelRead-onlyShow configured RSVP-TE tunnels and their current state.
Returns tunnel name, endpoints, signaling state, and active LSP.
show schema 5
CommandModeDescription
show schema eventsRead-onlyList all notification types defined in YANG API modules.
Shows which events a plugin can subscribe to.
show schema handlersRead-onlyShow which handler serves each YANG module.
Maps module names to their implementing Go handler.
show schema listRead-onlyList all YANG schemas loaded by the daemon.
Shows module name, namespace, and revision for each schema.
show schema methodsRead-onlyList all RPC methods defined in YANG API modules.
Useful for plugin developers to discover available operations.
show schema protocolRead-onlyShow the wire protocol version and format details.
Useful for checking compatibility between Ze versions.
show system 16
CommandModeDescription
show system conntrackRead-onlyShow the kernel connection tracking table.
Returns conntrack entry count, table size, timeouts, and loaded
modules. Requires the nft backend. Check this when you suspect
conntrack table exhaustion is dropping traffic.
show system cpuRead-onlyShow CPU utilization context for the daemon.
Returns goroutine count, logical CPU count, and GOMAXPROCS setting.
Useful when the box feels sluggish and you want to see if Ze is
hogging threads.
show system dateRead-onlyShow the daemon's current wall-clock time and timezone.
Useful for correlating log timestamps when the box is in a
different timezone than you are.
show system file-descriptorsRead-onlyShow how many file descriptors the daemon has open.
Summary mode: totals by type (socket, pipe, file). Detail mode: every
fd with its path and type. Linux only (reads /proc/self/fd). Check
this when you suspect fd exhaustion.
show system goroutinesRead-onlyDump goroutine stacks for debugging hangs or deadlocks.
Modes: summary (groups by state), blocked (only lock/channel waiters),
full (all stacks). Default: summary. Share the output with support
when the daemon stops responding.
show system kernel-logRead-onlyShow kernel log messages (dmesg-style).
Reads from /dev/kmsg. Filter by syslog level (emerg through debug)
and limit with count. Without count, you get everything available.
Linux only. Useful for spotting NIC errors or OOM events.
show system memoryRead-onlyShow how much memory the daemon is using.
Returns allocated bytes, heap in-use, total allocations, GC cycles,
and last GC pause duration. Compare over time to spot leaks.
show system memory-mapRead-onlyShow the process memory footprint from the kernel's view.
Returns VmRSS, VmSize, VmSwap, and thread count from /proc/self/status.
Complements 'show system memory' (Go runtime) with the OS-level picture.
show system ntpRead-onlyNTP clock synchronization status
show system ntp peersRead-onlyShow NTP peers with offset, RTT, stratum, and reachability.
Tells you whether your clock is synced and how far off each
NTP server thinks you are.
show system platformRead-onlyShow what kind of platform the daemon is running on.
Reports whether this is gokrazy, systemd, container, plain-linux, or
darwin, along with platform-specific capabilities.
show system profileRead-onlyCapture a runtime profile for performance analysis.
Types: cpu (requires duration, e.g. 30s), heap, goroutine, allocs
(instant snapshots). Output is pprof format you can open with
'go tool pprof'. Send the file to support for deep analysis.
show system socketsRead-onlyShow open TCP and UDP sockets on this box.
Filters: [tcp|udp] [state <STATE>] [port <N>], all optional and
combinable. States use kernel names (ESTABLISHED, LISTEN, TIME_WAIT).
Linux only. Good for confirming listeners or spotting stuck connections.
show system subsystem listRead-onlyList every registered subsystem and whether it is running.
Shows you which components (bgp, dns, web, l2tp, etc.) are active,
stopped, or failed.
show system updateRead-onlyCheck if a firmware update is available.
Shows the running version, latest available version, and when the
last check ran. Use 'update system firmware check' to trigger an
immediate re-check.
show system update historyRead-onlyShow recent firmware update activity.
