The NETSTAT Command
The NETSTAT Command (PDF document). Steve Gibson and Leo Laporte, Security Now! Episode 49, July 20, 2006.

Steve and Leo describe the operation and use of the universally available "Netstat" command, available in every desktop operating system from Unix and Linux through Windows and Macs. "Netstat" allows anyone to instantly see what current Internet connections and listening ports any system has open and operating. Mastering the power of this little-known command will greatly empower any security-conscious computer user.

For example, if you say “netstat,” and you see 6667s, which is the default IRC port, and you’re not knowingly using IRC, there’s a very good chance that you’ve got an IRC trojan that has connected to a remote IRC server and is connected right now, waiting to receive commands. The normal Netstat command, all by itself, only shows you either existing or recently closed connections. So if you say “netstat -a,” or over on the Mac you’d say “netstat -f inet” and then “-a,” now you will also see any listening sockets. These are the so-called “open ports”: ports on your machine that processes running in your machine have opened and are watching for incoming traffic.

So in general the Netstat display has four columns. The leftmost column says Proto, which is short for protocol. We’ve talked about TCP and UDP. Netstat always sorts the protocols so that all the TCP connections and activities are shown first, followed by UDP. The second column is the Local Address column. Now, we’ve talked about how a socket is an IP address and a port. So what you’ll see there is an IP address, the standard something.something.something.something. For example, in the Local column you might see your machine’s own IP address, 192.168.something, .0.1 or whatever, then a colon and the port number.

So the way the so-called “socket,” or socket endpoint to use the full terminology, is displayed is as an IP address, a colon, and then the port number involved. The third column is the remote or foreign address, and that’s the one that’s really interesting. The final column is called State, which is the state that this connection or potential connection is in. The most common state is LISTENING, meaning that you have a classic open port listening for any incoming traffic. If you actually have connections established, that is, the TCP three-way handshake we’ve talked about has established a connection, so you now have an agreement between your local machine and some remote machine, then the word ESTABLISHED will appear in that column, meaning that this is an actual connection that exists right now between your machine and that remote IP and port and is able to exchange traffic. Sometimes people will see TIME_WAIT. TIME_WAIT is a state that TCP goes into at the end of an established connection, as it’s being torn down, that prevents packets coming in late from confusing the system. It’s sort of a delay before those endpoints can be used again: it holds that connection out of use to allow packets that might still be floating around the Internet to die or stop arriving before it releases the endpoint for reuse, so that a new connection isn’t confused by an old connection’s packets with similar endpoints coming along. Sometimes you might see SYN_RECEIVED or SYN_SENT, which literally refers to the SYN packets we’ve talked about often that are involved in establishing a connection. That means a connection is in the process of being set up, and normally that happens so quickly that you won’t see it in a Netstat command.
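As an added example (not code from the episode or from GRC), here is a small Python parser for the four columns described above, Proto, Local Address, Foreign Address and State, that applies the two checks Steve describes: list the listening sockets that only “netstat -a” shows, and flag a live or half-open connection to remote port 6667. The two sample outputs are constructed to resemble Windows and Linux “netstat -an” output, and the SUSPECT_PORTS table is an illustrative assumption, not a standard list.

```python
"""Parse the four Netstat columns Steve walks through (Proto, Local Address,
Foreign Address, State) and apply his two checks: list the listening sockets
("open ports") that only "netstat -a" shows, and flag a connection to remote
port 6667, the IRC default. Added example, not from the transcript; the two
samples are constructed to resemble Windows and Linux "netstat -an" output,
and SUSPECT_PORTS is an illustrative assumption, not a standard list."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: remote ports worth a second look when you are not knowingly
# using the service. 6667 is the IRC default named in the transcript.
SUSPECT_PORTS = {6667: "IRC default port; an IRC trojan awaiting commands looks like this"}

# Constructed sample in Windows "netstat -an" layout (note the [::] IPv6 form).
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.10:1043      192.168.0.1:80         TIME_WAIT
  TCP    192.168.0.10:1051      198.51.100.7:6667      ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

# Constructed sample in Linux "netstat -an" layout: extra Recv-Q/Send-Q columns,
# LISTEN instead of LISTENING, and a SYN_SENT connection still being set up.
LINUX_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.168.0.10:52100      203.0.113.9:443         ESTABLISHED
tcp        0      0 192.168.0.10:52188      198.51.100.7:6667       SYN_SENT
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

@dataclass
class Socket:
    proto: str                    # "tcp" or "udp"; tcp6/udp6 fold into the same family
    local_addr: str
    local_port: Optional[int]
    foreign_addr: str
    foreign_port: Optional[int]   # None where netstat prints a placeholder (* or 0)
    state: str                    # "" for UDP rows, which carry no TCP state

def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'address:port' on the LAST colon so IPv6 forms like '[::]:445'
    and ':::80' keep their address; '*' and 0 are placeholders -> None."""
    addr, _, port = endpoint.rpartition(":")
    if not port.isdigit() or int(port) == 0:
        return addr, None
    return addr, int(port)

def parse_netstat(text: str) -> List[Socket]:
    """Turn raw 'netstat -a' output into Socket rows, skipping banner and header
    lines; handles the Windows 4-column and the Linux 6-column layouts."""
    rows: List[Socket] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].lower().startswith(("tcp", "udp")):
            continue
        if len(tokens) >= 5 and tokens[1].isdigit() and tokens[2].isdigit():
            cols = tokens[3:]         # Linux: skip the Recv-Q and Send-Q counters
        else:
            cols = tokens[1:]         # Windows: Local, Foreign, [State]
        local_addr, local_port = split_endpoint(cols[0])
        foreign_addr, foreign_port = split_endpoint(cols[1])
        state = cols[2].upper() if len(cols) > 2 else ""
        if state == "LISTEN":         # Linux spelling of the same state
            state = "LISTENING"
        rows.append(Socket(tokens[0].lower()[:3], local_addr, local_port,
                           foreign_addr, foreign_port, state))
    return rows

def listening_ports(sockets: List[Socket]) -> List[Tuple[str, int]]:
    """The 'open ports': TCP sockets in LISTENING, plus UDP sockets with no
    foreign endpoint (UDP has no state, so that is the closest equivalent)."""
    found = {(s.proto, s.local_port) for s in sockets if s.local_port is not None
             and ((s.proto == "tcp" and s.state == "LISTENING")
                  or (s.proto == "udp" and s.foreign_port is None))}
    return sorted(found)

def suspicious_connections(sockets: List[Socket]) -> List[Socket]:
    """TCP connections that are live or still being set up (ESTABLISHED, SYN_SENT,
    SYN_RECEIVED) to a remote port listed in SUSPECT_PORTS."""
    live = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "SYN_RECV"}
    return [s for s in sockets if s.proto == "tcp" and s.state in live
            and s.foreign_port in SUSPECT_PORTS]

if __name__ == "__main__":
    for name, sample in (("Windows", WINDOWS_SAMPLE), ("Linux", LINUX_SAMPLE)):
        socks = parse_netstat(sample)
        print(name, "open ports:", listening_ports(socks))
        for s in suspicious_connections(socks):
            print(f"  {s.local_addr}:{s.local_port} -> {s.foreign_addr}:{s.foreign_port}"
                  f" {s.state}: {SUSPECT_PORTS[s.foreign_port]}")
```

On a real machine you would feed the parser the output of `netstat -an` (Windows or Linux) or `netstat -f inet -a -n` (Mac) instead of the constructed samples. Note that the SYN_SENT row in the Linux sample is deliberately included in the suspicious list: a trojan whose command server is down keeps retrying, and that half-open state is what you catch if you happen to run Netstat at the right moment.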