iptstate question

Discussion in 'Linux Networking' started by colin marr, Jun 2, 2013.

  1. colin marr

    colin marr Guest

    I'm trying to understand iptstate.

    When I see the word ESTABLISH when I run iptstate -s, does that mean that there is currently a live connection between me and some other site?

    All other references are for past connections or other errors?

    I can't see a command to run iptstate and just see the live connections (assuming that the above is true)

    colin marr, Jun 2, 2013

  2. colin marr

    Moe Trin Guest

    On Sun, 2 Jun 2013, in the Usenet newsgroup comp.os.linux.networking, in article

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.
    [fermi ~]$ whatis iptstate
    iptstate (8) - A top-like display of IP Tables state table entries
    [fermi ~]$

    OK. You may want to start by reading some of the HOWTOs at

    [TXT] NAT-HOWTO.txt 05-Oct-2012 10:33 25K
    [TXT] netfilter-double-nat.txt 05-Oct-2012 10:33 9.4K
    [TXT] netfilter-extensions-HOWTO.txt 05-Oct-2012 10:33 80K
    [TXT] netfilter-hacking-HOWTO.txt 05-Oct-2012 10:33 81K
    [TXT] netfilter-mirror-HOWTO.txt 05-Oct-2012 10:33 7.8K
    [TXT] networking-concepts-HOWTO.txt 05-Oct-2012 10:33 28K
    [TXT] packet-filtering-HOWTO.txt 05-Oct-2012 10:33 51K
    0793 Transmission Control Protocol. J. Postel. September 1981.
    (Format: TXT=172710 bytes) (Obsoletes RFC0761) (Updated by
    RFC1122, RFC3168, RFC6093, RFC6528) (Also STD0007) (Status:

    Your favorite search engine will find a copy of RFC0793 at many
    locations. Way down on page 21 of that document, you'll find

    A connection progresses through a series of states during its
    lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED,
    TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional
    because it represents the state when there is no TCB, and therefore,
    no connection. Briefly the meanings of the states are:


    ESTABLISHED - represents an open connection, data received can be
    delivered to the user. The normal state for the data transfer
    phase of the connection.

    so you and the peer said "Hello" and agreed to talk to each other.
    You have a connection, and have not said "Goodbye" or hung up the
    phone. However, that doesn't mean you are actively transferring
    bits at this exact moment.
    True - you'd have to put the data through a filter to select the
    "ESTABLISHED" state. For a "snapshot" view, I'm more used to running

    /bin/netstat -antu | grep ESTABLISHED

    The HOWTOs from the netfilter.org website may be helpful. If your
    primary language is French, you may want to look in the

    [DIR] fr/ 05-Oct-2012 10:33 -

    at the http://www.netfilter.org/documentation/HOWTO/ site.

    Old guy
    Moe Trin, Jun 2, 2013

  3. colin marr

    colin marr Guest

    Thanks for your ideas.
    I don't suppose there is a way in netstat to resolve IPs like in
    iptstate -sl

    I looked in the man page but didn't see it.
    That would be really helpful to see what sites are being gone to.

    colin marr, Jun 3, 2013
  4. colin marr

    Moe Trin Guest

    On Mon, 3 Jun 2013, in the Usenet newsgroup comp.os.linux.networking, in article

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    ]> /bin/netstat -antu | grep ESTABLISHED
    OK - compare

    -l, --lookup
    Show hostnames instead of IP addresses

    -s, --src-filter IP
    Only show states with a source of IP. Note, that this
    must be an IP, hostname matching is not yet supported.


    --numeric , -n
    Show numerical addresses instead of trying to determine
    symbolic host, port or user names.

    So try '/bin/netstat -atu | grep ESTABLISHED' instead. The default
    for 'iptstate' is to NOT look up names, while for 'netstat' the
    default is to try to look them up.
    Maybe, maybe. RFC2050

    2050 Internet Registry IP Allocation Guidelines. K. Hubbard, M.
    Kosters, D. Conrad, D. Karrenberg, J. Postel. November 1996.
    (Format: TXT=28975 bytes) (Obsoletes RFC1466) (Also BCP0012)

    section 5 tasks the various internet registries (AfriNIC, APNIC, ARIN,
    LACNIC and RIPE internationally, and for example, cira.ca for Canada)
    to see the Reverse DNS (that is, IP to hostname) works. Many sites
    seem to think providing the service is an undue burden or a frill, and
    don't do so. Other sites may provide only "generic" names that may
    or may not be meaningful. Still other sites are hosted by bandwidth
    providers, or content providers and the resulting names don't tell
    you anything about the site. Another problem is the "forward" names
    (hostname to IP) don't always equal "reverse" names (IP to hostname),
    nor is it required (by RFC) to be so. SOMETIMES, doing a "whois"

    [fermi ~]$ whatis whois
    whois (1) - client for the whois service
    [fermi ~]$

    might provide hints that are of some use.

    Old guy
    Moe Trin, Jun 3, 2013
  5. colin marr

    Rick Jones Guest

    By default, netstat will attempt to map IP addresses to names and port
    numbers to service names. If you specify the -n option (as Moe's
    example did) then it will not attempt to do that.

    If you have not set -n on your netstat command, and you do not see a
    name, likely as not, there is no "PTR" record for that IP - an entry
    in the DNS which maps from IP address to hostname.

    rick jones
    Rick Jones, Jun 3, 2013
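
Added example, not part of any post in this thread: a short Python script that selects ESTABLISHED rows from `netstat -antu` output by the State column and then checks, for each remote address, whether a PTR name exists and whether that name resolves back to the same IP (the forward/reverse mismatch described above). The sample output, the function names and the injectable `ptr`/`forward` resolver parameters are assumptions made for the example.

```python
import ipaddress
import socket

# Constructed sample of `netstat -antu` output (documentation address ranges).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:44312        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:51820        203.0.113.9:80          TIME_WAIT
tcp6       0      0 2001:db8::10:39000      2001:db8::beef:443      ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def established_peers(netstat_text):
    """Return (proto, remote_ip, remote_port) for TCP rows in state ESTABLISHED."""
    peers = []
    for line in netstat_text.splitlines():
        f = line.split()
        # TCP rows have 6 fields; UDP rows carry no State column and are skipped.
        if len(f) == 6 and f[0].startswith("tcp") and f[5] == "ESTABLISHED":
            ip, _, port = f[4].rpartition(":")  # rpartition keeps IPv6 colons intact
            peers.append((f[0], ip, int(port)))
    return peers

def system_ptr(ip):
    return socket.gethostbyaddr(ip)[0]          # reverse (PTR) lookup

def system_forward(name):
    return {ai[4][0] for ai in socket.getaddrinfo(name, None)}

def check_name(ip, ptr=system_ptr, forward=system_forward):
    """Return (name, status) where status is 'no-ptr', 'mismatch' or 'confirmed'."""
    try:
        name = ptr(ip)
    except OSError:                              # herror/gaierror are OSError subclasses
        return None, "no-ptr"
    try:
        addrs = forward(name)
    except OSError:
        addrs = set()
    want = ipaddress.ip_address(ip)              # compare parsed, not textual, addresses
    ok = any(ipaddress.ip_address(a.split("%")[0]) == want for a in addrs)
    return name, "confirmed" if ok else "mismatch"

if __name__ == "__main__":
    for proto, ip, port in established_peers(SAMPLE):
        print(proto, ip, port, *check_name(ip))
```

To run it against a live host, pass the text of `netstat -antu` to `established_peers` in place of `SAMPLE`.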
  6. colin marr

    colin marr Guest

    Thanks I will look at your suggestions.
    colin marr, Jun 4, 2013