For troubleshooting network issues, checking that a service is properly open on your server, or simply monitoring that there are no unintended services that could represent security breaches, it's useful to obtain information on any open incoming connections that your computer is currently receiving or waiting for.
netstat - commonly available tool
Netstat should be available in most modern systems, including Windows, macOS and Linux. It's often included even in many minimal VMs, so this should be a pretty universal way of checking this.
By default it'll show the status of current connections, but it'll exclude the listening ports. To gather data on the listening ports, some options have to be provided. There are multiple versions of netstat and the options might differ based on the implementation. Below are a couple of common ones.
- `-a`: display all types of connections, including listening ports (by default listening ports won't show)
- `-b`: show the program/process responsible for creating each connection (requires being run with root/administrator permissions)
```powershell
netstat -ab
```
There's also the option below specifically for showing only listening ports, but it's not available in Windows systems:
- `-l`: show only listening connections (this option isn't available in Windows)
```sh
# On Linux (net-tools) the program/process option is -p; -b is the Windows flag
sudo netstat -lp
```
Below is a table of the possible states. The names might change slightly depending on the implementation or platform; this is a basic common denominator.
State | Description |
---|---|
CLOSE_WAIT | The remote end has shut down, waiting for the socket to close. |
CLOSED | The socket is not being used. |
ESTABLISHED | The socket has an established connection. |
FIN_WAIT_1 | The socket is closed, and the connection is shutting down. |
FIN_WAIT_2 | Connection is closed, waiting for a shutdown from the remote end. |
LAST_ACK | The remote end has shut down. Waiting for acknowledgement. |
LISTENING | The socket is listening for incoming connections. |
SYN_RECEIVED | A connection request has been received from the network. |
SYN_SEND | The socket is actively attempting to establish a connection. |
TIME_WAIT | The socket is waiting after close to handle packets still in the network. |
UNKNOWN | The state of the socket is unknown. |
ss - socket statistics for Linux systems
In modern Linux systems netstat is being superseded by the newer `ss` tool, part of the `iproute2` suite of network tools.
Similar to netstat, when no option is used ss displays a list of open non-listening sockets (e.g. TCP/UNIX/UDP) that have an established connection.
- `-t`, `--tcp`: display only TCP sockets
- `-u`, `--udp`: display only UDP sockets
- `-w`, `--raw`: display only RAW sockets
- `-x`, `--unix`: display only Unix domain sockets
- `-l`, `--listening`: display listening sockets
- `-p`, `--processes`: show process using socket
- `-s`, `--summary`: show socket usage summary
```sh
# Show all listening connections and process responsible
ss -lp
# Show open TCP connections towards 127.0.0.1 on port 443
ss -t dst 127.0.0.1:443
```
lsof - check open files/sockets in Unix systems
lsof is a powerful tool for getting information about the open files in the system. Since sockets in Unix expose a filesystem interface, they can also be checked with lsof.
```sh
# Show all listening TCP ports
sudo lsof -nP -iTCP -sTCP:LISTEN
# Show connections listening to port 443
sudo lsof -nP -iTCP:443 -sTCP:LISTEN
# Show all UDP connections
sudo lsof -nP -iUDP
```
Parse /proc/net/ from the Linux kernel filesystem
Even if we don't have any of the previous tools available on our device (or VM), it's still possible to check for open ports just by parsing the special files under `/proc/net`.
`/proc/net/tcp` and `/proc/net/udp` are special files generated by the kernel that show the TCP and UDP connections respectively.
```sh
$ cat /proc/net/tcp
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
0: 0B00007F:8C81 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 1092144051 1 ffff8802ad120e00 100 0 0 10 0
```
The second field is the local address, and what comes after the `:` symbol is the port, shown in hexadecimal.
We can extract them all and convert them to decimal with the following one-liner:
```sh
# printf converts the hex port portably; $((16#...)) only works in bash/ksh/zsh
sed -n 's/ *[0-9:]* *[^ :]*:\([^ ]*\).*/\1/p' /proc/net/tcp | while read -r p; do printf '%d\n' "0x$p"; done
```
We can proceed in a similar way with `/proc/net/udp` for UDP listening ports.
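
The one-liner prints the port of every TCP socket, whatever its state. As an added example (not part of the original page), the function below decodes the same table but keeps only rows whose `st` field is `0A` (LISTEN), and also prints the decoded address, owning uid and socket inode. It assumes IPv4 rows and a little-endian host; the function name and the ESTABLISHED sample row are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): decode a /proc/net/tcp-format
# table read from stdin and print only sockets in LISTEN state (st == 0A).
# Assumes IPv4 entries and a little-endian host (x86, most ARM).
listening_sockets() {
    # Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    while read -r _sl local _rem st _q _t _r uid _to inode _rest; do
        [ "$st" = "0A" ] || continue          # also skips the header line
        addr=${local%:*}
        port=${local#*:}
        # Accept only 8+4 hex digits, so nothing unexpected reaches $(( )).
        [ "${#addr}" -eq 8 ] && [ "${#port}" -eq 4 ] || continue
        case $addr$port in *[!0-9A-Fa-f]*) continue ;; esac
        n=$((0x$addr))
        # The kernel prints the address as a host-order integer, so on a
        # little-endian machine the first octet is the lowest byte.
        printf '%d.%d.%d.%d:%d uid=%s inode=%s\n' \
            $((n & 255)) $((n >> 8 & 255)) $((n >> 16 & 255)) \
            $((n >> 24 & 255)) $((0x$port)) "$uid" "$inode"
    done
}

# Constructed sample: the header and LISTEN row shown above, plus one
# made-up ESTABLISHED row (st 01) that must be filtered out.
listening_sockets <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0B00007F:8C81 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1092144051 1 ffff8802ad120e00 100 0 0 10 0
   1: 0100007F:01BB 0100007F:D2F0 01 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 20 4 30 10 -1
EOF
# On a live system: listening_sockets < /proc/net/tcp
```

The inode column can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the owning process when neither `ss -p` nor `lsof` is available.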