Connection states change continually and it's helpful when using tools such as NETSTAT or TCPView to understand their status at any given moment. Let's look at the status of connections so you understand what each means this information is useful for determining what's happening on networked computers.
A socket that is prepared to respond to any IP packets destined for that socket's port number is called an open port or listening port. Every serving application has an open port. If you're running a Web server on a computer, for example, it will have an open port 80. That's easy enough to appreciate but you'll be amazed at the number of open ports on just about any computer. Fire up a copy of NETSTAT and type netstat -an to see all of your listening ports. Running netstat -an gives a lot of information, so let's just look at a small amount:
C:\>netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:7 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:912 0.0.0.0:0 LISTENING TCP 0.0.0.0:990 0.0.0.0:0 LISTENING TCP 127.0.0.1:27015 0.0.0.0:0 LISTENING TCP 127.0.0.1:52144 127.0.0.1:52145 ESTABLISHED TCP 127.0.0.1:52145 127.0.0.1:52144 ESTABLISHED TCP 127.0.0.1:52146 127.0.0.1:52147 ESTABLISHED TCP 127.0.0.1:52147 127.0.0.1:52146 ESTABLISHED TCP 192.168.4.27:139 0.0.0.0:0 LISTENING TCP 192.168.4.27:52312 184.108.40.206:80 TIME_WAIT TCP 192.168.4.27:57913 220.127.116.11:80 CLOSE_WAIT TCP 192.168.4.27:61707 192.168.4.10:445 ESTABLISHED
NOTE The -a switch tells NETSTAT to show all used ports. -n instructs NETSTAT to show raw port numbers and IP addresses.
First look at this line:
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
This line shows a listening port, listening and ready for incoming packets that have a destination port number of 445. Notice the local address is 0.0.0.0. This is how Windows tells you that the open port works on all NICs on this PC. In this case my PC has only one NIC (192.168.4.27), but even if you have only one NIC, NETSTAT still shows it this way. This computer is sharing some folders on the network. Since at this moment there's no one connected, NETSTAT shows the Foreign Address as 0.0.0.0. Incoming requests use port number 445 to connect to those shared folders. If another computer on my network (192.168.4.83) was accessing the shared folders, this line would look like:
TCP 192.168.4.27:445 192.168.4.83:1073 ESTABLISHED
Established ports are active, working endpoint pairs.
Over time all connections eventually close like this one:
TCP 192.168.4.27:57913 18.104.22.168:80 CLOSE_WAIT This line shows a Web browser making a graceful closure, meaning that each side of the conversation sees the session closing normally.
Not all connections close gracefully. The following line shows a Web browser that has lost the connection to the other side and is waiting a defined amount of time:
TCP 192.168.4.27:52312 22.214.171.124:80 TIME_WAIT
This is called a timeout period. Most Web browsers time out in around two minutes.
If data's going to move back and forth between computers, there always must be some program that's doing the sending and/or receiving. Take a look at this line from netstat -an:
TCP 192.168.4.27:52312 126.96.36.199:80 ESTABLISHED
You see the 80 and might assume the connection is going out to a Web server. But what program on the computer is sending it? Enter the command netstat -ano (the -o switch tells NETSTAT to show the process ID). While you'll see many lines, the one for this connection looks like this:
Proto Local Address Foreign Address State PID TCP 192.168.4.27:52312 188.8.131.52:80 ESTABLISHED 112092
Every running program on your computer gets a process ID (PID), a number used by the operating system to track all the running programs. Numbers aren't very helpful to you, though, because you want to know the name of the running program. In most operating systems, finding this out is fairly easy to do. In Linux you can use the ps command:
martinm@ubuntu:~$ ps PID TTY TIME CMD 3225 pts/1 00:00:00 bash 3227 pts/1 00:00:00 ps
Windows doesn't come with an easy tool to determine what programs are using a certain PID, so once again we turn to Mark Russinovich. His Process Explorer is a perfect tool for this. Explorer scrolled down to the bottom so that you can see the program using PID 112092-good old Firefox!
NOTE To get Process Explorer, enter "Process Explorer" in your search
engine to find it or try going here:
Click the Process Utilities icon to get the latest copy.
You might be tempted to say, "Big whoop, Mike-what else would use port 80?" Then consider the possibility that you run NETSTAT and see a line like the one just shown, but you don't have a browser open! You determine the PID and discover that the name of the process is "Evil_Overlord.exe." This is something running on your computer that should not be there.
Understanding how TCP/IP uses ports is a base skill for any network tech. To pass the CompTIA Network, you need to memorize a number of different well-known ports and even a few of the more popular registered ports. You must appreciate how the ports fit into the process of TCP/IP communications and know how to use NETSTAT and other tools to see what's going on inside your computer.
The biggest challenge is learning what's supposed to be running and what's not. No one on Earth can run a NETSTAT command and instantly recognize every connection and why it's running, but a good network tech should know most of them. For those connections that a tech doesn't recognize, he or she should know how to research them to determine what they are.
In this tutorial:
- TCP/IP Applications
- Transport Layer Protocols
- The Power of Port Numbers
- Registered Ports
- Connection Status
- Rules for Determining Good vs. Bad Communications
- Common TCP/IP Applications
- Publishing Web Pages
- Web Servers and Web Clients
- Secure Sockets Layer and HTTPS
- Telnet Servers and Clients
- Configuring a Telnet Client
- Rlogin, RSH, and RCP
- SSH and the Death of Telnet
- SMTP, POP3, and IMAP4
- Alternatives to SMTP, POP3, and IMAP4
- E-mail Servers
- Passive vs. Active FTP