Some things look strange to me:
- What is the distinction between 0.0.0.0, 127.0.0.1, and [::]?
- How should each part of the foreign address be read (part1:part2)?
- What does a state Time_Wait, Close_Wait mean?
- etc.
Could someone give a quick overview of how to interpret these results?
127.0.0.1 is your loopback address also known as 'localhost' if set in your HOSTS file. See here for more info: http://en.wikipedia.org/wiki/Localhost
0.0.0.0 means that an app has bound to all ip addresses using a specific port. MS info here: http://support.microsoft.com/default.aspx?scid=kb;en-us;175952
'::' is ipv6 shorthand for ipv4 0.0.0.0.
0.0.0.0 usually refers to stuff listening on all interfaces. 127.0.0.1 = localhost (only your local interface) I'm not sure about [::]
TIME_WAIT means both sides have agreed to close and TCP must now wait a prescribed time before taking the connection down.
CLOSE_WAIT means the remote system has finished sending and your system has yet to say it's finished.
This link has helped me a lot to interpret netstat -a
A copy from there -
TCP Connection States
Following is a brief explanation of this handshake. In this context the "client" is the peer requesting a connection and the "server" is the peer accepting a connection. Note that this notation does not reflect Client/Server relationships as an architectural principal.
Connection Establishment
The client sends a SYN message which contains the server's port and the client's Initial Sequence Number (ISN) to the server (active open).
The server sends back its own SYN and ACK (which consists of the client's ISN + 1).
The Client sends an ACK (which consists of the server's ISN + 1).
Connection Tear-down (modified three way handshake).
The client sends a FIN (active close). This is a now a half-closed connection. The client no longer sends data, but is still able to receive data from the server. Upon receiving this FIN, the server enters a passive close state.
The server sends an ACK (which is the clients FIN sequence + 1)
The server sends its own FIN.
The client sends an ACK (which is server's FIN sequence + 1). Upon receiving this ACK, the server closes the connection.
A half-closed connection can be used to terminate sending data while sill receiving data. Socket applications can call shutdown with the second argument set to 1 to enter this state.
State explanations as shown in Netstat:
State Explanation
SYN_SEND
Indicates active open.SYN_RECEIVED
Server just received SYN from the client.ESTABLISHED
Client received server's SYN and session is established.LISTEN
Server is ready to accept connection.NOTE: See documentation for listen() socket call. TCP sockets in listening state are not shown - this is a limitation of NETSTAT. For additional information, please see the following article in the Microsoft Knowledge Base: 134404 NETSTAT.EXE Does Not Show TCP Listen Sockets FIN_WAIT_1 Indicates active close.
TIMED_WAIT
Client enters this state after active close.CLOSE_WAIT
Indicates passive close. Server just received first FIN from a client.FIN_WAIT_2
Client just received acknowledgment of its first FIN from the server.LAST_ACK
Server is in this state when it sends its own FIN.CLOSED
Server received ACK from client and connection is closed.I understand the answer has been accepted but here is some additional information:
0.0.0.0
on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).127.0.0.1
on the Local Address column, it means that port is ONLY listening for connections from your PC itself, not from the Internet or network. No danger there.online IP
on the Local Address column, it means that port is ONLY listening for connections from the Internet.local network IP
on the Local Address column, it means that port is ONLY listening for connections from the local network.What is the distinction between 0.0.0.0, 127.0.0.1, and [::]?
How should each part of the foreign address be read (part1:part2)?
Send-Q is the amount of data sent by the application, but not yet acknowledged by the other side of the socket.
Recv-Q is the amount of data received from the NIC, but not yet consumed by the application.
Both of these queues reside in kernel memory. There are guides to help you tweak these kernel buffers, if you are so inclined. Although, you may find the default params do quite well.