Sockstat is a versatile command-line utility that ships with FreeBSD. It is widely used for examining network connections and open sockets. On FreeBSD, it lists the names and status of the foreground and background processes that have opened a network port. You can also filter the socket list by connection status, IP version, or the ports a particular program is listening on, and narrow the results by socket ownership and file descriptor. Sockstat also shows the details of every Unix domain socket used for IPC. A sensible move is to pair sockstat with the grep filter, which greatly extends what you can do with it.
Let’s look at some of the neat stuff we can pull off with Sockstat on FreeBSD.
List the working Ports on FreeBSD with Sockstat
The sockstat command lists all of the sockets that are currently open on a FreeBSD system. Type in the sockstat command without any flags or options to see the list of open sockets:
Let's take a moment and go over what each of the column labels in the output means. The first column from the left is labeled USER, and it lists the user account (root, mysql, and so on) that each socket belongs to. The second column is COMMAND, and it lists the command that opened each socket. The PID and FD columns list the process ID and file descriptor, respectively, of each socket. The PROTO column shows the socket type and transport protocol of each open socket. The last two columns are LOCAL ADDRESS and FOREIGN ADDRESS: the first lists the local IP address and port of each open socket, while the second shows the remote IP address and port connected to it.
List specific versions of Opened Ports in FreeBSD
To list open sockets of a specific protocol version only, for example IPv4, add the -4 flag to the end of the sockstat command:
You can list other versions similarly; for example, adding the -6 flag instead displays all IPv6 sockets.
List the open sockets based on TCP/UDP in FreeBSD
Add the -P flag to the sockstat command to have the list of open sockets restricted to TCP or UDP. You also need to supply the protocol name as the flag's argument; the valid names are listed in the /etc/protocols file. To show only TCP-based sockets, type in the following command:
Similarly, you can shortlist based on UDP:
The two can be combined very simply by giving both names as a comma-separated list:
As yet, sockstat does not support the ICMP protocol.
Display sockets with specific Port Numbers
To see the open sockets, TCP or UDP, restricted to particular port numbers (local or foreign), type in the sockstat command with the appropriate flags:
$ sockstat -P udp -p 53
$ sockstat -P tcp -p 443,53,80,21
In the commands above, the first restricts the listing to the TCP HTTPS port, the second to the UDP DNS port, and the third to several TCP ports at once (443, 53, 80 and 21).
See the open ports being listened to on FreeBSD
With the -l flag added to the sockstat command, you will be presented with every open socket that is currently listening, plus all open UNIX domain sockets and any named pipes.
List the ports actively listening on the network
Add the -l and -s flags to the sockstat command to list the open TCP ports together with their listening state.
UDP sockets are not shown this way: UDP is connectionless, so they carry no listening state.
Arrange open ports by the app/command using them
Here is where pairing the sockstat command with the grep utility comes in handy: with grep you can list the open ports by the application currently using them.
The command you would use to list the open ports belonging to the ntpd daemon is:
You can make the listing more specific, showing only connected sockets, by adding the -c flag to the above command:
Display all Unix Sockets
List all the Unix domain sockets by adding the -u flag to the sockstat command:
This should also display the named pipes along with the Unix Sockets.
Arrange open ports by HTTPS Connected Protocols
To list only the sockets connected over HTTPS, use the command below:
List HTTP Remote Sockets
You can also list all of the remote sockets currently using the HTTP or HTTPS ports. Run the following command in the terminal:
$ sockstat -46 -c -p 80,443 | grep -v ADDRESS | awk '{print $7}' | sort | uniq -c | sort -nr
Find the number of times an IP address sent requests
To find out how many connection requests have been received from each IP address, you can run the following command:
If you find an unusually high number of connection requests coming from a single IP address, that is a sign of possible malicious intent, and you can raise the alert level and apply the appropriate safety measures.
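As an added example that is not part of the original article, the following POSIX shell script performs the per-IP count described above on sockstat's column layout and flags peers above a threshold. It runs on a constructed sample of `sockstat -46 -c` output so it works offline; on a real host you would feed it the live command output instead.

```shell
#!/bin/sh
# Count established connections per foreign IP from `sockstat -46 -c` output
# and flag peers with more connections than a chosen threshold.
# SAMPLE is constructed output in sockstat's column layout (USER COMMAND PID FD
# PROTO LOCAL_ADDRESS FOREIGN_ADDRESS); on a real host use: sockstat -46 -c
SAMPLE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
www      httpd      1234  5  tcp4   192.0.2.10:443        198.51.100.7:51234
www      httpd      1234  6  tcp4   192.0.2.10:443        198.51.100.7:51235
www      httpd      1235  5  tcp4   192.0.2.10:443        198.51.100.7:51236
www      httpd      1235  6  tcp4   192.0.2.10:80         203.0.113.5:40001
root     sshd       900   4  tcp4   192.0.2.10:22         203.0.113.9:55000
www      httpd      1236  5  tcp6   2001:db8::10:443      2001:db8:1::7:6000'

# Print "<count> <ip>" for every foreign IP, highest count first.
# Column 7 is FOREIGN ADDRESS; the port is stripped after the last ':' so the
# same rule works for IPv4 and for FreeBSD's unbracketed IPv6 form.
count_by_peer() {
    printf '%s\n' "$1" |
    awk 'NR > 1 && $7 != "" { ip = $7; sub(/:[^:]*$/, "", ip); print ip }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Print only the foreign IPs whose connection count exceeds threshold $2.
flag_peers() {
    count_by_peer "$1" | awk -v max="$2" '$1 > max { print $2 }'
}

count_by_peer "$SAMPLE"
echo "--- peers with more than 2 connections:"
flag_peers "$SAMPLE" 2
```

Pipe live output in with `count_by_peer "$(sockstat -46 -c)"`; the threshold is a tuning knob, not a fixed rule, so set it from what is normal for the host.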
Send a DNS query from TCP socket
You can send a DNS query over a TCP socket from the console, provided that the network is free of other DNS traffic. Run the command below:
Wrapping up
So, you have learned a great deal about using the sockstat command and its flags and switches. You also saw how it can present network diagnostics in different ways and how that information supports many kinds of troubleshooting on FreeBSD. That is a lot in itself, but now that you are familiar with it, consider combining sockstat with other powerful command-line tools, such as netstat and lsof.
from Linux Hint https://ift.tt/2VSca19