[lug] Netstat (newbie)
Michael Deck
deckm at cleansoft.com
Tue Aug 1 17:24:23 MDT 2000
At 05:22 PM 8/1/00 -0600, David Morris wrote:
>The ports 137-139 are used by netbios. Netbios is a Windows protocol
>used for file sharing/communication between computers in the Windows
>world. The IP address should be one of the network addresses for your
>computer. Most likely, this is the IP address given to you by your
>ISP.
>
>Please correct me if I am wrong here, but I believe that the source
>address *must* be one of the local machine's IP addresses. If it is
>not your internal network addresses and it is not the address your ISP
>gave you, then you have an extra IP address floating around.
>
>The meaning behind all of this? Not for me to answer if you do have
>an extra IP address floating around.
>
>Check out the ifconfig command for information on your network
>interfaces and the IP addresses they are using...should be very
>enlightening. Also, look at the file /etc/services for a listing of
>the services and the port number each service uses.
>
>--David
Interesting. In the meantime I went to www.samspade.com and it told me 172.* addresses are unrouted and reserved for internal use. Since all of my internal masqueraded boxes are 192.* addresses, this was a bit puzzling. Then I got your note and took your advice. Ifconfig shows ... 172.16.101.1 as interface "vmnet". Apparently this is a bit of cruft left over from vmware. Highly interesting. I wonder if it will go away if I remove vmware from my system?
-M
>On Tue, 1 Aug 2000, Michael Deck wrote:
>
> > At 03:42 PM 8/1/00 -0700, Jeffrey B. Siegal wrote (in another context):
> >
> >
> > >Actually, it is pretty easy to turn off all the services with most
> > >distributions. A firewall doesn't need sendmail, etc. and they should be
> > >disabled. If you do a "netstat -an" and don't see any listeners, there is almost
> > >no chance of a remote exploit. (I can't remember the last time there was a
> > >remote exploit in the kernel itself.)
> >
> > Every once in a while, following these flame-wars teaches me something. I went right in and did a netstat -an and there is a listener whose IP address I don't recognize. What does this mean? There are several relevant entries:
> >
> > bash$ netstat -an
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address Foreign Address State
> > tcp 0 0 172.16.101.1:139 0.0.0.0:* LISTEN
> > udp 0 0 172.16.101.1:138 0.0.0.0:*
> > udp 0 0 172.16.101.1:137 0.0.0.0:*
> >
> > Any thoughts?
> >
> > -Mike
> >
> > Michael Deck
> > Cleanroom Software Engineering, Inc.
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> >
> >
Michael Deck
Cleanroom Software Engineering, Inc.
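
Added example, not part of the original messages: the check discussed in this thread (run "netstat -an", then use ifconfig to find which interface owns each listening address) written as a small Python audit. The interface table, the eth0/eth1 addresses and the port 25 line are constructed for illustration; only the three 172.16.101.1 entries and the "vmnet" interface come from the posts.

```python
import ipaddress

# Constructed sample: the netstat lines from the post plus one wildcard
# listener, and an interface table as ifconfig might report it
# (lo/eth0/eth1 values are made up; vmnet is the one named in the thread).
NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 172.16.101.1:139 0.0.0.0:* LISTEN
udp 0 0 172.16.101.1:138 0.0.0.0:*
udp 0 0 172.16.101.1:137 0.0.0.0:*
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
"""
INTERFACES = {"lo": "127.0.0.1", "eth0": "8.8.4.4",
              "eth1": "192.168.1.1", "vmnet": "172.16.101.1"}


def listeners(netstat_text):
    """Yield (proto, ip, port) for TCP LISTEN sockets and unconnected UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue  # header lines, unix sockets, IPv6 rows
        if f[0] == "tcp" and f[-1] != "LISTEN":
            continue  # established or closing connection, not a listener
        if f[0] == "udp" and f[4] != "0.0.0.0:*":
            continue  # UDP has no LISTEN state; keep only unconnected sockets
        ip, _, port = f[3].rpartition(":")
        yield f[0], ip, int(port)


def audit(netstat_text, interfaces):
    """Attribute each listener to an interface and describe its reach."""
    by_ip = {ip: name for name, ip in interfaces.items()}
    report = []
    for proto, ip, port in listeners(netstat_text):
        addr = ipaddress.ip_address(ip)
        if addr.is_unspecified:
            iface, scope = "*", "all interfaces"
        else:
            iface = by_ip.get(ip, "UNKNOWN")  # no interface owns this address
            scope = ("loopback" if addr.is_loopback else
                     "private" if addr.is_private else "public")
        report.append((proto, port, iface, scope))
    return report


if __name__ == "__main__":
    for row in audit(NETSTAT, INTERFACES):
        print("%-4s %-6d %-8s %s" % row)
```

A listener reported as "UNKNOWN" is bound to an address that no interface in the table carries, and "all interfaces" marks a wildcard bind reachable through every interface, including the external one.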