On Mon, 12 Aug 2002 [EMAIL PROTECTED] wrote:
> On Sun, 11 Aug 2002 21:26:32 +0800
> Federico Sevilla III <[EMAIL PROTECTED]> wrote:
>
> > Perhaps a neater habit will be to run:
> >
> > # netstat -lnp
>
The problem with this option is it will try to list all listening
tcp sockets only. A neater habit is:

    netstat -avp

The problem with this is it gives you unix sockets as well -
messy. Something you may not be interested in. A better way:

    netstat -atuwvp

This gives a listing of udp, tcp and raw sockets regardless of their
state (if applicable). With this option, you can catch unauthorized
connections to your machine by:

    netstat -atuwvp | grep ESTABLISHED

> Thanks! I'm learning a lot here. Check this out: I've got two ports with a
> "state" that I can't identify ("7" is not in the manpages) and no PID
> assigned to them (the last two entries).
>
> Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
> tcp        0      0 0.0.0.0:2777   0.0.0.0:*        LISTEN  6656/licq-bin
> tcp        0      0 0.0.0.0:6000   0.0.0.0:*        LISTEN  779/X
> tcp        0      0 0.0.0.0:7102   0.0.0.0:*        LISTEN  513/fontfs
> tcp        0      0 0.0.0.0:515    0.0.0.0:*        LISTEN  460/
> tcp        0      0 0.0.0.0:113    0.0.0.0:*        LISTEN  400/
> raw        0      0 0.0.0.0:1      0.0.0.0:*        7       -
> raw        0      0 0.0.0.0:6      0.0.0.0:*        7       -

If you take a look at the last two rows, it says the socket is a
*raw* socket. In a way, you used this to create your own datagram (tcp,
udp or icmp). Instead of asking the kernel to do the nitty-gritty of
filling in a datagram header and its payload, you do it yourself. Only
root can create raw sockets for security reasons. A good example of how
raw sockets are utilized is the source code of nmap or a DoS program. This
gives you a clue of how powerful a raw socket is.

State "7" is only meaningful if your raw socket is a tcp socket.
In that case, 7 means the socket is at CLOSED state (look at the enum in
netinet/tcp.h).

The probable reason why you can't see the PID for the last entries
is you are running netstat with non-superuser privileges.

rowel
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
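
Added example, not part of the original message: a small decoder for the kernel table that netstat reads for raw sockets (/proc/net/raw on Linux), mapping the numeric state through the netinet/tcp.h enum mentioned above. It assumes the usual Linux layout, in which the "port" column of a raw socket holds the IP protocol number (1 = icmp, 6 = tcp), and a little-endian host; the sample rows and inode numbers are constructed.

```python
import socket
import struct

# State numbers from the enum in netinet/tcp.h (TCP_ESTABLISHED = 1 ... TCP_CLOSING = 11).
TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}
# For raw sockets the "port" column holds the IP protocol number (assumed layout).
IP_PROTOCOLS = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp", 255: "raw"}

# Constructed sample in /proc/net/raw layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4711
   6: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4712
"""

def decode_addr(hex_addr):
    """Decode 'AABBCCDD:PPPP'; the address is in host byte order (little-endian assumed)."""
    ip_hex, num_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(num_hex, 16)

def parse_raw_table(text):
    """Return one dict per raw socket found in a /proc/net/raw style table."""
    rows = []
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue                              # blank or truncated line
        local_ip, proto_num = decode_addr(fields[1])
        state_num = int(fields[3], 16)            # the "st" column is hexadecimal
        rows.append({
            "local": local_ip,
            "protocol": IP_PROTOCOLS.get(proto_num, str(proto_num)),
            "state": TCP_STATES.get(state_num, "UNKNOWN(%d)" % state_num),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/raw").read() instead of SAMPLE.
    for row in parse_raw_table(SAMPLE):
        print("raw %(local)s proto=%(protocol)s state=%(state)s uid=%(uid)d inode=%(inode)d" % row)
```

The uid and inode columns are what let you tie a raw socket back to its owner when netstat shows "-" in the PID column.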