#1
    netstat question


    When I run netstat -a, can you please tell me what the following mean:
    LISTENING
    TIME_WAIT
    ESTABLISHED
    CLOSE_WAIT

    thanks
    ...
  #2
    Slacker
    Hi.

    It is what your sockets are doing...

    Here's an example of what I think will look similar to what you are seeing:

    # netstat -an | grep 23
    tcp 0 2 10.16.0.120.23 192.168.214.131.1343 ESTABLISHED
    tcp 0 0 *.23 *.* LISTEN


    Okay. Now, for what it all means:

    tcp - The protocol that is being used
    0 2 - The lengths of the receive and send queues
    10.16.0.120.23 - Local address and port number (.23)
    192.168.214.131.1343 - Foreign address and port number (.1343)
    ESTABLISHED - The internal state of the protocol

    LISTEN - That it's listening for traffic

    Hope this helps

    /Fjodor
    Last edited by Fjodor; June 25th, 2002 at 03:51 AM.
  #3
    OK, thanks. How can you know if an attacker has gotten into your system? Will netstat tell you that?
    ...
  #4
    Slacker
    Well, sort of.
    If you know what communication should be going on with your computer, then any communication that shouldn't be there should get some looking into. And it might possibly be a trojan or something like that.


    Like, if you know that port 12345 shouldn't be open (listening) on your computer, but during a netstat you find it is open, then what I would do is first make sure that this port isn't just a port that should be open by the normal operation of a normal program. If it's not, I usually take a peek at the SANS trojan list to see what trojans I might possibly have gotten infected with. One thing to note about trojans and ports is that the lists with various trojan ports only show the default port. On many trojans you can choose whichever port you want. So... a trojan that uses port 80 on a webserver will be hard to detect since it's using a legal/valid port.


    I'll use my previous example:

    # netstat -an | grep 23
    tcp 0 2 10.16.0.120.23 192.168.214.131.1343 ESTABLISHED

    Here you can see that 192.168.214.131 is connected to your computer (10.16.0.120) on port 23. That means someone is using that port for some kind of communication...most likely telnet.


    While I am a bit paranoid (probably a good quality for a network security person), I must say that more often than not open ports and weird things can be traced to misconfigurations, valid programs or just dumb... or should I say uneducated users... At least when you have a big network. This isn't to say that just for that reason you shouldn't be suspicious of weird communications.

    A good example might be if you are the net admin and are responsible for the firewall... Everything works peachy until you find that one day something is acting as a server on your internal network and trying to fool your firewall so people can access it. Easy to think trojan/backdoor, but most likely it's just somebody who for some reason or another figured it was a good thing to use your company's bandwidth to download stuff with KaZaa (or however that is spelled). Now this wasn't a trojan or backdoor... but you might want to kill it off anyway since you don't want users to hog bandwidth for illegal stuff when they should be working.

    So... netstat is a very good place to start looking for suspicious connections to your workstation, since you can see if any weird ports are open, if someone is connected to the weird ports and what address this person has (well, unless it's spoofed and yadda yadda yadda).

    So... if you find something strange on your computer... use google.com (or other) to do some research... most likely someone else already had this problem, posted it in a forum, got help, and found the problem. That's the major benefit of the net.

    /Fjodor
    Last edited by Fjodor; June 25th, 2002 at 06:23 AM.
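    As an added example that is not part of the thread (it is not Fjodor's code), here is a small POSIX shell script that applies the checks described in posts #2 and #4 to a constructed `netstat -an` sample in the same addr.port format the posts use: it counts sockets per state (the states asked about in post #1) and flags listening ports that are not on an allow-list, together with the foreign addresses connected to them. The sample output, the allow-list of ports 22, 23 and 80, and port 12345 as the unexpected listener (the same port number used in post #4) are all constructed for the example; the function names are assumptions as well.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output in the BSD/Solaris addr.port style
# used in the thread. Not real data; 203.0.113.9 is a documentation address.
SAMPLE='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      2  10.16.0.120.23         192.168.214.131.1343   ESTABLISHED
tcp        0      0  10.16.0.120.22         192.168.214.50.40012   ESTABLISHED
tcp        0      0  10.16.0.120.80         192.168.214.77.51234   TIME_WAIT
tcp        0      0  10.16.0.120.12345      203.0.113.9.4444       ESTABLISHED
tcp        0      0  *.23                   *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.80                   *.*                    LISTEN
tcp        0      0  *.12345                *.*                    LISTEN
tcp        0      0  10.16.0.120.8080       192.168.214.3.2222     CLOSE_WAIT'

# Assumed allow-list: the ports that normal programs on this host should have open.
EXPECTED_PORTS="22 23 80"

# count_state STATE: number of tcp sockets whose last column is STATE.
count_state() {
  printf '%s\n' "$SAMPLE" |
    awk -v st="$1" '$1 == "tcp" && $NF == st { n++ } END { print n + 0 }'
}

# unexpected_listeners: listening ports not in EXPECTED_PORTS, one per line.
# The local address is field 4; the port is the last dot-separated token.
unexpected_listeners() {
  printf '%s\n' "$SAMPLE" |
    awk -v allow="$EXPECTED_PORTS" '
      BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
      $1 == "tcp" && $NF == "LISTEN" {
        m = split($4, f, "."); port = f[m]
        if (!(port in ok)) print port
      }'
}

# peers_on_port PORT: foreign addresses with an ESTABLISHED connection to PORT.
peers_on_port() {
  printf '%s\n' "$SAMPLE" |
    awk -v p="$1" '
      $1 == "tcp" && $NF == "ESTABLISHED" {
        m = split($4, f, "."); if (f[m] == p) print $5
      }'
}

# Stand-alone run: a per-state summary, then anything worth a second look.
for s in LISTEN ESTABLISHED TIME_WAIT CLOSE_WAIT; do
  printf '%-12s %s\n' "$s" "$(count_state "$s")"
done
for p in $(unexpected_listeners); do
  printf 'unexpected listener on port %s, peers: %s\n' \
    "$p" "$(peers_on_port "$p" | tr '\n' ' ')"
done
```

    On a live BSD or Solaris host, replace SAMPLE with the real `netstat -an` output. Linux netstat prints addresses as addr:port, so the split on "." would have to become a split on ":" there, and Windows prints the state as LISTENING rather than LISTEN, so the state names would need adjusting too. The allow-list is the part that does the real work: as post #4 says, a trojan can sit on any port, so the list has to be built from what you know the machine should be running, not from a list of default trojan ports.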
  #5
    Slacker
    Nice to see you are going to try a BSD flavor, by the way. You won't be disappointed no matter which one you choose.

    /f
    Last edited by Fjodor; June 25th, 2002 at 10:11 AM.
