Wednesday, March 18, 2009

Getting a feel for the network with ‘netstat’


It seems that my previous article, “Getting a feel for the network
with ’ss’” was pretty popular. ss is a great tool but isn’t always
part of a base install for your favorite version of Linux. With
that in mind, let’s talk about how to do some things with tools
that are more likely to be part of the base. This time we will
discuss netstat and next time we will cover just the tip of the
iceberg that is lsof.

Our tricks for the day:

* Get a list of active TCP connections

* Get a list of active TCP connections and resolve hostnames of IP addresses in question

* Get a list of listening TCP sockets

* Get a list of TCP connections in various other connection states

First netstat:

Get a list of TCP connections (in this case, we include “listening” TCP ports):

$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 1 192.168.253.101:52812 74.52.160.50:80 FIN_WAIT1
tcp 509792 0 192.168.253.101:49200 38.119.55.141:80 ESTABLISHED
tcp 0 1 192.168.253.101:52813 74.52.160.50:80 FIN_WAIT1
tcp 0 0 :::22 :::* LISTEN

As before, except this time resolve the IP addresses in question:

$ netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp *:* LISTEN
tcp 509792 0 chaco.local:49200 rieko.ziaspace.com:www ESTABLISHED
tcp 0 0 *:ssh *:* LISTEN

In the previous commands we showed active TCP connections but also TCP
ports that were in the “listening” state. If you are messing with
netstat and lsof then you are probably at least somewhat familiar
with IP networking but, if not, listening basically means that some
process is ready to accept new connections on that port.

In this command we are going to show only TCP ports that are in the
listening state and not active TCP connections. Note that, as in my
previous article, the only processes listening for new connections
on my workstation are the SSH and CUPS daemons.

$ netstat -tl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost:ipp *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN

Now for our final netstat trick, we are going to list all of the TCP
connections where a TCP SYN packet has been sent but the receiving end
has not yet replied. See Wikipedia for more information about the TCP
handshake. I’ve fired up a Gnutella client so that we have lots of
interesting TCP connections in the output:

$ netstat -antp | grep SYN
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 1 192.168.253.101:59227 142.217.112.185:2729 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:36291 74.193.252.111:37998 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:36874 12.210.29.230:53781 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:35878 69.245.72.170:2500 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:33314 24.94.77.8:50345 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:43488 24.238.218.203:1334 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:53485 24.95.79.143:1128 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:60224 69.133.19.41:24536 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:52441 72.51.246.127:4379 SYN_SENT 7542/gtk-gnutella
tcp 0 1 192.168.253.101:57700 70.80.99.180:23112 SYN_SENT 7542/gtk-gnutella
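The commands above answer one question at a time. The script below is an added example (not from the original post) that wraps the same netstat output in three small shell functions a defender typically wants: a per-state summary, a list of listening sockets bound to something other than loopback (the ones actually reachable from the network), and a count of half-open SYN_SENT connections per program, which is the quickest way to spot which process is behind a burst of outbound connection attempts like the Gnutella client above. It assumes the column layout of Linux net-tools `netstat -antp` (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name) and reads that output from stdin, so it can be fed either a live `netstat -antp` or a saved capture. The sample output embedded in SAMPLE is constructed for the example; the PIDs and program names in it are made up.

```shell
#!/bin/sh
# Constructed sample of `netstat -antp` output (not captured from a real host).
# The "(Not all processes ...)" warning is included to show it is filtered out.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1201/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      988/sshd
tcp        0      0 0.0.0.0:6346            0.0.0.0:*               LISTEN      7542/gtk-gnutella
tcp   509792      0 192.168.253.101:49200   38.119.55.141:80        ESTABLISHED 3311/firefox
tcp        0      1 192.168.253.101:52812   74.52.160.50:80         FIN_WAIT1   -
tcp        0      1 192.168.253.101:59227   142.217.112.185:2729    SYN_SENT    7542/gtk-gnutella
tcp        0      1 192.168.253.101:36291   74.193.252.111:37998    SYN_SENT    7542/gtk-gnutella
tcp6       0      0 :::22                   :::*                    LISTEN      988/sshd'

# Count TCP sockets per state. Only lines whose first field starts with
# "tcp" are considered, which drops the headers and the root warning.
# Output: one "STATE count" line per state, sorted by state name.
state_summary() {
  awk '$1 ~ /^tcp/ { n[$6]++ }
       END { for (s in n) print s, n[s] }' | sort
}

# List listening sockets that are NOT bound to loopback, i.e. the ports
# another machine could actually connect to. Output: "port PID/program",
# de-duplicated so the IPv4 and IPv6 sshd listeners collapse into one line.
exposed_listeners() {
  awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
         host = $4; sub(/:[^:]*$/, "", host)   # strip ":port" -> host part
         port = $4; sub(/.*:/, "", port)       # keep text after last ":"
         if (host ~ /^127\./ || host == "::1") next
         print port, $7
       }' | sort -u
}

# Count half-open (SYN_SENT) connections per owning program, busiest first.
# A single program with many SYN_SENT entries is either talking to a lot of
# unreachable peers or is something you want to look at more closely.
half_open_by_program() {
  awk '$1 ~ /^tcp/ && $6 == "SYN_SENT" { n[$7]++ }
       END { for (p in n) print p, n[p] }' | sort -k2 -nr
}

# Demo on the constructed sample. On a live box replace the printf with:
#   netstat -antp 2>/dev/null | state_summary
printf '%s\n' "$SAMPLE" | state_summary
printf '%s\n' "$SAMPLE" | exposed_listeners
printf '%s\n' "$SAMPLE" | half_open_by_program
```

Run it as root (or with sudo) on a live system so the PID/Program column is filled in for every socket; otherwise `-` appears for sockets owned by other users, as in the FIN_WAIT1 line of the sample, and the per-program counts become less useful.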

Okay, that’s it for today. If you want to do some extra credit then I suggest
looking at the ‘-p’ flag for netstat.