Lists the last 20 update events: checks, downloads, installs,
and rollbacks with timestamps and outcomes.
show vpp 4
CommandModeDescription
show vpp runtimeRead-onlyShow VPP graph node processing statistics.
Returns per-node packet counts, vectors, clocks, and suspends.
Helps you find which node is the bottleneck. Requires the VPP
backend.
show vpp trace clearRead-onlyDiscard the captured VPP trace buffer.
Clears all packets so you can start a fresh trace. Requires the
VPP backend.
show vpp trace showRead-onlyRetrieve packets captured since the last trace start.
Shows per-packet VPP graph node traversal. Requires the VPP backend.
show vpp trace startRead-onlyStart capturing packets in the VPP dataplane.
Default input node is dpdk-input, default count is 100 (max 10000).
After starting, use 'show vpp trace show' to retrieve the captured
packets. Requires the VPP backend.
show (other) 78
CommandModeDescription
show aaa accountingRead-onlyShow AAA accounting counters and any dropped records.
Tells you whether TACACS+ accounting is working or if records are
being lost due to server unreachability.
show announcementsRead-onlyList active on-demand announcements.
Usage: show announcements [tag <key>] [selector <pattern>] [family <fam>]
show anomaly detectRead-onlyShow recent behavioral anomaly incidents (report-only): source entity, cohort,
fired features with their deviation z-scores, combined score, and severity. The detector reports;
the anomaly/shape responder (Spec 2b) acts.
show anomaly shapeRead-onlyShow the shadow-first anomaly responder status: mode (shadow/armed), action,
kill-switch state, and the currently armed source entities with live firewall actions.
show arpRead-onlyShow the IPv4 ARP table (shortcut for 'show neighbor ipv4').
Lists IPv4 ARP entries with MAC address and state. ARP is IPv4-only;
use 'show neighbor' for both families or 'show neighbor ipv6' for the
IPv6 ND table.
show as112Read-onlyAS112 node status: enabled, address-family, hostname/
facility/location, allow-from count, served zone count, and
the current SOA serial.
show auditRead-onlyShow who did what and when on this box.
Returns audit log entries with timestamps, actors, and actions.
Filters (all optional, combinable): action <type>, actor <name>,
surface <name> (cli, web, api), since/until <RFC3339>, count <N>.
Actions include config-commit, login, peer-teardown, and more.
show bgp-healthRead-onlyQuick health check for all your BGP peers.
Lists every peer with address, state, ASN, and uptime. Reports how
many are not Established. Much faster than 'show bgp peer *' when
you just need a status overview.
show cacheRead-onlyList cached BGP UPDATE message IDs with their
retain and consumer state.
show captureRead-onlyShow captured control-plane messages.
Returns protocol messages you previously enabled capture for. Without
a protocol keyword, shows all protocols. Filters: tunnel-id (L2TP),
peer (remote address), count (limit entries). Use this to debug
session establishment issues.
show capture interfaceRead-onlyCapture live packets on an interface (like tcpdump).
Uses AF_PACKET for zero-copy capture. Filter by protocol and port.
Limit with count or duration. Output as pcap (for Wireshark) or text.
Snap-len controls how many bytes per packet are captured.
show capture rawRead-onlyControl raw byte capture for protocol debugging.
Actions: start (begin capturing), stop (halt), dump (retrieve).
Protocols: l2tp, bgp. Output formats: pcap (for Wireshark), json.
Limit with count <N>.
show command completeRead-onlyGet tab-completion candidates for a partial command.
Returns possible completions for the given input. Used internally
by the CLI editor, but also callable for scripting.
show command helpRead-onlyShow usage and arguments for a specific command.
Gives you the full description, expected arguments, and usage
pattern for one command.
show command listRead-onlyList every command the daemon knows about.
Returns dispatch key and description for each. Useful for scripting
or discovering commands not shown in the top-level help.
show crashesRead-onlyView saved crash reports from panics.
