Netstat outputs and tracing data traffic.

Discussion in 'privacy general' started by Thelps, Apr 10, 2018.

  1. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    46
    Been interested in the meaning of some Netstat outputs.

    Ran Netstat -ano and got this output:

    NOTE: some data anonymised... Port numbers replaced with ___ and some IP Addresses overwritten with *IP Address*.
    ----------------------------------------------------------------------------------------


    Proto Local Address Foreign Address State PID
    TCP 0.0.0.0: ___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP 0.0.0.0:___ 0.0.0.0:0 LISTENING ___
    TCP *Ip Address* 0.0.0.0:0 LISTENING _
    TCP *IP Address* 0.0.0.0:0 LISTENING _
    TCP *IP Address* *IP Address* FIN_WAIT_2 ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    TCP [::]:__ [::]:0 LISTENING ___
    UDP 0.0.0.0:__ *:* ___
    UDP 0.0.0.0:__ *:* ____
    UDP 0.0.0.0:___ *:* ____
    UDP 0.0.0.0:___ *:* ___
    UDP 0.0.0.0:___ *:* ___
    UDP 0.0.0.0:___ *:* ___
    UDP 0.0.0.0:___ *:* ____
    UDP *IP Address* *:* _
    UDP *IP Address* *:* _
    UDP *IP Address* *:* _
    UDP *IP Address* *:* _
    UDP [::]:__ *:* ____
    UDP [::]:__ *:* ____
    UDP [::]:__ *:* ____
    UDP [::]:__ *:* ____
    ----------------------------------------------------------------------------------------------

    Just wondering what the following outputs mean...

    -0.0.0.0:
    and
    [::]:
    and
    *:*

    Do these represent active connections or are they simply null-terminated by IP-addresses that don't exist? Do these outputs mean something else?

    Once again, you guys are really helping here.:)
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    0.0.0.0 means there is no active network connection for the process.

    :: is the notation used for the IPv6 localhost connection.

    *.* is usually used to indicate all processes.

    For reference, use netstat -anob which will give you a listing of network connections used by each process.
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    If 0.0.0.0 means there is no active connection then what is netstat detecting?
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Listening status.
     
  5. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Yes but what I meant was, if an application is listening it has to open a port to do it right?
    Netstat looks at the Network interface and sees what? An application that is listening but hasn't opened a port? How can netstat detect an application is listening if it doesn't have a port and also how can an application be listening without a port?
     
  6. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    46
    I was told 0.0.0.0 could mean all available IPs and ports that responded to the connection, but that guy might have been trolling or mistaken.

    I assumed the 0.0.0.0 meant the connection had been null-terminated or somesuch. So the application is trying to establish a connection but some setting has redirected that connection to a 'null' IP address so it goes nowhere.

    Google says:
    "In the context of servers, 0.0.0.0 can mean "all IPv4 addresses on the local machine". If a host has two IP addresses, 192.168.1.1 and 10.1.2.1, and a server running on the host is configured to listen on 0.0.0.0, it will be reachable at both of those IP addresses."

    I'm just dubious because this isn't a server, but perhaps Windows simulates a server as part of the OS?

    Further information appreciated.
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Pretty much on target. Refer to how the hosts file works in Windows. It is normally empty. If you want to block a URL, you enter - 0.0.0.0 somedomain.com.

    When you use something like TCPView, all 0.0.0.0 means, when associated with a process, is that it has established TCP/IP connectivity but no connection is in an active state. When TCPView shows an "*", that means that no TCP/IP connectivity has been established.

    In reality, most processes when started will establish TCP/IP connectivity. It has nothing to do with any port being used in any status. All it means is the process may at some time access the network.
     
  8. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    The terms client and server are used to distinguish between the sides of a communication, the role each side plays, the actions each performs. Basically...

    Server: Awaits contact, receives requests, sends responses to the requests.
    Client: Initiates contact, sends requests, receives responses to those requests.

    Although different sides may correspond to different computers, that need not be the case. It is common for one computer (even a home computer) to be running software that acts like a client and also running software that acts like a server. One software component can even act as both, simultaneously.

    All zeroes addresses (0.0.0.0 in IPv4, and 0:0:0:0:0:0:0:0 aka :: in IPv6) have context-dependent implications. In the context of a server and the Local Address column of netstat, it reflects the server being receptive on any/all IP addresses supported by the host. In the context of netstat's Foreign Address column, it reflects there being no foreign IP address to report [for TCP][for some versions of netstat]. In the context of a client attempting to contact a server, an all-zeros destination IP address (because of hosts file entry or whatever) should be considered invalid. Thus the client's attempt to contact the server should fail.
     
  9. Thelps

    Thelps Registered Member

    Joined:
    Apr 1, 2012
    Posts:
    46

    So, if you could clarify with regards to the linked Netstat output...

    Local Address
    0.0.0.0


    The processes with this setting are willing to receive requests from any and all IP addresses that would care to initiate a connection?

    ...and where we see the following:

    Foreign Address
    0.0.0.0


    The processes with this setting are attempting to contact a 'null' IP Address (due to HOSTS file or another setting) and consequently aren't communicating with any remote machines or even other applications that use TCP-IP on the Local Machine?
     
  10. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    That netstat output shows information about sockets. The sockets with a Local Address of 0.0.0.0 will receive traffic sent to any of the host's IPv4 addresses. The sockets with a Local Address of [::] will receive traffic sent to any of the host's IPv6 addresses. Yes, from any other addresses that are able to reach your host's addresses/interfaces and get past firewall or other blocking rules.

    The executing software (process) that owns/uses a socket can be (as in may be, if it is so designed/configured) selective about how it handles traffic received by its socket. It may implement its own IP Address or other filtering, ignore unexpected traffic, etc.

    TCP is a connection-oriented protocol. UDP is a connectionless protocol.

    The TCP sockets showing a Foreign Address of 0.0.0.0 and [::] are listening for (waiting to receive) a TCP connection. They aren't associated with (connected to) a specific foreign endpoint/address. When a TCP connection happens another socket is created to handle it (and will be shown with both local and foreign addresses) and the listening socket will continue listening for more connections.

    It may help to view an all-zeroes address as: the "unspecified address". Bearing in mind how an unspecified address applies to different contexts.
    • If local software creates a socket for receiving traffic and it doesn't choose a specific address to receive on (it binds to the "unspecified address" instead), that is interpreted as it wanting to receive traffic on any/all addresses.
    • If a TCP socket is listening and isn't associated with a foreign address, [your] netstat shows an "unspecified address" in the foreign column.
    • If local software tries to connect/send to an unspecified address that is an error (you need to specify a valid address to send to). Given the rejection, I don't think this will ever be the explanation for an all-zeroes address appearing in the Foreign Address column.
    https://en.wikipedia.org/wiki/0.0.0.0
    https://tools.ietf.org/html/rfc4291#page-9
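As an added example (not from the thread or any of its posters), a small Python parser that reads `netstat -ano` lines and states, per socket, what the 0.0.0.0 / [::] and `*:*` placeholders mean along the lines of the post above; the sample output and its PIDs are constructed, and the peer address is a documentation-range value.

```python
# Parse Windows `netstat -ano` output and explain each socket line.
# Added example, not from the thread. SAMPLE is constructed (made-up PIDs, RFC 5737 peer IP).
import ipaddress
from typing import NamedTuple

SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    192.168.1.20:49700     203.0.113.10:443       ESTABLISHED     4120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2276
"""
class Socket(NamedTuple):
    proto: str
    local: str
    foreign: str
    state: str
    pid: int

def split_endpoint(ep: str) -> tuple[str, str]:
    """'0.0.0.0:135' -> ('0.0.0.0', '135'); '[::]:445' -> ('::', '445'); '*:*' -> ('*', '*')."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), port

def is_unspecified(host: str) -> bool:
    """True for 0.0.0.0, :: (the unspecified address) and netstat's '*' wildcard."""
    try:
        return host == "*" or ipaddress.ip_address(host).is_unspecified
    except ValueError:
        return False

def parse_netstat(text: str) -> list[Socket]:
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or other non-socket line
        state = parts[3] if parts[0] == "TCP" else ""  # UDP rows have no State column
        socks.append(Socket(parts[0], parts[1], parts[2], state, int(parts[-1])))
    return socks

def classify(s: Socket) -> str:
    lhost, _ = split_endpoint(s.local)
    fam = "IPv6" if ":" in lhost else "IPv4"
    scope = f"all {fam} addresses of this host" if is_unspecified(lhost) else lhost
    if s.proto == "TCP" and s.state == "LISTENING":
        # Foreign 0.0.0.0:0 / [::]:0 is a placeholder: no peer exists until a connection arrives
        return f"TCP listener on {scope}, waiting for a peer (PID {s.pid})"
    if s.proto == "UDP":
        # Connectionless: '*:*' just means there is no peer to show
        return f"UDP socket bound to {scope}, no peer tracked (PID {s.pid})"
    return f"TCP {s.state} between {s.local} and {s.foreign} (PID {s.pid})"
```

Running `for s in parse_netstat(SAMPLE): print(classify(s))` against real `netstat -ano` output gives one explanatory line per socket; lines the parser does not recognise are skipped rather than guessed at.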
     