[ACCEPTED]-How do I interpret 'netstat -a' output-netstat
0.0.0.0 usually refers to stuff listening on all interfaces. 127.0.0.1 = localhost (only your local interface). I'm not sure about [::].
TIME_WAIT means both sides have agreed to close and TCP must now wait a prescribed time before taking the connection down.
CLOSE_WAIT means the remote system has finished sending and your system has yet to say it's finished.
I understand the answer has been accepted but here is some additional information:
- If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).
- If it says 127.0.0.1 on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.
- If it displays your online IP on the Local Address column, it means that port is ONLY listening for connections from the Internet.
- If it displays your local network IP on the Local Address column, it means that port is ONLY listening for connections from the local network.
- Foreign Address - The IP address and port number of the remote computer to which the socket is connected. The names that correspond to the IP address and the port are shown unless the -n parameter is specified. If the port is not yet established, the port number is shown as an asterisk (*). (from Wikipedia)
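The Local Address reading described in the answers above, as an added example that is not part of any answer: it parses listener rows and labels each bind scope, which is the first thing to check when auditing what a host exposes. The sample rows, the function names and the scope labels are constructed for illustration.

```python
import ipaddress

# Constructed sample: Windows `netstat -an` rows followed by Linux `netstat -ant` rows.
SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING
  TCP    [::]:445               [::]:0                 LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:50112     203.0.113.7:443        ESTABLISHED
  UDP    0.0.0.0:5353           *:*
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 forms such as ':::80' work."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port   # drop brackets and any zone id

def bind_scope(host):
    """Label a Local Address host: wildcard, loopback, or one specific address."""
    ip = None if host == "*" else ipaddress.ip_address(host)
    if ip is None or ip.is_unspecified:           # *, 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:                            # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"

def listeners(text):
    """Return (proto, host, port, scope) for each listening TCP or bound UDP row."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].lower().startswith(("tcp", "udp")):
            continue                              # header or blank line
        proto = tok[0].lower()
        fields = [t for t in tok[1:] if not t.isdigit()]  # drop Recv-Q/Send-Q/PID
        if len(fields) < 2:
            continue                              # malformed row
        state = fields[2] if len(fields) > 2 else ""
        if proto.startswith("tcp") and not state.startswith("LISTEN"):
            continue                              # a connection, not a listener
        host, port = split_endpoint(fields[0])
        rows.append((proto, host, port, bind_scope(host)))
    return rows

if __name__ == "__main__":
    print(*listeners(SAMPLE), sep="\n")
```

Rows labelled all-interfaces are the ones to compare against the host firewall policy, since they accept traffic on every address the machine has.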
What is the distinction between 0.0.0.0, 127.0.0.1, and [::]?
- 0.0.0.0 indicates something that is listening on all interfaces on the machine.
- 127.0.0.1 indicates your own machine.
- [::] is the IPv6 version of 0.0.0.0
- My machine also shows *:* for UDP which shows that UDP connections don't really have a foreign address - they receive packets from anywhere. That is the nature of UDP.
How should each part of the foreign address be read (part1:part2)?
127.0.0.1 is your loopback address, also known as 'localhost' if set in your HOSTS file. See here for more info: http://en.wikipedia.org/wiki/Localhost
0.0.0.0 means that an app has bound to all IP addresses using a specific port. MS info here: http://support.microsoft.com/default.aspx?scid=kb;en-us;175952
'::' is IPv6 shorthand for IPv4 0.0.0.0.
Send-Q is the amount of data sent by the application, but not yet acknowledged by the other side of the socket.
Recv-Q is the amount of data received from the NIC, but not yet consumed by the application.
Both of these queues reside in kernel memory. There are guides to help you tweak these kernel buffers, if you are so inclined. Although, you may find the default params do quite well.
This link has helped me a lot to interpret netstat -a
A copy from there -
TCP Connection States
Following is a brief explanation of this handshake. In this context the "client" is the peer requesting a connection and the "server" is the peer accepting a connection. Note that this notation does not reflect Client/Server relationships as an architectural principle.
The client sends a SYN message which contains the server's port and the client's Initial Sequence Number (ISN) to the server (active open).
The server sends back its own SYN and ACK (which consists of the client's ISN + 1).
The client sends an ACK (which consists of the server's ISN + 1).
Connection Tear-down (modified three way handshake).
The client sends a FIN (active close). This is now a half-closed connection. The client no longer sends data, but is still able to receive data from the server. Upon receiving this FIN, the server enters a passive close state.
The server sends an ACK (which is the client's FIN sequence + 1).
The server sends its own FIN.
The client sends an ACK (which is server's FIN sequence + 1). Upon receiving this ACK, the server closes the connection.
A half-closed connection can be used to terminate sending data while still receiving data. Socket applications can call shutdown with the second argument set to 1 to enter this state.
State explanations as shown in Netstat:
State: Explanation
- SYN_SEND: Indicates active open.
- SYN_RECEIVED: Server just received SYN from the client.
- ESTABLISHED: Client received server's SYN and session is established.
- LISTEN: Server is ready to accept connection.
NOTE: See documentation for listen() socket call. TCP sockets in listening state are not shown - this is a limitation of NETSTAT. For additional information, please see the following article in the Microsoft Knowledge Base: 134404 NETSTAT.EXE Does Not Show TCP Listen Sockets
- FIN_WAIT_1: Indicates active close.
- TIMED_WAIT: Client enters this state after active close.
- CLOSE_WAIT: Indicates passive close. Server just received first FIN from a client.
- FIN_WAIT_2: Client just received acknowledgment of its first FIN from the server.
- LAST_ACK: Server is in this state when it sends its own FIN.
- CLOSED: Server received ACK from client and connection is closed.
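The half-close described in the copied text, as an added example that is not part of the original answer or the Microsoft article: a loopback client calls shutdown with argument 1 (SHUT_WR), the server reads to end-of-stream and still replies. The function name and payload are constructed, and the state names in the comments are what netstat would show at that point.

```python
import socket
import threading

def half_close_demo(payload=b"request body"):
    """Client half-closes with shutdown(SHUT_WR); server replies after seeing the FIN."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # loopback only, kernel-chosen free port
    srv.listen(1)                       # socket now shows as LISTEN
    srv.settimeout(5)
    port = srv.getsockname()[1]
    seen = {}

    def server():
        conn, _ = srv.accept()          # ESTABLISHED on both sides
        with conn:
            chunks = []
            while True:
                data = conn.recv(4096)
                if not data:            # b"" means the client's FIN arrived: CLOSE_WAIT
                    break
                chunks.append(data)
            seen["request"] = b"".join(chunks)
            # Only the client-to-server direction is closed, so this still works.
            conn.sendall(b"got %d bytes" % len(seen["request"]))
        # Leaving the with-block closes conn: the server sends its own FIN (LAST_ACK).

    worker = threading.Thread(target=server)
    worker.start()
    with socket.create_connection(("127.0.0.1", port), timeout=5) as cli:
        cli.sendall(payload)
        cli.shutdown(socket.SHUT_WR)    # SHUT_WR == 1: send FIN, keep the receive side open
        reply = b""
        while True:                     # client is in FIN_WAIT_1, then FIN_WAIT_2
            data = cli.recv(4096)
            if not data:                # server's FIN arrived; client moves to TIME_WAIT
                break
            reply += data
        try:
            cli.sendall(b"more")        # writing after the half-close must fail
            write_after = "ok"
        except OSError:
            write_after = "refused"
    worker.join()
    srv.close()
    return seen["request"], reply, write_after

if __name__ == "__main__":
    print(half_close_demo())
```

A socket that stays in CLOSE_WAIT corresponds to a server that never leaves the read loop's owner code path to close its side, which is why long-lived CLOSE_WAIT entries usually point at an application bug rather than a network problem.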
For those seeing [::] in their netstat output, I'm betting your machine is running IPv6; that would be equivalent to 0.0.0.0, i.e. listen on any IPv6 address.