Ubuntu – Difference between ESTABLISHED and LISTENING

networkingnmap

I have use Nmap -a to view all open ports on my laptop. However, I noticed that the states are different. Some have ESTABLISHED, some LISTENING and some were stateless. What do they mean?

Best Answer

Any "ESTABLISHED" socket means that there is a connection currently made there.

Any "LISTEN" means that the socket is waiting for a connection.

Both are opened ports but one is waiting for a connection to be made while the other has a connection already made.

You can imagine this like the following:

The HTTP protocol (typically port 80) is on LISTEN mode until somebody actually goes to the server. The moment somebody visits the page, then it will be in ESTABLISHED mode.

The same applies for the MySQL 3306. When nobody is using the service, it is on LISTEN mode. When somebody actually uses it, at that moment it will be in ESTABLISHED mode.

For more information here are some man pages that are useful:

man nmap
man netstat
man arp
man lsof

Basically with this you will see how the the ports work, how they are handled and probably more information regarding sockets and their states. And yes, as stated ESTABLISHED & LISTEN both are Open Ports but ESTABLISHED means it is connected while LISTEN means that is waiting to be connected.