Unexplained TCP connections can pose a major security threat. They can indicate that something or someone is connected to the local host. Sometimes it is necessary to know which active TCP connections are open and running on a networked host. Netstat is an important network utility that can be used to verify those connections. As shown in Example 11-1, you enter the command netstat to list the protocols in use, the local address and port numbers, the foreign address and port numbers, and the connection state.
Example 11-1 Using the netstat Command to List Protocols in Use
C:\> netstat

Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    192.168.1.124:3126     192.168.0.2:netbios-ssn    ESTABLISHED
  TCP    192.168.1.124:3158     207.138.126.152:http       ESTABLISHED
  TCP    192.168.1.124:3159     207.138.126.169:http       ESTABLISHED
  TCP    192.168.1.124:3160     207.138.126.169:http       ESTABLISHED
  TCP    192.168.1.124:3161     sc.msn.com:http            ESTABLISHED
  TCP    192.168.1.124:3166     www.cisco.com:http         ESTABLISHED
(output omitted)
C:\>
By default, the netstat command will attempt to resolve IP addresses to domain names and port numbers to well-known applications. You can use the -n option to display IP addresses and port numbers in their numerical form.
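One way to act on this output, as an added example that is not from the original chapter: the Python below parses `netstat -n` output into socket pairs and lists established connections that match no expected (network, port) rule. The sample is Example 11-1 in numeric form with constructed placeholder addresses for the two named hosts plus one constructed extra connection, and the `EXPECTED` rules are an assumed policy.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: Example 11-1 as `netstat -n` would print it. The
# 198.51.100.x addresses are placeholders for the two hosts shown by name,
# and the last line is a constructed extra connection.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.124:3126     192.168.0.2:139        ESTABLISHED
  TCP    192.168.1.124:3158     207.138.126.152:80     ESTABLISHED
  TCP    192.168.1.124:3159     207.138.126.169:80     ESTABLISHED
  TCP    192.168.1.124:3160     207.138.126.169:80     ESTABLISHED
  TCP    192.168.1.124:3161     198.51.100.10:80       ESTABLISHED
  TCP    192.168.1.124:3166     198.51.100.20:80       ESTABLISHED
  TCP    192.168.1.124:3170     203.0.113.77:50555     ESTABLISHED
"""

# Assumed policy: (foreign network, foreign port) pairs this host is expected to use.
EXPECTED = [("192.168.0.0/16", 139), ("0.0.0.0/0", 80), ("0.0.0.0/0", 443)]

SocketPair = namedtuple("SocketPair", "local foreign state")

def split_socket(text):
    """Split 'address:port' (or '[IPv6]:port') into (ip_address, port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse_netstat(output):
    """Return a SocketPair per TCP row; raises ValueError on non-numeric rows."""
    pairs = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP":
            pairs.append(SocketPair(split_socket(fields[1]),
                                    split_socket(fields[2]), fields[3]))
    return pairs

def unexplained(pairs, expected=EXPECTED):
    """ESTABLISHED pairs whose foreign socket matches no expected rule."""
    def allowed(ip, port):
        return any(port == p and ip in ipaddress.ip_network(net)
                   for net, p in expected)
    return [sp for sp in pairs
            if sp.state == "ESTABLISHED" and not allowed(*sp.foreign)]

if __name__ == "__main__":
    for sp in unexplained(parse_netstat(SAMPLE)):
        print("review:", "%s:%d -> %s:%d" % (sp.local + sp.foreign))
```

The parser fails loudly on rows that contain names instead of numbers, so capture the input with the -n option.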
Summary (11.4)
The following is a summary of each topic in the chapter:
- The Client/Server Relationship—Servers, clients, and networking devices are all necessary for you to receive an email, update your status on social media, or shop online. The term server refers to a host running a software application that provides information or services to other hosts connected to the network. A file server stores files that clients access with client software. A web server runs server software so clients can browse the Internet. An email server runs server software so a client can use email.
The key characteristic of client/server systems is that the client sends a request to a server, and the server responds by carrying out a function, such as sending the requested document back to the client. A web server is usually in a part of the network with other servers called a server farm, or within a data center.
When a web server is being contacted to download a web page, a Uniform Resource Locator (URL) is used to locate the server and a specific resource. The URL identifies the following:
- Protocol being used, usually HTTP for web pages
- Domain name of the server being accessed
- Location of the resource on the server
- TCP and UDP—The protocols needed to deliver a web page operate at the four layers of the TCP/IP model, as follows:
- Application Layer Protocol for HTTP—HTTP specifies the format of the web page request and response.
- Transport Layer Protocol for TCP—TCP determines the flow control and acknowledgments of packet exchange.
- Internetwork Layer Protocol for IP—IP identifies the source and destination as packets are sent across the network.
- Network Access Layer Protocol—The specific protocol at this layer depends on the type of media and transmission methods.
When an application requires acknowledgment that a message is delivered, it uses TCP. TCP breaks up a message into small pieces known as segments. The segments are numbered in sequence and passed to the IP process for assembly into packets.
UDP is a “best effort” delivery system that does not require acknowledgment of receipt. UDP is preferable with applications such as streaming audio and VoIP.
- Port Numbers—When a message is delivered using either TCP or UDP, the protocols and services requested are identified by a port number. A port is a numeric identifier within each segment that is used to keep track of specific conversations between a client and server. There are well-known ports, registered ports, and private ports. Every message that a host sends contains both a source and destination port:
- Source Port—The source port number is dynamically generated by the sending device to identify a conversation between two devices.
- Destination Port—The client places a destination port number in the segment to tell the destination server what service is being requested.
The source and destination ports are placed within segments. Segments are then encapsulated in an IP packet. This packet contains the IP address of the source and destination. The combination of the source IP address and source port number is a socket. The combination of the destination IP address and destination port number is a socket. These two sockets combine to form a socket pair.
Sometimes you need to know which active TCP connections are open and running on a networked host. In these cases, you can use the netstat command to verify those connections. The netstat command attempts to resolve IP addresses to domain names and port numbers to well-known applications.
Practice
The following activities provide practice with the topics introduced in this chapter.
Packet Tracer Activities
Packet Tracer—The Client Interaction (11.1.6)
Check Your Understanding Questions
Complete all the review questions listed here to test your understanding of the topics and concepts in this chapter. Appendix A, “Answers to the ‘Check Your Understanding’ Questions,” lists the answers.
1. Why is UDP well suited as the transport layer protocol for video applications?
- UDP provides acknowledgment of received data.
- UDP has low overhead.
- UDP provides flow control using windows.
- UDP provides a reliable session.
2. Which transport layer information is added to both the TCP and UDP headers?
- Port numbers
- Acknowledgment flag
- IP addresses
- Window size
3. What types of applications are best suited for using UDP?
- Applications that are sensitive to packet loss
- Applications that require retransmission of lost segments
- Applications that are sensitive to delay
- Applications that need reliable delivery
4. What protocol header information is used at the transport layer to identify a target application?
- Sequence number
- Port number
- MAC address
- IP address
5. A client device has initiated a secure HTTP request to a web browser. Which well-known port address number is associated with the destination address?
- 443
- 404
- 110
- 80
6. Which number or set of numbers represents a socket?
- 10.1.1.15
- 21
- 01-23-45-67-89-AB
- 192.168.1.1:80
7. What information does TCP use to reassemble and reorder received segments?
- Port numbers
- Fragment numbers
- Acknowledgment numbers
- Sequence numbers
8. What type of port number is assigned by IANA to commonly used services and applications?
- Private port
- Registered port
- Dynamic port
- Well-known port
9. Which protocol operates at the transport layer of the TCP/IP model and ensures reliable delivery of IP packets?
- HTTP
- IP
- TCP
- UDP
10. What is a characteristic of UDP?
- It provides unreliable delivery of segments.
- It adds 20 bytes of overhead to application data.
- It uses sequence numbers to reassemble segments.
- It establishes sessions with a three-way handshake.
11. What is the well-known port address number used by DNS to serve requests?
- 53
- 60
- 25
- 110
12. Which action is performed by a client when establishing communication with a server via the use of UDP at the transport layer?
- The client sends an ISN to the server to start the three-way handshake.
- The client sets the window size for the session.
- The client sends a synchronization segment to begin the session.
- The client selects a unique local source port number.