NETSTAT                        User Commands

NAME
    netstat - Network Status Utility

SYNOPSIS
    netstat [OPTIONS]

DESCRIPTION
    This displays the status of the LAN connection and lists all of the
    active network connections as well as any of the services accepting
    connections.

    -U
        Displays any services accepting connectionless UDP packets.

    -A
        Displays network statistics such as packet and error tallies.

    -M [N] [LOGFILES]
        Dynamically displays network activity. The display mode is exited by
        any keyboard entry. An optional log file such as jniorsys.log, or a
        list of log files, may be provided. Lines newly appended to these
        files are displayed as notifications while monitoring. This offers a
        convenient means for correlating changes in network status with
        logged events. The [N] option specifies the approximate number of
        log lines to display before rolling. N is 5 lines by default and is
        constrained to a number between 5 and 20.

    -C [FILTER]
        Generates the /temp/network.pcapng capture file containing recent
        network traffic. This may be downloaded and opened with Wireshark
        (https://wireshark.org). An optional FILTER may be used to limit the
        content.

    -F [FILTER]
        JANOS always buffers recent network traffic for capturing. This
        option sets a FILTER to limit the traffic collected. Since only a
        limited space is available for buffering, a filter can be used to
        retain packets of interest for a much longer period of time. The
        filter is removed if FILTER is omitted.

    -R
        Resets the network buffer, discarding all previously buffered
        traffic.

    -K port
    -K ipaddr:port
        Forces the specified socket (combination of remote IP address and
        remote port) to close. The ipaddr may be required if the remote port
        alone is not sufficient to identify the connection. This is useful
        in testing connections that should immediately reconnect when
        dropped unexpectedly. Note that neither the local application nor
        the remote system will be aware of the reason for the disconnect.

    -T
        Displays TLS statistics regarding the negotiation of the various
        cipher suites.

    -S [FILTER]
        The -C option generates a PCAPNG file that can be opened remotely in
        Wireshark. The -S option instead enables a real-time network
        scanner/sniffer in which packets are displayed as they occur. Any
        keystroke terminates the scanning. A FILTER can be specified to
        limit the packets listed to only those of interest.

    -P [FILTER]
        Displays packets from the current capture buffer. A FILTER may be
        defined to limit the list to only packets of interest. If this
        option is used in combination with -S, the scanner proceeds to
        display new packets as they occur once the packets from the capture
        buffer have been displayed.

    -D
        Enables the hexadecimal dump of the packet payload when used with
        the -S and/or -P options. Only the data is displayed, not the
        associated headers (MAC, IP and TCP/UDP headers).

    -V
        The Verbose setting displays additional information during sniffer
        operation. This causes some additional low-level packets to be
        displayed. Packet payload dumps are normally abbreviated; in verbose
        mode the entire payload is displayed.

    -N
        Filters Noise from the sniffer display. Packets received by the
        JNIOR that are not processed are considered to be noise. These might
        be from some external application attempting to access a port on
        the JNIOR that is not defined. The sniffer identifies these packets
        with a '-' character to the left of the packet details. Noise is
        quite prevalent when connected to a wide-area network or directly
        to the Internet. The -N option hides the display of this traffic.

    -B
    -B1
    -B2
    -B3
        Outputs the internal Blacklist, if one is in use, in sorted order.
        The output is sorted by IP address (-B or -B1), by blocking count
        (-B2) or by last encounter date (-B3).

NOTES
    When connecting to the JNIOR command line through a network connection,
    packets associated with that connection are not displayed by the
    sniffer. Those are presumably not what you are interested in.
    The packets involved in those communications are still in the buffer.

    The detailed display of ongoing network traffic itself generates
    considerable traffic through your viewing connection, and the capture
    buffer can overrun. This may result in a "malformed packet" or other
    error that breaks you out of the sniffer mode. One solution is to
    exclude your console communications from the capture using the NETSTAT
    -F filter. If a filter is already in use you may need to combine the
    exclusion of your connection with the existing filter expression. In
    most cases you can simply avoid the -V verbose setting, use the -D
    payload dump option only as needed for debugging, and view the previous
    capture data with -P only if that would be helpful. You can also enlarge
    the capture buffer with the IpConfig/CaptureBuffer registry setting.

    The IpConfig/Greylisting advanced option is available. This reduces
    unwanted connections from bots and malicious actors. The concept,
    routinely used in SPAM email detection, ignores a connection request on
    the initial attempt. The connection is accepted only if the client then
    properly retries. Malicious systems tend not to retry. Note that the
    initially ignored SYN packet is considered to be Noise and will not be
    displayed when the -N option is used.

    Another approach available for protecting the JNIOR on an open network
    is Blacklisting. A text file containing one IP address per line may be
    defined using the IpConfig/Blacklist registry key. The remainder of each
    line is ignored and may contain notes or comments. JANOS ingests the
    blacklist and prevents access by any client listed in it. Blacklisted
    packets are displayed in the sniffer with an asterisk '*' at the far
    left of the packet details. These packets are considered to be noise
    and are not displayed when the -N option is used.
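    The noise rules described above (no service on the destination port,
    the first SYN ignored under greylisting, a blacklisted source dropped
    and marked '*') can be modelled in a few lines. The following is an
    added example written for this page, not JANOS code: the blacklist
    file format (one IP address per line, remainder ignored) is from the
    page, while the packet records, the served-port set and the retry
    window are constructed assumptions for illustration.

```python
"""Model of the sniffer's noise classification described in the NOTES.

Added example, not JANOS code. Rules from the page: a packet to a port with
no service is noise ('-'); under greylisting the first SYN from a client is
ignored and is also noise ('-'); a packet from a blacklisted address is
ignored and marked '*'. Everything else (served ports, retry window, the
trace) is an assumption used only to exercise the rules.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed blacklist file: one address per line, the rest of the line is a note.
BLACKLIST_TEXT = """\
203.0.113.9     repeated login failures, added 2023-05-20
198.51.100.77   port scanner

192.0.2.1
"""


def parse_blacklist(text):
    """Return the set of addresses in a blacklist file.

    Only the first whitespace-delimited token of each line is used; the
    remainder is a free-form note. Empty lines and lines whose first token
    is not an IP address are skipped (an assumption: the page only says the
    remainder of the line is ignored).
    """
    addrs = set()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            addrs.add(str(ip_address(tokens[0])))
        except ValueError:
            continue
    return addrs


@dataclass
class Packet:
    t: float            # seconds since the start of the constructed trace
    src: str            # remote IP address
    dst_port: int       # port on the JNIOR
    syn: bool = False   # True for a TCP connection attempt


@dataclass
class NoiseClassifier:
    served_ports: frozenset             # ports with a listening service (assumed)
    blacklist: frozenset
    greylisting: bool = True
    retry_window: float = 120.0         # assumption: how long a first SYN is remembered
    first_syn: dict = field(default_factory=dict)

    def classify(self, pkt):
        """Return (marker, reason): '*' blacklisted, '-' noise, ' ' processed."""
        if pkt.src in self.blacklist:
            return "*", "blacklisted source"
        if pkt.dst_port not in self.served_ports:
            return "-", "no service on port %d" % pkt.dst_port
        if pkt.syn and self.greylisting:
            key = (pkt.src, pkt.dst_port)
            earlier = self.first_syn.get(key)
            if earlier is None or pkt.t - earlier > self.retry_window:
                # First attempt (or a stale one): ignore it; the client must retry.
                self.first_syn[key] = pkt.t
                return "-", "greylisted, waiting for retry"
            # A retry inside the window is honoured (memory policy is an assumption).
        return " ", "processed"


def run_trace():
    """Classify a constructed trace; returns the list of (marker, reason)."""
    clf = NoiseClassifier(
        served_ports=frozenset({23, 80, 443}),
        blacklist=frozenset(parse_blacklist(BLACKLIST_TEXT)),
    )
    trace = [
        Packet(0.0, "10.0.0.20", 80, syn=True),         # legitimate client, first SYN
        Packet(1.0, "10.0.0.20", 80, syn=True),         # its retransmitted SYN
        Packet(2.0, "198.51.100.200", 22, syn=True),    # no SSH service on this JNIOR
        Packet(3.0, "198.51.100.200", 80, syn=True),    # bot: one SYN, never retries
        Packet(4.0, "203.0.113.9", 80, syn=True),       # blacklisted, never reaches greylist
        Packet(5.0, "10.0.0.17", 443, syn=False),       # data on an established connection
    ]
    return [clf.classify(p) for p in trace]


if __name__ == "__main__":
    for marker, reason in run_trace():
        print("%s %s" % (marker, reason))
```

    Run stand-alone, the trace prints one line per packet with the marker
    the sniffer would show; with -N in effect only the two lines marked
    with a space would remain.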
    An application may be created to analyze information from the
    access.log file and automatically add IP addresses to the blacklist
    file. JANOS monitors the file and will immediately update the internal
    blacklist with any new addresses.

    For a locked-down implementation consider carefully using the
    IpConfig/Allow registry entry to limit access.

NETWORK SCANNER
    New with JANOS v2.4 is the ability to view ongoing network
    communications in real time from the command line. As more and more
    JNIOR applications involve interaction with remote network equipment it
    becomes important in testing to get immediate feedback as to proper
    operation. The NETSTAT -S network scanner displays network traffic as
    it happens.

    As network packets are received and transmitted JANOS records them for
    later analysis. This has always been available for export and analysis
    in Wireshark through the NETSTAT -C option. The amount of network data
    available at any one time is limited by the size of the capture buffer
    established by the IpConfig/CaptureBuffer Registry key. By default this
    is a modest 512KB and it can be expanded to 8MB. Depending on the
    frequency of network communication and the amount of data exchanged,
    the network history in terms of time can be quite short, on the order
    of only several minutes.

FILTERING
    A capture filter can be used to limit the traffic being recorded. A
    FILTER can be set using the NETSTAT -F command. This filter then permits
    only certain communications to be recorded in the capture buffer. When
    analyzing the interactions with one particular remote device this can
    greatly increase the amount of time covered and the amount of
    interaction available for review.

    NOTE: When using the scanner to look for specific interactions make
    sure that these are not filtered. The NETSTAT -F command without a
    filter specification removes any existing filter.
    These are Registry changes and are logged in the jniorsys.log file,
    should you need to determine a prior setting.

    The FILTER specified with the NETSTAT -C, -P and -S options is a
    restriction imposed on the data being retrieved from the capture
    buffer, that is, on what may already have been filtered by the -F
    filter. If you are looking for a specific communication it must pass
    both stages: it must not be dropped by the capture filter on reception,
    and it must not be excluded by the display filter.

    When running the scanner, network communications related to the current
    connection are automatically filtered. For instance, if you are
    accessing the command line console using Telnet those packets will not
    be displayed, as you are likely looking for other traffic. This is a
    secondary filter in addition to (and does not alter) any FILTER that
    you define for display. This traffic is however captured in the buffer
    unless filtered by the incoming -F filter. (See IpConfig/Filter.)

REAL-TIME
    The NETSTAT -P command displays the (optionally) selected packets from
    the capture buffer, starting from the oldest available right up to the
    present moment. At the completion of the display you are returned to
    the command prompt.

    To view real-time traffic use the NETSTAT -S command (with optional
    filter). This immediately displays new packets (matching your filter)
    as they occur and continues for as long as the command is active. Any
    keystroke interrupts the command and returns you to the prompt.

    If you are interested in traffic past and present you will need to use
    both options in one command, for instance NETSTAT -PS or NETSTAT -SP.
    Notice that if you issue NETSTAT -P and then, after returning to the
    prompt, issue NETSTAT -S, there is a chance that you would miss packets
    occurring between the two command executions.

DISPLAY FORMAT
    The network scanner displays packets in a similar fashion to Wireshark.
    With each packet a timestamp is displayed followed by the source IP
    address, source port number, the destination IP address and destination
    port number. The timestamp does not display the date, given that a
    capture extending over days is unlikely. The following is a brief
    moment in time and happens to show only broadcast traffic. The -V
    option includes underlying packets for ARP, ICMP and so on, which are
    normally not listed. The right side of each line identifies the
    protocol where known and provides some additional details.

    Packets for current session not displayed
    Timestamp    Src_IPaddr        srcprt Dst_IPaddr        dstprt typ proto detail
    12:01:56.728 10.0.0.20         17500  255.255.255.255   17500  UDP       (144 bytes)
    12:01:56.730 10.0.0.20         17500  255.255.255.255   17500  UDP       (144 bytes)
    12:01:56.730 10.0.0.20         17500  10.0.0.255        17500  UDP       (144 bytes)
    12:01:57.470 10.0.0.27         17500  10.0.0.255        17500  UDP       (154 bytes)
    12:01:58.462 10.0.0.17         60504  10.0.0.255        1947   UDP       (40 bytes)
    12:02:01.252 10.0.0.20         54131  255.255.255.255   1947   UDP       (40 bytes)
    12:02:02.541 10.0.0.5          137    10.0.0.255        137    UDP NBNS  (50 bytes)
    12:02:04.180 10:78:d2:75:14:06        Integpro_00:07:f9        ARP       Who has 10.0.0.102? Tell 10.0.0.20
    12:02:04.180 Integpro_00:07:f9        10:78:d2:75:14:06        ARP       10.0.0.102 is at 9c:8d:1a:00:07:f9
    12:02:05.258 10.0.0.20         54131  10.0.0.255        1947   UDP       (40 bytes)

    If additional analysis is needed then an export using NETSTAT -C and
    subsequent viewing in Wireshark is recommended.

PAYLOAD
    The NETSTAT -D option, used with -S, -P or -SP scanning, displays in
    hexadecimal and ASCII the data contained in the payload portion of the
    communications. Here we use the DATE -N command to update the clock
    using NTP and then look at the network exchange. NTP uses port 123, and
    we can use 'NTP' in the filter definition since it is the standard port
    for that service.
    bruce_dev /> netstat -pd NTP
    LAN connection active (100 Mbps)
    Packets for current session not displayed
    Timestamp    Src_IPaddr   srcprt Dst_IPaddr   dstprt typ proto detail
    12:20:33.562 10.0.0.102   53270  50.205.57.38 123    UDP NTP   (48 bytes)
    0000 0b000000 00000000 00000000 00000000 00000000 ....................
    0014 00000000 e818b7d1 8fdf3b64 00000000 00000000 ....h.7Q._;d........
    0028 00000000 00000000                             ........
    12:20:33.601 50.205.57.38 123    10.0.0.102   53270  UDP NTP   (48 bytes)
    0000 0c0106e7 00000000 00000000 47505300 e818b7d1 ...g........GPS.h.7Q
    0014 00000000 00000000 00000000 e818b7d1 94731021 ............h.7Q.s.!
    0028 e818b7d1 94735fe5                             h.7Q.s_e
    bruce_dev />

    Here we see the binary exchange with the network time server. Apart
    from the reference identifier "GPS" in the server's reply, the payload
    contains no meaningful text. The ASCII column is displayed anyway,
    since in some cases text is clearly exchanged (in serial commands with
    some devices, for instance) and translating hexadecimal to ASCII by
    hand is a chore. Note that the ASCII column prints each byte with its
    high bit cleared, which is why 0xe8 appears as 'h'. If you use NETSTAT
    -C to export this and then open the capture file in Wireshark a
    complete parsing of this exchange is available.

NETWORK NOISE
    Depending on network structure and proximity to the open Internet,
    packets may be received that cannot be processed by the JNIOR. These
    may be attempting to open connections to ports that are not supported
    by the JNIOR. Such packets are considered to be network Noise. The
    NETSTAT sniffer indicates noise by placing a '-' character at the
    beginning of the line, to the left of the timestamp. The NETSTAT -N
    option may be used to omit noise from the scanner display.

    The IpConfig/Greylisting feature may be enabled to filter bot and
    malicious traffic attempting to make connections. These sources on
    average do not conform to the standards and thus can be detected. When
    enabled this feature treats any initial connection attempt (SYN) packet
    as network noise. While connections are allowed when subsequently
    properly retried, this rejects as much as 90% of annoying Internet
    traffic.
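    The NTP exchange dumped in the PAYLOAD section above can be decoded
    without Wireshark. The following is an added example written for this
    page, not JANOS code: it parses the 48-byte NTP header (leap, version,
    mode, stratum, poll, precision, reference identifier and the four
    timestamps) from the byte values copied out of the dump, converting NTP
    time (seconds since 1900) to UTC. Nothing beyond those bytes and the
    NTP header layout is assumed.

```python
"""Decode the two 48-byte NTP packets shown in the PAYLOAD dump.

Added example, not JANOS code. The byte values are copied from the dump
(bytes.fromhex ignores the spaces between words); the field layout is the
standard NTP header (RFC 5905).
"""
import struct
from datetime import datetime, timedelta, timezone

NTP_UNIX_OFFSET = 2208988800      # seconds from 1900-01-01 to 1970-01-01
MODES = {3: "client", 4: "server"}

# Payloads as dumped by NETSTAT -PD NTP (hex words, offsets omitted)
REQUEST = bytes.fromhex(
    "0b000000 00000000 00000000 00000000 00000000"
    "00000000 e818b7d1 8fdf3b64 00000000 00000000"
    "00000000 00000000"
)
RESPONSE = bytes.fromhex(
    "0c0106e7 00000000 00000000 47505300 e818b7d1"
    "00000000 00000000 00000000 e818b7d1 94731021"
    "e818b7d1 94735fe5"
)


def ntp_to_datetime(seconds, fraction):
    """Convert a 64-bit NTP timestamp to an aware UTC datetime; zero means unset."""
    if seconds == 0 and fraction == 0:
        return None
    base = datetime.fromtimestamp(seconds - NTP_UNIX_OFFSET, tz=timezone.utc)
    return base + timedelta(microseconds=fraction * 1_000_000 // 2**32)


def decode_ntp(pkt):
    """Parse an NTP header and return its fields as a dict."""
    if len(pkt) < 48:
        raise ValueError("NTP header is 48 bytes, got %d" % len(pkt))
    flags, stratum, poll, precision = struct.unpack("!BBbb", pkt[:4])
    root_delay, root_disp = struct.unpack("!II", pkt[4:12])
    ref_id = pkt[12:16]
    words = struct.unpack("!8I", pkt[16:48])
    fields = {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "mode_name": MODES.get(flags & 0x7, "other"),
        "stratum": stratum,
        "poll": poll,                             # log2 seconds
        "precision": precision,                   # log2 seconds, signed
        "root_delay": root_delay / 65536.0,       # 16.16 fixed point, seconds
        "root_dispersion": root_disp / 65536.0,
    }
    # Stratum 0/1 carry a 4-character ASCII identifier (here "GPS"); higher
    # strata carry the IPv4 address of the upstream server.
    if stratum <= 1:
        fields["reference_id"] = ref_id.rstrip(b"\0").decode("ascii", "replace")
    else:
        fields["reference_id"] = ".".join(str(b) for b in ref_id)
    for i, name in enumerate(("reference", "origin", "receive", "transmit")):
        fields[name] = ntp_to_datetime(words[2 * i], words[2 * i + 1])
    return fields


if __name__ == "__main__":
    for label, pkt in (("request", REQUEST), ("response", RESPONSE)):
        f = decode_ntp(pkt)
        print("%s: NTP v%d %s, stratum %d, refid %r, precision 2^%d s"
              % (label, f["version"], f["mode_name"], f["stratum"],
                 f["reference_id"], f["precision"]))
        for name in ("reference", "origin", "receive", "transmit"):
            print("  %-9s %s" % (name, f[name]))
```

    The decoded reply is a stratum 1 server disciplined by GPS, transmitted
    at 16:20:33 UTC, which matches the 12:20:33 local timestamp on the dump
    line. Two details worth noticing in this particular dump: the client
    placed its own clock in the origin field and left the transmit field
    zero, so the reply's origin field (which echoes the client's transmit
    timestamp) is also zero; and the server's receive and transmit
    timestamps differ by only a few microseconds.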
    A Blacklisting capability exists for use in extreme cases. A file
    containing a list of IP addresses to be blocked can be supplied using
    the IpConfig/Blacklist registry key. Packets received from blacklisted
    clients are ignored and the scanner also considers those to be network
    noise. These are indicated by an asterisk '*' at the left margin.

    For additional security it is recommended that you disable replies to
    PING requests. This is achieved by setting the IpConfig/PingReply
    registry key. When these replies are disabled, PING packets are
    considered to be network noise.

SEE ALSO
    HELP Topics: FILTER, ASCII, PING

[/flash/manpages/manpages.hlp:4961]