13 Sep
2019
13 Sep
'19
10:43 p.m.
Hello,
I want to know if the following output is indicative of a
healthy computer system.The command is "netstat -t" .
I am worried about the apparent circular reference with localhost.
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 32 0 L1JDFY77FVHYMJD6O:37642 162.125.83.7:https
CLOSE_WAIT
tcp 0 0 localhost:60846 localhost:42012 ESTABLISHED
tcp 32 0 L1JDFY77FVHYMJD6O:60696 162.125.36.1:https
CLOSE_WAIT
tcp 32 0 L1JDFY77FVHYMJD6O:39138 162.125.83.3:https
CLOSE_WAIT
tcp 0 0 L1JDFY77FVHYMJD6O:46664 134.213.52.45:https
ESTABLISHED
tcp 0 0 localhost:42012 localhost:60846 ESTABLISHED
tcp 0 0 L1JDFY77FVHYMJD6O:46662 134.213.52.45:https
ESTABLISHED
tcp 32 0 L1JDFY77FVHYMJD6O:38518 162.125.83.3:https
CLOSE_WAIT
tcp 0 0 L1JDFY77FVHYMJD6O:57244 162.125.34.129:https
ESTABLISHED
tcp 32 0 L1JDFY77FVHYMJD6O:39130 162.125.83.3:https
CLOSE_WAIT
tcp 32 0 L1JDFY77FVHYMJD6O:59380 162.125.83.4:https
CLOSE_WAIT
tcp 0 0 L1JDFY77FVHYMJD6O:57852 162.125.34.129:https
ESTABLISHED
tcp 1 0 L1JDFY77FVHYMJD6O:41264 ec2-52-22-138-109:https
CLOSE_WAIT
regards Peter
14 Sep
14 Sep
5:29 p.m.
Peter Wolf via luv-beginners wrote:
I want to know if the following output is indicative
of a healthy
computer system.The command is "netstat -t" .
I am worried about the apparent circular reference with localhost.
On GNU/Linux "netstat" has been deprecated for over a decade.
You should use "ss" instead.
See also https://en.wikipedia.org/wiki/iproute2
It is perfectly normal for a host to talk to itself.
That's what the loopback interface, and the 127.0.0.0/8 address range, is for.
Here's a host I have:
root@tweak:~# ss -n | grep -e ^Netid -e 127.*127
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp ESTAB 0 0 127.0.0.1:53520 127.0.0.1:60044
udp ESTAB 0 0 127.0.0.1:43282 127.0.0.1:43282
udp ESTAB 0 0 127.0.0.1:60044 127.0.0.1:53520
tcp CLOSE-WAIT 55 0 127.0.0.1:37780 127.0.0.1:10025
tcp ESTAB 0 0 127.0.0.1:47327 127.0.0.1:54637
tcp ESTAB 0 0 127.0.0.1:32843 127.0.0.1:37867
tcp ESTAB 0 0 127.0.0.1:54637 127.0.0.1:47327
tcp ESTAB 0 0 127.0.0.1:37867 127.0.0.1:32843
If you run ss with -p (as root) you can see what the processes in question are.
For example, I see these (hand-elided and hand-wrapped):
root@tweak:~# ss -np | grep -e ^Netid -e 127.*127
... users:(("pinger",pid=7557,fd=1),
("pinger",pid=7557,fd=0))
... users:(("postgres",pid=15895,fd=10),
("postgres",pid=15894,fd=10),
("postgres",pid=15893,fd=10),
("postgres",pid=15892,fd=10),
("postgres",pid=15891,fd=10),
("postgres",pid=15889,fd=10))
... users:(("squid",pid=27687,fd=11))
... users:(("/usr/sbin/amavi",pid=29179,fd=14))
... users:(("squid-acl-check",pid=7559,fd=1),
("squid-acl-check",pid=7559,fd=0))
... users:(("squid",pid=27687,fd=21))
... users:(("squid",pid=27687,fd=18))
... users:(("squid-acl-check",pid=7560,fd=1),
("squid-acl-check",pid=7560,fd=0))
i.e. right now squid and amavis are using the loopback interface.
NFS is another obvious candidate.
DNS via systemd-resolved (without libnss-resolve) also needs lo.
I *think* dbus stuff happens via unix sockets, so
won't appear on the loopback interface, but
you can see it in ss using -x.
You can see how much relies on the loopback interface by turning it
off and watching things break (DON'T DO THIS to a production host):
sudo ip link set lo down
1295
days inactive
1296
days old
1 comments
2 participants
participants (2)
-
Peter Wolf -
Trent W. Buck