List of possible internal socket statuses from /proc
They should match the enum in ./include/net/tcp_states.h in the Linux kernel sources:
enum {
    TCP_ESTABLISHED = 1,
    TCP_SYN_SENT,
    TCP_SYN_RECV,
    TCP_FIN_WAIT1,
    TCP_FIN_WAIT2,
    TCP_TIME_WAIT,
    TCP_CLOSE,
    TCP_CLOSE_WAIT,
    TCP_LAST_ACK,
    TCP_LISTEN,
    TCP_CLOSING,    /* Now a valid state */
    TCP_MAX_STATES  /* Leave at the end! */
};
As for your second question, are you really sure there's not an sshd listening on e.g. 0.0.0.0:22? If not, I suspect what you're seeing is related to v4-mapped-on-v6 sockets; see e.g. man 7 ipv6.
TCP connection state from RAW SOCKET packet sniffing
OK, my requirement is to get the established connections. But I was sniffing traffic on the interface for another purpose, so I thought I could get TCP states from raw sockets. But I found /proc/net/tcp: there is an st field, and from that I can get ESTABLISHED connections. So, I should read /proc/net/tcp continuously to get ESTAB for a specific time in a different thread.
So, the answer is /proc/net/tcp. Check this question. Or maybe I should use netfilter.
How can i match each /proc/net/tcp entry to each opened socket?
Take the inode number (in this case, 507218). Each open file descriptor to that socket (there may be multiple file descriptors for the same socket) will appear as a link of the form:
/proc/<PID>/fd/<N> -> socket[507218]
(where <PID> is the process ID and <N> is the file descriptor).
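The two answers above (the st state codes and the inode-to-descriptor match) combined into one auditing helper. This is an added example, not code from the original answers. The sample rows are constructed, the function names are hypothetical, and the address decoding assumes a little-endian host. On a live system readlink returns the link target as socket:[<inode>].

```python
import os
import socket
import struct

# State names in the order of the kernel enum quoted above (TCP_ESTABLISHED = 1).
TCP_STATES = ["ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT1", "FIN_WAIT2",
              "TIME_WAIT", "CLOSE", "CLOSE_WAIT", "LAST_ACK", "LISTEN", "CLOSING"]

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 507218 1 0000000000000000 20 4 30 10 -1
"""

def decode_addr(field):
    """Decode 'HEXIP:HEXPORT' for IPv4 (assumption: little-endian host)."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row, with the st field mapped to a state name."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        st = int(f[3], 16)  # st is printed in hex: 0A == TCP_LISTEN
        state = TCP_STATES[st - 1] if 1 <= st <= len(TCP_STATES) else "UNKNOWN(%d)" % st
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": state, "uid": int(f[7]), "inode": int(f[9])})
    return rows

def pids_for_inode(inode, proc="/proc"):
    """Return (pid, fd) pairs whose /proc/<PID>/fd/<N> link points at the socket inode."""
    target = "socket:[%d]" % inode
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    hits.append((int(pid), int(fd)))
        except OSError:  # process exited mid-scan, or not permitted to read its fds
            continue
    return sorted(hits)

if __name__ == "__main__":
    print([(r["local"], r["state"], r["inode"]) for r in parse_proc_net_tcp(SAMPLE)])
```

On a real host, pass the contents of /proc/net/tcp to parse_proc_net_tcp and run as root; without it, the fd directories of other users' processes are unreadable and their sockets show no owner.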
How to retrieve ports in use in the system?
The most common way is to use the netstat console utility with the following flags:
netstat -plan
where:
-p : Show the PID and name of the program to which each socket belongs;
-l : Show only listening sockets;
-a : Show both listening and non-listening sockets;
-n : Show numerical addresses instead of trying to determine symbolic host, port or user names.
For additional output options and flags, please check the man page (man netstat). Based on your particular needs, only TCP or UDP (for example) protocol connections can be examined:
netstat -4 --tcp --udp --all
Alternatively, lsof -i might be helpful.
Most likely you are interested in the following information (special /proc filesystem):
/proc - Mount point for the proc filesystem, which gives access to kernel status information via the following files:
- /proc/net/dev - device information
- /proc/net/raw - raw socket information
- /proc/net/tcp - TCP socket information
- /proc/net/udp - UDP socket information
- /proc/net/igmp - IGMP multicast information
- /proc/net/unix - Unix domain socket information
- /proc/net/ipx - IPX socket information
- /proc/net/ax25 - AX25 socket information
- /proc/net/appletalk - DDP (appletalk) socket information
- /proc/net/nr - NET/ROM socket information
- /proc/net/route - IP routing information
- /proc/net/ax25_route - AX25 routing information
- /proc/net/ipx_route - IPX routing information
- /proc/net/nr_nodes - NET/ROM nodelist
- /proc/net/nr_neigh - NET/ROM neighbours
- /proc/net/ip_masquerade - masqueraded connections
- /proc/net/snmp - statistics