Netstat is one of those applications that users take for granted… It’s there, we use it for some basic things and then we move on. It provides some very useful information about the state of network connections on a host. Right off the bat, most people know about netstat –a. It provides a pretty comprehensive look at network connections as well as UNIX domain socket connections and the processes that are using those sockets. Typical output looks similar to this:
creative:~ root# netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 localhost.ldap localhost.62313 ESTABLISHED
tcp4 0 0 localhost.62313 localhost.ldap ESTABLISHED
tcp4 0 0 creative.conair..ssh 192.168.25.215.52345 ESTABLISHED
tcp4 0 0 creative.conair..ldap stdm908.conair.l.55313 ESTABLISHED
tcp4 0 0 *.ldap *.* LISTEN
tcp6 0 0 *.ldap *.* LISTEN
tcp4 0 0 *.ssh *.* LISTEN
tcp4 0 0 creative.conair..ldap stsm022.conair.l.56412 SYN_SENT
tcp4 0 0 localhost.62308 localhost.ldap TIME_WAIT
Active LOCAL (UNIX) domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
ffffff80353eecc0 stream 0 0 ffffff80368898b8 0 0 0 /var/run/ldapi
ffffff8036176f80 stream 0 0 ffffff8036838f80 0 0 0 /var/run/passwordserver
ffffff80353ef740 stream 0 0 0 ffffff80353ef800 0 0 /var/run/mDNSResponder
ffffff80353f0b80 stream 0 0 ffffff80356df8b8 0 0 0 /var/run/vpncontrol.sock
ffffff80353f0d00 stream 0 0 ffffff80356dfaa8 0 0 0 /var/run/portmap.socket
ffffff80353f0a00 dgram 0 0 ffffff80356df6c8 0 0 0 /var/run/syslog
SO let’s take a look at the output for all active Internet connections… Fairly typical! We can see our active Internet connections and our active UNIX domain sockets. I’m going concentrate on the network connections for now. We can gather some basic information but let’s take a more detailed look at the output.
The first column is labeled Proto and it represents which protocol is being used for that particular connection. You can find a listing of possible results by looking through the file /etc/protocols file. In our output we can see that most of the connections are using TCPv4… though if you look closely this machine is also running IPv6 (line 6).
The next two columns represent the amount of bytes that were not accepted by either the local machine or the remote host. The man page for netstat explains Recv-Q and Send-Q as follows:
Recv-Q: The count of bytes not copied by the user program connected to this socket.
Send-Q: The count of bytes not acknowledged by the remote host.
Seeing anything in either column would indicate that there was a problem with the transfer of data between the two machines listed by Local Address and Foreign Address.
NOTE: If it’s not obvious… in the output of netstat each line represents a connection between two machines.
Next up are the columns labeled Local Address and Foreign Address. The data present here is more than simple hostnames or IP addresses. It also provides the Ethernet ports (both ephemeral ports as well as well-known ports) that is beginning utilized for that connection. It is represented as follows:
IP Address.port# or hostname.port#
Looking over at the above output we can gather a lot of information…
1. We can see that this host is serving up LDAP information and is looking at itself to LDAP lookups (lines 1 and 2).
2. We can see that it is running sshd and that the remote host (22.214.171.124) does not have reverse DNS record setup and is using the ephemeral port of 52345 for setting up the connection (line 3).
3. Line 4 is telling us that the machine stdm908.conair.lan is an established connection (see below for information on the state column) that is actively passing data between the two machines.
4. Line 4 is also telling us that stdm908.conair.lan has connected to creative.conair.lan through the specific IP address associated with that hostname. Why? Because netstat will do a reverse lookup and present the hostname wherever possible. Performing an nslookup shows that creative.conair.lan is associated with the IP address of 192.168.171.5. If we turned off hostname lookups in netstat, the output for that connection would read 192.168.171.5.ldap.
5. Lines 5, 6 and 7 indicate that services are listening on all interfaces configured on this machine. Meaning if creative.conair.lan had multiple Ethernet interfaces turned up. It would allow connections to those services from any of the interfaces.
The last column represents the stat of the connection. This column really only becomes important in TCP connections. Remember the UDP is a connectionless protocol, while TCP is connection based. It requires the building up of the connection using the three-way handshake and the tearing down of that same connection. The state represents whether the two machines are communicating or if the services is just waiting for a connection. It can also represent where in the process of building up or tearing down connection the machines are. Possible states include:
ESTABLISHED: The socket has an established connection.
SYN_SENT: The socket is actively attempting to establish a connection.
SYN_RECV: A connection request has been received from the network.
FIN_WAIT1: The socket is closed, and the connection is shutting down.
FIN_WAIT2: Connection is closed, and the socket is waiting for a shutdown from the remote end.
TIME_WAIT: The socket is waiting after close to handle packets still in the network.
CLOSE: The socket is not being used.
CLOSE_WAIT: The remote end has shut down, waiting for the socket to close.
LAST_ACK: The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
LISTEN: The socket is listening for incoming connections.
CLOSING: Both sockets are shut down but we still don’t have all our data sent.
UNKNOWN: The state of the socket is unknown.
The above was taken from the man page for netstat dated 12/2/2007 as installed on Ubuntu 9.10.