Network Debugging Utility – netstat

netstat is a useful tool for checking your network configuration and statistics.

When invoked with the -i flag, it displays statistics for the network interfaces currently configured.

Output

Kernel Interface table

Iface     MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg

eth0     1500   0  245257      0      0      0  118056      0      0      0 BMRU

lo      16436   0   23632      0      0      0   23632      0      0      0 LRU

The MTU and Met fields show the current MTU and metric for that interface. The RX and TX columns count packets received and transmitted without error (RX-OK/TX-OK), received or transmitted with errors (RX-ERR/TX-ERR), dropped (RX-DRP/TX-DRP), and lost to buffer overruns (RX-OVR/TX-OVR). Flg summarises the interface flags: B broadcast, L loopback, M multicast, R running, U up. Non-zero RX-DRP or RX-OVR counts mean the kernel discarded traffic before any application, packet capture or sensor on that interface saw it.

When invoked with the -a flag, netstat displays all sockets: those listening for connections (servers) as well as established ones. Without -a, listening sockets are left out. Port numbers are translated into service names from /etc/services (irdmi is 8000, sunrpc is 111, ncube-lm is 1521); add -n to print raw addresses and port numbers and to skip the reverse DNS lookups.

Output

Active Internet connections (servers and established)

Proto Recv-Q Send-Q Local Address               Foreign Address             State

tcp        0      0 prabakaran:irdmi            *:*                         LISTEN

tcp        0      0 *:43812                     *:*                         LISTEN

tcp        0      0 *:mysql                     *:*                         LISTEN

tcp        0      0 *:sunrpc                    *:*                         LISTEN

tcp        0      0 prabakaran:ncube-lm         prabakaran:49594            ESTABLISHED

tcp        0      0 prabakaran:49594            prabakaran:ncube-lm         ESTABLISHED

udp        0      0 prabakaran:filenet-cm       *:*

Active UNIX domain sockets (servers and established)

Proto RefCnt Flags       Type       State         I-Node Path

unix  2      [ ACC ]     STREAM     LISTENING     5624   @/tmp/fam-root-

unix  2      [ ACC ]     STREAM     LISTENING     5039   /var/run/cups/cups.sock

unix  2      [ ACC ]     STREAM     LISTENING     4986   /var/run/avahi-daemon/socket

unix  2      [ ACC ]     STREAM     LISTENING     6130   /tmp/.X11-unix/X0

where

   Proto

       specifies the protocol used by the socket (tcp, udp or raw)

   Recv-Q

       For an established socket, the number of bytes received from the network but not yet read by the user program. For a listening socket this column instead shows the current size of the accept (SYN) backlog, so a non-zero value there means connections are arriving faster than the server calls accept().

   Send-Q

       Total bytes not acknowledged by the remote host.

   Local Address

       Address and port number of the local end of the socket. 

   Foreign Address

       Address and  port  number of the remote end of the socket.

   State

       The state of the socket; only TCP sockets have one. Possible values are

       ESTABLISHED

              The socket has an established connection.

       SYN_SENT

              The socket is actively attempting to establish a connection.

       SYN_RECV

              A connection request has been received from the network.

       FIN_WAIT1

              The socket is closed, and the connection is shutting down.

       FIN_WAIT2

              Connection is closed, and socket is waiting for a shutdown from the remote end.

       TIME_WAIT

              The socket is waiting after close to handle packets still in the network.

       CLOSED

               The socket is not being used.

       CLOSE_WAIT

              The remote end has shut down, waiting for the socket to close.

       LAST_ACK

              The remote end has shut down, and socket is closed but waiting for acknowledgement.

       LISTEN

              The socket is listening for incoming connections.

       CLOSING

              Both ends have shut down, but not all of our data has been sent yet.

       UNKNOWN

              The state of the socket is unknown.

When invoked with the -p option, netstat appends the process ID and program name that owns each socket. It can only report processes whose /proc entries the caller is allowed to read, so run it as root; for sockets owned by other users the column shows a bare -.

Output

Active Internet connections (w/o servers)

Proto Recv-Q Send-Q Local Address          Foreign Address        State         PID/Program name

tcp        0      0 prabakaran:ncube-lm    prabakaran:49594       ESTABLISHED   1750/tnslsnr

…..

This option identifies the process that already owns a port when a bind() call fails with "address already in use". The usual audit invocation combines it with the other flags as netstat -tulpn: TCP and UDP listeners only, with owning programs and numeric addresses.

When invoked with the -s option, netstat prints per-protocol statistics for IP, ICMP, TCP and UDP: active and passive TCP opens, failed connection attempts, connection resets, currently established connections, TCP segments received and sent, UDP packets received and sent, UDP receive errors, and so on.
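As an added example (not code from the original post), the Python below parses the net-tools netstat layout shown above and pulls out the two things an auditor looks for first: listeners bound on every interface, and sockets whose owner netstat could not report. The sample output is constructed in the -a -n -p format rather than captured from the host prabakaran; the port allow-list and the service names in it are illustrative.

```python
"""Audit `netstat -a -n -p` output: exposed listeners and unattributed sockets."""

# Constructed sample in the net-tools netstat layout shown above (not a real capture).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      2115/python
tcp        0      0 0.0.0.0:43812           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1402/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1203/rpcbind
tcp        0      0 127.0.0.1:1521          127.0.0.1:49594         ESTABLISHED 1750/tnslsnr
tcp        0      0 127.0.0.1:49594         127.0.0.1:1521          ESTABLISHED 1790/sqlplus
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           -
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     5039   /var/run/cups/cups.sock
"""

# Addresses that mean "every interface": IPv4 and IPv6 wildcards, plus the '*' printed without -n.
WILDCARDS = {"0.0.0.0", "::", "*"}


def split_addr(addr):
    """Split 'host:port' on the last colon (IPv6 hosts contain colons). A '*' port stays a string."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else port)


def parse_netstat(text):
    """Return one dict per TCP/UDP line. Parsing stops at the UNIX-domain table, whose columns differ."""
    sockets = []
    for line in text.splitlines():
        if line.startswith("Active UNIX domain sockets"):
            break
        tok = line.split()
        if len(tok) < 5 or not tok[0].startswith(("tcp", "udp")):
            continue  # headers and blank lines
        proto, recvq, sendq, local, foreign = tok[:5]
        rest = tok[5:]
        # UDP lines have no State column, so detect it by shape rather than by position.
        state = rest.pop(0) if rest and rest[0].isupper() and "/" not in rest[0] else None
        pid = program = None
        if rest and rest[0] != "-":  # '-' means netstat could not read the owner (not root)
            pid_s, _, program = rest[0].partition("/")
            pid = int(pid_s) if pid_s.isdigit() else None
        host, port = split_addr(local)
        sockets.append({
            "proto": proto, "recv_q": int(recvq), "send_q": int(sendq),
            "local_host": host, "local_port": port, "foreign": foreign,
            "state": state, "pid": pid, "program": program,
        })
    return sockets


def is_listener(sock):
    """A TCP socket in LISTEN, or a UDP socket not connected to a peer, accepts traffic from the network."""
    if sock["proto"].startswith("tcp"):
        return sock["state"] == "LISTEN"
    return sock["foreign"].endswith(":*")


def exposed_listeners(sockets, allowed_ports=frozenset()):
    """Listeners bound on every interface whose port is not on the allow-list."""
    return [s for s in sockets
            if is_listener(s) and s["local_host"] in WILDCARDS
            and s["local_port"] not in allowed_ports]


def unattributed(sockets):
    """Sockets with no PID/Program name: re-run netstat -p as root to find out who owns them."""
    return [s for s in sockets if s["pid"] is None]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for s in exposed_listeners(socks, allowed_ports={111}):
        owner = s["program"] or "unknown (re-run as root)"
        print(f'{s["proto"]} {s["local_host"]}:{s["local_port"]}  owner={owner}')
```

The parser deliberately keeps service names as strings when netstat was run without -n, so the same code works on the named output above; the allow-list then has to be written with the same names.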

Inspecting what is inside an executable or library

Sometimes it is necessary to know which dynamic libraries an executable depends on, which functions a particular library defines, and so on. This post covers some of the tools that help with understanding the contents of an executable or library.

size

size is a diagnostic tool for executable file analysis: it prints the size of the text, data and bss sections of each object file, plus their total. A running program is a process, and the memory the kernel maps for a process is divided into segments such as code (text), data, heap and stack.

Ex.

int x = 100;           /* initialized global: data segment */

int y;                 /* uninitialized global: bss */

int main(void)

{

    static int a = 10; /* initialized static: data segment */

    static int b;      /* uninitialized static: bss */

    return x + y + a + b;

}
In the above program x and y are global (external) variables, while a and b are static locals. Initialized globals and statics are placed in the data segment; uninitialized ones go into bss (the uninitialized data segment), which takes no space in the file and is zero-filled at load time. The size command shows how much each segment occupies.

$ size ./a.out

output:

   text    data     bss     dec     hex filename

   1059     252       8    1319     527 a.out

Name the object files to examine on the command line; if none are given, a.out is used.

options

-d Display the sizes in decimal (the default).

-o Display the sizes in octal.

-x Display the sizes in hexadecimal.

$ size -x ./a.out

   text    data     bss     dec     hex filename

  0x3b7   0x100    0x10    1223     4c7 ./a.out

$ size -o ./a.out

   text    data     bss     oct     hex filename

  01667    0400     020    2307     4c7 ./a.out

ldd

ldd is a diagnostic tool for executable file analysis. It shows which shared libraries an executable would use in your environment. A C program is a collection of functions, each defined either in the program itself or in a library (static or shared). When a dynamically linked program starts, the dynamic loader maps the shared libraries it needs before main() runs. ldd lists those libraries, where each one was found on this system, and which ones are missing. Two caveats: ldd resolves libraries using the current environment (LD_LIBRARY_PATH, the binary's RPATH/RUNPATH, ld.so.cache), so its answer can differ from host to host; and on some systems ldd works by running the program's own dynamic loader with special environment variables, so with an untrusted binary it can end up executing attacker-chosen code. Never run ldd on an executable you do not trust; read its NEEDED entries with objdump -p or readelf -d instead.

Ex.

#include <stdio.h>

void bbsr(void);   /* provided by sample.so, resolved at link/load time */

int main(void)

{

    printf("Hello");

    bbsr();

    return 0;

}

Here main.c is the source file. Compiling it produces the object file main.o, which is then linked against the shared libraries libc.so and sample.so to build the executable singo. A library that ldd reports as not found will make the loader abort at start-up; if it is later found, the same search order (RPATH, LD_LIBRARY_PATH, RUNPATH, ld.so.cache, the default directories) decides which file is mapped, which is why a world-writable directory anywhere on that path is dangerous.

For Example:

$ldd ./singo

Output :

        linux-gate.so.1 =>  (0x00110000)

        sample.so => not found

        libc.so.6 => /lib/libc.so.6 (0x00367000)

        /lib/ld-linux.so.2 (0x00348000)

nm

This command lists the symbols in an object file: functions, global variables and static variables. For each symbol it prints the value (address), the symbol type and the name. A lower-case type letter means the symbol is local to the file; an upper-case one means it is global (external). U marks a symbol that is referenced but not defined in this file, and w or v marks a weak undefined reference that the loader may leave unresolved.

Options:

-S Print the size of each defined symbol alongside its value.

-D Print dynamic, not normal, symbols. Useful only when working with dynamic objects (for example some kinds of shared libraries).

-l For each symbol, use debugging information to try to find a file name and line number. For a defined symbol, look for the line number of the address of the symbol. For an undefined symbol, look for the line number of a relocation entry which refers to the symbol. If line number information can be found, print it after the other symbol information.

Ex.

/* prg.c */

#include <stdio.h>

void bbsr(void);   /* deliberately left undefined in this object file */

int ctc(void);

int main(void)

{

    bbsr();

    printf("Hello");

    ctc();

    return 0;

}

int ctc(void)

{

    printf("I am in Cuttack");

    return 0;

}

$ gcc -c prg.c

$nm prg.o

output:

         U bbsr

00000030 T ctc

00000000 T main

         U printf

In the above output printf() and bbsr() are undefined (U): they are referenced by prg.o but must be supplied by another object file or a shared library at link or load time. main and ctc are defined in the text section (T) and are global.

$ nm -D -l -S ./a.out

080484b8 00000004 R _IO_stdin_used

                  w __gmon_start__

                  U __libc_start_main

                  U printf
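To tie the ldd and nm sections together, here is an added example (my own code, not part of the original post) that parses both formats and reports what the dynamic loader will have to satisfy at start-up: the strong undefined symbols from nm, and whether every library ldd lists was actually found. The two samples are constructed in the layouts shown above; the extra local symbol counter.1234 and the U bbsr line are there to exercise the parser and were not in the post's output.

```python
"""Cross-check nm's undefined symbols against the libraries ldd resolves."""

# Constructed samples in the nm -S and ldd formats shown above (not captured from the post's binaries).
NM_OUTPUT = """\
080484b8 00000004 R _IO_stdin_used
                  w __gmon_start__
                  U __libc_start_main
                  U printf
                  U bbsr
00000030 00000012 T ctc
00000000 00000030 T main
00000004 00000004 b counter.1234
"""

LDD_OUTPUT = """\
\tlinux-gate.so.1 =>  (0x00110000)
\tsample.so => not found
\tlibc.so.6 => /lib/libc.so.6 (0x00367000)
\t/lib/ld-linux.so.2 (0x00348000)
"""

UNDEFINED = {"U"}            # referenced here, must come from another object or library
WEAK_UNDEFINED = {"w", "v"}  # like U, but the loader tolerates it staying unresolved
NOT_LOCAL_LOWER = {"w", "v", "u"}  # lower-case letters that do not mean "file-local"


def parse_nm(text):
    """Parse `nm [-S] [-l]` lines: [value] [size] type name [<tab>file:line]. Undefined symbols have no value."""
    symbols = []
    for raw in text.splitlines():
        tok = raw.split("\t")[0].split()  # drop the -l file:line suffix if present
        if len(tok) < 2 or len(tok[-2]) != 1:
            continue  # file-name banners such as 'prg.o:' and blank lines
        name, kind = tok[-1], tok[-2]
        symbols.append({
            "name": name,
            "type": kind,
            "value": int(tok[0], 16) if len(tok) >= 3 else None,
            "size": int(tok[1], 16) if len(tok) == 4 else None,
            "local": kind.islower() and kind not in NOT_LOCAL_LOWER,
        })
    return symbols


def parse_ldd(text):
    """Parse ldd lines into {name: {"path": ..., "found": bool}}.
    'x => not found' is unresolved; 'x => (addr)' is the vDSO (found, but no file);
    a bare '/path (addr)' is the dynamic loader itself."""
    libs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "=>" in line:
            name, _, right = line.partition("=>")
            name, right = name.strip(), right.strip()
            if right.startswith("not found"):
                libs[name] = {"path": None, "found": False}
            else:
                path = right.split("(")[0].strip() or None
                libs[name] = {"path": path, "found": True}
        else:
            path = line.split("(")[0].strip()
            libs[path] = {"path": path, "found": True}
    return libs


def loader_report(nm_text, ldd_text):
    """Summarise what the dynamic loader must satisfy for this binary and whether it can."""
    syms = parse_nm(nm_text)
    libs = parse_ldd(ldd_text)
    return {
        "defined": sorted(s["name"] for s in syms if s["value"] is not None and not s["local"]),
        "local": sorted(s["name"] for s in syms if s["local"]),
        "undefined": sorted(s["name"] for s in syms if s["type"] in UNDEFINED),
        "weak_undefined": sorted(s["name"] for s in syms if s["type"] in WEAK_UNDEFINED),
        "missing_libraries": sorted(n for n, v in libs.items() if not v["found"]),
        # every strong undefined symbol has to be provided by one of these files at start-up
        "providers": sorted(v["path"] for v in libs.values() if v["path"]),
        "loadable": all(v["found"] for v in libs.values()),
    }


if __name__ == "__main__":
    for key, val in loader_report(NM_OUTPUT, LDD_OUTPUT).items():
        print(f"{key:18} {val}")
```

Feeding it real output is a matter of `nm -D -S ./singo` and `ldd ./singo` on a binary you trust; for one you do not, replace the ldd half with the NEEDED entries from readelf -d, which the same parse_ldd cannot read but which carry the same library names.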

objdump

It displays information about object files.

objdump is most often used to disassemble executables, shared objects and libraries and, when debugging information is present, to map a faulting address back to the function and source line it came from.

Options:

-d Display the assembler mnemonics for the machine instructions from object file. This option disassembles only those sections that are expected to contain instructions.

-s Display the full contents of any section requested.

-h Display summary information from the section headers of the object file.

When objdump -h is run on a relocatable object file (a .o that has not been linked yet), the VMA and LMA columns do not show where the sections will end up in memory; they show the target's default, section-relative addresses, which start at 0. Real load addresses are only assigned by the linker.

Example

/* prg1.c */

#include <stdio.h>

int bbsr(void);

int main(void)

{

    static int x = 12;   /* initialized static: .data */

    static int y;        /* uninitialized static: .bss */

    printf("%d", x);

    bbsr();

    return 0;

}

int bbsr(void)

{

    printf("Hi");

    return 0;

}

$objdump -h ./a.out

output:

./a.out:     file format elf32-i386

Sections:

Idx Name               Size      VMA       LMA       File off  Algn

  0 .interp            00000013  08048134  08048134  00000134  2**0

                       CONTENTS, ALLOC, LOAD, READONLY, DATA

  1 .note.ABI-tag      00000020  08048148  08048148  00000148  2**2

                       CONTENTS, ALLOC, LOAD, READONLY, DATA

  2 .note.gnu.build-id 00000024  08048168  08048168  00000168  2**2

                       CONTENTS, ALLOC, LOAD, READONLY, DATA

$ objdump -s -j .rowdata ./a.out

output:

a.out: file format elf32-i386

Nothing is dumped here because the section name is misspelt: there is no .rowdata section, so objdump prints only the file-format line. The read-only string constants live in .rodata, and objdump -s -j .rodata ./a.out shows them as a hex dump with the ASCII alongside.

$ objdump -d -r -j .text ./a.out

output:

./a.out:     file format elf32-i386

Disassembly of section .text:

080482f0 <_start>:

 80482f0:       31 ed                   xor    %ebp,%ebp

 80482f2:       5e                      pop    %esi

 80482f3:       89 e1                   mov    %esp,%ecx

 80482f5:       83 e4 f0                and    $0xfffffff0,%esp

 80482f8:       50                      push   %eax

The above output is the disassembly of the .text section produced with the -d flag, which disassembles only those sections expected to contain instructions. The -r flag interleaves relocation entries, which is mainly useful on unlinked object files, and -j restricts the output to the named section.
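As a final added example (again my own code, not from the post), the script below parses the objdump -h section table, reproduces the text/data/bss figures that size prints from the section flags, flags any loaded section that is both writable and executable, and maps an address such as the 080482f0 above back to its section. The sample table is constructed in the layout shown earlier; its sizes are illustrative, and the .stage2 section is hypothetical, added only so the W+X check has something to catch (a normal compiler never emits one).

```python
"""Parse `objdump -h`, reproduce what `size` reports, flag W+X sections, and locate addresses."""

# Constructed sample in the objdump -h layout shown above. Sizes are illustrative and the
# .stage2 section is hypothetical: it exists only to give writable_executable() a hit.
OBJDUMP_H = """\
./a.out:     file format elf32-i386

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .interp       00000013  08048134  08048134  00000134  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .note.ABI-tag 00000020  08048148  08048148  00000148  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .text         000001ac  080482f0  080482f0  000002f0  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  3 .rodata       00000014  080484b8  080484b8  000004b8  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .data         00000008  08049f20  08049f20  00000f20  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  5 .bss          00000010  08049f28  08049f28  00000f28  2**2
                  ALLOC
  6 .stage2       00000040  08049f40  08049f40  00000f40  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  7 .comment      0000002c  00000000  00000000  00000f80  2**0
                  CONTENTS, READONLY
"""


def parse_sections(text):
    """Each section is two lines: 'idx name size vma lma fileoff 2**align', then its flag list."""
    sections, pending = [], None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[0].isdigit():
            pending = {
                "idx": int(tok[0]), "name": tok[1],
                "size": int(tok[2], 16), "vma": int(tok[3], 16), "lma": int(tok[4], 16),
                "offset": int(tok[5], 16), "align": 2 ** int(tok[6].split("**")[1]),
                "flags": set(),
            }
            sections.append(pending)
        elif pending is not None and tok and tok[0].rstrip(",").isupper():
            pending["flags"] = {f.strip() for f in line.split(",") if f.strip()}
            pending = None
    return sections


def size_summary(sections):
    """Classify ALLOC sections the way GNU size's default (Berkeley) output does:
    CODE or READONLY -> text, other sections with CONTENTS -> data, the rest -> bss."""
    text = data = bss = 0
    for s in sections:
        f = s["flags"]
        if "ALLOC" not in f:
            continue  # .comment and friends never reach memory
        if "CODE" in f or "READONLY" in f:
            text += s["size"]
        elif "CONTENTS" in f:
            data += s["size"]
        else:
            bss += s["size"]
    return {"text": text, "data": data, "bss": bss, "dec": text + data + bss}


def writable_executable(sections):
    """Loaded CODE sections that are not READONLY: memory that is both writable and executable,
    which defeats W^X and is the first thing to look at in a suspicious binary."""
    return [s["name"] for s in sections
            if {"ALLOC", "CODE"} <= s["flags"] and "READONLY" not in s["flags"]]


def section_at(sections, addr):
    """Map an address (for example a faulting EIP from a crash log) to the section containing it."""
    for s in sections:
        if "ALLOC" in s["flags"] and s["vma"] <= addr < s["vma"] + s["size"]:
            return s["name"]
    return None


if __name__ == "__main__":
    secs = parse_sections(OBJDUMP_H)
    print(size_summary(secs))
    print("W+X sections:", writable_executable(secs))
    print("0x80482f0 is in", section_at(secs, 0x80482f0))
```

Because size derives its numbers from the same section flags, running this over `objdump -h ./a.out` on a real binary and comparing with `size ./a.out` is a quick sanity check that the parser, and your understanding of the flags, are right.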