0

If I enter the following command in CMD prompt...

netstat -ano

I get a list of active connections as expected. What confuses me is that there are many different formats for my "Local Address"... 

Proto  Local Address          Foreign Address        State           PID
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       656
TCP    208.80.154.224:13      0.0.0.0:0              LISTENING       4
TCP    127.0.0.1:2559         0.0.0.0:0              LISTENING       8628
TCP    [::]:135               [::]:0                 LISTENING       656
UDP    [::1]:1900             *:*                                    4512

For a particular connection, what determines which format is used for my "Local Address"? i.e. why is 0.0.0.0 displayed for some connections and [::] displayed for other connections, and so on?

Improve this question
1
  • You cannot be "hacked" just by posting an IP address. You have to have a vulnerable application running on the system that normally would allow somebody to connect ( i.e. a server application ).
    – Ramhound
    Commented Sep 26, 2014 at 21:08

1 Answer 1

Reset to default
2

netstat shows which ip adresses and ports are being listened on, because a program requested this.

0.0.0.0 means: any IP4 address.

208... is your public ip address that is being listed on.

127.0.0.1 is your local ip address, also known as local host, which would indicate that the program needs to open a port, but only does this so it can connect to itself.

  1. (or whatever your network ip address would be) is for LAN connections only.

:: is an IP v6 address which means: it listens to any ip v6 address, similar as 0.0.0.0

::1 is ipv6's version of local host, similar to 127.0.0.1 meaning that its only used for communication to itself. The PID is the program that initiated the command. You can find this number in the task manager under processes.

Improve this answer
7
  • So if the local address for a connection is 127.0.0.1 (as opposed to 208.80.154.224 or something like that), then the "foreign" application is running on your own machine. That makes sense.
    – Niko Bellic
    Commented Sep 27, 2014 at 20:47
  • No. All applications are running on your pc. If an application looks for traffic on IP 127.0.0.1, it will only accept traffic sent from this pc. If an application looks for traffic on your public internet IP, it expects the traffic to come from the internet, and will not accept traffic that is on your local network.
    – LPChip
    Commented Sep 27, 2014 at 20:55
  • Okay, so if "Local Address" is your machine's public internet IP (not 127.0.0.1), then the "Foreign Address" is most likely the IP address of some machine elsewhere on the internet? Correct?
    – Niko Bellic
    Commented Sep 27, 2014 at 21:10
  • Yes. It is listening to a connection from that IP, because that ip connected to your machine first. When you want to transmit data from a server, the client first has to connect, then the server knows where it is going to send its data.
    – LPChip
    Commented Sep 27, 2014 at 21:56
  • To clarify what I mean with the above: A server has one listening port that clients can connect to. If the server used that port to transmit all the data, only one client could connect. Instead the server notes the ip address from the client, then sets up a new connection towards the client using a different port, specifically for that client.
    – LPChip
    Commented Sep 27, 2014 at 21:58

Not the answer you're looking for? Browse other questions tagged .