Hi thank you for your time.
I have read a lot this morning about what commands people use to transparently understand their systems using commands such as netstat, ss, and so on. Right now I'm looking at netstat but will happily change to a better solution if you have a preferred tool and would gratefully appreciate the suggestion.
However, if netstat is the right tool, I've narrowed it down to the following:
# netstat -uptn
# netstat -a | grep -E 'ESTABLISHED|LISTEN|CONNECTED'
The first can be watched or given -c, the second is for a heavier system-sweep.
Are these the best practices for using this program and, probably a better question, is my overall approach here best for gaining transparency into my system to discover what is or might be open to the outside world?
Last edited by Cyberpunk_Is_Bae (2020-09-15 14:50:09)
List network open files for the current user's login session
$ lsof -i
Detailed output without pipe or pattern matching.
$ lsof -i [46][protocol][@hostname|hostaddr][:service|port]
List network open files for the current user's login session
$ lsof -i
Detailed output without pipe or pattern matching.
$ lsof -i [46][protocol][@hostname|hostaddr][:service|port]
Thanks. Is there anything similar to this that I can run continuously? It takes a while to run and won't see small changes.
is or might be open to the outside world
There's no point in checking opened files if you're only interested in opened sockets, let alone for a certain protocol (tcp/udp)
You'd use "netstat" or "ss" for that and apply some filter according to your interests.
That being said: your task description is way too generic to tell what you're probably interested in.
Do you care about (every) active communication w/ the outside (including open connections of your browser etc.) or rather stuff that's actively listening for incoming traffic (an ssh server) - because that's not the same thing.
Or are you actually interested in the traffic itself? => You're looking for wireshark.
On top of that "outside world" might be inhibited by a firewall and/or (pseudo-)DMZ on the local system and/or a (consumer) router.
If you want to know what ports are available from the "outside world" you want to nmap the system from the "outside world".
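An added example (not written by anyone in this thread) of the listening-versus-exposed distinction seth draws: it parses `ss -tulnp` output (a constructed sample embedded below, not captured from a real host) and classifies each listener by its bind address, since a service bound to 127.0.0.1 or ::1 is unreachable from other hosts regardless of firewalling, while a wildcard bind is gated only by whatever firewall sits in front of it. The snapshot diff at the end is one way to get the continuous view asked for earlier in the thread.

```python
import ipaddress
import re

# Constructed sample of `ss -tulnp` output; not captured from a real host.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:631        0.0.0.0:*     users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      4096    192.168.1.10:3306       0.0.0.0:*     users:(("mariadbd",pid=1020,fd=21))
udp   UNCONN 0      0      127.0.0.53%lo:53         0.0.0.0:*     users:(("systemd-resolve",pid=520,fd=12))
tcp   LISTEN 0      128             [::]:80            [::]:*     users:(("nginx",pid=1310,fd=6))
tcp   LISTEN 0      128            [::1]:5432          [::]:*     users:(("postgres",pid=900,fd=5))
"""
PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')

def bind_scope(addr):
    """Classify a local bind address by who can reach it at all."""
    if addr == "*":                       # older ss prints '*' for the wildcard
        return "all-interfaces"
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])  # drop %iface suffix
    if ip.is_loopback:
        return "loopback-only"
    return "all-interfaces" if ip.is_unspecified else "one-address"

def parse_listeners(text):
    """Turn `ss -tulnp` output into records, skipping the header line."""
    out = []
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 6:
            continue
        addr, port = cols[4].rsplit(":", 1)
        m = PROC_RE.search(cols[6]) if len(cols) > 6 else None
        out.append({"netid": cols[0], "addr": addr, "port": port,
                    "scope": bind_scope(addr),
                    "process": m.group(1) if m else "?",
                    "pid": int(m.group(2)) if m else None})
    return out

def exposed(listeners):
    """Sockets another host could reach (firewall permitting): everything not loopback."""
    return [l for l in listeners if l["scope"] != "loopback-only"]

def new_listeners(before, after):
    """(netid, addr, port) keys present in a later snapshot but absent from an earlier one."""
    key = lambda l: (l["netid"], l["addr"], l["port"])
    return {key(l) for l in parse_listeners(after)} - {key(l) for l in parse_listeners(before)}
```

On a live system, feed the text of `ss -tulnp` to `parse_listeners` and call `new_listeners` on two captures taken some seconds apart; the pid field is what you would hand to `lsof -p` to see the rest of that process's open files.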
lsof does check internet and unix domain sockets.
$ man lsof
An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream or a network file (Internet socket, NFS file or UNIX domain socket.)
With this command you can continually watch the output:
$ watch -n 1 lsof -i
I agree with @seth though, network mitigation is a much bigger topic than just relying on a few commands. And lsof is not a replacement for netstat. However, since lsof can also inspect open files, it could be used for application-level inspection of a long running service like apache:
# lsof -i | Filter out the child PID of a service handling an incoming connection.
# lsof -p PID
Last edited by solskog (2020-09-19 01:37:21)
It's not that lsof does not check sockets, but that it checks everything else (and the resulting overhead and wide surveillance grid the OP complained about)
If you're only interested in (network) sockets, netstat and ss get you there much more efficiently.