LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 12-05-2008, 09:59 PM   #1
twelvenine
Member
 
Registered: Sep 2006
Posts: 72

Rep: Reputation: 16
need help with netstat


i'm looking at my netstat output and i have a few questions about the connections i'm seeing that i couldn't figure out using google. i've posted my "netstat -an" output below. so, here are my questions:

1. what does it mean when the ip is 0.0.0.0? like all of those connections where the foreign address is 0.0.0.0:0, what's up with those?
2. what does the "*:*" foreign address mean?
3. why don't the udp connections have states?
4. it doesn't show up here, but sometimes i see addresses that look like "[::]" on machines where ipv6 is supported. what does that address mean?

Code:
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2869           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3260           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3261           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6224           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING
  TCP    192.168.1.102:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.102:1512     192.168.1.178:445      SYN_SENT
  TCP    192.168.177.1:139      0.0.0.0:0              LISTENING
  TCP    192.168.190.1:139      0.0.0.0:0              LISTENING
  TCP    192.168.190.1:1513     192.168.190.190:445    SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1043           *:*
  UDP    0.0.0.0:1116           *:*
  UDP    0.0.0.0:1117           *:*
  UDP    0.0.0.0:1118           *:*
  UDP    0.0.0.0:1119           *:*
  UDP    0.0.0.0:1120           *:*
  UDP    0.0.0.0:1121           *:*
  UDP    0.0.0.0:1122           *:*
  UDP    0.0.0.0:1123           *:*
  UDP    0.0.0.0:1124           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
  UDP    127.0.0.1:1250         *:*
  UDP    127.0.0.1:1900         *:*
  UDP    192.168.1.102:123      *:*
  UDP    192.168.1.102:137      *:*
  UDP    192.168.1.102:138      *:*
  UDP    192.168.1.102:1900     *:*
  UDP    192.168.177.1:123      *:*
  UDP    192.168.177.1:137      *:*
  UDP    192.168.177.1:138      *:*
  UDP    192.168.177.1:1900     *:*
  UDP    192.168.190.1:123      *:*
  UDP    192.168.190.1:137      *:*
  UDP    192.168.190.1:138      *:*
  UDP    192.168.190.1:1900     *:*
 
Old 12-05-2008, 10:58 PM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by twelvenine
1. what does it mean when the ip is 0.0.0.0? like all of those connections where the foreign address is 0.0.0.0:0, what's up with those?
It means a service port is bound to all interfaces (and all IP addresses on those interfaces). A quick practice in comparing and contrasting leads me to believe that LISTENING tcp connections display the Foreign Address as 0.0.0.0:0.

Quote:
Originally Posted by twelvenine
2. what does the "*:*" foreign address mean?
Ditto here. UDP service ports appear to display the Foreign Address as *:* in netstat output.

Quote:
Originally Posted by twelvenine
3. why don't the udp connections have states?
http://en.wikipedia.org/wiki/User_Datagram_Protocol

Quote:
Originally Posted by twelvenine
4. it doesn't show up here, but sometimes i see addresses that look like "[::]" on machines where ipv6 is supported. what does that address mean?
My guess is this means a service port is bound to all interfaces (including all IPv6 addresses on those interfaces).

Last edited by anomie; 12-05-2008 at 10:59 PM.
 
Old 12-06-2008, 01:23 PM   #3
twelvenine
Member
 
Registered: Sep 2006
Posts: 72

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by anomie View Post
It means a service port is bound to all interfaces (and all IP addresses on those interfaces). A quick practice in comparing and contrasting leads me to believe that LISTENING tcp connections display the Foreign Address as 0.0.0.0:0.
so, a listening connection with "0.0.0.0:0" as the foreign address will accept a connection from any ip? is it actually listening for connections from port 0 or is that a convention that means it will accept connections from any port?

also, those udp connections with "*:*" are like the 0.0.0.0:0 tcp connections right? are the udp connections listening and that "*:*" means they will connect with all addresses from any foreign port?

Last edited by twelvenine; 12-06-2008 at 01:33 PM.
 
Old 12-08-2008, 12:44 AM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by twelvenine
so, a listening connection with "0.0.0.0:0" as the foreign address will accept a connection from any ip?
For LISTENING connections, I'd focus on the Local Address. 0.0.0.0 == TCP port listening on all local interfaces. This means connections will be accepted from any IP address that is on any of the subnets you're on. (That is, unless you're blocking them via packet filtering, tcp wrappers, application ACLs.)

Quote:
Originally Posted by twelvenine
also, those udp connections with "*:*" are like the 0.0.0.0:0 tcp connections right? are the udp connections listening and that "*:*" means they will connect with all addresses from any foreign port?
Again, let's focus on the Local Address. 0.0.0.0 == UDP port bound to all local interfaces.

I can't speak definitively to the conventions used in the Foreign Address field for listening connections (and, IMO, it doesn't particularly matter). I was just making observations.

Last edited by anomie; 12-08-2008 at 12:46 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Netstat ?? mickeyboa Fedora 2 11-06-2007 06:01 PM
netstat sanjaykhuntia Programming 6 11-02-2007 09:52 PM
netstat Smooth Solaris / OpenSolaris 4 11-17-2006 12:30 AM
netstat -s r_213 Linux - Networking 2 01-27-2005 06:45 AM
netstat sopiaz57 Linux - Networking 1 10-14-2003 03:39 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:38 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration