[lug] Netstat (newbie)

D. Stimits stimits at idcomm.com
Tue Aug 1 18:01:02 MDT 2000


Michael Deck wrote:
> 
> At 05:22 PM 8/1/00 -0600, David Morris wrote:
> >The ports 137-139 are used by netbios.  Netbios is a Windows protocol
> >used for file sharing/communication between computers in the Windows
> >world.  The IP address should be one of the network addresses for your
> >computer.  Most likely, this is the IP address given to you by your
> >ISP.
> >
> >Please correct me if I am wrong here, but I believe that the source
> >address *must* be one of the local machine's IP addresses.  If it is
> >not your internal network addresses and it is not the address your ISP
> >gave you, then you have an extra IP address floating around.
> >
> >The meaning behind all of this?  Not for me to answer if you do have
> >an extra IP address floating around.
> >
> >Check out the ifconfig command for information on your network
> >interfaces and the IP addresses they are using...should be very
> >enlightening.  Also, look at the file /etc/services for a listing of
> >the services and the port number each service uses.
> >
> >--David
> 
> Interesting. In the meantime I went to www.samspade.com and it told me 172.* addresses are unrouted and reserved for internal use. Since all of my internal masqueraded boxes are 192.* addresses, this was a bit puzzling. Then I got your note and took your advice. Ifconfig shows ... 172.16.101.1 as interface "vmnet". Apparently this is a bit of cruft left over from vmware. Highly interesting. I wonder if it will go away if I remove vmware from my system?
> 
> -M
> 
> >On Tue, 1 Aug 2000, Michael Deck wrote:
> >
> > > At 03:42 PM 8/1/00 -0700, Jeffrey B. Siegal wrote (in another context):
> > >
> > >
> > > >Actually, it is pretty easy to turn off all the services with most
> > > >distributions.  A firewall doesn't need sendmail, etc. and they should be
> > > >disabled.  If you do a "netstat -an" and don't see any listeners, there is almost
> > > >no chance of a remote exploit. (I can't remember the last time there was a
> > > >remote exploit in the kernel itself.)
> > >
> > > Every once in a while, following these flame-wars teaches me something. I went right in and did a netstat -an and there is a listener whose IP address I don't recognize. What does this mean? There are several relevant entries:
> > >
> > > bash$ netstat -an
> > > Active Internet connections (servers and established)
> > > Proto Recv-Q Send-Q Local Address           Foreign Address         State
> > > tcp        0      0 172.16.101.1:139        0.0.0.0:*               LISTEN
> > > udp        0      0 172.16.101.1:138        0.0.0.0:*
> > > udp        0      0 172.16.101.1:137        0.0.0.0:*
> > >
> > > Any thoughts?
> > >
> > > -Mike
> > >
> > > Michael Deck
> > > Cleanroom Software Engineering, Inc.
> > >
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > >
> > >
> >
> >
> 
> Michael Deck
> Cleanroom Software Engineering, Inc.
> 

Being NETBIOS and related to network neighborhood, are you running SAMBA
(with or without vmware)?
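
The check worked through in this thread (pick the listeners out of "netstat -an", match each local address to an interface from ifconfig, and name each port from /etc/services), as an added example that is not part of the original posts. The last two netstat rows and the lo/eth1 entries are constructed assumptions; only 172.16.101.1 on "vmnet" and ports 137-139 come from the thread.

```python
import ipaddress

# Constructed sample: the first three rows are quoted in the thread, the last two are added.
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.16.101.1:139        0.0.0.0:*               LISTEN
udp        0      0 172.16.101.1:138        0.0.0.0:*
udp        0      0 172.16.101.1:137        0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:22          192.168.1.5:1034        ESTABLISHED
"""

# Interface -> address, as read off ifconfig. lo and eth1 are assumed values.
INTERFACES = {"lo": "127.0.0.1", "eth1": "192.168.1.1", "vmnet": "172.16.101.1"}
# The /etc/services entries needed for this sample.
SERVICES = {22: "ssh", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn"}
# RFC 1918 private (non-routed) ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def listeners(netstat_text):
    """Yield (proto, ip, port) for every socket that accepts new traffic."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        state = f[5] if len(f) > 5 else ""
        # TCP listeners are in LISTEN; bound UDP sockets have no state
        # and a wildcard foreign address.
        if (f[0] == "tcp" and state == "LISTEN") or \
           (f[0] == "udp" and f[4].endswith(":*")):
            ip, _, port = f[3].rpartition(":")
            yield f[0], ip, int(port)

def audit(netstat_text, interfaces):
    """Return (proto, port, service, ip, interface, is_rfc1918) per listener."""
    owner = {ip: name for name, ip in interfaces.items()}
    report = []
    for proto, ip, port in listeners(netstat_text):
        addr = ipaddress.ip_address(ip)
        # 0.0.0.0 means the socket is bound on every interface.
        iface = "all interfaces" if addr.is_unspecified else owner.get(ip, "UNKNOWN")
        private = any(addr in net for net in RFC1918)
        report.append((proto, port, SERVICES.get(port, "?"), ip, iface, private))
    return report

if __name__ == "__main__":
    for row in audit(NETSTAT, INTERFACES):
        print("%-3s %5d %-12s %-15s %-14s rfc1918=%s" % row)
```

A listener reported as UNKNOWN is bound to an address that none of the listed interfaces owns, which is the situation the original question started from before ifconfig revealed the vmnet interface.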



