
Sockets
Infrastructure Perspective
Ken Gottry, May 2001

www.gottry.com

2001 Ken Gottry

Table of Contents
  Overview
  netstat Command
  Sample Infrastructure
  Firewalls and Load Balancers
  Miscellany


Socket Overview


What is a Socket?

A socket is a way for two programs (processes) to communicate.
Socket = IP Address + Port Number. This pair uniquely identifies every program in the world; for example, 192.168.1.200:80 is the web server (port 80) on 192.168.1.200.

UNIX domain sockets: client and server on the same computer. Much faster.
Internet domain sockets: most commonly used. Client and server can be on the same or different computers.
Figure (diagram): Computer A 192.168.1.200 running Program X (port 23) and Program Y (port 7001); Computer B 66.66.34.202 running Program X (port 23), Program Y (port 1521) and Program Z (port 80).


Types of Ports

Well-known ports: between 0-1024. Same on all UNIX computers around the world. For example, ftp=21, telnet=23, smtp=25, http=80, ldap=389.

Commonly-used ports: 1024-65535. Usually less than 32767. Generally accepted default port numbers. OracleSQL=1521, WebLogic=7001, iPlanet Admin=8888.

Anonymous (ephemeral) ports: the socket at the client end has to have a port number also. The TCP/IP stack assigns one temporarily. When the socket is closed, this port becomes available for use by another program.
Figure (diagram): Computer A 192.168.1.200 runs the Web Browser on port 33186; Computer B 66.66.34.202 runs the Web Server on port 80. The Web Server is LISTENing on port 80 on Computer B. The Browser asks for a socket connection to port 80 on 66.66.34.202 by saying http://ComputerB. The PC on which the browser is running assigns an anonymous port (33186) that the browser can use.
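The browser-to-web-server picture above can be reproduced on one machine with the Python socket API. The block below is an added example, not code from the slides: it opens a server socket on an OS-assigned port (standing in for the web server's port 80), connects a client to it, and returns both ends of the connection so you can see that the client end really does get an anonymous port and that each side identifies the other by IP address plus port. It assumes only the loopback address 127.0.0.1 is usable; the port numbers it reports are whatever the stack hands out.

```python
import socket
import threading


def demo_socket_pair(host="127.0.0.1"):
    """Open a server socket on an OS-assigned port, connect a client to it and
    return both ends of the resulting connection as (IP, port) pairs."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))                 # port 0: let the stack pick a free port
    server.listen(1)                        # the socket is now in the LISTEN state
    server.settimeout(5)                    # do not hang forever if accept() never fires
    listening = server.getsockname()        # (host, port) a "browser" would connect to

    accepted = {}

    def accept_one():
        conn, peer = server.accept()        # server end of the new socket
        accepted["conn"], accepted["peer"] = conn, peer

    worker = threading.Thread(target=accept_one)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(listening)               # the stack assigns the client an ephemeral port
    worker.join()

    result = {
        "server_listening": listening,             # the well-known/commonly-used end
        "client_local": client.getsockname(),      # the anonymous (ephemeral) port
        "client_remote": client.getpeername(),     # equals server_listening
        "server_side_peer": accepted["peer"],      # what the server sees as the client
    }
    accepted["conn"].close()
    client.close()
    server.close()
    return result


def is_ephemeral(port):
    """True for a port the stack would hand out as an anonymous port: above the
    well-known range described on the slides and within the valid port space."""
    return 1024 < port <= 65535


if __name__ == "__main__":
    for name, addr in demo_socket_pair().items():
        print("%-18s %s:%d" % (name, addr[0], addr[1]))
```

Run it and compare the two `client_*` lines with `netstat -na` on the same machine: the ESTABLISHED line shows the same four numbers (server IP and port, client IP and ephemeral port), once from each end.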


What is a Server?

Some people call the computer a server (e.g. print server). Some people call the process a server (e.g. iPlanet web server). If there is little or no chance of confusion, or if little is to be gained from stressing the distinction, then I just say "server". For example, "The browser connects to the web server." Otherwise, I'll use the phrases "server computer" or "server process". For example, "the web server process is listening on port 443 on the web server computer." It can get complicated: the WebLogic app server process running on the app server computer contains a web server process.


As David Once Told Me

"When discussing IP you are either a host or a piece of wire."

A host is anything that can establish a socket connection, actively or passively (client or server). If it's not a piece of wire, then I can telnet to it, I can point my browser at it, I can ftp to it, it can run a JVM with a JDBC connection pool, and so on. It may not have any or all of these services running on it, but it could.

Examples of hosts: an IBM mainframe, a Sun E10000, your laptop, a router, your cell phone, your microwave, your refrigerator, your Tivo box, the lock on a hotel door, the Toyota Prius.
Examples of pieces of wire: anything that's not a host :-)


netstat Command


Description of Command

netstat has lots of arguments. netstat -a shows the state of all sockets. netstat -f inet shows Internet domain sockets only. netstat -P tcp shows the TCP protocol only. -n suppresses DNS lookup. So, use netstat -na.

The next slide contains sample output from netstat -na. 127.0.0.1 refers to localhost. The output shows the client end and the server end of each connection. For example, the highlighted line (192.168.1.200.23 to 192.168.1.150.1714) shows that port 23 (telnet) on 192.168.1.200 (server) is connected to port 1714 (anonymous) on 192.168.1.150 (client). If both the client process and the server process are running on the same server computer, then netstat will show 2 lines for that connection.

Sample Output

UDP
   Local Address        Remote Address     State
-------------------- -------------------- -------
      *.42                                 Idle
      *.512                                Idle
127.0.0.1.53                               Idle
192.168.1.200.53                           Idle

TCP
   Local Address        Remote Address     Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.21                 *.*                0      0     0      0 LISTEN
      *.23                 *.*                0      0     0      0 LISTEN
      *.80                 *.*                0      0     0      0 LISTEN
192.168.1.200.23     192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
192.168.1.200.80     192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1717    9315      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1718    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1719    9300      0  9520      0 ESTABLISHED

Active UNIX domain sockets
Address      Type        Vnode        Conn      Local Addr         Remote Addr
30000a2bba8  stream-ord  00000000     00000000
30000a2bd48  stream-ord  30000374300  00000000  /tmp/.X11-unix/X0


Ways to use netstat

What server processes are running on a server computer?
    netstat -na | grep LISTEN | more

How many connections are active on a server computer?
    netstat -na | grep ESTABLISH | wc -l

How many connections are in some other state?
    netstat -na -f inet -P tcp | grep -v ESTAB | grep -v LISTEN

What users are connected to my secured web server? (very important to use -n because DNS lookup of all the connected browsers may time-out or fail)
    netstat -na | grep 443 | more

How is my JDBC connection pool doing?
    netstat -na | grep 1521 | more

Note: The -v option of grep says all lines except those that contain the string.

Sample Infrastructure


Port Architecture

Go to any computer with an inbound arrow and netstat should show:
  1) a process that is LISTENing on the indicated port
  2) a socket in the ESTABLISHed state

Go to any computer with an outbound arrow and netstat should show a socket in the ESTABLISHed state.

Go to the Web Server computer and netstat | grep 28004 should show 2 lines representing the client end and server end of the socket.

Figure (diagram of the sample infrastructure):
  Web Server 192.168.1.100: iPlanet Web Server, port 443; getAccess Authorization, port 28004
  App Server 192.168.30.50: WebLogic App Server, port 7001; getAccess Authentication, port 28010
  DB Server 192.168.30.51: Oracle, port 1521; LDAP, port 389
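The grep pipelines on the "Ways to use netstat" slide and the LISTEN/ESTABLISHED checks described for the port architecture both boil down to parsing `netstat -na` output and asking questions of it. The block below is an added example written for this page, not code from the slides: it parses the Solaris-style layout shown on the Sample Output slide, answers the five "ways to use netstat" questions as functions, and adds a check that a host's inbound ports all have a LISTENer and its outbound arrows all have an ESTABLISHED socket. The sample output is constructed for the example; it reuses the slides' addresses (web server 192.168.1.200, DB server 192.168.30.51) and adds 443 and 1521 connections that the original output did not include.

```python
from collections import Counter

# Constructed sample in the Solaris "netstat -na" layout of the Sample Output
# slide (TCP section only). The web server 192.168.1.200 listens on 21/23/80/443,
# serves two browsers on 443 and holds a JDBC pool to Oracle (1521) on 192.168.30.51.
SAMPLE_NETSTAT = """\
TCP
   Local Address        Remote Address     Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.21                 *.*                0      0     0      0 LISTEN
      *.23                 *.*                0      0     0      0 LISTEN
      *.80                 *.*                0      0     0      0 LISTEN
      *.443                *.*                0      0     0      0 LISTEN
192.168.1.200.23     192.168.1.150.1714    8732      1  9520      0 ESTABLISHED
192.168.1.200.80     192.168.1.150.1716    9400      0  9520      0 TIME_WAIT
192.168.1.200.80     192.168.1.150.1717    9315      0  9520      0 TIME_WAIT
192.168.1.200.443    192.168.1.150.1720    9400      0  9520      0 ESTABLISHED
192.168.1.200.443    192.168.1.151.2201    9400      0  9520      0 ESTABLISHED
192.168.1.200.33190  192.168.30.51.1521    9300      0  9520      0 ESTABLISHED
192.168.1.200.33191  192.168.30.51.1521    9300      0  9520      0 ESTABLISHED
192.168.1.200.33192  192.168.30.51.1521    9300      0  9520      0 SYN_SENT
"""

TCP_STATES = {"LISTEN", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT", "SYN_SENT",
              "SYN_RECEIVED", "FIN_WAIT_1", "FIN_WAIT_2", "LAST_ACK", "CLOSING",
              "BOUND", "IDLE"}


def split_addr(addr):
    """'192.168.1.200.23' -> ('192.168.1.200', 23); '*.23' -> ('*', 23);
    '*.*' -> ('*', None). Solaris joins host and port with a dot, so split on
    the last dot only."""
    host, _, port = addr.rpartition(".")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """One dict per TCP socket line: local/remote (host, port) and state.
    Headers, rule lines and the UDP/UNIX sections are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[-1] not in TCP_STATES:
            continue
        rows.append({"local": split_addr(parts[0]),
                     "remote": split_addr(parts[1]),
                     "state": parts[-1]})
    return rows


# The five questions from "Ways to use netstat", answered from the parsed rows.
def listening_ports(rows):                       # netstat -na | grep LISTEN
    return sorted({r["local"][1] for r in rows if r["state"] == "LISTEN"})

def count_established(rows):                     # netstat -na | grep ESTABLISH | wc -l
    return sum(1 for r in rows if r["state"] == "ESTABLISHED")

def other_states(rows):                          # ... | grep -v ESTAB | grep -v LISTEN
    return Counter(r["state"] for r in rows if r["state"] not in ("ESTABLISHED", "LISTEN"))

def clients_on_port(rows, port):                 # netstat -na | grep 443
    """Remote hosts with an ESTABLISHED connection to our local port; raw
    addresses only, so no DNS lookup can stall the answer."""
    return sorted({r["remote"][0] for r in rows
                   if r["local"][1] == port and r["state"] == "ESTABLISHED"})

def pool_status(rows, port):                     # netstat -na | grep 1521
    """State breakdown of our outbound connections to a remote port (JDBC pool)."""
    return Counter(r["state"] for r in rows if r["remote"][1] == port)


# The "Port Architecture" check: every inbound arrow needs a LISTENer, every
# outbound arrow needs an ESTABLISHED socket to the far end.
def check_port_architecture(rows, inbound_ports, outbound):
    problems = []
    listeners = set(listening_ports(rows))
    for port in inbound_ports:
        if port not in listeners:
            problems.append("no process LISTENing on port %d" % port)
    for host, port in outbound:
        if not any(r["remote"] == (host, port) and r["state"] == "ESTABLISHED" for r in rows):
            problems.append("no ESTABLISHED socket to %s port %d" % (host, port))
    return problems


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("established:", count_established(rows))
    print("other states:", dict(other_states(rows)))
    print("clients on 443:", clients_on_port(rows, 443))
    print("pool to 1521:", dict(pool_status(rows, 1521)))
    print("problems:", check_port_architecture(
        rows, [443, 28004], [("192.168.30.51", 1521), ("192.168.30.50", 7001)]))
```

On a real host, feed the function the output of `netstat -na` (piped through `netstat -na -f inet -P tcp` on Solaris to drop the UDP and UNIX sections). The check deliberately reports the web server of the sample as missing its 28004 LISTENer and its 7001 connection to the app server, which is exactly what you would look for first when a request path through the figure above is broken.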


Firewalls and Load Balancers


Firewall Ruleset

  Source  Target  Port  Protocol  Use
  Web1    App1    7001  TCP       WebLogic
  Web1    App2    7001  TCP       WebLogic
  App1    DB1     1521  TCP       SQL
  App2    DB1     1521  TCP       SQL

Test with the ttcp utility. Web1 can't access DB1 on port 1521.
Do we want to allow telnet and ftp?
We know port numbers. What about Source and Target? What about DNS (port 53)?

Figure (diagram): Web Server #1 (port 443 on the outside) connects through the Firewall on port 7001 to App Server #1 and App Server #2; the App Servers connect through the Firewall on port 1521 to DB Server #1.
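The ruleset above is small enough to check by hand, but the questions the slide asks (does Web1 reach DB1, is telnet open, is DNS covered) are the ones a ruleset review needs answered for every flow, not just four. The block below is an added example and not part of the slides or any firewall product: it encodes the four rules with a default-deny policy, evaluates flows against them, and reports required flows that no rule permits. The host name DNS1 and the "any" wildcard are assumptions of the example.

```python
from collections import namedtuple

Rule = namedtuple("Rule", "source target port protocol use")

# The four rules in the slide's table. Anything not listed is denied.
RULESET = [
    Rule("Web1", "App1", 7001, "TCP", "WebLogic"),
    Rule("Web1", "App2", 7001, "TCP", "WebLogic"),
    Rule("App1", "DB1", 1521, "TCP", "SQL"),
    Rule("App2", "DB1", 1521, "TCP", "SQL"),
]


def matching_rule(ruleset, source, target, port, protocol="TCP"):
    """First rule that permits the flow, or None (default deny). A rule field
    of 'any' acts as a wildcard; that is an assumption of this example, the
    slide's rules are all exact matches."""
    for rule in ruleset:
        if (rule.source in (source, "any") and rule.target in (target, "any")
                and rule.port in (port, "any") and rule.protocol == protocol.upper()):
            return rule
    return None


def is_allowed(ruleset, source, target, port, protocol="TCP"):
    return matching_rule(ruleset, source, target, port, protocol) is not None


def audit(ruleset, flows):
    """Decide a list of (source, target, port, protocol) flows at once; the
    result reads like the test matrix you would run with ttcp."""
    verdicts = {}
    for flow in flows:
        rule = matching_rule(ruleset, *flow)
        verdicts[flow] = "ALLOW (%s)" % rule.use if rule else "DENY"
    return verdicts


def missing_rules(ruleset, required):
    """Flows the infrastructure needs but the ruleset does not cover (the
    slide's 'what about DNS?' question)."""
    return [flow for flow in required if not is_allowed(ruleset, *flow)]


if __name__ == "__main__":
    for flow, verdict in audit(RULESET, [
            ("Web1", "App1", 7001, "TCP"),
            ("Web1", "DB1", 1521, "TCP"),     # the slide's ttcp test: must be denied
            ("Web1", "App1", 23, "TCP"),      # telnet: not in the table
            ("App1", "DNS1", 53, "UDP")]).items():   # DNS1 is a hypothetical resolver
        print(flow, "->", verdict)
    print("missing:", missing_rules(RULESET, [("App1", "DNS1", 53, "UDP")]))
```

Keeping the evaluation default-deny makes the second question on the slide answer itself: telnet and ftp are closed unless someone writes a rule for them, and the `missing_rules` report is where DNS (or any other service the diagram forgot) shows up before the firewall goes live.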


What is a Load Balancer?

A Load Balancer is a network device (host) that listens for requests and passes them to 1-to-n servers in an attempt to evenly distribute the workload.

Load Balancer Configuration:
1. Port and IP on which to LISTEN
2. Port and IP of each server across which the load should be balanced
3. Algorithm used to select a server
   a) Round-robin
   b) Least number of connections
   c) Least CPU utilization
   d) etc.

Figure (diagram): the Client Browser connects to www.gottry.com (66.66.34.202 port 80), which is the Load Balancer; the Load Balancer forwards to Web Server #1 (10.3.22.13 port 8080), Web Server #2 (10.3.22.14 port 8080) and Web Server #3 (10.3.22.15 port 8080).
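The three configuration items and the first two selection algorithms can be shown in a few lines. This is an added example, not code from the slides or from any load balancer product: it models the configuration in the figure (one listening address, three servers on port 8080) and replays a sequence of connection opens and closes so you can see how round-robin and least-connections pick differently once connections start to close.

```python
import itertools


class LoadBalancer:
    """Listens on one (ip, port) and hands each new connection to one of n
    servers; tracks open connections so least-connections can be computed."""

    def __init__(self, listen, servers, algorithm="round_robin"):
        self.listen = listen                    # 1. port and IP the LB LISTENs on
        self.servers = list(servers)            # 2. (ip, port) of each real server
        self.algorithm = algorithm              # 3. selection algorithm
        self.active = {s: 0 for s in self.servers}   # open connections per server
        self._cycle = itertools.cycle(self.servers)

    def choose(self):
        if self.algorithm == "round_robin":
            return next(self._cycle)
        if self.algorithm == "least_connections":
            # ties go to the earliest server in the configured list
            return min(self.servers, key=lambda s: (self.active[s], self.servers.index(s)))
        raise ValueError("unknown algorithm: %s" % self.algorithm)

    def open_connection(self):
        server = self.choose()
        self.active[server] += 1
        return server

    def close_connection(self, server):
        if self.active[server] == 0:
            raise ValueError("no open connection on %s:%d" % server)
        self.active[server] -= 1


# The figure's configuration: www.gottry.com 66.66.34.202:80 in front of
# three web servers on port 8080.
LISTEN = ("66.66.34.202", 80)
SERVERS = [("10.3.22.13", 8080), ("10.3.22.14", 8080), ("10.3.22.15", 8080)]


def simulate(algorithm, events):
    """Replay events ('open', or ('close', server)) and return the servers
    chosen for each open, in order."""
    lb = LoadBalancer(LISTEN, SERVERS, algorithm)
    chosen = []
    for event in events:
        if event == "open":
            chosen.append(lb.open_connection())
        else:
            lb.close_connection(event[1])
    return chosen


if __name__ == "__main__":
    events = ["open", "open", "open", ("close", SERVERS[1]), "open", "open"]
    print("round_robin      :", simulate("round_robin", events))
    print("least_connections:", simulate("least_connections", events))
```

Note that the client only ever sees the listening address: a `netstat -na` on a web server shows ESTABLISHED sockets whose remote end is the load balancer (or, depending on the device, the original client address it preserves), which is why the client-side view and the server-side view of "who is connected" can differ.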


Miscellany


Socket States

The active end requests the connection; the passive end accepts it. Some states refer to the active end, and some to the passive end.

  State         Explanation
  BOUND         Socket issued bind( ) call
  CLOSED        Socket is closed
  CLOSING       Closed; then remote shutdown; awaiting acknowledgment
  CLOSE_WAIT    Remote shutdown; waiting for socket to close
  ESTABLISHED   Connection has been established
  FIN_WAIT_1    Socket closed; shutting down connection
  FIN_WAIT_2    Socket closed; waiting for shutdown from remote
  IDLE          Idle; opened, but not bound
  LAST_ACK      Remote shutdown; then closed; awaiting acknowledgment
  LISTEN        Listening for incoming connections
  SYN_RECEIVED  Initial synchronization of the connection underway
  SYN_SENT      Actively trying to establish connection
  TIME_WAIT     Wait after close for remote shutdown retransmission

Figure (diagram): Process A (active end) connected to Process B (passive end); Process B (active end) connected to Process C (passive end).
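The table lists the states but not the order a socket moves through them, which is what you need when `netstat` shows a pile of CLOSE_WAIT or TIME_WAIT sockets and you want to know which side is stuck. The block below is an added example, not code from the slides: it encodes the slide's states as a simplified transition table and walks an active end (connect, then close first) and a passive end (listen, then close second) through it. Two simplifications are assumptions of the example: the listening socket itself is walked through SYN_RECEIVED (a real stack does that on the accepted child socket), and the ACKs a stack sends are folded into the handshake events.

```python
# Simplified TCP socket state machine built from the slide's table. Keys are
# (state, event). Events are local calls (bind, listen, connect, close), the
# arrival of a segment from the remote end (recv_syn, recv_syn_ack, recv_ack,
# recv_fin), or the TIME_WAIT timer expiring (timeout).
TRANSITIONS = {
    ("IDLE", "bind"): "BOUND",                 # opened, now bound
    ("BOUND", "listen"): "LISTEN",             # passive open
    ("BOUND", "connect"): "SYN_SENT",          # active open
    ("LISTEN", "recv_syn"): "SYN_RECEIVED",    # synchronization underway
    ("SYN_RECEIVED", "recv_ack"): "ESTABLISHED",
    ("SYN_SENT", "recv_syn_ack"): "ESTABLISHED",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",    # we close first (active close)
    ("FIN_WAIT_1", "recv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "recv_fin"): "CLOSING",     # both ends closed at once
    ("CLOSING", "recv_ack"): "TIME_WAIT",
    ("FIN_WAIT_2", "recv_fin"): "TIME_WAIT",
    ("TIME_WAIT", "timeout"): "CLOSED",
    ("ESTABLISHED", "recv_fin"): "CLOSE_WAIT", # remote closed first (passive close)
    ("CLOSE_WAIT", "close"): "LAST_ACK",
    ("LAST_ACK", "recv_ack"): "CLOSED",
}

# Which end a state belongs to: "active" = the end that initiated the open or
# the close, "passive" = the end that accepted it, "either" = both.
END = {
    "LISTEN": "passive", "SYN_RECEIVED": "passive",
    "CLOSE_WAIT": "passive", "LAST_ACK": "passive",
    "SYN_SENT": "active", "FIN_WAIT_1": "active", "FIN_WAIT_2": "active",
    "CLOSING": "active", "TIME_WAIT": "active",
}


def walk(events, start="IDLE"):
    """Apply events in order and return every state visited, starting with
    `start`. An event the current state cannot accept raises ValueError."""
    state, visited = start, [start]
    for event in events:
        try:
            state = TRANSITIONS[(state, event)]
        except KeyError:
            raise ValueError("event %r is not valid in state %s" % (event, state))
        visited.append(state)
    return visited


def which_end(state):
    return END.get(state, "either")


# A client that connects and later hangs up first ...
ACTIVE_SIDE = ["bind", "connect", "recv_syn_ack", "close", "recv_ack", "recv_fin", "timeout"]
# ... and the server that accepted it and closes after the client's FIN arrives.
PASSIVE_SIDE = ["bind", "listen", "recv_syn", "recv_ack", "recv_fin", "close", "recv_ack"]


if __name__ == "__main__":
    for label, events in (("active", ACTIVE_SIDE), ("passive", PASSIVE_SIDE)):
        print(label, "->", " > ".join(walk(events)))
```

Read against `netstat` output: a server with many sockets stuck in CLOSE_WAIT has received the client's FIN but its own process never called close (a bug in the server program), while many TIME_WAIT sockets are normal on whichever end closes first and drain on their own once the timer expires.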


lsof

The lsof command displays a list (ls) of open files (of). The list shows which process (PID) has the file open. Sockets are files as far as UNIX is concerned, so they show in the list. Helpful when you have lots of instances of the same process all listening on the same port (e.g. ATG Dynamo DRPs or Broadvision IMs).

COMMAND     PID   USER   FD   TYPE        DEVICE SIZE/OFF   NODE NAME
ns-httpd   2037 nobody  cwd   VDIR         136,0      512 111005 / (/dev/dsk/c0t0d0s0)
ns-httpd   2037 nobody  txt   VREG         136,4     3692  16116 /usr/local (/dev/dsk/c0t0d0s4)
ns-httpd   2037 nobody  txt   VREG         136,4     4862  16294 /usr/local
ns-httpd   2037 nobody 260u   inet 0x30001081938      0t0    TCP *:80 (LISTEN)
in.telnet  8371   root  txt   VREG         136,0    17256 280771 /usr/platform/sun4u/lib/libc_psr.so.1
in.telnet  8371   root  txt   VREG         136,0    19876  71721 /usr/lib/libmp.so.2
in.telnet  8371   root   0u   inet 0x300008307b0    0t101    TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet  8371   root   1u   inet 0x300008307b0    0t101    TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet  8371   root   2u   inet 0x300008307b0    0t101    TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
jmeter-se 24915   root  cwd   VDIR         136,0      512 243203 / (/dev/dsk/c0t0d0s0)
jmeter-se 24915   root  txt   VREG         136,0    91668 137706 /usr/bin/sh
java      24919   root  cwd   VDIR         136,0      512 243203 / (/dev/dsk/c0t0d0s0)
java      24919   root  txt   VREG         136,0    25820 336296 / (/dev/dsk/c0t0d0s0)
java      24919   root  txt   VREG         136,0    27884  71751 /usr/lib/nss_files.so.1
java      24919   root  15u   inet 0x30000830670      0t0    TCP *:33239 (LISTEN)
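The question the slide raises, which of several identical daemons owns a given port, is answered by reading the socket lines of lsof and grouping them by port and PID. The block below is an added example and not part of the slides or of lsof: it parses socket lines in the layout shown above, maps listening ports to the (command, PID) pairs that hold them, and counts a process once even when, as with in.telnet's fds 0, 1 and 2, several descriptors share one connection. The sample copies the slide's socket lines and adds two constructed "dynamo" processes on a constructed port 8850 to show the many-instances case.

```python
import socket

# Constructed lsof sample: the socket lines of the slide plus two invented
# "dynamo" processes that both listen on 8850. Columns are COMMAND PID USER FD
# TYPE DEVICE SIZE/OFF NODE NAME; for internet sockets NODE is the protocol and
# NAME is "local->remote (STATE)" or "*:port (LISTEN)".
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE        DEVICE SIZE/OFF   NODE NAME
ns-httpd   2037 nobody 260u   inet 0x30001081938      0t0    TCP *:80 (LISTEN)
in.telnet  8371   root   0u   inet 0x300008307b0    0t101    TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet  8371   root   1u   inet 0x300008307b0    0t101    TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
in.telnet  8371   root   2u   inet 0x300008307b0    0t101    TCP kgottryu10:telnet->192.168.1.150:2170 (ESTABLISHED)
java      24919   root  15u   inet 0x30000830670      0t0    TCP *:33239 (LISTEN)
dynamo    31001   root   7u   inet 0x30000830a00      0t0    TCP *:8850 (LISTEN)
dynamo    31002   root   7u   inet 0x30000830b10      0t0    TCP *:8850 (LISTEN)
"""

# The well-known ports listed on the Types of Ports slide; other service names
# are resolved through /etc/services when it is available.
WELL_KNOWN = {"ftp": 21, "telnet": 23, "smtp": 25, "http": 80, "ldap": 389}


def port_number(text):
    """'80' -> 80; 'telnet' -> 23. Unknown service names are returned unchanged."""
    if text.isdigit():
        return int(text)
    if text in WELL_KNOWN:
        return WELL_KNOWN[text]
    try:
        return socket.getservbyname(text)
    except OSError:
        return text


def parse_lsof(text):
    """One record per internet-socket line. Each fd is its own open file, so
    the three telnet descriptors become three records for one connection."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[4] != "inet":
            continue                                  # header or non-socket line
        command, pid, user, fd, _, device, _, proto, name = parts[:9]
        state = parts[9].strip("()") if len(parts) > 9 else ""
        local, _, remote = name.partition("->")
        lhost, _, lport = local.rpartition(":")
        records.append({"command": command, "pid": int(pid), "user": user,
                        "fd": fd, "proto": proto,
                        "local": (lhost, port_number(lport)),
                        "remote": remote or None, "state": state})
    return records


def listeners_by_port(records):
    """{port: [(command, pid), ...]} for LISTENing sockets: which of the N
    identical daemons owns port X."""
    result = {}
    for r in records:
        if r["state"] == "LISTEN":
            result.setdefault(r["local"][1], []).append((r["command"], r["pid"]))
    return result


def pids_with_connection(records, remote):
    """Distinct PIDs holding an ESTABLISHED socket to `remote` ('host:port'),
    counting a process once however many fds share the connection."""
    return sorted({r["pid"] for r in records
                   if r["state"] == "ESTABLISHED" and r["remote"] == remote})


if __name__ == "__main__":
    recs = parse_lsof(SAMPLE_LSOF)
    for port, owners in sorted(listeners_by_port(recs).items()):
        print("port %-6d %s" % (port, owners))
    print("connected to 192.168.1.150:2170:", pids_with_connection(recs, "192.168.1.150:2170"))
```

Pair the two views: `netstat -na` tells you a port is in LISTEN, and lsof tells you which PID (and which user) put it there, which is the pairing you want when an unexpected LISTENer turns up on a server.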


Promiscuous Mode

Promiscuous mode (sniffers): listen for any port, any IP address.

Socket traffic between the Client PC and the Web Server travels over Subnet A. The sniffer in promiscuous mode can see all socket traffic on Subnet A. Therefore, the sniffer can see everything the Client PC sends to the Web Server and everything the Web Server sends to the Client PC.

Socket traffic between the Web Server and the App Server travels over Subnet B. The sniffer in promiscuous mode can't see any socket traffic on Subnet B.

Figure (diagram): the Client PC and the Promiscuous Mode Sniffer sit on Subnet A together with the Web Server; a Router joins Subnet A to Subnet B; the Web Server, App Server and DB Server sit on Subnet B.


Everything Else

Use telnet host port (e.g. telnet www.nervewire.com 80) to establish a socket connection to any host on any port. If you omit port (i.e. just use telnet host) it will use the well-known telnet port 23.

Windows has a netstat command. Open a DOS window and try netstat -na. See some LISTENing ports that hackers might attack? Use your browser to open some web sites. Then jump to the DOS window and try netstat -na. See some ESTABLISHed sockets? See some TIME_WAIT?

Denial of Service (DoS) attacks start to make a socket connection from a fake location, thus the connection can never be completed.
