LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices



Reply
 
Search this Thread
Old 01-19-2007, 07:55 PM   #1
namradi
LQ Newbie
 
Registered: May 2003
Posts: 10

Rep: Reputation: 0
understanding netstat output


HI GUys,

I am seeing this when i do netstat on my linux box. Could anybody explain this.

tcp 0 0 ::1:39881 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39880 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39875 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39874 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39873 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39872 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39879 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39878 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39877 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39876 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39867 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39871 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39870 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39869 ::1:80 TIME_WAIT -
tcp 0 0 ::1:39868 ::1:80 TIME_WAIT -

Thanks a million in advance
Nav
 
Old 01-19-2007, 07:59 PM   #2
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
After a port is closed, it's state gets set to TIME_WAIT. This is a delay (typically a minute ot two) before the port will be used again. The idea to to prevent delayed packets intended for the previous connection going to a new process and confusing things.
 
Old 01-19-2007, 08:49 PM   #3
namradi
LQ Newbie
 
Registered: May 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Mathew thanks for the quick reply. I was little worried when i was seeing a lot of this when i do netstat. why i was worried these connections looked like they originated from the box itself. So i was trying to figure out what service/script is trying to connect to my web server.

hope i am not confusing the question.

Thanks a lot,
Nav

Last edited by namradi; 01-19-2007 at 09:06 PM.
 
Old 01-21-2007, 05:43 PM   #4
namradi
LQ Newbie
 
Registered: May 2003
Posts: 10

Original Poster
Rep: Reputation: 0
HI Guys,

Anyone please tell me if i have to worry about this kind of netstat output. I am still not able to find which service or script it trying to establish the connection to web server on the same box. And i have watched netstat output and i have never seen the connections established they are always in TIME_WAIT.

Thanks
Nav
 
Old 01-21-2007, 05:51 PM   #5
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
When you run netstat add -ep to the command line and you will see extra (the 'e') and program related (the 'p') information. That should help you identify where the connection is coming from.
 
Old 01-21-2007, 06:31 PM   #6
namradi
LQ Newbie
 
Registered: May 2003
Posts: 10

Original Poster
Rep: Reputation: 0
with -ep this is the output.

tcp 0 0 ::1:51497 ::1:http TIME_WAIT root 0 -
tcp 0 0 ::1:51499 ::1:http TIME_WAIT root 0 -
tcp 0 0 ::1:51498 ::1:http TIME_WAIT root 0 -

This is forum is awesome.

Thanks,
Naveen
 
Old 01-21-2007, 07:04 PM   #7
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
I get similar output on my box when I access pages on my web server. Once the connection is closed (as matthewg42 noted above), you will see the TIME_WAIT status for a period of time. You can also use iptstate to monitor connections with an interface similar to the top command.
 
Old 01-21-2007, 07:38 PM   #8
namradi
LQ Newbie
 
Registered: May 2003
Posts: 10

Original Poster
Rep: Reputation: 0
But the above type connections should only been seen when i browse my web server or a script/service tries to connect web port on my box right. If another IP hits my webserver then the foreing IP will be displayed right.

I understand when the connections close it shows TIME_WAIT but it will show the IP of the Foreing Address in the case the output is show no IP that means all connections are local right.

I am sorry if i am confusing i am only trying to understand these connections.

Thanks a lot guys this forum is so active.

Nav
 
Old 01-21-2007, 08:14 PM   #9
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
Yes, if there is an external connection then the IP address of that connection will be shown. You can demonstrate it for yourself by going to a site that can scan your PC from the internet - for example, http://www.hackerwatch.org/probe/ - and using netstat to watch the connections.
 
Old 01-21-2007, 08:30 PM   #10
namradi
LQ Newbie
 
Registered: May 2003
Posts: 10

Original Poster
Rep: Reputation: 0
Basically what i am looking for is to figure out what script/service on my box it connecting to the webserver on the same box.

tcp 0 0 ::1:51497 ::1:http TIME_WAIT root 0 -

in this above output i couldnt find any info that will lead me to the script/program. And i am seeing these connections frequently.

If i am supposed to see these connections when an outside computer tries to connect to my webserver then i am fine but that is not the case right.

Thanks,
Nav
 
Old 01-22-2007, 02:04 AM   #11
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,123

Rep: Reputation: 162Reputation: 162
I'm assuming that the "1" in your output is shorthand for 127.0.0.1, ie localhost. In my output I see the following:
Code:
tcp    0  0 127.0.0.1:80        127.0.0.1:29448     TIME_WAIT  0      0      -
tcp    0  0 127.0.0.1:80        127.0.0.1:29449     TIME_WAIT  0      0      -
Yes it's correct that if the connections were from an external host the IP address of that host would be displayed. For example:
Code:
tcp    0  0 192.168.1.2:80     192.168.1.122:1068   TIME_WAIT  0      0      -
tcp    0  0 192.168.1.2:80     192.168.1.122:1067   TIME_WAIT  0      0      -
Once the connections are in a TIME_WAIT state you can't tell what program they were related to. However if you monitor the connections with netstat, when a new connection occurs you can use netstat and lsof to identify who/what is responsible. For example:
Code:
watch -n 5 'netstat --inet -apen | grep -E "(http|80)"'
tcp        0      0 127.0.0.1:23493         127.0.0.1:80            ESTABLISHED1000       25120982   7476/firefox-bin
tcp        0      0 127.0.0.1:23492         127.0.0.1:80            ESTABLISHED1000       25120979   7476/firefox-bin

watch -n 5 lsof -i@127.0.0.1:80 -i@192.168.1.2:80
COMMAND     PID   USER   FD   TYPE   DEVICE SIZE NODE NAME
firefox-b  7476  steve   73w  IPv4 25121643       TCP localhost:23492->localhost:http (ESTABLISHED)
firefox-b  7476  steve   74u  IPv4 25121645       TCP localhost:23493->localhost:http (ESTABLISHED)
httpd    5516 apache    6u  IPv4 25116574       TCP fender.guitars.com.au:http->strat.guitars.com.au:ansoft-lm-1 (ESTABLISHED)
httpd   16777 apache    6u  IPv4 25118512       TCP fender.guitars.com.au:http->strat.guitars.com.au:ansoft-lm-2 (ESTABLISHED)
 
  


Reply

Tags
netstat


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Understanding netstat -r Ouptu scottym Linux - Networking 1 06-10-2005 02:23 PM
Netstat output Raafi Linux - Security 4 05-24-2005 11:14 PM
What does this netstat output mean? Kovacs Linux - Security 2 01-25-2004 07:32 PM
netstat -l output help dai Linux - Security 2 07-02-2003 04:40 PM
netstat output... WeNdeL Linux - Networking 3 03-20-2003 10:45 AM


All times are GMT -5. The time now is 07:56 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration