{"id":424,"date":"2009-10-07T06:01:29","date_gmt":"2009-10-07T06:01:29","guid":{"rendered":"http:\/\/g33kinfo.com\/info\/index.php\/?p=424"},"modified":"2009-10-07T06:01:29","modified_gmt":"2009-10-07T06:01:29","slug":"how-to-monitor-your-linux-machine-with-netstat","status":"publish","type":"post","link":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/","title":{"rendered":"How to monitor your Linux machine with netstat"},"content":{"rendered":"<p>Netstat is an extremely useful Linux command line tool that allows you to check which service is connecting to a port on your machine. It is very useful for analyzing what\u2019s going on on your machine when you are facing or trying to prevent an attack on it. You can find information such as how many connections are being made on a port, which IP addresses these connections originate from, and much more. Netstat ships with most distributions of Linux so it should already be installed on yours.<\/p>\n<p>Launch a shell terminal on your machine and run the following command:<\/p>\n<p># netstat -ant<br \/>\nActive Internet connections (servers and established)<br \/>\nProto Recv-Q Send-Q Local Address Foreign Address State<br \/>\ntcp 0 0 ::ffff:192.168.1.19:80 ::ffff:192.168.1.240:63049 TIME_WAIT<br \/>\ntcp 0 0 ::ffff:192.168.0.19:80 ::ffff:192.168.1.240:62793 TIME_WAIT<br \/>\ntcp 0 0 ::ffff:192.168.1.19:80 ::ffff:192.168.1.240:62795 TIME_WAIT<\/p>\n<p>The output will most likely be very long. I\u2019ve just given a snapshot of the output above. As you can see in the data above, there is a connection from 192.168.1.240 to my server\u2019s port 80 using the TCP protocol, and the connection is in the TIME_WAIT state. The output that you get for your server will have information about all the ports on your machine, not just port 80.<\/p>\n<p>The first thing you realize is that an output this big is not of much use. So let\u2019s organize it a bit. 
Here are a few tricks I use to analyze the nature of the connections being made to or from my server. The first thing I do is figure out which services I want to analyze. Usually it is port 80, as that\u2019s the default port for the web server to run on, and port 3306, which is the default port for MySQL to run on. So I use the following query to see what\u2019s going on on port 80:<\/p>\n<p># netstat -ant | grep 80<\/p>\n<p>Again I get a big list of connections, smaller than the first, but still too big to grasp. So I use the \u201cwc -l\u201d command to count the number of lines in the output to see approximately how many connections I have on my port 80:<\/p>\n<p># netstat -ant | grep 80 | wc -l<br \/>\n625<\/p>\n<p>And then I do the same for MySQL:<\/p>\n<p># netstat -ant | grep 3306 | wc -l<br \/>\n61<\/p>\n<p>Now, if I want to get a complete picture of what\u2019s going on on my server in terms of the nature of connections, here\u2019s what I do:<\/p>\n<p># netstat -ant | awk '{print $6}' | sort | uniq -c | sort -n<\/p>\n<p>1 established)<br \/>\n1 Foreign<br \/>\n4 FIN_WAIT2<br \/>\n8 LISTEN<br \/>\n16 CLOSE_WAIT<br \/>\n134 ESTABLISHED<br \/>\n409 TIME_WAIT<\/p>\n<p>This tells me how many connections I have in each state on my machine. I can run a similar command to see a complete picture of the state of all the connections made to my web server:<\/p>\n<p># netstat -ant | grep 80 | awk '{print $6}' | sort | uniq -c | sort -n<\/p>\n<p>1 FIN_WAIT1<br \/>\n4 LISTEN<br \/>\n6 FIN_WAIT2<br \/>\n17 CLOSE_WAIT<br \/>\n94 ESTABLISHED<br \/>\n534 TIME_WAIT<\/p>\n<p>You can do much more complex things using Netstat along with other Linux command line tools. 
It can be helpful to be familiar with some tricks to get this kind of information using Netstat, particularly when you are facing an attack on your server.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-424","post","type-post","status-publish","format-standard","hentry","category-info"],"yoast_head_json":{"title":"How to monitor your Linux machine with netstat - Linux Shtuff","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/","og_locale":"en_US","og_type":"article","og_title":"How to monitor your Linux machine with netstat - Linux Shtuff","og_description":"Netstat is an extremely useful Linux command line tool that allows you to check which service is connecting to a port on your machine. It is very useful to analyze what\u2019s going on on your machine when you are facing or trying to to prevent an attack on it. You can find information such as... Read More","og_url":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/","og_site_name":"Linux Shtuff","article_publisher":"https:\/\/fb.me\/g33kinf0","article_author":"https:\/\/fb.me\/g33kinf0","article_published_time":"2009-10-07T06:01:29+00:00","author":"g33kadmin","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/drsinger1111","twitter_site":"@drsinger1111","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/#article","isPartOf":{"@id":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/"},"author":{"name":"g33kadmin","@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"headline":"How to monitor your Linux machine with netstat","datePublished":"2009-10-07T06:01:29+00:00","mainEntityOfPage":{"@id":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/"},"wordCount":533,"commentCount":0,"publisher":{"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"articleSection":["General 
Info"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/","url":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/","name":"How to monitor your Linux machine with netstat - Linux Shtuff","isPartOf":{"@id":"https:\/\/g33kinfo.com\/info\/#website"},"datePublished":"2009-10-07T06:01:29+00:00","breadcrumb":{"@id":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/g33kinfo.com\/info\/how-to-monitor-your-linux-machine-with-netstat\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/g33kinfo.com\/info\/"},{"@type":"ListItem","position":2,"name":"How to monitor your Linux machine with netstat"}]},{"@type":"WebSite","@id":"https:\/\/g33kinfo.com\/info\/#website","url":"https:\/\/g33kinfo.com\/info\/","name":"Linux Shtuff","description":"Because I have CRS 
Syndrome...","publisher":{"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/g33kinfo.com\/info\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/g33kinfo.com\/info\/#\/schema\/person\/c022e4c40b13ea1b678e6f020756f547","name":"g33kadmin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","url":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","contentUrl":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif","width":512,"height":512,"caption":"g33kadmin"},"logo":{"@id":"https:\/\/g33kinfo.com\/info\/wp-content\/uploads\/2022\/07\/minion-researchA.gif"},"description":"I am a g33k, Linux blogger, developer, student and Tech Writer for Liquidweb.com\/kb. My passion for all things tech drives my hunt for all the coolz. 
I often need a vacation after I get back from vacation....","sameAs":["https:\/\/thelinuxreport.com","https:\/\/fb.me\/g33kinf0","https:\/\/x.com\/https:\/\/twitter.com\/drsinger1111"]}]}}}