LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   need help with netstat (https://www.linuxquestions.org/questions/linux-newbie-8/need-help-with-netstat-688670/)

twelvenine 12-05-2008 09:59 PM
need help with netstat
 
i'm looking at my netstat output and i have a few questions about the connections i'm seeing that i couldn't figure out using google. i've posted my "netstat -an" output below. so, here are my questions:

1. what does it mean when the ip is 0.0.0.0? like all of those connections where the foreign address is 0.0.0.0:0, what's up with those?
2. what does the "*:*" foreign address mean?
3. why don't the udp connections have states?
4. it doesn't show up here, but sometimes i see addresses that look like "[::]" on machines where ipv6 is supported. what does that address mean?

Code:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3260          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3261          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6224          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030        0.0.0.0:0              LISTENING
  TCP    192.168.1.102:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.102:1512    192.168.1.178:445      SYN_SENT
  TCP    192.168.177.1:139      0.0.0.0:0              LISTENING
  TCP    192.168.190.1:139      0.0.0.0:0              LISTENING
  TCP    192.168.190.1:1513    192.168.190.190:445    SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1043          *:*
  UDP    0.0.0.0:1116          *:*
  UDP    0.0.0.0:1117          *:*
  UDP    0.0.0.0:1118          *:*
  UDP    0.0.0.0:1119          *:*
  UDP    0.0.0.0:1120          *:*
  UDP    0.0.0.0:1121          *:*
  UDP    0.0.0.0:1122          *:*
  UDP    0.0.0.0:1123          *:*
  UDP    0.0.0.0:1124          *:*
  UDP    0.0.0.0:4500          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025        *:*
  UDP    127.0.0.1:1250        *:*
  UDP    127.0.0.1:1900        *:*
  UDP    192.168.1.102:123      *:*
  UDP    192.168.1.102:137      *:*
  UDP    192.168.1.102:138      *:*
  UDP    192.168.1.102:1900    *:*
  UDP    192.168.177.1:123      *:*
  UDP    192.168.177.1:137      *:*
  UDP    192.168.177.1:138      *:*
  UDP    192.168.177.1:1900    *:*
  UDP    192.168.190.1:123      *:*
  UDP    192.168.190.1:137      *:*
  UDP    192.168.190.1:138      *:*
  UDP    192.168.190.1:1900    *:*

anomie 12-05-2008 10:58 PM
Quote:
Originally Posted by twelvenine
1. what does it mean when the ip is 0.0.0.0? like all of those connections where the foreign address is 0.0.0.0:0, what's up with those?
It means a service port is bound to all interfaces (and all IP addresses on those interfaces). A quick practice in comparing and contrasting leads me to believe that LISTENING tcp connections display the Foreign Address as 0.0.0.0:0.

Quote:
Originally Posted by twelvenine
2. what does the "*:*" foreign address mean?
Ditto here. UDP service ports appear to display the Foreign Address as *:* in netstat output.

Quote:
Originally Posted by twelvenine
3. why don't the udp connections have states?
http://en.wikipedia.org/wiki/User_Datagram_Protocol

Quote:
Originally Posted by twelvenine
4. it doesn't show up here, but sometimes i see addresses that look like "[::]" on machines where ipv6 is supported. what does that address mean?
My guess is this means a service port is bound to all interfaces (including all IPv6 addresses on those interfaces).

twelvenine 12-06-2008 01:23 PM
Quote:
Originally Posted by anomie (Post 3366065)
It means a service port is bound to all interfaces (and all IP addresses on those interfaces). A quick practice in comparing and contrasting leads me to believe that LISTENING tcp connections display the Foreign Address as 0.0.0.0:0.
so, a listening connection with "0.0.0.0:0" as the foreign address will accept a connection from any ip? is it actually listening for connections from port 0 or is that a convention that means it will accept connections from any port?

also, those udp connections with "*:*" are like the 0.0.0.0:0 tcp connections right? are the udp connections listening and that "*:*" means they will connect with all addresses from any foreign port?

anomie 12-08-2008 12:44 AM
Quote:
Originally Posted by twelvenine
so, a listening connection with "0.0.0.0:0" as the foreign address will accept a connection from any ip?
For LISTENING connections, I'd focus on the Local Address. 0.0.0.0 == TCP port listening on all local interfaces. This means connections will be accepted from any IP address that is on any of the subnets you're on. (That is, unless you're blocking them via packet filtering, tcp wrappers, application ACLs.)

Quote:
Originally Posted by twelvenine
also, those udp connections with "*:*" are like the 0.0.0.0:0 tcp connections right? are the udp connections listening and that "*:*" means they will connect with all addresses from any foreign port?
Again, let's focus on the Local Address. 0.0.0.0 == UDP port bound to all local interfaces.

I can't speak definitively to the conventions used in the Foreign Address field for listening connections (and, IMO, it doesn't particularly matter). I was just making observations.


All times are GMT -5. The time now is 09:28 PM.