H-4. netstatThis program obtains network information from kernel data structures. The following command displays the routing table on Windows: C:\>netstat -rn Route Table =========================================================================== Interface List 0x1 ........................... MS TCP Loopback interface 0x2 ...00 03 47 b8 9d 10 ...... Intel(R) PRO/100 SP Mobile Combo Adapter - SecuR emote Miniport 0x10004 ...00 09 5b e6 cd 6d ...... NETGEAR WG511 54 Mbps Wireless PC Card =========================================================================== =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.1.3 192.168.1.120 25 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1 192.168.1.0 255.255.255.0 192.168.1.120 192.168.1.120 25 192.168.1.120 255.255.255.255 127.0.0.1 127.0.0.1 25 192.168.1.255 255.255.255.255 192.168.1.120 192.168.1.120 25 224.0.0.0 240.0.0.0 192.168.1.120 192.168.1.120 25 255.255.255.255 255.255.255.255 192.168.1.120 2 1 255.255.255.255 255.255.255.255 192.168.1.120 192.168.1.120 1 Default Gateway: 192.168.1.3 =========================================================================== Persistent Routes: None And the same command on a Unix system: $ netstat -rn Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 eth0 $ Note the third column, Flags. A U indicates the path is up or available, an H indicates the destination is a host rather than a network, and a G indicates a gateway or router. These are the most useful. Others include b, indicating a broadcast address; S, indicating a static or manual addition; and W and c, indicating a route that was generated as a result of cloning. (See the manpage for netstat for more information.) To display all connections and listening ports, run netstat -a. On Unix, this looks like: $ netstat -a Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 localhost.localdoma:705 *:* LISTEN tcp 0 0 *:sunrpc *:* LISTEN tcp 0 0 *:www *:* LISTEN tcp 0 0 *:ipp *:* LISTEN tcp 0 0 localhost.localdom:smtp *:* LISTEN tcp 0 0 localhost.localdoma:ipp localhost.localdo:33628 ESTABLISHED tcp 0 0 dhcp48:33630 64.233.171.107:www ESTABLISHED tcp 0 0 dhcp48:33631 crown:nntp ESTABLISHED tcp 0 0 dhcp48:33557 crown:nntp ESTABLISHED tcp 1 0 dhcp48:33487 65.39.248.92:www CLOSE_WAIT tcp 0 0 dhcp48:33562 65.161.97.185:www ESTABLISHED tcp 0 0 dhcp48:33561 65.161.97.185:www ESTABLISHED tcp 0 0 dhcp48:33560 65.161.97.167:www ESTABLISHED tcp 0 0 dhcp48:33559 65.161.97.167:www ESTABLISHED tcp 0 0 dhcp48:33455 crown:imaps ESTABLISHED tcp 0 0 localhost.localdo:33628 localhost.localdoma:ipp ESTABLISHED tcp 0 0 dhcp48:33606 66.28.46.137:www ESTABLISHED tcp 1 0 dhcp48:33475 69.8.203.74:www CLOSE_WAIT tcp 0 0 dhcp48:33115 myic:ssh ESTABLISHED tcp6 0 0 *:ssh *:* LISTEN udp 0 0 *:bootpc *:* udp 0 0 *:sunrpc *:* udp 0 0 *:ipp *:* Active UNIX domain sockets (servers and established) Proto RefCnt Flags Type State I-Node Path unix 2 [ ACC ] STREAM LISTENING 7619 /var/run/dbus/system_bus_socket unix 2 [ ACC ] STREAM LISTENING 7895 /tmp/.X11-unix/X64 unix 2 [ ACC ] STREAM LISTENING 8270 /tmp/.X11-unix/X0 unix 2 [ ACC ] STREAM LISTENING 8399 /tmp/ssh-wPdEoj4981/agent.4981 unix 2 [ ACC ] STREAM LISTENING 8413 /tmp/orbit-kjs/linc-139f-0-4b8cc076635e7 unix 2 [ ACC ] STREAM LISTENING 8423 /tmp/orbit-kjs/linc-1375-0-7bd6e96e75bf2 unix 2 [ ACC ] STREAM LISTENING 8579 /tmp/.ICE-unix/4981 unix 2 [ ACC ] STREAM LISTENING 8587 /tmp/keyring-7SnfPy/socket $ The following line from the output shows an HTTP connection between dhcp48 and 66.28.46.137. tcp 0 0 dhcp48:33606 66.28.46.137:www ESTABLISHED When a connection is in CLOSE_WAIT, it indicates a recently terminated session: tcp 1 0 dhcp48:33475 69.8.203.74:www CLOSE_WAIT |