Without arguments, lists available crash files. Use 'latest' to see
the newest crash or 'name <filename>' to print one specific report.
Send the output to support when reporting a crash.
show data catRead-onlyPrint the raw content of a blob store entry.
Usage: show data cat <key>. Outputs the value for the given key,
like 'cat' for ZeFS.
show data lsRead-onlyList everything stored in the ZeFS blob store.
Shows all keys and their sizes. Use 'show data cat <key>' to see
the content of a specific entry.
show data registeredRead-onlyList the key patterns registered by all subsystems.
Shows you what types of data ZeFS knows about.
show debugRead-onlyShow live debug state from the running daemon.
Lists every registered subsystem with its current log level and any
active flag or scope filters. Unlike 'debug show' (which reads the
stored profile), this reflects actual runtime state.
show debug profileOfflineShow stored debug profiles (list, 'name <name>' for one, add 'module <prefix>' to filter).
show dns cacheRead-onlyInspect the DNS cache.
'stats' shows hit/miss/eviction counters. 'list' shows all cached
entries. 'record <name>' shows one specific entry. Requires the DNS
component to be active.
show dns lookupRead-onlyLook up a DNS name from the router.
Resolves <hostname> using the daemon's DNS resolver (falls back to
the system resolver if no DNS component is configured). Default type
is A. Returns records, TTL, and query time. Supports A, AAAA, MX,
NS, TXT, CNAME, and PTR.
show doctorRead-onlyCheck if this box is ready to run Ze.
Verifies runtime dependencies: required files, sockets, ports, and
kernel modules. Each check reports pass or fail with a reason. Run
this before first start or after changing the platform setup.
show env getRead-onlyShow one environment variable in detail.
Returns the variable name, current value, default, and what it
controls. Usage: show env get <name>.
show env listRead-onlyList all Ze environment variables with their current values.
Shows which env vars are set and their defaults.
show env registeredRead-onlyList every registered environment variable with metadata.
Includes type, default, description, and whether it is currently set.
show errorsRead-onlyShow recent errors across all subsystems, newest first.
This is the first place to look when something goes wrong. Filter
with source <name> to narrow to one subsystem, count <N> to limit
output.
show event listRead-onlyList every event type you can subscribe to.
Shows event name, category, and payload structure. Use this to
discover what events are available before subscribing.
show event namespacesRead-onlyList all event namespaces and how many events each has logged.
Tells you which subsystems are generating events and how active
they are.
show event recentRead-onlyShow recent events, newest first.
Each event includes timestamp, namespace, and type. Filter with
namespace <name> to focus on one area, count <N> to limit output.
Useful for reconstructing what happened before an incident.
show flow-exportRead-onlyShow flow export (NetFlow/IPFIX) collector status.
Without arguments, lists all configured collectors. With 'name <name>',
shows details for that collector including protocol stats and errors.
Returns not-configured when no exporter is active.
show flow-recentRead-onlyShow recent conntrack flow records from the bounded recent-flow ring.
Without arguments, returns every ring record (oldest to newest, up to the
configured recent-flow-ring capacity). With 'dst <prefix>', filters to flows
whose destination is inside that prefix. The ring is fed only while conntrack
export is enabled; the filter is by destination prefix (conntrack is host-global
and carries no ingress interface).
show geodnsRead-onlyGeoDNS server status: enabled, bind addresses/port, client-IP
source mode, zones, nameserver/host-set/source counts, and the
current SOA serial.
show gnmiRead-onlyShow whether the gNMI server is running and how it is configured.
Returns listen address, TLS details, authentication mode, and the
number of active streaming subscribers.
show healthRead-onlyIs this box healthy? One command to find out.
Returns per-component health (bgp, fib, iface, plugins, l2tp, etc.)
plus an overall status. Each component reports healthy, degraded, or
unhealthy with a reason. Start here when troubleshooting.
show l2tp-healthRead-onlyFind your worst L2TP sessions at a glance.
