
Connection Status

Connection states change continually, and when you use tools such as NETSTAT or TCPView it helps to understand what each state means at any given moment. Let's look at the states a connection can be in and what each one tells you; this information is useful for determining what's happening on a networked computer.

A socket that is waiting to accept IP packets destined for its port number is called an open port or listening port. Every serving application has at least one open port. If you're running a Web server on a computer, for example, it will have an open port 80. That's easy enough to appreciate, but you'll be amazed at the number of open ports on just about any computer. Fire up NETSTAT by typing netstat -an at a command prompt to see all of your listening ports. Running netstat -an produces a lot of output, so let's look at just a small amount of it:

C:\>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:7              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:912            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:990            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:52144        127.0.0.1:52145        ESTABLISHED
  TCP    127.0.0.1:52145        127.0.0.1:52144        ESTABLISHED
  TCP    127.0.0.1:52146        127.0.0.1:52147        ESTABLISHED
  TCP    127.0.0.1:52147        127.0.0.1:52146        ESTABLISHED
  TCP    192.168.4.27:139       0.0.0.0:0              LISTENING
  TCP    192.168.4.27:52312     74.125.47.108:80       TIME_WAIT
  TCP    192.168.4.27:57913     63.246.140.18:80       CLOSE_WAIT
  TCP    192.168.4.27:61707     192.168.4.10:445       ESTABLISHED

NOTE The -a switch tells NETSTAT to show all connections and listening ports. -n instructs NETSTAT to show raw port numbers and IP addresses instead of resolving them to names, which also makes the command return faster because no DNS lookups are made.

First look at this line:

TCP    0.0.0.0:445            0.0.0.0:0              LISTENING

This line shows a listening port, ready for incoming packets that have a destination port number of 445. Notice the local address is 0.0.0.0. This is how Windows tells you that the open port is bound to every IPv4 address on this PC, so it accepts connections on all NICs. In this case my PC has only one NIC (192.168.4.27), but even if you have only one NIC, NETSTAT still shows it this way. This computer is sharing some folders on the network, and incoming requests for those shared folders (SMB) arrive on port 445. A listening socket has no peer yet, so NETSTAT shows its Foreign Address as 0.0.0.0:0. If another computer on my network (192.168.4.83) were accessing the shared folders, the LISTENING line would remain and you would see an additional line for that connection:

TCP    192.168.4.27:445       192.168.4.83:1073      ESTABLISHED

Established ports are active, working endpoint pairs. Over time every connection eventually closes, and NETSTAT shows the closing stages too. Look at this one:

TCP    192.168.4.27:57913     63.246.140.18:80       CLOSE_WAIT

This line shows a connection to a Web server that the far side has finished with: the server sent its FIN, the local TCP stack acknowledged it, and the socket now sits in CLOSE_WAIT until the local program (here, a Web browser) closes its own end. That is a normal step in a graceful closure, where each side of the conversation sees the session closing normally, but it depends on the application doing its part. A long list of CLOSE_WAIT entries belonging to one process means that program is not closing sockets it has finished with.

The next line shows the other side of a graceful close. Here the local end (the browser) closed the connection first, the exchange of FINs and ACKs completed, and the local stack keeps the endpoint pair reserved for a while so that any delayed packets from the old connection cannot be mistaken for part of a new one:

TCP    192.168.4.27:52312     74.125.47.108:80       TIME_WAIT

This is called the timeout period, and it is set by the TCP stack, not by the browser; on Windows a connection lingers in TIME_WAIT for around two minutes before the line disappears. A connection that has genuinely been lost (the other side vanished without ever sending a FIN) does not show up as TIME_WAIT; it stays ESTABLISHED until the local program gives up on it.

If data's going to move back and forth between computers, there must always be some program doing the sending and/or receiving. Take a look at this line from netstat -an:

TCP    192.168.4.27:52312     74.125.47.108:80       ESTABLISHED

You see the 80 and might assume the connection is going out to a Web server. But what program on the computer is sending it? Enter the command netstat -ano (the -o switch tells NETSTAT to show the process ID that owns each endpoint). While you'll see many lines, the one for this connection looks like this:

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.4.27:52312     74.125.47.108:80       ESTABLISHED     112092

Every running program on your computer gets a process ID (PID), a number the operating system uses to track all the running programs. Numbers aren't very helpful to you, though, because you want to know the name of the running program. In most operating systems, finding this out is fairly easy. In Linux you can use the ps command; plain ps lists only the processes attached to your own terminal, so to look up an arbitrary PID use ps -p followed by the PID (for example, ps -p 3225):

martinm@ubuntu:~$ ps
PID TTY TIME CMD
3225 pts/1 00:00:00 bash
3227 pts/1 00:00:00 ps

Windows doesn't come with a graphical tool for this, although tasklist /FI "PID eq 112092" at a command prompt prints the image name for a PID, and netstat -anob from an elevated prompt lists the executable next to each connection. For a fuller picture we once again turn to Mark Russinovich. His Process Explorer is a perfect tool for this. Scrolling Process Explorer down to PID 112092 shows the program that owns the connection: good old Firefox!

NOTE To get Process Explorer, enter "Process Explorer" in your search engine to find it or try going here:
http://technet.microsoft.com/en-us/sysinternals/default.aspx Click the Process Utilities icon to get the latest copy.

You might be tempted to say, "Big whoop, Mike. What else would use port 80?" Then consider the possibility that you run NETSTAT and see a line like the one just shown, but you don't have a browser open! You determine the PID and discover that the name of the process is "Evil_Overlord.exe." This is something running on your computer that should not be there.
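As an added example (not part of the original text), here is a Python script that does the triage described above in one pass over netstat -ano output: it parses the rows, counts the connection states, lists ports bound on all interfaces, totals CLOSE_WAIT sockets per process, and resolves PIDs to names to flag web connections owned by something that isn't a browser. The netstat rows and the PID-to-name table are constructed to mirror the page's sample session; PID 112092 as Firefox and the name Evil_Overlord.exe come from the page, while the other process names, the 203.0.113.9 address and the browser allow-list are assumptions.

```python
"""Parse `netstat -ano` output and triage it the way the text describes.

Added example, not from the original page. The netstat rows and the
PID-to-name table are constructed; PID 112092 -> firefox.exe and the
Evil_Overlord.exe case are the page's own, the other names are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the column layout Windows `netstat -ano` prints.
# The UDP row has no State column, and TIME_WAIT sockets are owned by PID 0.
NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:27015        0.0.0.0:0              LISTENING       3388
  TCP    192.168.4.27:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.4.27:445       192.168.4.83:1073      ESTABLISHED     4
  TCP    192.168.4.27:52312     74.125.47.108:80       ESTABLISHED     112092
  TCP    192.168.4.27:52313     74.125.47.108:80       TIME_WAIT       0
  TCP    192.168.4.27:57913     63.246.140.18:80       CLOSE_WAIT      112092
  TCP    192.168.4.27:57914     63.246.140.18:80       CLOSE_WAIT      5100
  TCP    192.168.4.27:57915     63.246.140.18:80       CLOSE_WAIT      5100
  TCP    192.168.4.27:58001     203.0.113.9:80         ESTABLISHED     6660
  UDP    0.0.0.0:123            *:*                                    1180
"""

# Constructed PID -> image name table, as `tasklist` would report it (assumed).
PROCESS_NAMES: Dict[int, str] = {
    0: "System Idle Process", 4: "System", 912: "svchost.exe",
    1180: "svchost.exe", 3388: "localsvc.exe", 5100: "updater.exe",
    6660: "Evil_Overlord.exe", 112092: "firefox.exe",
}
KNOWN_BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    proto: str
    local_addr: str
    local_port: Optional[int]    # None when netstat prints '*'
    foreign_addr: str
    foreign_port: Optional[int]
    state: str                   # "" for UDP, which has no state column
    pid: int


# One row: proto, local addr:port, foreign addr:port, optional state, PID.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def _port(text: str) -> Optional[int]:
    return None if text == "*" else int(text)


def parse_netstat(text: str) -> List[Conn]:
    """Turn raw netstat -ano text into Conn records, skipping header lines."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        conns.append(Conn(proto, laddr, _port(lport), faddr, _port(fport),
                          state or "", int(pid)))
    return conns


def state_counts(conns: List[Conn]) -> Counter:
    """How many sockets sit in each TCP state (UDP rows carry no state)."""
    return Counter(c.state for c in conns if c.state)


def listeners_on_all_interfaces(conns: List[Conn]):
    """LISTENING sockets bound to 0.0.0.0, i.e. reachable on every NIC."""
    return sorted((c.proto, c.local_port, c.pid) for c in conns
                  if c.state == "LISTENING" and c.local_addr == "0.0.0.0")


def close_wait_by_pid(conns: List[Conn]) -> Counter:
    """CLOSE_WAIT: the peer sent FIN but this process has not closed the
    socket; many per PID points at a program leaking sockets."""
    return Counter(c.pid for c in conns if c.state == "CLOSE_WAIT")


def process_name(pid: int, names: Dict[int, str] = PROCESS_NAMES) -> str:
    return names.get(pid, "<unknown>")


def unexpected_web_clients(conns: List[Conn], names: Dict[int, str] = PROCESS_NAMES):
    """ESTABLISHED connections to 80/443 owned by a non-browser process:
    the page's Evil_Overlord.exe situation."""
    hits = []
    for c in conns:
        if c.state == "ESTABLISHED" and c.foreign_port in WEB_PORTS:
            name = process_name(c.pid, names)
            if name not in KNOWN_BROWSERS:
                hits.append((c.pid, name, f"{c.foreign_addr}:{c.foreign_port}"))
    return hits


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_ANO)
    print("states:", dict(state_counts(conns)))
    print("listening on all NICs:", listeners_on_all_interfaces(conns))
    print("CLOSE_WAIT per PID:", dict(close_wait_by_pid(conns)))
    for pid, name, peer in unexpected_web_clients(conns):
        print(f"PID {pid} ({name}) is talking to {peer} but is not a browser")
```

On a real machine you would feed the script the output of netstat -ano (and tasklist for the name table) instead of the constructed strings; the regex tolerates both the TCP rows with a state column and the UDP rows without one, and the checks are deliberately separate functions so each can be reused on its own.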

Understanding how TCP/IP uses ports is a base skill for any network tech. To pass the CompTIA Network+ exam, you need to memorize a number of different well-known ports and even a few of the more popular registered ports. You must appreciate how the ports fit into the process of TCP/IP communications and know how to use NETSTAT and other tools to see what's going on inside your computer.

The biggest challenge is learning what's supposed to be running and what's not. No one on Earth can run a NETSTAT command and instantly recognize every connection and why it's running, but a good network tech should know most of them. For those connections that a tech doesn't recognize, he or she should know how to research them to determine what they are.
