≡ Menu

netstat command

Unhide is a little handy forensic tool to find hidden processes and TCP/UDP ports by rootkits / LKMs or by another hidden technique. This tools works under both Linux / Unix, and MS-Windows operating systems. From the man page:

It detects hidden processes using three techniques:

  1. The proc technique consists of comparing /proc with the output of /bin/ps.
  2. The sys technique consists of comparing information gathered from /bin/ps with information gathered from system calls.
  3. The brute technique consists of bruteforcing the all process IDs. This technique is only available on Linux 2.6 kernels.

[click to continue…]

So how do you list the network open ports on your Linux server and the process that owns them? The answer is simple. Use the following command (must be run as the root user):


sudo lsof -i
sudo netstat -lptu
sudo netstat -tulpn

Sample outputs (see video demo):

netstat command and shell pipe feature can be used to dig out more information about particular IP address connection. You can find out total established connections, closing connection, SYN and FIN bits and much more. You can also display summary statistics for each protocol using netstat.

This is useful to find out if your server is under attack or not. You can also list abusive IP address using this method.
# netstat -nat | awk '{print $6}' | sort | uniq -c | sort -n
Output:

      1 CLOSE_WAIT
      1 established)
      1 Foreign
      3 FIN_WAIT1
      3 LAST_ACK
     13 ESTABLISHED
     17 LISTEN
    154 FIN_WAIT2
    327 TIME_WAIT

Dig out more information about a specific ip address:
# netstat -nat |grep {IP-address} | awk '{print $6}' | sort | uniq -c | sort -n

      2 LAST_ACK
      2 LISTEN
      4 FIN_WAIT1
     14 ESTABLISHED
     91 TIME_WAIT
    130 FIN_WAIT2

Busy server can give out more information:
# netstat -nat |grep 202.54.1.10 | awk '{print $6}' | sort | uniq -c | sort -n
Output:

  15 CLOSE_WAIT
  37 LAST_ACK
  64 FIN_WAIT_1
  65 FIN_WAIT_2
1251 TIME_WAIT
3597 SYN_SENT
5124 ESTABLISHED

Get List Of All Unique IP Address

To print list of all unique IP address connected to server, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq
To print total of all unique IP address, enter:
# netstat -nat | awk '{ print $5}' | cut -d: -f1 | sed -e '/^$/d' | uniq | wc -l
Output:

449

Find Out If Box is Under DoS Attack or Not

If you think your Linux box is under attack, print out a list of open connections on your box and sorts them by according to IP address, enter:
# netstat -atun | awk '{print $5}' | cut -d: -f1 | sed -e '/^$/d' |sort | uniq -c | sort -n
Output:

    1 10.0.77.52
      2 10.1.11.3
      4 12.109.42.21
      6 12.191.136.3
.....
...
....
    13 202.155.209.202
     18 208.67.222.222
     28 0.0.0.0
    233 127.0.0.1

You can simply block all abusive IPs using iptables or just null route them.

Get Live View of TCP Connections

You can use tcptrack command to display the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.

Display Summary Statistics for Each Protocol

Simply use netstat -s:
# netstat -s | less
# netstat -t -s | less
# netstat -u -s | less
# netstat -w -s | less
# netstat -s

Output:

Ip:
    88354557 total packets received
    0 forwarded
    0 incoming packets discarded
    88104061 incoming packets delivered
    96037391 requests sent out
    13 outgoing packets dropped
    66 fragments dropped after timeout
    295 reassemblies required
    106 packets reassembled ok
    66 packet reassembles failed
    34 fragments failed
Icmp:
    18108 ICMP messages received
    58 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 7173
        timeout in transit: 472
        redirects: 353
        echo requests: 10096
    28977 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        destination unreachable: 18881
        echo replies: 10096
Tcp:
    1202226 active connections openings
    2706802 passive connection openings
    7394 failed connection attempts
    47018 connection resets received
    23 connections established
    87975383 segments received
    95235730 segments send out
    681174 segments retransmited
    2044 bad segments received.
    80805 resets sent
Udp:
    92689 packets received
    14611 packets to unknown port received.
    0 packet receive errors
    96755 packets sent
TcpExt:
    48452 invalid SYN cookies received
    7357 resets received for embryonic SYN_RECV sockets
    43 ICMP packets dropped because they were out-of-window
    5 ICMP packets dropped because socket was locked
    2672073 TCP sockets finished time wait in fast timer
    441 time wait sockets recycled by time stamp
    368562 delayed acks sent
    430 delayed acks further delayed because of locked socket
    Quick ack mode was activated 36127 times
    32318597 packets directly queued to recvmsg prequeue.
    741479256 packets directly received from backlog
    1502338990 packets directly received from prequeue
    18343750 packets header predicted
    10220683 packets header predicted and directly queued to user
    17516622 acknowledgments not containing data received
    36549771 predicted acknowledgments
    102672 times recovered from packet loss due to fast retransmit
    Detected reordering 1596 times using reno fast retransmit
    Detected reordering 1 times using time stamp
    8 congestion windows fully recovered
    32 congestion windows partially recovered using Hoe heuristic
    19 congestion windows recovered after partial ack
    0 TCP data loss events
    39951 timeouts after reno fast retransmit
    29653 timeouts in loss state
    197005 fast retransmits
    186937 retransmits in slow start
    131433 other TCP timeouts
    TCPRenoRecoveryFail: 20217
    147 times receiver scheduled too late for direct processing
    29010 connections reset due to unexpected data
    365 connections reset due to early user close
    6979 connections aborted due to timeout

