netstat is one of the most basic network service debugging tools, telling you what ports are open and whether any programs are listening on them. For example, to view TCP sockets, run this command:
netstat -t
By itself, -t shows active TCP connections; combine it with -l to restrict the output to listening ports and with -n to skip DNS lookups.
Table 6-2 lists the netstat options.
Option | Description
---|---
-t | Prints TCP port information
-u | Prints UDP port information
-l | Prints listening ports
-a | Prints every active port
-n | Disables name lookups (useful if DNS isn't working)
Being able to list open and listening ports is good, but our good old friend lsof can go one step further.
In Section 4.8.1 you saw how lsof can track open files, but lsof can also list the programs currently using or listening on ports. For a complete list, run this command:
lsof -i
The output should look something like this:
COMMAND PID USER   FD TYPE DEVICE SIZE NODE NAME
portmap 520 daemon 3u IPv4    150      UDP  *:sunrpc
portmap 520 daemon 4u IPv4    151      TCP  *:sunrpc (LISTEN)
inetd   522 root   4u IPv4    188      TCP  *:discard (LISTEN)
inetd   522 root   5u IPv4    189      UDP  *:discard
inetd   522 root   6u IPv4    190      TCP  *:daytime (LISTEN)
inetd   522 root   7u IPv4    191      UDP  *:daytime
inetd   522 root   8u IPv4    192      TCP  *:time (LISTEN)
inetd   522 root   9u IPv4    193      UDP  *:time
inetd   522 root  11u IPv4    195      TCP  *:auth (LISTEN)
sshd    853 root   3u IPv4    696      TCP  *:ssh (LISTEN)
X       900 root   1u IPv4    791      TCP  *:6000 (LISTEN)
If you're looking for one port in particular (that is, if you know that a process is using a particular port and you want to know what that process is), use this version of the command:
lsof -i :port
The full syntax is
lsof -i protocol@host:port
protocol, @host, and :port are all optional. Specifying any of these parameters filters the lsof output accordingly. As with most other network utilities, host and port can be either names or numbers.
You can disable host-name resolution with the -n option, and lsof -P forces numeric port listings. Run lsof as root when auditing a machine: an unprivileged user sees only the sockets belonging to that user's own processes.
Note: If you don't have lsof on your system, you can run netstat -p to get the processes associated with ports (as with lsof, you need root to see processes other than your own). This is a Linux-specific netstat feature, but lsof is still far more flexible. On current Linux systems netstat itself is a legacy tool; ss from the iproute2 package accepts the same -t, -u, -l, -n, and -p options.
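A listing like the one above is only useful if you act on it, and the question a security engineer asks first is which of those listeners are bound to every interface rather than to loopback. The following script is an added example, not code from the book or from lsof: it parses text in the layout of the `lsof -i` output shown above (the sample is constructed, with a loopback-only mysqld line and an established ssh session added to show the cases the check has to tell apart) and reports the wildcard-bound listeners. To audit a live machine, run `lsof -i` as root and pass its output to parse_lsof().

```python
"""Audit the output of `lsof -i` for services listening on every interface.

Added example, not code from the book: it parses text in the layout of
the sample `lsof -i` output shown above.  To audit a live machine, run
`lsof -i` as root and pass its output to parse_lsof().
"""

# Constructed sample in the format printed by `lsof -i`.  The last two lines
# (a loopback-only mysqld and an established ssh session) are invented to
# show the cases a wildcard-listener check has to tell apart.
SAMPLE = """\
COMMAND  PID   USER  FD  TYPE DEVICE SIZE NODE NAME
portmap  520 daemon  3u  IPv4    150      UDP  *:sunrpc
portmap  520 daemon  4u  IPv4    151      TCP  *:sunrpc (LISTEN)
inetd    522   root  4u  IPv4    188      TCP  *:discard (LISTEN)
sshd     853   root  3u  IPv4    696      TCP  *:ssh (LISTEN)
X        900   root  1u  IPv4    791      TCP  *:6000 (LISTEN)
mysqld  1200  mysql 10u  IPv4    901      TCP  localhost:mysql (LISTEN)
sshd    1301   root  4u  IPv4   1001      TCP  10.0.0.5:ssh->10.0.0.9:51522 (ESTABLISHED)
"""

# Addresses lsof prints for a socket bound to every interface.
WILDCARDS = {"*", "0.0.0.0", "[::]"}


def parse_lsof(text):
    """Turn `lsof -i` output into a list of dicts, one per socket line.

    The columns are parsed from the right: an optional "(STATE)" suffix,
    then NAME, then NODE (TCP/UDP).  Working from the right copes with the
    SIZE column, which lsof leaves blank or prints as SIZE/OFF depending on
    the version.
    """
    rows = []
    for line in text.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 5:
            continue
        state = None
        if fields[-1].startswith("("):
            state = fields[-1].strip("()")
            fields = fields[:-1]
        name, proto = fields[-1], fields[-2]
        local = name.split("->", 1)[0]         # drop the peer of a connected socket
        host, _, port = local.rpartition(":")
        rows.append({
            "cmd": fields[0], "pid": int(fields[1]), "user": fields[2],
            "proto": proto, "host": host, "port": port, "state": state,
            "connected": "->" in name,
        })
    return rows


def listening(rows):
    """Sockets that accept traffic: TCP in LISTEN, or any unconnected UDP socket."""
    return [r for r in rows
            if not r["connected"] and (r["state"] == "LISTEN" or r["proto"] == "UDP")]


def exposed(rows):
    """Listeners bound to the wildcard address, i.e. reachable on every interface."""
    return [r for r in listening(rows) if r["host"] in WILDCARDS]


def report(text):
    """One line per exposed listener; returned so it can be checked as well as printed."""
    rows = parse_lsof(text)
    return ["%-8s %-6s %-6s %-4s %s:%s" % (r["cmd"], r["pid"], r["user"], r["proto"],
                                           r["host"], r["port"])
            for r in exposed(rows)]


if __name__ == "__main__":
    print("Listening on all interfaces (review each one):")
    for line in report(SAMPLE):
        print("  " + line)
```

The check treats every unconnected UDP socket as a listener, because UDP has no LISTEN state in lsof output: a bound UDP socket receives datagrams whether or not anything has ever sent to it. A loopback-only listener such as the mysqld line is reported by listening() but not by exposed().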
If you need to know what's happening on your network, tcpdump puts your network interface card into promiscuous mode and reports on every packet that crosses the wire. Capturing raw packets requires root (or the CAP_NET_RAW capability), and promiscuous mode is the default unless you pass -p.
tcpdump with no arguments produces output resembling the following sample, which includes an ARP request and Web connection:
tcpdump: listening on eth0
20:36:25.771304 arp who-has mikado.example.com tell duplex.example.com
20:36:25.774729 arp reply mikado.example.com is-at 0:2:2d:b:ee:4e
20:36:25.774796 duplex.example.com.48455 > mikado.example.com.www: S 3200063165:3200063165(0) win 5840 <mss 1460,sackOK,timestamp 38815804[|tcp]> (DF)
20:36:25.779283 mikado.example.com.www > duplex.example.com.48455: S 3494716463:3494716463(0) ack 3200063166 win 5792 <mss 1460,sackOK,timestamp 4620[|tcp]> (DF)
20:36:25.779409 duplex.example.com.48455 > mikado.example.com.www: . ack 1 win 5840 <nop,nop,timestamp 38815805 4620> (DF)
20:36:25.779787 duplex.example.com.48455 > mikado.example.com.www: P 1:427(426) ack 1 win 5840 <nop,nop,timestamp 38815805 4620> (DF)
20:36:25.784012 mikado.example.com.www > duplex.example.com.48455: . ack 427 win 6432 <nop,nop,timestamp 4620 38815805> (DF)
20:36:25.845645 mikado.example.com.www > duplex.example.com.48455: P 1:773(772) ack 427 win 6432 <nop,nop,timestamp 4626 38815805> (DF)
20:36:25.845732 duplex.example.com.48455 > mikado.example.com.www: . ack 773 win 6948 <nop,nop,timestamp 38815812 4626> (DF)
9 packets received by filter
0 packets dropped by kernel
You can tell tcpdump to be more specific by adding some filtering arguments. You can filter based on source and destination hosts, networks, Ethernet addresses, protocols at many different layers in the network model, and much more. Among the many packet protocols that tcpdump recognizes are ARP, RARP, ICMP, TCP, UDP, IP, IPv6, AppleTalk, and IPX packets. For example, if you want tcpdump to output only TCP packets, run this command:
tcpdump tcp
If you want to see Web packets (port 80) together with all UDP packets, use this command:
tcpdump udp or port 80
In the preceding examples, tcp, udp, and port 80 are called primitives. The most important primitives are in Table 6-3:
Primitive | Packet Specification
---|---
tcp | TCP packets
udp | UDP packets
port port | TCP and/or UDP packets to/from port port
host host | Packets to or from host
net network | Packets to or from network
As you saw in the example, or is an operator. Other operators include and and ! (which may also be written not); you may use parentheses for grouping. ! binds most tightly, then and, then or, so tcp or udp and port 53 means tcp or (udp and port 53); parenthesize whenever the intended grouping is not obvious. If you're going to do any serious work with tcpdump, make sure that you read the manual page, especially the section that describes the primitives.
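The primitives and operators are easiest to understand by watching what they let through. The evaluator below is an added example, not part of the book or of tcpdump itself: it implements the primitives from Table 6-3 (plus icmp and arp), the operators and, or and ! with the precedence the pcap filter language uses, and runs them over a handful of constructed packet records instead of a live interface. The SERVICES table is an assumed stand-in for /etc/services so that names like www resolve offline.

```python
"""A small evaluator for tcpdump-style filter expressions.

Added example, not part of the book or of tcpdump: it implements the
primitives from Table 6-3 (tcp, udp, port, host, net, plus icmp and arp)
and the operators and, or, ! and parentheses, with the same precedence the
real pcap filter language uses (! tightest, then and, then or), and runs
them over constructed packet records instead of a live interface.
"""
import ipaddress
import re

# Constructed packets (what tcpdump would decode from the wire), indexed 0-5.
PACKETS = [
    {"proto": "arp",  "src": "10.0.0.9",    "dst": "10.0.0.5"},
    {"proto": "tcp",  "src": "10.0.0.9",    "dst": "10.0.0.5", "sport": 48455, "dport": 80},
    {"proto": "tcp",  "src": "10.0.0.5",    "dst": "10.0.0.9", "sport": 80,    "dport": 48455},
    {"proto": "udp",  "src": "10.0.0.9",    "dst": "10.0.0.1", "sport": 33000, "dport": 53},
    {"proto": "tcp",  "src": "192.168.1.7", "dst": "10.0.0.5", "sport": 51522, "dport": 22},
    {"proto": "icmp", "src": "10.0.0.1",    "dst": "10.0.0.9"},
]

# Assumption: a tiny stand-in for /etc/services so port names work offline.
SERVICES = {"www": 80, "http": 80, "ssh": 22, "domain": 53}


def _port(tok):
    return SERVICES[tok] if tok in SERVICES else int(tok)


class Filter:
    """Recursive-descent parser producing a predicate over packet dicts."""

    def __init__(self, expr):
        self.toks = re.findall(r"\(|\)|!|[^\s()!]+", expr)
        self.pos = 0
        self.pred = self._or_expr()
        if self.pos != len(self.toks):
            raise SyntaxError("unexpected token: " + self.toks[self.pos])

    def __call__(self, pkt):
        return self.pred(pkt)

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        if tok is None:
            raise SyntaxError("unexpected end of expression")
        self.pos += 1
        return tok

    def _or_expr(self):                      # lowest precedence
        left = self._and_expr()
        while self._peek() in ("or", "||"):
            self._next()
            left = (lambda a, b: lambda p: a(p) or b(p))(left, self._and_expr())
        return left

    def _and_expr(self):
        left = self._unary()
        while self._peek() in ("and", "&&"):
            self._next()
            left = (lambda a, b: lambda p: a(p) and b(p))(left, self._unary())
        return left

    def _unary(self):                        # ! / not, parentheses, or a primitive
        tok = self._next()
        if tok in ("!", "not"):
            inner = self._unary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = self._or_expr()
            if self._next() != ")":
                raise SyntaxError("expected ')'")
            return inner
        return self._primitive(tok)

    def _primitive(self, tok):
        if tok in ("tcp", "udp", "icmp", "arp"):
            return lambda p: p["proto"] == tok
        if tok == "port":                    # matches either endpoint, TCP or UDP
            n = _port(self._next())
            return lambda p: n in (p.get("sport"), p.get("dport"))
        if tok == "host":
            h = self._next()
            return lambda p: h in (p["src"], p["dst"])
        if tok == "net":
            net = ipaddress.ip_network(self._next(), strict=False)
            return lambda p: any(ipaddress.ip_address(a) in net for a in (p["src"], p["dst"]))
        raise SyntaxError("unknown primitive: " + tok)


def select(expr, packets=PACKETS):
    """Indexes of the packets that the filter expression would let through."""
    match = Filter(expr)
    return [i for i, p in enumerate(packets) if match(p)]


if __name__ == "__main__":
    for expr in ("tcp", "udp or port 80", "host 10.0.0.9 and !arp",
                 "tcp or udp and port 53", "(tcp or udp) and port 53"):
        print("%-28s -> %s" % (expr, select(expr)))
```

Note that udp or port 80 admits both directions of the Web connection (port matches either endpoint) as well as the DNS datagram, and that tcp or udp and port 53 and (tcp or udp) and port 53 select very different packets; that difference is exactly the precedence rule described above.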
Note: Use good judgment when using tcpdump. The output shown earlier in this section includes only TCP (transport layer) and IP (Internet layer) header information, but you can also make tcpdump print the entire packet contents (for example with -X or -A). Even though many network operators make it far too easy to look at their network packets, that doesn't mean you should. Don't snoop around on networks other than the ones you own, unless you happen to be in the espionage business and understand the risks of holding sensitive wiretapped data.
If you find that you need to do a lot of packet sniffing, you should probably consider a GUI alternative to tcpdump named Ethereal (renamed Wireshark in 2006).
If you need more flexibility in connecting to a remote host than a command such as telnet host port allows, use netcat (or nc). Netcat can connect to remote TCP/UDP ports, specify a local port, listen on ports, scan ports, redirect standard I/O to and from network connections, and more.
To open a TCP connection to a port, run this command:
netcat host port
netcat does not terminate until the other side of the connection ends the connection. This can confuse you if you redirect standard input to netcat. You can end the connection at any time by pressing CONTROL-C.
To listen on a port, run this command:
netcat -l -p port
That is the syntax of the original netcat; the OpenBSD-derived nc shipped by many distributions takes the port as a plain argument after -l instead of with -p, so check the manual page of the version you have.
Note: There are two versions of netcat. The somewhat quirky original has just one executable name, nc, with a final version number of around 1.10. However, there is a newer GNU version using the name netcat, though the current version numbers are lower than the original. The new version includes several improvements, not the least of which is a manual page.
The netcat utility is very specific in its treatment of the network connection; in particular, it does not like to exit until the network connection has terminated. If this behavior doesn't suit your application (in particular, if you'd like the program and network connection to terminate based on the standard input stream), try the sock program instead.
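The behaviour described here, a listener that waits for the remote side to finish and a client that has to signal end-of-input, is easiest to see with both ends in one program. The script below is an added example, not from the book or from netcat: it uses plain Python sockets on 127.0.0.1 and an ephemeral port (assumption: loopback networking is available) to do what netcat -l -p port and netcat host port do. With half_close=True the client shuts down its sending side when its input is finished, the listener sees EOF and answers; with half_close=False the client never signals EOF, the listener sits waiting the way netcat does, and only its idle timeout ends the exchange.

```python
"""Listen on a port and connect to it, the way `netcat -l -p port` and
`netcat host port` do, with the end-of-connection behaviour made explicit.

Added example, not from the book or from netcat: plain Python sockets on
127.0.0.1 and an ephemeral port (assumption: loopback networking works).
"""
import socket
import threading


def serve_once(listener, results, idle_timeout):
    """Accept one connection, read to EOF, echo the data back, close."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(idle_timeout)
        chunks = []
        try:
            while True:
                data = conn.recv(4096)
                if not data:                  # peer shut down its sending side: EOF
                    break
                chunks.append(data)
        except socket.timeout:
            results["received"] = None        # peer never signalled EOF; give up
            return                            # leaving the with-block closes conn
        request = b"".join(chunks)
        results["received"] = request
        conn.sendall(b"echo:" + request)      # closing conn afterwards ends the session


def exchange(payload, half_close=True, idle_timeout=1.0):
    """Run one listener/client round trip over loopback.

    Returns (port, what the listener received, what the client read back).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # port 0: the kernel picks a free one
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {}
    server = threading.Thread(target=serve_once, args=(listener, results, idle_timeout),
                              daemon=True)
    server.start()
    with socket.create_connection(("127.0.0.1", port), timeout=10.0) as client:
        client.sendall(payload)
        if half_close:
            client.shutdown(socket.SHUT_WR)   # "my input is finished", read side stays open
        reply = b""
        while True:                           # like netcat: read until the other side closes
            data = client.recv(4096)
            if not data:
                break
            reply += data
    server.join(10.0)
    listener.close()
    return port, results.get("received"), reply


if __name__ == "__main__":
    port, seen, back = exchange(b"GET / HTTP/1.0\r\n\r\n")
    print("port %d: listener saw %r, client got %r" % (port, seen, back))
    port, seen, back = exchange(b"hello", half_close=False)
    print("without half-close: listener saw %r, client got %r" % (seen, back))
```

The shutdown(SHUT_WR) call is the piece the original netcat lacks: it tells the peer that no more input is coming while still allowing the reply to be read, which is what you want when standard input is a file rather than a terminal.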