Using Netstat

00:00 In the previous lesson, I wrote a server that listened on a socket. In this lesson, I’ll show you how to see what sockets are on your machine. The netstat program lists all the sockets on your box.

00:12 Although originally a Unix command, it ships with Windows as well. The output can be a bit daunting as it shows all sockets on your machine, and that can be a lot because it includes everything, not just your TCP/IP ones.

00:26 It’s important to use two command line flags with netstat. The first is -a, which says to show everything. If you forget it, the thing you’re looking for might not show as it filters for certain kinds of routes by default.

00:39 The second flag is -n, which says to report the addresses as numbers. This is important. Otherwise, your command can take a long time to run as it will try to do a reverse lookup of every host name in the list.

00:51 As this list can be quite long, it’s better to stick with the numbers.

00:56 I’m running our bork server in a different window, so let’s see what netstat will tell us about it.

01:02 Let me scroll back. Told you it was long. Still scrolling back,

01:13 still scrolling back, and there we go. And up here at the top, you can see the stuff I actually wanted. In fact, the bork server is actually the second item listed.

01:24 The _Protocol_ column tells me that this is using IP version 4, and the address shows the localhost 127.0.0.1 and port 65432. It doesn’t use a colon to separate the port number, but a dot, which I don’t like, but what are you going to do? Next to that in the _Foreign Address_ column, you see *.*.

01:46 This is because bork server is a server and it’s listening to anyone that is willing to connect. And there’s another indication of that in the last column as well, which shows the state as LISTEN. On the line below, you can see a web connection on my machine.

02:00 I know it’s a web connection because the foreign address is on port 443, which is TLS. The ESTABLISHED state means that something is actually talking over this connection.

02:10 When you run netstat, you can include a filter which will reduce the amount of output. Let me scroll back down.

02:22 I’m going to use -f with a value of inet to restrict the listing to just IP version 4 connections. Still a lot of stuff,

02:33 but now it’s only three pages. The content at the top here is just like it was before, but I didn’t have to filter through as much stuff to find it.

02:44 When looking at the netstat data, you saw the LISTEN and ESTABLISHED states. These are just two of the eleven possible states.

02:52 LISTEN is a server waiting for a connection. ESTABLISHED means a connection has been made. CLOSE-WAIT and CLOSING mean the connection is in the process of closing.

03:03 CLOSED means the connection is closed, but the operating system hasn’t cleaned the socket up yet. And TIME-WAIT means the connection is waiting on a timeout.

03:12 Remember when I mentioned how you want to catch your exceptions in your code so that a socket can be closed properly? Well, if you don’t and your program crashes, your socket will be in TIME-WAIT mode, and you’ll have to wait until the timeout happens for the OS to clean the socket up.

03:27 While your socket is in TIME-WAIT, nobody else can use that port. There are other states as well that have to do with the protocol used for sockets to establish a connection.

03:38 These states are quick and you’re not likely to catch them using netstat as they go away in an instant.

03:45 Next up, I’ll write a client to go with our bork server.