Display Interface Table

You can easily display dropped and total transmitted packets with netstat for eth0:
# netstat --interfaces eth0
Output:

Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0       1500   0  2040929      0      0      0  3850539      0      0      0 BMRU

Other netstat related articles / tips:

  1. Get Information about All Running Services Remotely
  2. Linux / UNIX Find Out What Program / Service is Listening on a Specific TCP Port

Read following man pages for the details:
$ man netstat
$ man cut
$ man awk
$ man sed
$ man grep

Updated for accuracy.

You can use traditional netstat / lsof command to lists open Internet or UNIX domain sockets on FreeBSD. FreeBSD comes with a simple and easy to use command called sockstat.
The -4 option only displays IPv4 sockets.

The -6 option only displays IPv6 sockets.

The -c option only displays connected sockets.

The -l option only displays listening sockets (open port).

For example, display IPv4 related open ports, enter:
# sockstat -4 -l
Output:

USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   653   3  tcp4   127.0.0.1:25          *:*
root     sshd       647   3  tcp4   10.20.110.2:22        *:*
root     ntpd       616   4  udp4   *:123                 *:*

Here the equivalent of netstat:
$ netstat -nat | grep LISTEN
For information read sockstat command man page:
$ man sockstat

Get Information about All Running Services Remotely

From my mailbag the other day I received an interesting suggestion about obtaining information regarding all running process and network connections remotely using inetd / xinetd :

SSH client can be used to execute a command(s) on a remote UNIX box. Same technique can be used to get current network and system information using netstat information:
ssh you@remotebox netstat -a
ssh you@remotebox netstat -tulpn

He suggests that above command can be run via inetd / xinetd so that admin can connect easily and get information using telnet from 100s UNIX boxes. All you have to do is open /etc/inetd.conf under UNIX / Linux:
# vi /etc/inetd.conf
Append following line:
netstat stream tcp nowait root /bin/netstat netstat -a
Restart inetd:
# /etc/init.d/openbsd-inetd restart
Next, use telnet to connect to the netstat service (port 15) and get network connection information:
$ telnet server-name netstat
$ telnet 192.168.1.5 15

Output:

Trying 192.168.1.5...
Connected to 192.168.1.5.
Escape character is '^]'.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:6881                  *:*                     LISTEN
tcp        0      0 *:6081                  *:*                     LISTEN
tcp        0      0 *:nfs                   *:*                     LISTEN
tcp        0      0 localhost:6082          *:*                     LISTEN
tcp        0      0 *:54053                 *:*                     LISTEN
tcp        0      0 *:59275                 *:*                     LISTEN
tcp        0      0 *:netstat               *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 localhost:webcache      *:*                     LISTEN
tcp        0      0 *:43218                 *:*                     LISTEN
tcp        0      0 *:domain                *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:3128                  *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      1 vivek-desktop.loc:48925 bas4-kitchener06-:56662 SYN_SENT
tcp        0      0 vivek-desktop.loc:54791 customer5673.pool:16273 ESTABLISHED
tcp        0      0 vivek-desktop.loc:38398 59.94.1xx.yy:45483      ESTABLISHED
tcp        0      0 vivek-desktop.loc:42048 60.21.zz.yyy:23235       ESTABLISHED
...........
....
....
unix  3      [ ]         STREAM     CONNECTED     15973
unix  3      [ ]         STREAM     CONNECTED     15947    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15946
unix  3      [ ]         STREAM     CONNECTED     15936    /var/run/dbus/system_bus_socket
unix  3      [ ]         STREAM     CONNECTED     15935
unix  2      [ ]         DGRAM                    15931
unix  3      [ ]         STREAM     CONNECTED     15916
unix  3      [ ]         STREAM     CONNECTED     15915
unix  2      [ ]         DGRAM                    15906
Connection closed by foreign host.

