Linux – Meaning of netstat output

centos, linux, netstat, networking, tcp

When I type "sudo netstat -an", this is part of the output I get:

Proto Recv-Q Send-Q Local Address               Foreign Address             State      
tcp        0      0 192.99.202.17:39922        23.82.16.66:29842           TIME_WAIT  

I am confused as to what the first line is saying.

Is it saying a server from 23.82.16.66 is connecting to this server through port 29842, or port 39922?

How do I know it's an incoming connection from that IP, as opposed to an outgoing connection from my server to that IP?

I'm running CentOS 6.7, if that matters.

Best Answer

  • How do I know it's an incoming connection from that IP, as opposed to an outgoing connection from my server to that IP?

    The Local Address is the address of the machine you are running the netstat command from, so understanding the state of the TCP connection will help you work out whether it is incoming or outgoing from the local address's perspective.

    The Simplified TCP Finite State Machine

    State: TIME-WAIT

    State Description: The device has now received a FIN from the other device and acknowledged it, and sent its own FIN and received an ACK for it. We are done, except for waiting to ensure the ACK is received and prevent potential overlap with new connections. (See the topic describing connection termination for more details on this state.)

    Event and Transition: Timer Expiration: After a designated wait period, device transitions to the CLOSED state.

    source


    TIME-WAIT

    (either server or client) represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request. [According to RFC 793 a connection can stay in TIME-WAIT for a maximum of four minutes known as two MSL (maximum segment lifetime).]

    source


    Another Good Explanation

    Due to the way TCP/IP works, connections cannot be closed immediately. Packets may arrive out of order or be retransmitted after the connection has been closed. CLOSE_WAIT indicates that the remote endpoint (the other side of the connection) has closed the connection. TIME_WAIT indicates that the local endpoint (this side) has closed the connection. The connection is being kept around so that any delayed packets can be matched to the connection and handled appropriately. The connections will be removed when they time out within four minutes.

    source


    [Image: RFC 793 TCP connection state diagram]


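The answer above explains what the Local Address column and the TIME_WAIT state tell you; what netstat does not print is which side opened the connection. The script below is an added example, not part of the original question or answer. It parses `netstat -an` style lines and applies two heuristics of my own: the side whose port also appears in a LISTEN row accepted the connection (inbound), and the side holding a port from the ephemeral range initiated it (outbound). The ephemeral range default `(32768, 60999)` is an assumed value for modern Linux; on a live host `read_ephemeral_range()` reads `/proc/sys/net/ipv4/ip_local_port_range` instead. The sample output is constructed; only the TIME_WAIT line is taken from the question. Separately, `closing_side()` reports which end sent the first FIN, which is what TIME_WAIT versus CLOSE_WAIT actually encodes and is independent of who connected to whom.

```python
# Added example (not from the original answer): classify netstat -an TCP rows
# as inbound/outbound and report which side closed first, using the heuristics
# described in the lead-in. The ephemeral range below is an assumed default.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the layout of `sudo netstat -an`; only the TIME_WAIT
# row comes from the question, the other rows are made up for illustration.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 192.99.202.17:22            203.0.113.5:51234           ESTABLISHED
tcp        0      0 192.99.202.17:39922         23.82.16.66:29842           TIME_WAIT
tcp        0      0 192.99.202.17:45678         198.51.100.9:443            ESTABLISHED
tcp        0      0 192.99.202.17:40000         203.0.113.7:50000           ESTABLISHED
tcp6       0      0 :::80                       :::*                        LISTEN
"""

# Assumed default of /proc/sys/net/ipv4/ip_local_port_range; overridden by
# read_ephemeral_range() when that file is readable.
DEFAULT_EPHEMERAL = (32768, 60999)


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]    # None when netstat prints "*"
    remote_ip: str
    remote_port: Optional[int]
    state: str


def _split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'ip:port' on the last colon so IPv6 forms such as ':::22' work."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP rows from netstat -an output; header and UDP rows are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, _recvq, _sendq, local, foreign, state = parts[:6]
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(foreign)
        conns.append(Conn(proto, lip, lport, rip, rport, state))
    return conns


def read_ephemeral_range(path: str = "/proc/sys/net/ipv4/ip_local_port_range") -> Tuple[int, int]:
    """Return the kernel's ephemeral port range, or the assumed default offline."""
    try:
        with open(path) as f:
            lo, hi = f.read().split()
        return int(lo), int(hi)
    except (OSError, ValueError):
        return DEFAULT_EPHEMERAL


def closing_side(state: str) -> str:
    """Which end sent the first FIN: FIN_WAIT*/TIME_WAIT mean this host did the
    active close, CLOSE_WAIT/LAST_ACK mean the peer did."""
    if state in ("FIN_WAIT1", "FIN_WAIT2", "TIME_WAIT"):
        return "local closed first"
    if state in ("CLOSE_WAIT", "LAST_ACK"):
        return "remote closed first"
    return "n/a"


def direction(conn: Conn, listeners: Set[int], ephemeral: Tuple[int, int]) -> str:
    """Heuristic direction: 'listener', 'inbound', 'outbound' or 'unknown'.
    A local port that is also in LISTEN means a peer connected to us; a port
    inside the ephemeral range was picked by the initiating side."""
    if conn.state == "LISTEN":
        return "listener"
    if conn.local_port is None:
        return "unknown"
    if conn.local_port in listeners:
        return "inbound"
    lo, hi = ephemeral
    local_eph = lo <= conn.local_port <= hi
    remote_eph = conn.remote_port is not None and lo <= conn.remote_port <= hi
    if local_eph and not remote_eph:
        return "outbound"
    if remote_eph and not local_eph:
        return "inbound"
    return "unknown"   # both or neither ephemeral: check the peer's listeners


def classify(text: str, ephemeral: Tuple[int, int] = DEFAULT_EPHEMERAL) -> List[Tuple[Conn, str, str]]:
    """Return (conn, direction, closing side) for every TCP row in text."""
    conns = parse_netstat(text)
    listeners = {c.local_port for c in conns if c.state == "LISTEN"}
    return [(c, direction(c, listeners, ephemeral), closing_side(c.state)) for c in conns]


if __name__ == "__main__":
    for c, d, side in classify(SAMPLE, read_ephemeral_range()):
        print(f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} "
              f"{c.state:12} {d:9} {side}")
```

Run against the question's row this marks 192.99.202.17:39922 -> 23.82.16.66:29842 as outbound (the local port is in the ephemeral range, the foreign one is not) with the local side having closed first. Treat "unknown" rows, where both ports fall in the ephemeral range, as a prompt to check the other host or the listening sockets with `netstat -tln` or `ss -tln` rather than as a verdict.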