Sorts sessions by echo loss ratio (worst first). Shows subscriber
login, session state, echo count, average RTT, and CQM bucket count.
Reports how many sessions are degraded.
show ldp bindingRead-onlyShow LDP FEC-to-label bindings.
Lists local and remote label bindings for each FEC (prefix).
Use this to verify label distribution is working.
show ldp neighborRead-onlyShow LDP neighbors and their session state.
Returns peer address, transport address, session state, and
hold time for each LDP neighbor.
show log levelsRead-onlyShow what log level each subsystem is using.
Lists every registered logger with its current level. Use
'request log level' to change a level at runtime without restarting.
show log recentRead-onlyShow recent log entries from the in-memory ring.
Filters (all optional): level <lvl>, component <name>, count <N>.
Newest entries first. Useful when you cannot access the log file
directly.
show metrics listRead-onlyList all registered metric names (no values).
Useful for discovering what metrics exist before querying them.
show metrics valuesRead-onlyDump all metrics in Prometheus text format.
Outputs every registered metric with labels and values. Suitable
for feeding into Prometheus, Grafana, or curl-based monitoring.
show metrics-queryRead-onlyQuery a specific Prometheus metric by name.
Usage: show metrics-query <name> [label=value ...]. Returns matching
time series from the internal registry. Multiple label filters are
ANDed. More targeted than the full metrics dump.
show mpls forwardingRead-onlyShow MPLS forwarding entries installed in the kernel.
Each entry shows the incoming label, swap/push/pop operation, and
outgoing next-hop. Pass 'limit N' to cap large tables. Linux only.
show neighborRead-onlyShow the ARP and neighbor discovery table.
Lists IPv4 ARP and IPv6 ND entries with MAC addresses and states.
Pass ipv4 or ipv6 to filter by address family; no argument shows both.
For the IPv4-only view, 'show arp' is a shortcut.
show pingRead-onlyPing a target from the router itself.
Sends ICMP echo requests to <dest> (IP or hostname). Default count
is 5. Timeout uses Go duration syntax (e.g. 3s, 500ms). Confirms
reachability from this box, not from your workstation.
show pki certificate nameRead-onlyInspect a specific certificate in detail.
Usage: show pki certificate name <name> [pem | bundle pem | fingerprint
[sha256|sha384|sha512]]. Use 'pem' to export for another system,
'fingerprint' to verify identity.
show pki certificatesRead-onlyList all loaded certificates with expiry dates.
Shows name, type (CA or device), subject, issuer, expiry, and
validity status. Check here to find certificates approaching
expiration.
show policy chain peerRead-onlyShow the import/export filter chain applied to a peer.
Usage: show policy chain peer <selector> [import|export]. The selector
(IP, name, as<N>) and the optional direction are parsed by the handler.
Shows the effective chain after group inheritance is resolved. Without
a direction keyword, shows both import and export.
show policy listRead-onlyList all available filter types and named instances.
Shows each filter type and its implementing plugin. Check here
when building a new policy chain to see what filters you can use.
show policy test peerRead-onlyTest what your policy does to a specific UPDATE.
Feed a hex-encoded BGP UPDATE through a peer's filter chain and see
the accept/reject result plus attribute modifications at each stage.
Read-only: no routes are actually forwarded. Great for validating
policy changes before you commit.
Usage: show policy test peer <selector> import|export [filter <name>]
update <hex> [source-asn4 true|false]. The selector and the
import/export/filter/update/source-asn4 tokens are parsed by the
handler so the peer selector can be a free-form name or address.
show policy-routesRead-onlyShow policy-based routing rules.
Lists PBR rules with match criteria and routing actions.
show probe-roundRead-onlyRun a parallel traceroute probe round to a target.
Sends all probes concurrently for faster results than sequential
traceroute. Returns per-hop RTT and IP. Use probes and max-hops
to tune accuracy vs speed.
show routeRead-onlyShow the kernel routing table.