There are few problems with this solution:
a] Unnecessary service running at port # 15

b] Telnet protocol is not secure

c] I strongly recommend using ssh and password-less login for scripts to obtain this kind of information:
ssh user@remote-box netstat -a
ssh user@remote-box df -H
ssh user@remote-box free -m
ssh user@remote-box /path/to/script.pl

My friend wanted to know how to change or convert DHCP network configuration to static configuration. After initial installation, he wanted to change network settings. Further, his system is w/o GUI system aka X Windows. Here is quick way to accomplish the same:

Your main network configuration file is /etc/network/interfaces

Desired new sample settings:
=> Host IP address 192.168.1.100
=> Netmask: 255.255.255.0
=> Network ID: 192.168.1.0
=> Broadcast IP: 192.168.1.255
=> Gateway/Router IP: 192.168.1.254
=> DNS Server: 192.168.1.254

Open network configuration file
$ sudo vi /etc/network/interfacesOR$ sudo nano /etc/network/interfaces

Find and remove dhcp entry:
iface eth0 inet dhcp

Append new network settings:

iface eth0 inet static
address 192.168.1.100
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.254

Save and close the file. Restart the network:
$ sudo /etc/init.d/networking restart

Task: Define new DNS servers

Open /etc/resolv.conf file
$ sudo vi /etc/resolv.conf

You need to remove old DNS server assigned by DHCP server:
search myisp.com
nameserver 192.168.1.254
nameserver 202.54.1.20
nameserver 202.54.1.30

Save and close the file.

Task: Test DNS server

$ host cyberciti.biz

Network command line cheat sheet

You can also use commands to change settings. Please note that these settings are temporary and not the permanent. Use above method to make network changes permanent or GUI tool as described below.

Task: Display network interface information

$ ifconfig

Task: Take down network interface eth0 / take a network interface down

$ sudo ifconfig eth0 downOR $ sudo ifdown eth0

Task: Bring a network interface eth0 up

$ sudo ifconfig eth0 upOR$ sudo ifup eth0

Task: Change IP address and netmask from command line

Activate network interface eth0 with a new IP (192.168.1.50) / netmask:
$ sudo ifconfig eth0 192.168.1.50 netmask 255.255.255.0 up

Task: Display the routing table

$ /sbin/route OR$ /sbin/route -n
Output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
localnet        *               255.255.255.0   U     0      0        0 ra0
172.16.114.0    *               255.255.255.0   U     0      0        0 eth0
172.16.236.0    *               255.255.255.0   U     0      0        0 eth1
default         192.168.1.254   0.0.0.0         UG    0      0        0 ra0

Task: Add a new gateway

$ sudo route add default gw 172.16.236.0

Task: Display current active Internet connections (servers and established connection)

$ netstat -nat

Task: Display open ports

$ sudo netstat -tulpOR$ sudo netstat -tulpn

Task: Display network interfaces stats (RX/TX etc)

$ netstat -i

Task: Display output for active/established connections only

$ netstat -e
$ netstat -te
$ netstat -tue

Where,

  • -t : TCP connections
  • -u : UDP connections
  • -e : Established

Task: Test network connectivity

Send ICMP ECHO_REQUEST to network hosts, routers, servers etc with ping command. This verifies connectivity exists between local host and remote network system:
$ ping router
$ ping 192.168.1.254
$ ping cyberciti.biz

See simple Linux system monitoring with ping command and scripts for more information.

Task: Use GUI (Graphical Configuration) network Tool

If you are new, use GUI configuration tool, type the following command at terminal:
$ network-admin &

Above command is Ubuntu's GUI for configuring network connections tool.

Final tip - Learn how find out more information about commands

A man page is your best friend when you wanted to learn more about particular command or syntax. For example, read detailed information about ifconfig and netstat command:
$ man ifconfig
$ man netstat

Just get a short help with all command options by appending --help option to each command:
$ netstat --help

Find out what command is used for particular task by searching the short descriptions and manual page names for the keyword:
$ man -k 'delete directory'
$ apropos -s 1 remove

Display short descriptions of a command:
$ whatis rm
$ whatis netstat

Linux offers an excellent collection of utilities, which can be use to finding the files and executables, remember you cannot memorize all the commands and files ;)

Someone might attack on your Linux based system. You can drop attacker IP using IPtables. However, you can use route or ip command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.

You can nullroute (like some time ISP do prevent your network device from sending any data to a remote system) stopping various attacks coming from a single IP (read as spammers or hackers) using the following syntax on a Linux based system.
[click to continue…]