1

If I perform an operation that establishes a TCP connection (e.g., an HTTP connection), the first thing that happens is that the 3-step TCP handshake is made. If I then use netstat, it shows me that there is a TCP connection with state ESTABLISHED:

$ netstat -an | grep ESTAB
Proto   Recv-Q  Send-Q Local Address       Foreign Address         State
tcp          0       0 <source IP>:49472   <destination IP>:80     ESTABLISHED

  1. How does netstat know that my client software made a TCP handshake with the server and that there now is an established connection? My best guess is that netstat looks at file descriptors or something else in the OS that holds this information, but I can't find any information about it.

  2. Can I somehow check the connections in the same way that netstat internally does?

Andy Dalton
  • 13,654
  • 1
  • 25
  • 45
Stefan Vahlgren
  • 11
  • 2
  • 1
    `netstat` usage should probably be replaced with `ss`. Both of these commands read files like /proc/self/net/tcp to get the information you are after. This is documented in the proc(5) manual page. – icarus Oct 08 '20 at 18:19
  • 1. netstat is just formatting the data from `/proc/net/{tcp,udp,unix,..}`. 2. Of course you can, `netstat` is just a program, like any other. You may do the same things it does. There are even better interfaces than the `/proc/` files, like [sock_diag](https://man7.org/linux/man-pages/man7/sock_diag.7.html). You should also take into account the network namespace(s) you have access to. –  Oct 08 '20 at 18:20
  • 2
    @icarus `ss` does not get its information from `/proc`, but via `sock_diag` netlink sockets. –  Oct 08 '20 at 18:21
  • Thank you. Now when I see how it seems to work, my question seems pretty basic. For tcp connects this information is read in /proc/net/tcp, where the 4th attribute from the left would be the state that I am looking for: sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode 0: 3500005E:0025 00000000:0000 0A 00000000:00000000 00:00000000 00000000 101 0 24150 1 ffff8700a6664bc0 100 0 0 10 0 – Stefan Vahlgren Oct 08 '20 at 18:46

0 Answers0