Lists installed routes with next-hop, interface, protocol, and metric.
Pass a CIDR prefix or 'default' to filter, or a route limit to cap the
output.
show route lookupRead-onlyLook up which route the kernel would use for a given IP.
Performs a longest-prefix-match and returns the matching route with
gateway, interface, protocol, and metric. Usage: show route lookup
<ip>.
show rr peersRead-onlyShow route reflector client peers.
Lists each RR client with session state and reflected route counts.
show rr statusRead-onlyShow whether the route reflector is active.
Returns cluster ID, running state, and summary statistics
(reflected routes, client count).
show staticRead-onlyShow static routes defined in the configuration.
Lists each static route with its prefix, next-hop, and interface.
show statusRead-onlyShow process status, uptime, and resource usage.
show storage smartRead-onlyShow disk health via SMART data.
Returns health status, temperature, power-on hours, and self-test
schedule for each block device. Replace drives that report failing
health before they cause data loss.
show subscriberRead-onlyShow a summary of all subscriber sessions.
Counts by access type (PPPoE, L2TP, IPoE) with totals. Quick way
to see how many subscribers are online.
show subscriber id detailRead-onlyShow everything about one subscriber session.
Pass the session ID. Returns access type, assigned addresses,
authentication state, uptime, and traffic counters.
show tcp-checkRead-onlyTest TCP connectivity to a remote host and port.
Tries to open a TCP connection and reports success or failure with
the connection time. Use 'source <IP>' to bind a specific local
address. Quick way to verify a peer's BGP port is reachable.
show tracerouteRead-onlyTrace the network path from this router to a target.
Shows each hop with its IP and round-trip time. Dest can be an IP
or hostname. Defaults: 30 max hops, 3 probes per hop. Increase
probes for more reliable RTT measurements.
show traffic controlRead-onlyShow traffic control (QoS) configuration per interface.
Without arguments, lists every interface with its qdisc type and
class/filter counts. With an interface name, shows the full qdisc
and class breakdown. Use this to verify your shaping is applied.
show traffic usageRead-onlyShow per-interface traffic byte counters captured by eBPF TCX.
Per destination/source port and protocol counters are always present; per-IP
top-talker counters appear when track-ip is enabled. Without arguments, lists
all monitored interfaces. With 'name <interface>', shows that one interface.
show traffic-featureRead-onlyShow neutral per-source traffic feature signals: fan-out (distinct destinations),
out/in byte ratio (exfiltration), destination-port entropy, new-peer, rare-port/proto, and coarse beaconing.
Without arguments, shows the top source entities. With 'name <address>', filters to one source.
show traffic-statRead-onlyShow aggregated traffic snapshot (interface rates, top talkers, top ports, severity).
Without arguments, shows all interfaces. With 'name <interface>', filters to one interface.
show uptimeRead-onlyShow how long the daemon has been running.
Returns the start time and elapsed uptime. Handy after a maintenance
window to confirm the process restarted.
show versionRead-onlyShow the running Ze version and build date.
You can verify which release is deployed on this box.
show vpn ipsec peer nameRead-onlyShow full detail for one IPsec peer.
Returns IKE SA state, all child SAs with traffic selectors, and
byte counts. Usage: show vpn ipsec peer name <name>.
show vpn ipsec saRead-onlyShow all IKE and Child Security Associations.
Lists every SA with peer, negotiated algorithms, byte counts, rekey
timers, and uptime. Includes SPIs, NAT detection, and child SA
traffic selectors. Your main IPsec status command.
show vpn ipsec statusRead-onlyQuick IPsec health check.
Reports whether the IKE engine is running, how many peers are
configured, and how many IKE SAs are Established.
show warningsRead-onlyShow active warnings across all subsystems.
Displays any conditions that need your attention (degraded peers,
resource limits approaching, etc.). Use 'source <name>' to filter
to a single subsystem.
show yang completionRead-onlyShow YANG paths available for tab completion.
