4

I ran the command sudo lsof -i -n -P | grep TCP and I was wondering if I could get some more clarification on its output.

Specifically, in this image:

enter image description here

Why do I have an IP:PORT pointing to another IP:PORT and then back at itself with the label 'ESTABLISHED'? I am confused on what this means exactly.

Filipe Gonçalves
  • 20,783
  • 6
  • 53
  • 70
Jeff Gong
  • 1,713
  • 3
  • 15
  • 19

2 Answers2

5

I'm not sure how familiar you are with networking and TCP in general, so I'll try to provide a brief description with a couple of details. From your question, it appears that you're not very familiar with networking internals, so it may be hard to understand some of these concepts, but I hope this helps:

The TCP protocol has various states. Think of it as a state machine. States on the client side include CLOSED, SYN_SENT, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2 and TIME_WAIT.

Thus, the ESTABLISHED label means that the TCP connection is in the ESTABLISHED state. Being in the established state means that both hosts successfully completed the TCP 3-way handshake (and in doing so, transitioned from SYN_SENT to ESTABLISHED). The transition from CLOSED to SYN_SENT happens when the client side sends the TCP SYN request to the server.

In an established connection, both sides transmit and receive application specific data. Basically, a session is established and a bidirectional stream of bytes flows between the two end systems.

TCP sockets are uniquely identified by the 4-tuple (source-ip, source-port, destination-ip, destination-port). The IP identifies an end system's network interface, and the port number is used to multiplex and demultiplex packet arrival at that network interface (so that the target system knows which service to deliver the packets to). That's the meaning of the IP:PORT fields.

I'm not sure why you have two entries for the same connection. This might be system-dependent, although it's odd (in my system I get only one entry per socket). But sockets are bidirectional, so it may be the case that your system shows you each packet flow direction as a distinct entry. This might also depend on how the system implements sockets.

Filipe Gonçalves
  • 20,783
  • 6
  • 53
  • 70
  • Downvoter minds explaining? I'd love to know what's wrong with my answer. – Filipe Gonçalves Jun 19 '15 at 23:09
  • 1
    I downvoted your answer because you wrote a lot of trivia but failed to explain the observation. Your answer boils down to _I'm not sure why you have two entries for the same connection._ It is a no-answer answer. – Maxim Egorushkin Jun 20 '15 at 05:08
1

ESTABLISHED means that the TCP connection has completed the 3-way handshake. (Not sure though whether accept must have been called). See TCP state diagram.

Why do I have an IP:PORT pointing to another IP:PORT and then back at itself

That mean you have two TCP sockets open in your process. Most likely, one listens on port 9092, and another one that connected from port 57633 to that listening socket. Port 57633 belongs to the ephemeral port range, i.e. the range of ports that the OS automatically assigns to the sockets that call connect but did not call bind to assign a specific port.

Maxim Egorushkin
  • 131,725
  • 17
  • 180
  • 271
  • Hum, are you sure that both entries identify distinct sockets? I think it's the same socket showing up twice. I mean, if you have a socket `HostA:PortA -> HostB:PortB`, then you can't have a *distinct* socket `HostB:PortB -> HostA:PortA`. How would `HostA` differentiate traffic targeted to `PortA` and deliver it to the right socket? It's not possible - I think it's just `lsof` showing distinct entries for each flow direction in the same socket. – Filipe Gonçalves Jun 19 '15 at 21:38
  • @FilipeGonçalves I am sure. It is not the same socket twice. The first addr:port is the local address, the second addr:port is the remote. – Maxim Egorushkin Jun 19 '15 at 22:16
  • It can't be two sockets. You did notice the IP is always the same, didn't you? You can't have two sockets in the same system with the same (source ip, source port, destination ip, destination port) combination. It's the basics of how TCP multiplexes segments. – Filipe Gonçalves Jun 19 '15 at 22:46
  • Also: `accept(2)` isn't really relevant here. Sockets on which we call `accept(2)` are always in the `LISTEN` state, it's the *new* socket returned by `accept(2)` that eventually transitions from `SYN_RCVD` to `ESTABLISHED`. So I don't understand why you mention `accept(2)` in your answer. – Filipe Gonçalves Jun 19 '15 at 23:13
  • @FilipeGonçalves The socket returned from `accept` is in `ESTABLISHED` stated, i.e. `accept` never returns a socket for which the 3-way handshake has not completed. ([TCP Fast](https://en.wikipedia.org/wiki/TCP_Fast_Open) open is different). – Maxim Egorushkin Jun 20 '15 at 05:05