[lug] Netstat (newbie)

Michael Deck deckm at cleansoft.com
Tue Aug 1 17:24:23 MDT 2000


At 05:22 PM 8/1/00 -0600, David Morris wrote:
>The ports 137-139 are used by netbios.  Netbios is a windows protocol
>used for file sharing/communication between computers in the windows
>world.  The IP address should be one of the network addresses for your
>computer.  Most likely, this is the IP address given to you by your
>ISP.
>
>Please correct me if I am wrong here, but I believe that the source
>address *must* be one of the local machine's IP addresses.  If it is
>not your internal network addresses and it is not the address your ISP
>gave you, then you have an extra IP address floating around.
>
>The meaning behind all of this?  Not for me to answer if you do have
>an extra IP address floating around.
>
>Check out the ifconfig command for information on your network
>interfaces and the IP addresses they are using...should be very
>enlightening.  Also, look at the file /etc/services for a listing of
>the services and the port number each service uses.
>
>--David

Interesting. In the meantime I went to www.samspade.com and it told me 172.* addresses are unrouted and reserved for internal use. Since all of my internal masqueraded boxes are 192.* addresses, this was a bit puzzling. Then I got your note and took your advice. Ifconfig shows ... 172.16.101.1 as interface "vmnet". Apparently this is a bit of cruft left over from vmware. Highly interesting. I wonder if it will go away if I remove vmware from my system?

-M


>On Tue, 1 Aug 2000, Michael Deck wrote:
>
> > At 03:42 PM 8/1/00 -0700, Jeffrey B. Siegal wrote (in another context):
> > 
> > 
> > >Actually, it is pretty easy to turn off all the services with most
> > >distributions.  A firewall doesn't need sendmail, etc. and they should be
> > >disabled.  If you do a "netstat -an" and don't see any listeners, there's almost
> > >no chance of a remote exploit. (I can't remember the last time there was a
> > >remote exploit in the kernel itself.)
> > 
> > Every once in a while, following these flame-wars teaches me something. I went right in and did a netstat -an and there is a listener whose IP address I don't recognize. What does this mean? There are several relevant entries:
> > 
> > bash$ netstat -an
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address           Foreign Address         State      
> > tcp        0      0 172.16.101.1:139        0.0.0.0:*               LISTEN      
> > udp        0      0 172.16.101.1:138        0.0.0.0:*                           
> > udp        0      0 172.16.101.1:137        0.0.0.0:*                           
> > 
> > Any thoughts?
> > 
> > -Mike
> > 
> > Michael Deck
> > Cleanroom Software Engineering, Inc.   
> > 
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > 
> > 
>
>


Michael Deck
Cleanroom Software Engineering, Inc.   
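
Added example, not part of the original thread: a Python sketch of the check the thread walks through, attributing each `netstat -an` listener to the interface that owns its local address. The sample lines are the three quoted above plus two constructed ones, and the interface table is an assumption (only the vmnet address comes from the post).

```python
import ipaddress

# Ranges reserved for internal use (RFC 1918); 172.16.101.1 falls in the second.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First three socket lines are from the thread; the last two are constructed.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.16.101.1:139        0.0.0.0:*               LISTEN
udp        0      0 172.16.101.1:138        0.0.0.0:*
udp        0      0 172.16.101.1:137        0.0.0.0:*
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:1025        192.168.1.20:80         ESTABLISHED
"""

# Assumed ifconfig result: name -> address (lo and eth1 are constructed).
INTERFACES = {"lo": "127.0.0.1", "eth1": "192.168.1.1", "vmnet": "172.16.101.1"}

def parse_listeners(text):
    """Yield (proto, addr, port) for TCP LISTEN and unconnected UDP sockets."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        state = f[5] if len(f) > 5 else ""
        if f[0] == "tcp" and state != "LISTEN":
            continue  # established connection, not a listener
        if f[0] == "udp" and not f[4].endswith(":*"):
            continue  # connected UDP socket
        addr, port = f[3].rsplit(":", 1)
        if port.isdigit():
            yield f[0], addr, int(port)

def attribute(addr, interfaces):
    """Return (interface name, scope) for a listener's local address."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "*", "all interfaces"
    iface = next((n for n, a in interfaces.items() if a == addr), "UNKNOWN")
    if ip.is_loopback:
        return iface, "loopback"
    private = any(ip in net for net in RFC1918)
    return iface, "private (RFC 1918)" if private else "routable"

def audit(text, interfaces):
    return [(p, a, port) + attribute(a, interfaces)
            for p, a, port in parse_listeners(text)]

if __name__ == "__main__":
    for row in audit(NETSTAT_SAMPLE, INTERFACES):
        print("%-4s %-15s %-6d %-8s %s" % row)
```

A listener whose interface comes back as `UNKNOWN` is the case David's reply describes: a local address that no known interface accounts for.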



