On Mon, 12 Aug 2002 [EMAIL PROTECTED] wrote:
> On Sun, 11 Aug 2002 21:26:32 +0800
> Federico Sevilla III <[EMAIL PROTECTED]> wrote:
>
> > Perhaps a neater habit will be to run:
> >
> >     # netstat -lnp
>
        The problem with this option is that it will only list listening
TCP sockets. A neater habit is:

        netstat -avp

        The problem with this is that it gives you Unix sockets as well, which
is messy and something you may not be interested in. A better way:

        netstat -atuwvp

        This gives a listing of UDP, TCP and raw sockets regardless of their
state (where applicable). With this option, you can catch unauthorized
connections to your machine by:

        netstat -atuwvp | grep ESTABLISHED


> Thanks! I'm learning a lot here. Check this out: I've got two ports with a
> "state" that I can't identify ("7" is not in the manpages) and no PID
> assigned to them (the last two entries).
>
> Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
> tcp        0      0 0.0.0.0:2777   0.0.0.0:*        LISTEN  6656/licq-bin
> tcp        0      0 0.0.0.0:6000   0.0.0.0:*        LISTEN  779/X
> tcp        0      0 0.0.0.0:7102   0.0.0.0:*        LISTEN  513/fontfs
> tcp        0      0 0.0.0.0:515    0.0.0.0:*        LISTEN  460/
> tcp        0      0 0.0.0.0:113    0.0.0.0:*        LISTEN  400/
> raw        0      0 0.0.0.0:1      0.0.0.0:*        7       -
> raw        0      0 0.0.0.0:6      0.0.0.0:*        7       -

        If you take a look at the last two rows, it says the socket is a
*raw* socket. In a way, you use this to create your own datagrams (TCP,
UDP or ICMP). Instead of asking the kernel to do the nitty-gritty of
filling in a datagram header and its payload, you do it yourself. Only
root can create raw sockets, for security reasons. A good example of how
raw sockets are utilized is the source code of nmap or a DoS program. This
gives you a clue of how powerful raw sockets are.
        State "7" is only meaningful if your raw socket is a TCP socket.
In that case, 7 means the socket is in the CLOSED state (look at the enum in
netinet/tcp.h).
        The probable reason why you can't see the PID for the last entries
is that you are running netstat with non-superuser privileges.

rowel
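Editor's added example (not part of the original thread, and not code from any of the posters): a small POSIX shell script that applies the two points made above to netstat -p style output. It flags ESTABLISHED connections whose program is not on an allowlist (the "grep ESTABLISHED" habit, made a little more selective), and it decodes the raw-socket rows, where the "port" in the Local Address column is the IP protocol number the socket was opened with and the numeric State is the value from the TCP state enum in netinet/tcp.h (TCP_ESTABLISHED=1 ... TCP_CLOSE=7 ... TCP_CLOSING=11). The sample listing, the allowlist argument and the function names (flag_established, decode_raw, state_name, proto_name) are assumptions made for this example; replace the sample with a live run of netstat -atuwvp, or of ss -atuwp on iproute2 systems.

```shell
#!/bin/sh
# Added example for the netstat thread above; not from the original posters.
# Input is a constructed sample in the layout of the poster's netstat -atuwvp
# output. Replace SAMPLE with: netstat -atuwvp 2>/dev/null  (or ss -atuwp).

# Constructed sample (assumption): addresses, ports and PIDs are made up.
SAMPLE='Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  400/sshd
tcp        0      0 10.0.0.5:22    10.0.0.9:51234   ESTABLISHED 1234/sshd
tcp        0      0 10.0.0.5:4444  203.0.113.7:443  ESTABLISHED 6656/nc
raw        0      0 0.0.0.0:1      0.0.0.0:*        7       -
raw        0      0 0.0.0.0:6      0.0.0.0:*        7       -'

# Numeric socket state -> name, per the enum in <netinet/tcp.h>
# (TCP_ESTABLISHED=1 ... TCP_CLOSE=7 ... TCP_CLOSING=11).
state_name() {
  case "$1" in
    1)  echo ESTABLISHED ;; 2)  echo SYN_SENT ;;   3)  echo SYN_RECV ;;
    4)  echo FIN_WAIT1 ;;   5)  echo FIN_WAIT2 ;;  6)  echo TIME_WAIT ;;
    7)  echo CLOSE ;;       8)  echo CLOSE_WAIT ;; 9)  echo LAST_ACK ;;
    10) echo LISTEN ;;      11) echo CLOSING ;;    *)  echo "$1" ;;
  esac
}

# IP protocol number -> name, for the "port" field of a raw socket row.
# Only a few common values are mapped here; /etc/protocols has the full list.
proto_name() {
  case "$1" in
    1)  echo icmp ;; 2)  echo igmp ;; 6)  echo tcp ;; 17) echo udp ;;
    47) echo gre ;;  50) echo esp ;;  51) echo ah ;;  58) echo ipv6-icmp ;;
    *)  echo "proto-$1" ;;
  esac
}

# Print ESTABLISHED TCP/UDP connections whose program is not in the
# space-separated allowlist given as $1. Reads netstat -p output on stdin.
# Rows with no PID ("-") are reported too: without root, netstat cannot
# attribute sockets owned by other users, so those need a second look.
flag_established() {
  awk -v allow=" $1 " '
    $1 ~ /^(tcp|udp)/ && $6 == "ESTABLISHED" {
      prog = $7; sub(/^[0-9]*\//, "", prog)      # "6656/nc" -> "nc"
      if (prog == "" || index(allow, " " prog " ") == 0)
        print $1, $4, "<->", $5, "[" $7 "]"
    }'
}

# Decode the raw-socket rows: protocol number from Local Address, and the
# numeric state (7 = TCP_CLOSE for an unconnected raw socket).
decode_raw() {
  awk '$1 == "raw" { split($4, a, ":"); print a[2], $6, $7 }' |
  while read -r proto state prog; do
    echo "raw proto $proto ($(proto_name "$proto")) state $state ($(state_name "$state")) $prog"
  done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | flag_established 'sshd'
printf '%s\n' "$SAMPLE" | decode_raw
```

On the sample, the sshd session is allowed and the nc connection to port 443 is reported; the two raw rows decode to protocols 1 (icmp) and 6 (tcp) in state 7 (CLOSE). Run it as root (or via sudo) if the PID/Program column shows "-" for sockets you did not open, since that column is only filled for sockets the invoking user can inspect.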

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