Lists every valid completion point in the command tree.
show yang docRead-onlyGenerate command reference docs from YANG schemas.
Produces structured documentation with descriptions, arguments, and
usage patterns for every registered command.
show yang treeRead-onlyPrint the YANG tree for a module in a readable hierarchy.
Shows node types, data types, and config-vs-state annotations.
Similar to 'pyang -f tree'. Useful for understanding the config
or command structure.
skills 1
CommandModeDescription
skillsOfflineList or retrieve agent skill definitions matching this Ze version. Use 'get <name>' to fetch a specific skill.
support 1
CommandModeDescription
supportOfflineBundle logs, config, state, and diagnostics into one archive file. Send the result to support when reporting an issue.
system 8
CommandModeDescription
system command completeRead-onlyComplete command/args
system command helpRead-onlyShow command details
system command listRead-onlyList all commands
system dispatchRead-onlyDispatch a text command
system helpRead-onlyShow available commands
system subsystem listRead-onlyList available subsystems
system version apiRead-onlyShow IPC protocol version
system version softwareRead-onlyShow ze version
update 12
CommandModeDescription
update bgp irr allDaemonRefresh all IRR prefix-lists immediately.
Re-queries the IRR server for every enrolled ASN and atomically
swaps prefix-lists on success. Failed refreshes preserve the
existing prefix-list and report an error.
update bgp irr as-setDaemonRefresh IRR prefix-list for a specific AS-SET.
Usage: update bgp irr as-set <as-set>. Re-queries the IRR server
for all peers using the given AS-SET name.
update bgp irr asnDaemonRefresh IRR prefix-list for a specific ASN.
Usage: update bgp irr asn <asn>. Re-queries the IRR server for
the given ASN only.
update bgp peer prefixDaemonRefresh max-prefix limits from PeeringDB.
Usage: update bgp peer <selector> prefix. Queries PeeringDB for each
matched peer's ASN, applies the configured margin, and writes the
result to the config draft. Run 'config commit' to apply.
update firewall irr allDaemonRefresh all cached IRR prefix-lists.
Re-queries the IRR server for every cached ASN/AS-SET entry and
updates the zefs cache on success. Failed refreshes preserve the
existing cache and report an error.
update firewall irr as-setDaemonFetch or refresh IRR prefix-list for an AS-SET.
Usage: update firewall irr as-set <as-set>. Queries the IRR server
and saves resolved prefixes to the zefs cache.
update firewall irr asnDaemonFetch or refresh IRR prefix-list for an ASN.
Usage: update firewall irr asn <asn>. Queries the IRR server and
saves resolved prefixes to the zefs cache. Creates the cache entry
if it does not exist.
update system firmware applyDaemonFull upgrade: download, verify, stage, and restart.
Runs the complete update cycle in one command. Only available on
platforms where Ze owns the update lifecycle (e.g. gokrazy).
The box will reboot into the new version.
update system firmware checkDaemonCheck for a new firmware version right now.
Bypasses the scheduled interval timer and contacts the update server
immediately. Compare the result with 'show system update'.
update system firmware downloadDaemonDownload the latest firmware image right now.
Bypasses the maintenance window and spread timers. The image is
staged but not applied. Use 'update system firmware apply' or
'restart' to activate it.
update system firmware restartDaemonReboot into the already-staged firmware.
No download happens. Use this after 'update system firmware download'
when you are ready to activate the new version.
update system firmware rollbackDaemonRoll back to the previous firmware and restart.
Reverts to the prior image. Only available on platforms with A/B
partitioning (e.g. gokrazy). Use this if the new version has issues.
validate 1
CommandModeDescription
validate configOfflineCheck your config for errors without applying anything. Reports syntax and semantic issues.
withdraw 1
CommandModeDescription
withdrawDaemonWithdraw on-demand announcements.
Usage: withdraw tag <key> <value|*> | withdraw tag * | withdraw id <N> | withdraw all