2

When I type "sudo netstat -an", this is part of the output I get:

Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 192.99.202.17:39922        23.82.16.66:29842           TIME_WAIT  

I am confused as to what the first line is saying.

Is it saying a server from 23.82.16.66 is connecting to this server through port 29842, or port 39922?

How do I know it's an incoming connection from that IP, as opposed to an outgoing connection from my server to that IP?

I'm running CENTOS 6.7, if that matters.

2
  • Because it's TIME_WAIT in your example, that means the machine you are running this command on is waiting for any late or resent packets since the connection was closed from this machine. Waiting on incoming... Commented Jul 15, 2016 at 22:08
  • Please read my answer too, it contains material which has not been covered in the other answers. It is a matter of some urgency for you, trust me. Commented Jul 20, 2016 at 9:59

3 Answers

3

How do I know it's an incoming connection from that IP, as opposed to an outgoing connection from my server to that IP?

The Local Address is the address of the machine you are running the netstat command from, so understanding the state of the TCP connection will help you understand whether it is incoming or outgoing from the local address's perspective.

The Simplified TCP Finite State Machine

State: TIME-WAIT

State Description: The device has now received a FIN from the other device and acknowledged it, and sent its own FIN and received an ACK for it. We are done, except for waiting to ensure the ACK is received and prevent potential overlap with new connections. (See the topic describing connection termination for more details on this state.)

Event and Transition: Timer Expiration: After a designated wait period, device transitions to the CLOSED state.

source


TIME-WAIT

(either server or client) represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. [According to RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes known as two MSL (maximum segment lifetime).]

source


Another Good Explanation

Due to the way TCP/IP works, connections cannot be closed immediately. Packets may arrive out of order or be retransmitted after the connection has been closed. CLOSE_WAIT indicates that the remote endpoint (other side of the connection) has closed the connection. TIME_WAIT indicates that the local endpoint (this side) has closed the connection. The connection is being kept around so that any delayed packets can be matched to the connection and handled appropriately. The connections will be removed when they time out within four minutes.

source


rfc793: image source



Further Resources

1

You can tell by checking whether your server listens on port 39922: if it does, the connection was established from the remote side.

For example: your server accepts ssh connections on the standard port 22. With netstat -anutp | grep :22 you will see whether it listens on that port, is connected to on it, or has a connection to it. If you open two terminal sessions to your server and then, from one of them, connect with ssh to a third server, the output of the above command will show that your server is listening on port 22, that it has port 22 on the local side for your connections to the server, and that the line for the third server has port 22 on the remote side with the IP of the third server and a random port on the local side.

I don't think you can tell from the output of the netstat command if the connection was initiated from local or remote.

0

You have already received two good answers to your question, so I apologize for adding a new one which addresses something which I read between the lines of your post. My answer is intended to complement the other two answers, not to substitute them.

From the output of netstat it is not possible to determine whether the connection was started by your own machine or by the remote machine. The simple fact that you are asking this question makes me worry, and what makes me worry even more is another strange fact in that output: the use of high ports (which means > 10,000) for both sides of the connection.

Let me explain. PCs provide services to other PCs, in a client/server model: for instance, the Web server listens for requests of Web pages on a specified port (actually, two: 80 and 443) from a remote client. Likewise for ssh, ftp, dns, and so on. All essential services listen on well-known ports (see Wikipedia for instance), some of which are so important as to be carved in stone: their assignment is regulated by none less than IANA. Many other ports, though their use is not regulated by IANA, have become traditional for certain applications. What all of the listening ports have in common is that they are below 10000. High ports (those above 10,000) are traditionally reserved for outgoing connections, not for listening.

So, how come you see a connection between ports 39922 and 29842? Because someone has set up a service on a very non-standard port, either on your machine or on the remote machine. Is your machine the listening server? The command

sudo ss -lntp

will tell you that: it lists all ports on which your machine listens for incoming (TCP, the -t option) connections, and the associated processes. So you may now look to see which process, if any, is listening on port 39922.

Now let us suppose this does indeed turn out to be the case, i.e. that a service which you did not set up is listening on port 39922. Who does that? Hackers, who use a tool (netcat or nc, the Swiss Army knife of TCP connections) that allows them to connect easily over high ports between their pc and a p0wned pc. This is why I am worried.

Nor am I assuaged by learning that 23.82.16.66 belongs to Nobis Technology, a company which owns several data centers providing cloud server solutions. And, icing on the cake, as I ran the info above through Google, I stumbled upon this Post by a sysadmin relating how Nobis Technology is a well-known spammer, and found out that the address above, 23.82.16.66, falls squarely inside one of the ranges the poor guy is trying to block; and, lo and behold, your local IP address, 192.99.202.17, is reported by whatismyipaddress.com to be your mail server.

In the end, what do I make of it? A connection from a well-known spammer to your mail server, over high-ports only, of which you know nothing. It seems likely your system has been somehow violated. That's why I am writing this post.
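The second and third answers both reduce to the same check: compare each connection's local port against the set of ports this host is LISTENing on (netstat shows these as LISTEN, ss -lntp lists the same thing with the owning process). The script below, an added example and not code from any of the answers, automates that comparison over netstat -an style output. It reads the LISTEN lines first, then labels every other TCP line: local port listening means the remote side connected to us; a local port in the Linux default ephemeral range (assumed here to start at 32768, the usual net.ipv4.ip_local_port_range lower bound) most likely means a local process opened the connection; anything else is left undetermined, in line with the third answer's caveat that netstat alone cannot prove who initiated. TIME_WAIT rows are additionally tagged as closed by the local side, as the first answer explains. The sample output, addresses and ports are constructed for the example.

```shell
#!/bin/sh
# Classify the direction of TCP connections in `netstat -an` style output.
# Added example; heuristic, not a netstat or ss feature.

# Constructed sample in the layout Linux netstat prints. 192.0.2.x and
# 198.51.100.x are documentation address ranges, not real hosts.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN
tcp        0      0 192.0.2.10:22               198.51.100.7:51234          ESTABLISHED
tcp        0      0 192.0.2.10:39922            198.51.100.9:29842          TIME_WAIT
tcp        0      0 192.0.2.10:45100            198.51.100.20:443           ESTABLISHED
udp        0      0 0.0.0.0:123                 0.0.0.0:*
EOF
}

# Reads netstat output on stdin and prints one line per non-LISTEN TCP
# connection: "<local> <remote> <state> <verdict>".
classify_conns() {
  awk '
    # only tcp/tcp6 rows; headers and udp rows are skipped
    $1 !~ /^tcp6?$/ { next }
    {
      # the port is whatever follows the last ":" in the local address
      lport = $4; sub(/.*:/, "", lport)
      if ($6 == "LISTEN") { listening[lport] = 1; next }
      # buffer connections so all LISTEN rows are known before judging
      conns[++n] = $4 " " $5 " " $6 " " lport
    }
    END {
      for (i = 1; i <= n; i++) {
        split(conns[i], f, " ")
        lport = f[4]
        if (lport in listening)
          verdict = "incoming(local-port-is-listening)"
        else if (lport + 0 >= 32768)   # assumed ephemeral range start
          verdict = "likely-outgoing(ephemeral-local-port)"
        else
          verdict = "undetermined(netstat-cannot-tell)"
        # TIME_WAIT means this side sent the first FIN (active close)
        if (f[3] == "TIME_WAIT") verdict = verdict ",closed-by-local-side"
        print f[1], f[2], f[3], verdict
      }
    }'
}

# Stand-alone usage; on a real host replace sample_netstat with `netstat -an`.
sample_netstat | classify_conns
```

Run against a live box as `sudo netstat -an | classify_conns` (or, since netstat is deprecated on newer systems, feed it `ss -antH` after adjusting the field positions, since ss puts State first). The verdict for a port that is neither listening nor ephemeral is deliberately "undetermined": a service bound to an unusual high port, the situation the third answer worries about, would show up as LISTEN and therefore be labelled incoming, which is exactly the row worth investigating with ss -lntp to find the owning process.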
