Tool: Netstat

Posted by S3cTr4ck On January - 28 - 2010

Netstat is one of the primary tools for digital forensic analysis tasks, thanks to its broad set of options for producing information about a system's network connections and their statistics.

A fuller description, from Wikipedia:

Netstat (network statistics) is a command-line tool that displays a list of a computer's active connections, both incoming and outgoing. Versions of this command exist on several systems such as Unix, GNU/Linux, Mac OS X, Windows and BeOS.

The information produced by the command includes the protocol in use, the local and remote IP addresses, the local and remote ports used, and the state of the connection. Besides the command-line version, third-party tools with a graphical interface (GUI) exist for almost all operating systems.


Now some examples of interest:

——————————————————————————————-

Help / available options (netstat -h)

[root@freeforuse avatar]# netstat -h
usage: netstat [-veenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
netstat [-vnNcaeol] [<Socket> ...]
netstat { [-veenNac] -I[<Iface>] | [-veenNac] -i | [-cnNe] -M | -s } [delay]

-r, --route display routing table
-I, --interfaces=[<Iface>] display interface table for <Iface>
-i, --interfaces display interface table
-g, --groups display multicast group memberships
-s, --statistics display networking statistics (like SNMP)
-M, --masquerade display masqueraded connections

-v, --verbose be verbose
-n, --numeric don't resolve names
--numeric-hosts don't resolve host names
--numeric-ports don't resolve port names
--numeric-users don't resolve user names
-N, --symbolic resolve hardware names
-e, --extend display other/more information
-p, --programs display PID/Program name for sockets
-c, --continuous continuous listing

-l, --listening display listening server sockets
-a, --all, --listening display all sockets (default: connected)
-o, --timers display timers
-F, --fib display Forwarding Information Base (default)
-C, --cache display routing cache instead of FIB
-T, --notrim stop trimming long addresses
-Z, --context display SELinux security context for sockets

<Iface>: Name of interface to monitor/list.
<Socket>={-t|--tcp} {-u|--udp} {-S|--sctp} {-w|--raw} {-x|--unix} --ax25 --ipx --netrom
<AF>=Use '-A <af>' or '--<af>'; default: inet
List of possible address families (which support routing):
inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
x25 (CCITT X.25)

——————————————————————————————-

Active connections (netstat -a) | less (paged output)

[root@freeforuse avatar]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 *:https                     *:*                         LISTEN
tcp        0      0 *:http                      *:*                         LISTEN
tcp        0      0 *:ssh                       *:*                         LISTEN
tcp        0    248 freeforuse:ssh              adslxxx-xxx-xxx-xxx.ep:xxxxx ESTABLISHED
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    24410733 @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    24411062 /dev/log
unix  2      [ ]         DGRAM                    33025313
unix  2      [ ]         DGRAM                    25001699

——————————————————————————————-

Programs associated with those services (netstat -p)

[root@freeforuse avatar]# netstat -p
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0    284 freeforuse:ssh              adslxxx-xxx-xxx-xxx.ep:xxxxx ESTABLISHED 18128/1
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ]         DGRAM                    24410733 15696/udevd         @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    24411062 15959/syslogd       /dev/log
unix  2      [ ]         DGRAM                    33025313 25692/crond
unix  2      [ ]         DGRAM                    25001699 18128/1

——————————————————————————————-

Connected IPs (netstat -n)

[root@freeforuse avatar]# netstat -n
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0    232 ::ffff:192.168.1.103:22     ::ffff:190.71.125.170:49249 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    24410733 @/org/kernel/udev/udevd
unix  4      [ ]         DGRAM                    24411062 /dev/log
unix  2      [ ]         DGRAM                    33025313
unix  2      [ ]         DGRAM                    25001699

——————————————————————————————-

Active TCP connections (netstat -t)

[root@freeforuse avatar]# netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0    232 freeforuse:ssh              adslxxx-xxx-xxx-xxx.ep:xxxxx ESTABLISHED
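The -a, -p, -n and -t listings above are what an examiner usually combines as `netstat -anp`: every socket, numeric addresses, and the owning PID. The following Python example is added here and is not part of the original post; it parses a constructed sample in that layout (hosts, ports, PIDs and the expected-service baseline are made up), separates listening sockets from established connections, and reports listeners that are not in the baseline or whose owner netstat could not identify (the `-` in PID/Program name, typically because netstat was not run as root).

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -anp` on Linux (the page's -a, -p,
# -n and -t listings combined).  Hosts, ports, PIDs and program names are made up.
SAMPLE_NETSTAT_ANP = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1204/sshd
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      1330/httpd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1402/sendmail
tcp        0      0 0.0.0.0:4444                0.0.0.0:*                   LISTEN      -
tcp        0    248 ::ffff:192.168.1.103:22     ::ffff:203.0.113.7:49249    ESTABLISHED 18128/sshd
tcp        0      0 192.168.1.103:38211         198.51.100.9:443            ESTABLISHED 2210/curl
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               1100/ntpd
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  4      [ ]         DGRAM                    24411062 15959/syslogd       /dev/log
"""

# One Internet-socket row: proto, queues, local, foreign, optional state (UDP rows
# have none), then PID/Program name ("-" when netstat could not identify the owner).
ROW_RE = re.compile(
    r"^(tcp6?|udp6?)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\S+)$"
)


def split_addr(addr):
    """Split 'host:port' on the last colon so IPv6 and ::ffff: mapped forms survive."""
    host, _, port = addr.rpartition(":")
    if host.startswith("::ffff:"):      # IPv4-mapped IPv6, as in the page's -n output
        host = host[len("::ffff:"):]
    return host, port


def parse_netstat(text):
    """Return one dict per Internet socket; the UNIX-domain section is skipped."""
    sockets = []
    for line in text.splitlines():
        if line.startswith("Active UNIX domain sockets"):
            break
        m = ROW_RE.match(line)
        if not m:                        # section and column headers
            continue
        proto, recvq, sendq, local, foreign, state, pidprog = m.groups()
        lhost, lport = split_addr(local)
        fhost, fport = split_addr(foreign)
        if pidprog == "-":
            pid, prog = None, None       # owner not visible to netstat
        else:
            pid_s, _, prog = pidprog.partition("/")
            pid = int(pid_s)
        sockets.append({
            "proto": proto, "recvq": int(recvq), "sendq": int(sendq),
            "lhost": lhost, "lport": lport, "fhost": fhost, "fport": fport,
            "state": state or "", "pid": pid, "prog": prog,
        })
    return sockets


def is_listening(sock):
    """TCP sockets in LISTEN, or UDP sockets bound with no peer (foreign port '*')."""
    return sock["state"] == "LISTEN" or (
        sock["proto"].startswith("udp") and sock["fport"] == "*"
    )


def triage_listeners(sockets, baseline):
    """Compare listening sockets with a baseline of (proto, port) pairs the host is
    expected to serve.  Returns (kind, proto, port, program) tuples to follow up."""
    findings = []
    for s in sockets:
        if not is_listening(s):
            continue
        if (s["proto"].rstrip("6"), s["lport"]) not in baseline:
            findings.append(("unexpected_listener", s["proto"], s["lport"], s["prog"]))
        if s["pid"] is None:
            findings.append(("unknown_owner", s["proto"], s["lport"], None))
    return findings


def peers(sockets):
    """Group ESTABLISHED connections by remote host: (local port, program) per peer."""
    by_peer = defaultdict(list)
    for s in sockets:
        if s["state"] == "ESTABLISHED":
            by_peer[s["fhost"]].append((s["lport"], s["prog"]))
    return dict(by_peer)


# Hypothetical baseline for the sample host: the services it is supposed to expose.
BASELINE = {("tcp", "22"), ("tcp", "80"), ("tcp", "25"), ("udp", "123")}

if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT_ANP)
    for finding in triage_listeners(socks, BASELINE):
        print(finding)
    for host, conns in peers(socks).items():
        print(host, conns)
```

On the sample, the only findings are for the listener on tcp/4444: it is absent from the baseline and netstat printed `-` for its owner, so the next step on a real case is to re-run as root (or use `lsof`/`ss`) and tie the socket to a process. Feed it the saved output of `netstat -anp` from the host under analysis instead of the constructed string.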

——————————————————————————————-

Active UDP connections (netstat -u)

——————————————————————————————-

Usage statistics for all connections (netstat -s)

[root@freeforuse avatar]# netstat -s
Ip:
77333 total packets received
0 forwarded
0 incoming packets discarded
77333 incoming packets delivered
44657 requests sent out
Icmp:
0 ICMP messages received
0 input ICMP message failed.
ICMP input histogram:
4 ICMP messages sent
0 ICMP messages failed
ICMP output histogram:
echo request: 4
IcmpMsg:
OutType8: 4
Tcp:
843 active connections openings
140 passive connection openings
440 failed connection attempts
5 connection resets received
1 connections established
76714 segments received
43937 segments send out
38 segments retransmited
0 bad segments received.
468 resets sent
Udp:
666 packets received
0 packets to unknown port received.
0 packet receive errors
666 packets sent
TcpExt:
2 resets received for embryonic SYN_RECV sockets
93 delayed acks sent
Quick ack mode was activated 2 times
22 packets directly queued to recvmsg prequeue.
600 packets directly received from prequeue
65644 packets header predicted
3 packets header predicted and directly queued to user
4031 acknowledgments not containing data received
192 predicted acknowledgments
1 times recovered from packet loss due to SACK data
0 TCP data loss events
1 timeouts after SACK recovery
1 fast retransmits
19 other TCP timeouts
3 DSACKs sent for old packets
4 connections reset due to unexpected data
1 connections reset due to early user close
1 connections aborted due to timeout
IpExt:
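The `netstat -s` counters are cumulative since boot, so on their own they are just numbers; ratios between them are what give an examiner a quick read of a host's behaviour. The Python example below is added here and is not from the original post. It parses the counters above (copied from the page's own listing and re-indented the way netstat prints them) into per-section dictionaries and derives two TCP indicators: the share of connection attempts that failed and the share of segments that were retransmitted. The thresholds are illustrative assumptions, not values from the page.

```python
import re

# Counters copied from the page's own `netstat -s` listing, re-indented the way
# netstat prints them (the blog's extraction dropped the indentation).  Spellings
# such as "retransmited" and "send out" are netstat's own.
SAMPLE_NETSTAT_S = """\
Ip:
    77333 total packets received
    0 forwarded
    0 incoming packets discarded
    77333 incoming packets delivered
    44657 requests sent out
Icmp:
    0 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
    4 ICMP messages sent
    0 ICMP messages failed
    ICMP output histogram:
        echo request: 4
IcmpMsg:
        OutType8: 4
Tcp:
    843 active connections openings
    140 passive connection openings
    440 failed connection attempts
    5 connection resets received
    1 connections established
    76714 segments received
    43937 segments send out
    38 segments retransmited
    0 bad segments received.
    468 resets sent
Udp:
    666 packets received
    0 packets to unknown port received.
    0 packet receive errors
    666 packets sent
"""

SECTION_RE = re.compile(r"^([A-Za-z]+):$")                 # 'Tcp:' at column 0
COUNTER_RE = re.compile(r"^\s+(\d+)\s+(.*?)\.?$")          # '    440 failed connection attempts'
NAMED_RE = re.compile(r"^\s+([A-Za-z][\w ]*?):\s*(\d+)$")  # '        OutType8: 4'


def parse_netstat_s(text):
    """Return {section: {counter description: value}} from `netstat -s` output."""
    stats = {}
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = stats.setdefault(m.group(1), {})
            continue
        if section is None:
            continue
        m = COUNTER_RE.match(line)
        if m:
            section[m.group(2)] = int(m.group(1))
            continue
        m = NAMED_RE.match(line)
        if m:
            section[m.group(1)] = int(m.group(2))
        # histogram headers such as 'ICMP input histogram:' carry no value and are skipped
    return stats


def tcp_indicators(stats):
    """Ratios that normalise the cumulative TCP counters against each other."""
    tcp = stats["Tcp"]
    active = tcp["active connections openings"]
    sent = tcp["segments send out"]
    return {
        "failed_open_ratio": tcp["failed connection attempts"] / active if active else 0.0,
        "retransmit_ratio": tcp["segments retransmited"] / sent if sent else 0.0,
        "resets_sent": tcp["resets sent"],
        "resets_received": tcp["connection resets received"],
    }


def flag_anomalies(ind, failed_max=0.2, retrans_max=0.05):
    """Illustrative thresholds (assumed, not from the page); tune to the host's normal load."""
    flags = []
    if ind["failed_open_ratio"] > failed_max:
        flags.append("failed_open_ratio")
    if ind["retransmit_ratio"] > retrans_max:
        flags.append("retransmit_ratio")
    return flags


if __name__ == "__main__":
    stats = parse_netstat_s(SAMPLE_NETSTAT_S)
    ind = tcp_indicators(stats)
    print(ind)
    print("flagged:", flag_anomalies(ind))
```

On the page's own numbers, 440 of 843 outbound connection attempts failed (a ratio of about 0.52), which is the kind of figure an examiner should explain: a client repeatedly failing to reach a service is one benign reading, a host probing other machines is another, and the -p and -n listings above are where to look for the process and peers involved. Retransmissions, by contrast, are below 0.1% and not flagged.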

——————————————————————————————-

Routing table (netstat -r)

[root@freeforuse avatar]# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.0.2.0       *               255.255.255.0   U         0 0          0 venet0
169.254.0.0     *               255.255.0.0     U         0 0          0 venet0
default         192.0.2.1       0.0.0.0         UG        0 0          0 venet0

——————————————————————————————-

Active interfaces on the system (netstat -i)

[root@freeforuse avatar]# netstat -i
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo        16436   0      937      0      0      0      937      0      0      0 LRU
venet0     1500   0    76505      0      0      0    43766      0      0      0 BOPRU
venet0:0   1500   0      - no statistics available -                            BOPRU

——————————————————————————————-

You can recommend other commands through the comments (Y)
