List of Possible Internal Socket Statuses from /Proc

List of possible internal socket statuses from /proc

They should match the enum in ./include/net/tcp_states.h in the Linux kernel sources:

enum {
    TCP_ESTABLISHED = 1,
    TCP_SYN_SENT,
    TCP_SYN_RECV,
    TCP_FIN_WAIT1,
    TCP_FIN_WAIT2,
    TCP_TIME_WAIT,
    TCP_CLOSE,
    TCP_CLOSE_WAIT,
    TCP_LAST_ACK,
    TCP_LISTEN,
    TCP_CLOSING, /* Now a valid state */

    TCP_MAX_STATES /* Leave at the end! */
};

As for your second question, are you really sure there's not an sshd listening on e.g. 0.0.0.0:22? If not, I suspect what you're seeing is related to v4-mapped-on-v6 sockets; see e.g. man 7 ipv6.

TCP connection state from RAW SOCKET packet sniffing

OK, my requirement is to get the established connections. But I was sniffing traffic on the interface for another purpose. So, I thought I could get TCP states from raw sockets. But I found /proc/net/tcp: there is an st field, and from that I can get ESTABLISHED connections. So, I should read /proc/net/tcp continuously to get ESTAB for a specific time in a different thread.

So, the answer is /proc/net/tcp. Check this question. Or maybe I should use netfilter.

How can i match each /proc/net/tcp entry to each opened socket?

Take the inode number (in this case, 507218). Each open file descriptor to that socket (there may be multiple file descriptors for the same socket) will appear as a link of the form:

/proc/<PID>/fd/<N> -> socket[507218]

(where <PID> is the process ID and <N> is the file descriptor).

How to retrieve ports in use in the system?

The most common way is to use the netstat console utility with the following flags:

netstat -plan

where:

-p : Show the PID and name of the program to which each socket belongs;
-l : Show only listening sockets;
-a : Show both listening and non-listening sockets;
-n : Show numerical addresses instead of trying to determine symbolic host, port or user names.

For additional output options and flags, please check the man page (man netstat). Based on your particular needs, only TCP or UDP (for example) protocol connections can be examined:

netstat -4 --tcp --udp --all

Alternatively, lsof -i might be helpful.

Most likely you are interested in the following information (special /proc filesystem):

/proc - Mount point for the proc filesystem, which gives access to kernel status information via the following files:

  • /proc/net/dev - device information
  • /proc/net/raw - raw socket information
  • /proc/net/tcp - TCP socket information
  • /proc/net/udp - UDP socket information
  • /proc/net/igmp - IGMP multicast information
  • /proc/net/unix - Unix domain socket information
  • /proc/net/ipx - IPX socket information
  • /proc/net/ax25 - AX25 socket information
  • /proc/net/appletalk - DDP (appletalk) socket information
  • /proc/net/nr - NET/ROM socket information
  • /proc/net/route - IP routing information
  • /proc/net/ax25_route - AX25 routing information
  • /proc/net/ipx_route - IPX routing information
  • /proc/net/nr_nodes - NET/ROM nodelist
  • /proc/net/nr_neigh - NET/ROM neighbours
  • /proc/net/ip_masquerade - masqueraded connections
  • /proc/net/snmp - statistics

