Infrastructure Perspective
Ken Gottry, May 2001

2001 Ken Gottry

Table of Contents

  Socket Overview
  netstat Command
  Sample Infrastructure
  Firewalls and Load Balancers
  Miscellany

Socket Overview


What is a Socket?

- A socket is a way for two programs (processes) to communicate.
- Socket = IP Address + Port Number. This uniquely identifies every program in the world, e.g. the web server (port 80) on a given IP address.
- UNIX domain sockets: client and server are on the same computer. Much faster.
- Internet domain sockets: the most commonly used. Client and server can be on the same or on different computers.

Figure: Computer A runs Program X (port 23) and Program Y (port 7001); Computer B runs Program X (port 23), Program Y (port 1521) and Program Z (port 80).

Types of Ports

- Well-known ports: between 0-1024. The same on all UNIX computers around the world. For example, ftp=21, telnet=23, smtp=25, http=80, ldap=389.
- Commonly-used ports: 1024-65535, usually less than 32767. Generally accepted default port numbers: OracleSQL=1521, WebLogic=7001, iPlanet Admin=8888.
- Anonymous (ephemeral) ports: the socket at the client end has to have a port number also. The TCP/IP stack assigns one temporarily. When the socket is closed, this port becomes available for use by another program.

Figure: The web server is LISTENing on port 80 on Computer B. The browser on Computer A asks for a socket connection to port 80 on Computer B by saying http://ComputerB. The PC on which the browser is running assigns an anonymous port (33186) that the browser can use: Web Browser, port 33186 <-> Web Server, port 80.
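The three kinds of port above can be watched directly from a program. The following is an added example in Python (not code from the slides): it opens a listener on the loopback interface, connects to it once, and reports what each end of the socket sees. Binding port 0 is an assumption made so the example runs anywhere; it asks the stack to pick the listening port, whereas a real service binds a fixed well-known or default port such as 80 or 7001. The client never calls bind(), so the port it ends up with is the anonymous (ephemeral) port the stack hands out.

```python
import socket
import threading


def accept_one(listener, seen):
    """Accept a single connection and record the server end's view of it."""
    conn, peer = listener.accept()
    with conn:
        seen["server_end"] = conn.getsockname()  # IP + port the server answered on
        seen["client_end"] = peer                # IP + anonymous port of the caller
        conn.sendall(b"hello from the server end\n")


def demo_socket_pair():
    """Listen on 127.0.0.1 (port chosen by the stack), connect once, return both views.

    Port 0 is an assumption for portability: the kernel picks a free listening port.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listen_port = listener.getsockname()[1]

    seen = {}
    server_thread = threading.Thread(target=accept_one, args=(listener, seen))
    server_thread.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    with client:
        client.connect(("127.0.0.1", listen_port))
        client_end = client.getsockname()   # anonymous port assigned by the TCP/IP stack
        server_end = client.getpeername()   # the well-known/default port of the service
        banner = client.recv(64)
    server_thread.join()
    listener.close()

    return {
        "listen_port": listen_port,
        "client_port": client_end[1],
        # Each end describes the same connection with local/remote swapped,
        # which is why netstat prints two lines when both ends share a computer.
        "client_view": (client_end, server_end),
        "server_view": (seen["server_end"], seen["client_end"]),
        "banner": banner,
    }


if __name__ == "__main__":
    info = demo_socket_pair()
    print("server LISTENing on 127.0.0.1:%d" % info["listen_port"])
    print("client was given anonymous port %d" % info["client_port"])
    print("client view: local %s remote %s" % info["client_view"])
    print("server view: local %s remote %s" % info["server_view"])
```

Run it while `netstat -na` is open in another window and the connection appears twice, once from each end, exactly as the slide describes for a client and server on the same computer.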

What is a Server?

Some people call the computer a server (e.g. print server). Some people call the process a server (e.g. iPlanet web server). If there is little or no chance of confusion, or if little is to be gained from stressing the distinction, then I just say "server". For example: "The browser connects to the web server." Otherwise, I'll use the phrases "server computer" or "server process". For example: "The web server process is listening on port 443 on the web server computer." It can get complicated: the WebLogic app server process running on the app server computer contains a web server process.

As David Once Told Me

"When discussing IP, you are either a host or a piece of wire."

A host is anything that can establish a socket connection, actively or passively, as client or server. If it's not a piece of wire, then I can telnet to it; I can point my browser at it; I can ftp to it; it can run a JVM with a JDBC connection pool; and so on. It may not have any or all of these services running on it, but it could.

Examples of hosts: an IBM mainframe, a Sun E10000, your laptop, a router, your cell phone, your microwave, your refrigerator, your Tivo box, the lock on a hotel door, the Toyota Prius.

Examples of pieces of wire: anything that's not a host :-)


netstat Command

Description of Command

netstat has lots of arguments:
- netstat -a shows the state of all sockets.
- netstat -f inet shows only Internet domain sockets.
- netstat -P tcp shows only the TCP protocol.
- -n suppresses DNS lookup. So, use netstat -na.

The next slide contains sample output from netstat -na. The loopback address 127.0.0.1 refers to localhost. The output shows the client end and the server end of each connection. For example, one line (shown in red on the slide) shows that port 23 (telnet) on the server is connected to port 1714 (anonymous) on the client. If both the client process and the server process are running on the same server computer, then netstat will show 2 lines for that connection.

Sample Output

UDP section (columns: Local Address, Remote Address, State): local ports such as *.42 and *.512 appear in the Idle state.

TCP section (columns: Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State): *.21, *.23 and *.80 are in LISTEN with remote address *.*; further lines show ESTABLISHED and TIME_WAIT connections between specific addresses and ports.

Active UNIX domain sockets

Address      Type        Vnode        Conn       Local Addr   Remote Addr
30000a2bba8  stream-ord  00000000     00000000
30000a2bd48  stream-ord  30000374300  00000000   /tmp/.X11-unix/X0


Ways to use netstat

What server processes are running on a server computer?

  netstat -na | grep LISTEN | more

How many connections are active on a server computer?

  netstat -na | grep ESTABLISH | wc -l

How many connections are in some other state?

  netstat -na -f inet -P tcp | grep -v ESTAB | grep -v LISTEN

What users are connected to my secured web server? (It is very important to use -n here, because the DNS lookup of all the connected browsers may time out or fail.)

  netstat -na | grep 443 | more

How is my JDBC connection pool doing?

  netstat -na | grep 1521 | more

Note: the -v option of grep selects all lines except those that contain the string.
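The grep pipelines above answer the questions quickly, but `grep 443` matches any line that merely contains the digits (a listener on 8443, or an address octet), not just connections to port 443. The following added example in Python (not code from the slides) parses a constructed sample in the layout Solaris `netstat -na` prints for TCP and answers the same four questions by matching the port and state fields exactly; the sample addresses, ports and window values are invented for the example.

```python
from collections import Counter

# Constructed sample (not output from the slides), laid out like Solaris `netstat -na`.
SAMPLE_NETSTAT_NA = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.21                 *.*                0      0 65536      0 LISTEN
      *.23                 *.*                0      0 65536      0 LISTEN
      *.80                 *.*                0      0 65536      0 LISTEN
      *.443                *.*                0      0 65536      0 LISTEN
      *.1521               *.*                0      0 65536      0 LISTEN
10.1.1.10.443        192.0.2.17.33186     9400      0 24820      0 ESTABLISHED
10.1.1.10.443        192.0.2.18.51022     9400      0 24820      0 ESTABLISHED
10.1.1.10.443        192.0.2.19.40117     9400      0 24820      0 TIME_WAIT
10.1.1.10.8443       192.0.2.20.40200     9400      0 24820      0 ESTABLISHED
10.1.1.10.23         192.0.2.30.1714      9400      0 24820      0 ESTABLISHED
10.1.1.10.1521       10.1.1.20.32801      9400      0 24820      0 ESTABLISHED
10.1.1.10.1521       10.1.1.20.32802      9400      0 24820      0 CLOSE_WAIT
10.1.1.10.32803      10.1.1.30.1521       9400      0 24820      0 SYN_SENT
"""

# The TCP socket states netstat can print (last column of each data line).
STATES = {"BOUND", "CLOSED", "CLOSING", "CLOSE_WAIT", "ESTABLISHED", "FIN_WAIT_1",
          "FIN_WAIT_2", "IDLE", "LAST_ACK", "LISTEN", "SYN_RECEIVED", "SYN_SENT", "TIME_WAIT"}


def split_addr(addr):
    """'10.1.1.10.443' -> ('10.1.1.10', 443); '*.21' -> ('*', 21); '*.*' -> ('*', None)."""
    host, _, port = addr.rpartition(".")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket line; banner, column headers and the dashed rule are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[-1] not in STATES:
            continue
        lhost, lport = split_addr(parts[0])
        rhost, rport = split_addr(parts[1])
        conns.append({"local_host": lhost, "local_port": lport,
                      "remote_host": rhost, "remote_port": rport, "state": parts[-1]})
    return conns


def listening_ports(conns):
    """What server processes are running? The ports in LISTEN."""
    return sorted(c["local_port"] for c in conns if c["state"] == "LISTEN")


def count_state(conns, state):
    """How many connections are in a given state (e.g. ESTABLISHED)?"""
    return sum(1 for c in conns if c["state"] == state)


def other_states(conns):
    """How many connections are in some state other than ESTABLISHED or LISTEN?"""
    return Counter(c["state"] for c in conns if c["state"] not in ("ESTABLISHED", "LISTEN"))


def connections_to_port(conns, port):
    """Who is connected to a local port (443, 1521, ...)? Excludes the listener itself."""
    return [(c["remote_host"], c["state"]) for c in conns
            if c["local_port"] == port and c["state"] != "LISTEN"]


def grep_like(text, needle):
    """What `grep <needle>` would count: every line containing the substring."""
    return sum(1 for line in text.splitlines() if needle in line)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT_NA)
    print("LISTENing ports:", listening_ports(conns))
    print("ESTABLISHED:", count_state(conns, "ESTABLISHED"))
    print("other states:", dict(other_states(conns)))
    print("connected to 443:", connections_to_port(conns, 443))
    print("lines grep 443 would match:", grep_like(SAMPLE_NETSTAT_NA, "443"))
```

On the sample, `grep 443` counts five lines (the listener, the 8443 connection and the three real ones), while matching the port field gives the three connections the question actually asks about; the CLOSE_WAIT and SYN_SENT rows are the kind of thing the third question is meant to surface.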


Sample Infrastructure



Port Architecture

Go to any computer with an inbound arrow and netstat should show:
  1) a process that is LISTENing on the indicated port
  2) a socket in the ESTABLISHed state

Go to any computer with an outbound arrow and netstat should show a socket in the ESTABLISHed state.

Go to the Web Server computer and netstat | grep 28004 should show 2 lines representing the client end and the server end of the socket.

Figure (Sample Infrastructure): Web Server (iPlanet Web Server, getAccess Authorization) -> App Server (WebLogic App Server, getAccess Authentication; ports 7001 and 28010 shown) -> DB Server (port 1521).


Firewalls and Load Balancers



Firewall Ruleset

  Source   Target   Port   Service
  Web1     App1     7001   WebLogic
  Web1     App2     7001   WebLogic
  App1     DB1      1521   SQL
  App2     DB1      1521   SQL

- Test with the ttcp utility: Web1 can't access DB1 on port 1521.
- Do we want to allow telnet and ftp?
- We know the port numbers. What about Source and Target? What about DNS (port 53)?

Figure: Web Server #1 -> App Server #1 and App Server #2 -> DB Server #1.
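The ruleset above is an allow list: anything it does not name should be dropped. The following added example in Python (not code from the slides, and not a firewall) models the table as data and answers the two questions the slide raises in code: is a given flow allowed, and which flows should the post-deployment ttcp test confirm are blocked. It also derives, from the same rules, which port each target must be LISTENing on, tying the ruleset back to the port architecture slide. Host names are the slide's; the `denied_flows` enumeration is my addition.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    port: int
    service: str


# The four allow rules from the slide's table.
RULESET = [
    Rule("Web1", "App1", 7001, "WebLogic"),
    Rule("Web1", "App2", 7001, "WebLogic"),
    Rule("App1", "DB1", 1521, "SQL"),
    Rule("App2", "DB1", 1521, "SQL"),
]


def matching_rule(rules, source, target, port):
    """First rule that names exactly this source, target and port, else None."""
    for rule in rules:
        if rule.source == source and rule.target == target and rule.port == port:
            return rule
    return None


def is_allowed(rules, source, target, port):
    """Default deny: a flow passes only if some rule names it. Direction matters."""
    return matching_rule(rules, source, target, port) is not None


def required_listeners(rules):
    """Port(s) each target must be LISTENing on for the allowed flows to work at all."""
    need = {}
    for rule in rules:
        need.setdefault(rule.target, set()).add(rule.port)
    return need


def denied_flows(rules, hosts, ports):
    """Every (source, target, port) the ruleset blocks among the given hosts and ports.

    These are the negative tests (e.g. with ttcp) to run after the firewall is in place;
    the slide's own check, Web1 -> DB1 on 1521, is one of them.
    """
    return sorted((src, dst, port)
                  for src in hosts for dst in hosts for port in ports
                  if src != dst and not is_allowed(rules, src, dst, port))


if __name__ == "__main__":
    hosts = ["Web1", "App1", "App2", "DB1"]
    print("Web1 -> DB1:1521 allowed?", is_allowed(RULESET, "Web1", "DB1", 1521))
    print("Web1 -> App1:7001 allowed?", is_allowed(RULESET, "Web1", "App1", 7001))
    print("required listeners:", required_listeners(RULESET))
    for flow in denied_flows(RULESET, hosts, [7001, 1521, 23]):
        print("expect blocked:", flow)
```

The open questions on the slide (telnet, ftp, DNS) show up naturally: add port 23, 21 or 53 to the `ports` list and every pairing is reported as blocked until someone writes a rule for it.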


What is a Load Balancer?

A Load Balancer is a network device (host) that listens for requests and passes them to 1-to-n servers in an attempt to evenly distribute the workload.

Load Balancer Configuration:
  1. Port and IP on which to LISTEN
  2. Port and IP of each server across which the load should be balanced
  3. Algorithm used to select a server:
     a) Round-robin
     b) Least number of connections
     c) Least CPU utilization
     d) etc.

Figure: Client Browser -> Load Balancer (port 80) -> Web Server #1, Web Server #2, Web Server #3 (each on port 8080).
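The three configuration items above map directly onto a small model. The following added example in Python (not code from the slides, and not any vendor's product) holds the listen address, the back-end list and the selection algorithm, and implements the three algorithms the slide names. It only chooses a server; no traffic is forwarded, and CPU figures are whatever the caller reports, which is an assumption standing in for the agent or SNMP poll a real balancer would use. Server addresses in the usage are invented.

```python
import itertools


class LoadBalancer:
    """Selection logic of a load balancer: which back-end gets the next connection."""

    ALGORITHMS = ("round-robin", "least-connections", "least-cpu")

    def __init__(self, listen, servers, algorithm="round-robin"):
        if algorithm not in self.ALGORITHMS:
            raise ValueError("unknown algorithm %r" % algorithm)
        self.listen = listen                        # 1. (ip, port) the balancer LISTENs on
        self.servers = list(servers)                # 2. (ip, port) of each back-end server
        self.algorithm = algorithm                  # 3. how the next server is chosen
        self.active = {s: 0 for s in self.servers}  # open connections per server
        self.cpu = {s: 0.0 for s in self.servers}   # last reported CPU utilisation, percent
        self._rr = itertools.cycle(self.servers)    # round-robin cursor

    def report_cpu(self, server, percent):
        """Record a CPU reading for a back-end (assumed to come from monitoring)."""
        self.cpu[server] = percent

    def select(self):
        """Pick a server; ties go to the server listed first (min() is stable)."""
        if self.algorithm == "round-robin":
            return next(self._rr)
        if self.algorithm == "least-connections":
            return min(self.servers, key=lambda s: self.active[s])
        return min(self.servers, key=lambda s: self.cpu[s])

    def open_connection(self):
        """A client connected to `listen`; choose a back-end and count the connection."""
        server = self.select()
        self.active[server] += 1
        return server

    def close_connection(self, server):
        """The connection to `server` ended; free its slot."""
        self.active[server] -= 1


if __name__ == "__main__":
    # Constructed topology matching the slide: balancer on 80, three web servers on 8080.
    servers = [("10.0.0.1", 8080), ("10.0.0.2", 8080), ("10.0.0.3", 8080)]
    lb = LoadBalancer(("10.0.0.100", 80), servers, "least-connections")
    for _ in range(4):
        print("next connection ->", lb.open_connection())
    print("active:", lb.active)
```

Least-connections assumes every back-end is equally fast; when one web server is a slower box, the least-CPU variant is what keeps it from being swamped.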



Miscellany


Socket States

The active end requests the connection; the passive end accepts it. Some states refer to the active end, and some to the passive end.

  BOUND          Socket issued bind() call
  CLOSED         Socket is closed
  CLOSING        Closed; then remote shutdown; awaiting acknowledgment
  CLOSE_WAIT     Remote shutdown; waiting for socket to close
  ESTABLISHED    Connection has been established
  FIN_WAIT_1     Socket closed; shutting down connection
  FIN_WAIT_2     Socket closed; waiting for shutdown from remote
  IDLE           Idle; opened, but not bound
  LAST_ACK       Remote shutdown; then closed; awaiting acknowledgment
  LISTEN         Listening for incoming connections
  SYN_RECEIVED   Initial synchronization of the connection underway
  SYN_SENT       Actively trying to establish connection
  TIME_WAIT      Wait after close for remote shutdown retransmission

Figure: Process A (active end) connects to Process B (passive end); Process B is in turn the active end of a connection to Process C (passive end).
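Which of the states above belong to the active end and which to the passive end follows from the TCP state transitions, and walking through them also explains two things netstat regularly shows: the TIME_WAIT entries a browser accumulates (it is usually the active closer) and CLOSE_WAIT entries on a server whose application never called close(). The following added example in Python (not code from the slides) encodes the transitions as a table and drives two endpoints through an open and a close; the event names are my labels for the segments and calls, not anything netstat prints.

```python
# (current state, event) -> next state. Events are my labels for RFC 793 segments/calls.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",         # server: listen()
    ("CLOSED", "active_open"): "SYN_SENT",        # client: connect(), sends SYN
    ("LISTEN", "recv_syn"): "SYN_RECEIVED",       # server sends SYN+ACK
    ("SYN_SENT", "recv_syn_ack"): "ESTABLISHED",  # client sends ACK
    ("SYN_RECEIVED", "recv_ack"): "ESTABLISHED",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",       # active close: sends FIN
    ("ESTABLISHED", "recv_fin"): "CLOSE_WAIT",    # passive close: ACKs the FIN, app must close()
    ("FIN_WAIT_1", "recv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "recv_fin"): "CLOSING",        # both sides closed at once
    ("FIN_WAIT_2", "recv_fin"): "TIME_WAIT",
    ("CLOSING", "recv_ack"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",          # passive side finally sends its FIN
    ("LAST_ACK", "recv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout"): "CLOSED",           # 2*MSL wait for retransmitted FINs
}


class Endpoint:
    """One end of a TCP connection; records every state it passes through."""

    def __init__(self, name):
        self.name = name
        self.state = "CLOSED"
        self.history = ["CLOSED"]

    def step(self, event):
        key = (self.state, event)
        if key not in TRANSITIONS:
            raise ValueError("%s: no transition from %s on %s" % (self.name, self.state, event))
        self.state = TRANSITIONS[key]
        self.history.append(self.state)
        return self.state


def simulate(closer="client"):
    """Three-way handshake, then an orderly close started by `closer`."""
    client, server = Endpoint("client"), Endpoint("server")
    server.step("passive_open")
    client.step("active_open")
    server.step("recv_syn")
    client.step("recv_syn_ack")
    server.step("recv_ack")
    established = (client.state, server.state)

    active, passive = (client, server) if closer == "client" else (server, client)
    active.step("close")        # FIN ->
    passive.step("recv_fin")    # <- ACK, now in CLOSE_WAIT until the app closes
    active.step("recv_ack")
    passive.step("close")       # <- FIN
    active.step("recv_fin")     # ACK ->, active closer sits in TIME_WAIT
    passive.step("recv_ack")
    after_close = (client.state, server.state)

    active.step("timeout")      # TIME_WAIT expires
    return {"established": established, "after_close": after_close,
            "final": (client.state, server.state),
            "client_history": client.history, "server_history": server.history}


if __name__ == "__main__":
    result = simulate("client")
    print("client:", " -> ".join(result["client_history"]))
    print("server:", " -> ".join(result["server_history"]))
```

Stop the simulation just after `passive.step("recv_fin")` and the passive side is stuck in CLOSE_WAIT: that is the netstat picture of an application that has stopped reading but never closed its sockets.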




The lsof command displays a list (ls) of open files (of). The list shows which process (PID) has each file open. Sockets are files as far as UNIX is concerned, so they show up in the list. This is helpful when you have lots of instances of the same process all listening on the same port (e.g. ATG Dynamo DRPs or Broadvision IMs).

Sample lsof output (lsof's columns are COMMAND, PID, USER, FD, TYPE, DEVICE, SIZE/OFF, NODE, NAME). Among the entries: ns-httpd (PID 2037, user nobody) holding TCP *:80 (LISTEN); in.telnet (PID 8371, user root) holding several TCP kgottryu10:telnet-> (ESTABLISHED) sockets; and jmeter-se (PID 24915) and java (PID 24919), one of which holds TCP *:33239 (LISTEN). The other rows are ordinary files and directories such as / (/dev/dsk/c0t0d0s0), /usr/local (/dev/dsk/c0t0d0s4) and /usr/bin/sh.


Promiscuous Mode

Promiscuous mode (sniffers): listen for any port, any IP address.

Socket traffic between the Client PC and the Web Server travels over Subnet A. A sniffer in promiscuous mode can see all socket traffic on Subnet A. Therefore, the sniffer can see everything the Client PC sends to the Web Server and everything the Web Server sends to the Client PC.

Socket traffic between the Web Server and the App Server travels over Subnet B. The sniffer in promiscuous mode can't see any socket traffic on Subnet B.

Figure: Client PC, Promiscuous Mode Sniffer and Web Server on Subnet A; Web Server, App Server, Router and DB Server on Subnet B.


Everything Else

- Use telnet host port (e.g. telnet host 80) to establish a socket connection to any host on any port. If you omit the port (i.e. just use telnet host) it will use the well-known telnet port 25.
- Windows has a netstat command. Open a DOS window and try netstat -na. See some LISTENing ports that hackers might attack? Use your browser to open some web sites, then jump back to the DOS window and try netstat -na again. See some ESTABLISHed sockets? See some TIME_WAIT?
- Denial of Service (DoS) attacks start to make a socket connection from a fake location, so the connection can never be completed.