2

We're running a Apache webserver on Arch Linux (build from May '10) and while monitoring connections with netstat we're seeing some odd connections on port 443 that don't report an IP address; is this cause for concern? We also don't don't get full ip addresses reported for remote hosts on 90% of our connections, we just get the first three portions of the IP, a period, and then the remote port. Any ideas on why either of these things is happening?

    tcp        0      0 ::ffff:xxx.xxx.xxx.xxx:80 ::ffff:yyy.yyy.yyy.:60027 TIME_WAIT   
    tcp        0      0 ::ffff:xxx.xxx.xxx.xxx:80 ::ffff:yyy.yyy.yyy.:62145 TIME_WAIT   
    tcp        0      0 ::1:48439               ::1:443                 TIME_WAIT   
    tcp        0      0 ::1:47370               ::1:443                 TIME_WAIT    
    tcp        0      0 ::1:48413               ::1:443                 TIME_WAIT   
    tcp        0      0 ::1:48563               ::1:443                 TIME_WAIT     
    tcp        0      0 ::ffff:xxx.xxx.xxx.xxx:80 ::ffff:yyy.yyy.yyy.:62191 TIME_WAIT   
    tcp        0      0 ::ffff:xxx.xxx.xxx.xxx:443 ::ffff:yyy.yyy.yyy.:59667 TIME_WAIT
    tcp        0      0 ::ffff:xxx.xxx.xxx.xxx:443 ::ffff:yyy.yyy.yyy.:59667 TIME_WAIT
    tcp        0      0 ::ffff:xxx.xxx.xxx.xxx:80 ::ffff:yyy.yyy.yyy.:59667 TIME_WAIT

netstat -V yields:

    # netstat -V
    net-tools 1.60
    netstat 1.42 (2001-04-15)
    Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
    +NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE -I18N
    AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK -ECONET -ROSE 
    HW:  +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR -ROSE -ASH -SIT -FDDI -HIPPI -HDLC/LAPB
scoopseven
  • 125
  • 6

4 Answers4

2

::1 is a full [IPv6 address](::1 is a full IPv6 address, the rough equivalent of 127.0.0.1), the rough equivalent of 127.0.0.1 (localhost).

David Schwartz
  • 31,449
  • 2
  • 55
  • 84
  • The markup on your question looks a bit confused. You appear to be repeating yourself. Did you copy and paste your text when you meant to insert a link? – Zoredache Oct 27 '11 at 07:20
1

netstat has a known problem with truncating both ipv6 addresses and ipv4 addresses in AF_INET6 sockets (e.g. ::ffff:192.168.0.1). You can prevent this behavior in most newer kernels with the -W flag

netstat -anpW

And, as @TalKlainer points out, the -T flag will work on machines with a much older version of netstat

MANA624
  • 111
  • 3
1

You are seeing IPs addres that, but IPv6 address. Your pcs maybe are stablishn connections by IPv6 and by IPv4. Confirm that doing a ping6 to one client from the server.

If it responds and you dont like it you have to deleted the enable by default Ipv6 addressing.

::1 is the local host address.

Ricardo Polo Jaramillo
  • 2,039
  • 2
  • 18
  • 35
1

Try using netstat -naT

-n, --numeric don't resolve names

-a, --all, --listening display all sockets (default: connected)

-T, --notrim stop trimming long addresses

Tal Klainer
  • 11
  • 1
  • This only applies to older machines (~cent6), but in my case was exactly what I was looking for +1 – MANA624 Nov 08 '21 at 18:29