Security and Cryptography
 
#1 | June 24th, 2002, 10:54 AM | hucker
netstat question

When I run netstat -a, can you please tell me what's the meaning of the following:
LISTENING:
TIME_WAIT
ESTABLISHED:
CLOSE_WAIT:

thanks

#2 | June 25th, 2002, 02:27 AM | Fjodor
Hi.

It is what your sockets are doing...

Here's an example of what I think will look similar to what you are seeing:

# netstat -an | grep 23
tcp 0 2 10.16.0.120.23 192.168.214.131.1343 ESTABLISHED
tcp 0 0 *.23 *.* LISTEN


Okay. Now, for what it all means:

tcp - The protocol that is being used
0 2 - The length of the receive & send queue
10.16.0.120.23 - Local Address and port number (.23)
192.168.214.131.1343 - Foreign Address and port number (.1343)
ESTABLISHED - The internal state of the Protocol

LISTEN - That it's listening for traffic

Hope this helps

/Fjodor

Last edited by Fjodor : June 25th, 2002 at 02:51 AM.

#3 | June 25th, 2002, 04:04 AM | hucker
OK, thanks. How about how can you know if an attacker has passed into your system? Will netstat tell you that?

#4 | June 25th, 2002, 05:17 AM | Fjodor
Well, sort of.
If you know what communication should be going on with your computer then any communication that shouldn't be there should take some looking into. And, it might possibly be a trojan or something like that.


Like, if you know that port 12345 shouldn't be open (listening) on your computer when during a netstat you find it is open, then what I would do is first to make sure that this port isn't just a port that should be open by the normal operations of a normal program. If it's not, I usually take a peek at the SANS trojan list to see what trojans I might possibly have gotten infected with. One thing to note about trojans and ports is that the lists with various trojan ports only show the default port. On many trojans you can choose whichever port you want. So... a trojan that uses port 80 on a webserver will be hard to detect since it's using a legal/valid port.


I'll use my previous example:

# netstat -an | grep 23
tcp 0 2 10.16.0.120.23 192.168.214.131.1343 ESTABLISHED

Here you can see that 192.168.214.131 is connected to your computer (10.16.0.120) on port 23. That means someone is using that port for some kind of communication...most likely telnet.


While I am a bit paranoid (probably a good quality for a network security person) I must say that more often than not open ports and weird things can be traced to misconfigurations, valid programs or just dumb.. or should I say uneducated users... At least when you have a big network. This isn't to say that just for that reason you shouldn't be suspicious of weird communications.

A good example might be if you are the net admin and are responsible for the firewall... Everything works peachy when you find that one day something is acting as a server on your internal network and trying to fool your firewall so people can access it. Easy to think trojan/backdoor, but most likely it's just somebody that for some reason or another figured it was a good thing to use your company's bandwidth to download stuff with KaZaa (or however that is spelled). Now this wasn't a trojan or backdoor... but you might want to kill it off anyway since you don't want users to hog bandwidth for illegal stuff when they should be working.

So... Netstat is a very good place to start to look for suspicious connections to your workstation since you can see if any weird ports are open, if someone is connected to the weird ports and what address this person has (well, unless it's spoofed and yadda yadda yadda).

So... if you find something strange on your computer... use google.com (or other) to do some research... most likely someone else already had this problem, posted it in a forum, got help, and found the problem. That's the major benefit of the net.

/Fjodor

Last edited by Fjodor : June 25th, 2002 at 05:23 AM.
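
Added example (not part of any post in this thread): a shell/awk version of the check described in post #4, comparing listening ports against the ones you expect and listing who is connected to the unexpected ones. It assumes the `address.port` column layout of the netstat output quoted in the thread; the function names, the expected-port list and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the layout quoted in the thread:
# proto, recv-q, send-q, local address.port, foreign address.port, state
sample_netstat() {
cat <<'EOF'
tcp 0 2 10.16.0.120.23 192.168.214.131.1343 ESTABLISHED
tcp 0 0 *.23 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.12345 *.* LISTEN
tcp 0 0 10.16.0.120.12345 192.168.23.7.4021 ESTABLISHED
tcp 0 0 10.16.0.120.22 192.168.214.9.2301 TIME_WAIT
EOF
}

# Usage: netstat -an | audit_ports "22 23"
# Prints "LISTEN <port>" for every listener not in the expected list, then
# "PEER <port> <remote-ip>" for every established connection to such a port.
audit_ports() {
    awk -v expected="$1" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    # The port is the text after the LAST dot. Comparing it exactly avoids
    # the substring hits of "grep 23" (12345, 2301, 192.168.23.7, ...).
    function port(a) { sub(/.*\./, "", a); return a }
    function host(a) { sub(/\.[^.]*$/, "", a); return a }
    $1 !~ /^tcp/ || NF < 6 { next }          # skip headers and other protocols
    $6 == "LISTEN" {
        p = port($4)
        if (!(p in ok) && !(p in bad)) { bad[p] = 1; print "LISTEN", p }
        next
    }
    # Remember established sockets; judge them once all listeners are known,
    # so outbound connections from ephemeral local ports are not flagged.
    $6 == "ESTABLISHED" { est[++m] = port($4) " " host($5) }
    END {
        for (i = 1; i <= m; i++) {
            split(est[i], f, " ")
            if (f[1] in bad) print "PEER", f[1], f[2]
        }
    }'
}

sample_netstat | audit_ports "22 23"
```

As post #4 points out, a clean result only covers unexpected ports: something listening on a port that is in the expected list passes this check.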

#5 | June 25th, 2002, 07:43 AM | Fjodor
Nice to see you are going to try a BSD flavor btw.. You won't be disappointed no matter which one you choose.

/f

Last edited by Fjodor : June 25th, 2002 at 09:11 AM.
