Checking Socket Status with netstat

netstat is a command that can be used to check on a wide variety of network information, such as the status of network connections, the contents of the routing table, what masqueraded connections are supported by the system, and what multicast groups the system has joined. The most important of these is the status of network connections, which is the default netstat display. To limit that display to TCP/IP network connections, use the --inet command-line option, as shown in Listing 13.13.

Listing 13.13: Displaying Network Socket Connections

Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        1      0 robin:1967         www.sybex.com:80     CLOSE_WAIT
tcp        1      0 robin:1966         www.sybex.com:80     CLOSE_WAIT
tcp        1      0 robin:1964         www.sybex.com:80     CLOSE_WAIT
tcp        1      0 robin:1963         www.sybex.com:80     CLOSE_WAIT
tcp        0    126 robin:23           phoebe:1449          ESTABLISHED

This command lists the currently active IP connections. Each line displays the transport protocol being used, the number of packets in the send and receive queues, the local address including port number, the remote address including port number, and the status of the connection. In Listing 13.13, the first four lines describe outbound connections to well-known port number 80. From reading Chapter 6, "The Apache Web Server," you know that 80 is the web server port. So those are outbound web connections. The last line in the sample shows an inbound connection to port 23: the telnet port.

The State field on each line indicates the TCP protocol state for that connection. Table 13.1 lists the possible TCP protocol states that netstat displays.

Table 13.1: TCP Protocol States

State         Meaning
CLOSED        The socket is completely closed.
CLOSE_WAIT    The remote end is shut down, but the local socket is not yet closed.
CLOSING       Both ends of the connection are shut down, but the local system still has data to send.
ESTABLISHED   The connection is established.
FIN_WAIT1     The local end of the connection is shutting down.
FIN_WAIT2     The socket is waiting for the remote end of the connection to shut down.
LAST_ACK      The protocol is waiting for the final acknowledgment on a closed socket.
LISTEN        The socket is listening for incoming connections.
SYN_RECV      A connection request has been received.
SYN_SENT      A connection attempt is underway.
TIME_WAIT     The socket is closed, but is waiting to clear remaining packets from the network.
UNKNOWN       netstat cannot determine the state of the socket.

In Listing 13.13, the inbound telnet connection has a state of ESTABLISHED, meaning that it is a healthy, active connection. The three outbound connections are all sitting in CLOSE_WAIT. All of these connections are directed at the same remote web server. The probable cause for this is a user with a browser open to the remote server that is not actively requesting data. Perhaps the user is reading the data; perhaps the user is out to lunch. In either case, the user has left the browser running. This is normal and causes no harm, other than consuming a port number. When the user closes the browser, these ports will close.

With the -a option, netstat displays all sockets (not just those that are active), and it does not have to limit the display to IP sockets. Listing 13.14 is an excerpt of the full socket listing from a Linux system. This listing is only about half of the number of lines actually displayed. To see the full listing, enter the netstat command on your own Linux system.

Listing 13.14: Display All Sockets

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address      State
tcp        0      2 parrot:telnet      robin:1027           ESTABLISHED
tcp        0      0 *:netbios-ssn      *:*                  LISTEN
tcp        0      0 *:www              *:*                  LISTEN
tcp        0      0 *:smtp             *:*                  LISTEN
tcp        0      0 *:1024             *:*                  LISTEN
tcp        0      0 *:printer          *:*                  LISTEN
tcp        0      0 *:imap2            *:*                  LISTEN
tcp        0      0 *:login            *:*                  LISTEN
tcp        0      0 *:shell            *:*                  LISTEN
tcp        0      0 *:telnet           *:*                  LISTEN
tcp        0      0 *:ftp              *:*                  LISTEN
udp        0      0 parrot:netbios-dgm *:*
udp        0      0 parrot:netbios-ns  *:*
udp        0      0 *:netbios-dgm      *:*
udp        0      0 *:netbios-ns       *:*
udp        0      0 *:1024             *:*
udp        0      0 *:talk             *:*
raw        0      0 *:icmp             *:*                  7
raw        0      0 *:tcp              *:*                  7
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags      Type       State       I-Node Path
unix  1      [ ]        STREAM     CONNECTED   415    @00000019
unix  1      [ ]        STREAM     CONNECTED   888    @0000003e
unix  0      [ ACC ]    STREAM     LISTENING   519    /dev/printer
unix  0      [ ACC ]    STREAM     LISTENING   725    /dev/gpmctl
unix  0      [ ACC ]    STREAM     LISTENING   395    /dev/log
unix  1      [ ]        STREAM     CONNECTED   889    /dev/log

The first line in this listing shows an active inbound telnet connection, just like the one seen earlier. The next several lines all have the status LISTEN. These are the TCP services that this system offers. If the list of services produced by netstat on your server does not match the services that you think your system offers, you need to check the server's configuration. The asterisks in the address fields mean that any address is accepted.

Next come the UDP services offered by the system. UDP is a connectionless protocol, so it does not maintain connection state. For all UDP entries, the State field is empty. Again, these services should match the services you think you're offering.

For network testing, you can ignore the rest of the listing. It contains two entries for raw sockets, which are sockets that communicate directly to IP without using a transport protocol, and several entries for Unix sockets. The Unix sockets define sockets-based I/O for Linux devices and are not related to the TCP/IP network.

Use netstat to check the socket status when inbound or outbound connections appear to hang. An example of how this netstat information can be used to diagnose a problem occurred when we noticed strange symptoms on my campus e-mail server. The CPU utilization was very high. The mail queue was taking forever to process, and several users were having trouble downloading their mail. Nothing really appeared to be wrong with the network until the netstat command showed hundreds of connections in SYN_RECV state—the classic symptom of a SYN flooding denial of service attack!

All of these connection attempts were originating from the same system on our internal network. The router was reconfigured to block connections from that specific system, and immediately the mail server began to recover. The administrator of the offending system was called and told that an intruder might have broken into his computer. That, however, was not the case. The offending computer was an experimental, massively parallel computer with hundreds of processors. A mistake in the experimental software caused the system to simultaneously start hundreds of connection requests whenever the system tried to connect to a remote host. The experimenters removed the test system from the live network, and we lived happily ever after. Using netstat to discover the problem and route filtering to block the offender, the initial problem was solved in just a few minutes.
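The two checks the text describes, auditing the LISTEN entries against the services you believe the host offers and counting connections per state so that a pile-up of SYN_RECV stands out, can be scripted over netstat output. The following shell functions are an added example, not code from the book; they run over a constructed sample in the "netstat -an" column layout (numeric addresses, made-up hosts in documentation address ranges) rather than calling netstat, and the allow-list of expected ports and the SYN_RECV threshold are assumptions you would set for your own server.

```shell
#!/bin/sh
# Added example (not from the book): audit a netstat-style listing.
# Check 1: TCP LISTEN entries versus an expected allow-list of ports.
# Check 2: per-state counts, with a SYN_RECV threshold as the SYN-flood
#          indicator the chapter describes, plus the busiest foreign host.

# Constructed sample in "netstat -an" layout; hosts and ports are made up.
# On a live system you would feed "netstat -an" (or "netstat -tan") instead.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0    126 192.0.2.10:23           192.0.2.77:1449         ESTABLISHED
tcp        0      0 192.0.2.10:25           198.51.100.5:40001      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.5:40002      SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.5:40003      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.9:51000       SYN_RECV
tcp        1      0 192.0.2.10:1967         203.0.113.80:80         CLOSE_WAIT
udp        0      0 0.0.0.0:137             0.0.0.0:*'

# Print "proto port" for every TCP socket in LISTEN state, one per line.
# The port is the text after the last colon of the Local Address column.
listening_ports() {
    printf '%s\n' "$SAMPLE" | awk '$1 == "tcp" && $6 == "LISTEN" {
        n = split($4, a, ":"); print $1, a[n] }' | sort -u
}

# Report listeners whose port is not in the space-separated allow-list
# given as $1 (an assumed list such as "22 25"). Empty output means clean.
unexpected_listeners() {
    expected=" $1 "
    listening_ports | while read -r proto port; do
        case "$expected" in
            *" $port "*) ;;                 # expected service, say nothing
            *) echo "$proto $port" ;;       # not on the list: investigate
        esac
    done
}

# Count TCP connections in the state named by $1 (e.g. SYN_RECV).
count_state() {
    printf '%s\n' "$SAMPLE" | awk -v s="$1" \
        '$1 == "tcp" && $6 == s { c++ } END { print c + 0 }'
}

# Foreign host with the most SYN_RECV entries, printed as "host count".
# Strips the trailing ":port" so all ports from one host are grouped.
top_syn_source() {
    printf '%s\n' "$SAMPLE" | awk '$1 == "tcp" && $6 == "SYN_RECV" {
        sub(/:[^:]*$/, "", $5); c[$5]++ }
        END { for (h in c) if (c[h] > best) { best = c[h]; who = h }
              print who, best + 0 }'
}

# Print "ALERT ..." when SYN_RECV exceeds the threshold in $1 (default 100,
# an assumed value; tune it to the normal load of your server), else "OK".
syn_flood_check() {
    threshold=${1:-100}
    n=$(count_state SYN_RECV)
    if [ "$n" -gt "$threshold" ]; then
        echo "ALERT $n SYN_RECV (top source: $(top_syn_source))"
    else
        echo "OK $n SYN_RECV"
    fi
}

# Stand-alone run: audit listeners, then the connection states.
echo "Unexpected listeners:"
unexpected_listeners "22 25"
for s in ESTABLISHED SYN_RECV CLOSE_WAIT; do
    echo "$s: $(count_state "$s")"
done
syn_flood_check 3
```

The listener audit deliberately reports by port number rather than service name, because "netstat -a" without -n resolves ports through /etc/services and an unusual port with no entry there is exactly the one you want to see. The SYN_RECV threshold is a coarse indicator; in the incident the text describes the useful next step was identifying the single source host, which is what top_syn_source does, so that a router filter could be applied to that host alone.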

The Linux version of netstat has an interesting option missing in many other netstat implementations: the -p option. When netstat is run with the -p option by the root user, it displays the PID and program name of whatever is using each socket. This can be very useful, particularly when you suspect a problem.
