[Dshield] after an attack I has no choice but go to Linux

John Sage jsage at finchhaven.com
Sat Sep 7 22:31:41 GMT 2002


hmm.. What OS are you referring to?

On Wed, Sep 04, 2002 at 11:22:26AM -0500, Samantha Fetter wrote:
> I humbly suggest that this may be slightly incorrect.
> 
> 
> netstat alone shows the status of active TCP and UDP ports.

The original post stated:

<snip>
> Well since I chose Linux (not telling which one, I am getting paranoid
> these days) I seem happy.
<snip>

So I believe the Linux syntax is most relevant...


NETSTAT(8)          Linux Programmer's Manual          NETSTAT(8)
<snip>
DESCRIPTION
       Netstat prints information about the Linux networking subsystem.  The type
       of information printed is controlled by the first argument, as follows:

   (none)
       By default, netstat displays a list of open sockets.  If you don't specify
       any address families, then the active sockets of  all  configured  address
       families will be printed.
<snip>

This is the OS I was referring to; perhaps I should have specified
that, but that's what the original poster was referring to...

> 
> netstat -a shows all sockets - active (connection established) and passive
> (waiting for a connection/just listening).

I wasn't referring to the Window$ version, for which that is correct.

In the *nix's:

<snip>
   -a, --all
       Show both listening and  non-listening  sockets.   With  the  --interfaces
       option, show interfaces that are not marked
<snip>

This would include the UNIX domain sockets, for which there is no
counterpart in Window$:

<snip>
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  15     [ ]         DGRAM                    729    /dev/log
unix  3      [ ]         STREAM     CONNECTED     4210833 /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4210832 
unix  3      [ ]         STREAM     CONNECTED     4206960 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4206959 
unix  3      [ ]         STREAM     CONNECTED     4206912 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4206911 
unix  3      [ ]         STREAM     CONNECTED     4206898 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4206897 
unix  3      [ ]         STREAM     CONNECTED     4206823 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4206822 
unix  3      [ ]         STREAM     CONNECTED     4206679 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4206678 
unix  3      [ ]         STREAM     CONNECTED     4203236 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4203235 
unix  3      [ ]         STREAM     CONNECTED     4203227 /var/lib/mysql/mysql.sock
unix  3      [ ]         STREAM     CONNECTED     4203226 
<snip>

That's why it's best to limit the output with -t or -u or -tu if one
is interested in TCP or UDP sockets.



- John
-- 
"In those days, you could not buy a $2000 200MHz Pentium server."

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
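As an added example (not part of John's message or of net-tools itself), the following Python script parses the plain-text output of Linux `netstat -a` and reproduces the effect of the -t / -u / -l selectors discussed above: the same parse yields the UNIX domain socket table that plain `netstat -a` dumps, and the TCP/UDP-only view that -tu gives. The sample output embedded below is constructed, not captured from a real host; the addresses, inodes and the listening port 31337 are invented purely to illustrate comparing listeners against an expected baseline after an incident. The function names (`parse_netstat`, `select`, `unexpected_listeners`) are this example's own.

```python
"""Parse net-tools `netstat -a` output and mimic its -t / -u / -l filters.

Added example, not code from the original post or from net-tools.
SAMPLE is constructed to look like a 2002-era Linux box; every address,
inode and port in it is made up.
"""
import re

# Constructed sample of `netstat -an` output (not from a real host).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         192.168.1.55:51234      ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     4210800 /tmp/.X11-unix/X0
unix  15     [ ]         DGRAM                    729    /dev/log
unix  3      [ ]         STREAM     CONNECTED     4210833 /tmp/.X11-unix/X0
unix  3      [ ]         STREAM     CONNECTED     4210832
unix  3      [ ]         STREAM     CONNECTED     4206960 /var/lib/mysql/mysql.sock
"""

# UNIX domain socket rows: the State column may be empty (DGRAM sockets),
# and Path may be absent, so a regex is safer than str.split().
UNIX_RE = re.compile(
    r"^unix\s+(?P<refcnt>\d+)\s+\[\s*(?P<flags>[^\]]*?)\s*\]\s+(?P<type>\w+)\s+"
    r"(?:(?P<state>[A-Z]+)\s+)?(?P<inode>\d+)\s*(?P<path>\S.*)?$"
)


def parse_netstat(text):
    """Return one dict per socket row; 'family' is 'inet' or 'unix'."""
    records, family = [], None
    for line in text.splitlines():
        if line.startswith("Active Internet"):
            family = "inet"
            continue
        if line.startswith("Active UNIX"):
            family = "unix"
            continue
        if not line.strip() or line.startswith("Proto"):
            continue  # column header or blank line
        if family == "inet":
            parts = line.split()
            # UDP rows carry no State column in net-tools output.
            state = parts[5] if len(parts) > 5 else ""
            records.append({"family": "inet", "proto": parts[0],
                            "local": parts[3], "foreign": parts[4],
                            "state": state})
        elif family == "unix":
            m = UNIX_RE.match(line.rstrip())
            if m:
                records.append({"family": "unix", "proto": "unix",
                                "type": m.group("type"),
                                "state": m.group("state") or "",
                                "inode": int(m.group("inode")),
                                "path": m.group("path") or ""})
    return records


def select(records, tcp=False, udp=False, listening=False):
    """Approximate netstat -t / -u / -l on parsed rows.

    With neither tcp nor udp set, every row (UNIX sockets included) is
    returned, which is what plain `netstat -a` prints.  'listening' keeps
    LISTEN/LISTENING rows plus rows with no state (UDP and unconnected
    DGRAM sockets), which are passive receivers too.
    """
    out = []
    for r in records:
        if (tcp or udp) and not ((tcp and r["proto"] == "tcp") or
                                 (udp and r["proto"] == "udp")):
            continue
        if listening and r["state"] not in ("LISTEN", "LISTENING", ""):
            continue
        out.append(r)
    return out


def unexpected_listeners(records, expected_ports):
    """Post-incident triage: listening TCP/UDP ports not in the admin's
    baseline, as sorted (proto, port) tuples."""
    found = set()
    for r in select(records, tcp=True, udp=True, listening=True):
        port = int(r["local"].rsplit(":", 1)[1])
        if port not in expected_ports:
            found.add((r["proto"], port))
    return sorted(found)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print(len(rows), "sockets total,",
          len(select(rows, tcp=True, udp=True)), "of them TCP/UDP")
    for proto, port in unexpected_listeners(rows, {22, 123, 3306}):
        print("unexpected listener:", proto, port)
```

On a real host you would feed it `netstat -an` (the -n avoids DNS lookups, which matter when you suspect the box and its resolver); the baseline set is whatever services the machine is supposed to offer, and anything outside it is the first thing to look at.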