Home / server / Questions / 405853
In Process
HOLOGRAPHICpizza
Asked: 2012-07-09 09:15:51 +0800 CST

iftop Shows Lots of Mysterious Connections - Not Showing in netstat

  • 772

I've just stopped all pretty much all services except sshd on my server (Ubuntu Server 10.04), and when I run iftop I get output that looks like this:

                 12.5Kb            25.0Kb           37.5Kb            50.0Kb      62.5Kb
└────────────────┴─────────────────┴────────────────┴─────────────────┴─────────────────
flash.gateway.2wire.net:ssh   <=> 172.16.1.151:60405             1.75Kb  1.54Kb  2.22Kb
flash.gateway.2wire.net:21095 <=> 69.127.29.20:32582              536b    107b     27b
flash.gateway.2wire.net:21095 <=> 190.164.122.134:13557             0b    105b     26b
flash.gateway.2wire.net:21095 <=> 79.165.212.195:45138              0b    105b     26b
flash.gateway.2wire.net:21095 <=> 151.42.15.151:9031                0b     72b     18b
flash.gateway.2wire.net:21095 <=> 88.185.120.179:51413              0b      0b     49b
flash.gateway.2wire.net:21095 <=> 178.120.152.97:25924              0b      0b     29b
flash.gateway.2wire.net:21095 <=> 109.110.217.77:27868              0b      0b     26b
flash.gateway.2wire.net:21095 <=> 84.13.201.90:16509                0b      0b     26b
flash.gateway.2wire.net:21095 <=> 171.7.125.224:11777               0b      0b     26b
flash.gateway.2wire.net:21095 <=> 115.177.164.170:21360             0b      0b     26b
flash.gateway.2wire.net:21095 <=> 50.88.126.18:25540                0b      0b     25b
flash.gateway.2wire.net:21095 <=> 223.206.230.163:13431             0b      0b     25b
flash.gateway.2wire.net:21095 <=> 78.144.187.26:24515               0b      0b     25b
flash.gateway.2wire.net:21095 <=> 83.20.61.211:27572                0b      0b     25b
flash.gateway.2wire.net:21095 <=> 82.134.151.42:18448               0b      0b     18b
flash.gateway.2wire.net:21095 <=> 126.117.95.247:25316              0b      0b     18b
flash.gateway.2wire.net:21095 <=> 116.202.65.230:9044               0b      0b     18b
flash.gateway.2wire.net:21095 <=> 88.120.63.205:51413               0b      0b     17b
────────────────────────────────────────────────────────────────────────────────────────
TX:             cumm:  61.6KB   peak:   8.00Kb          rates:   1.59Kb  1.38Kb  2.04Kb
RX:                    18.4KB           1.64Kb                    696b    549b    640b
TOTAL:                 80.0KB           9.64Kb                   2.27Kb  1.92Kb  2.66Kb

This is the first part (not the unix socket part) of the output of netstat -a:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 *:55677                 *:*                     LISTEN
tcp        0      0 flash.gateway.2wire:ssh 172.16.1.151:60405      ESTABLISHED
tcp        0     48 flash.gateway.2wire:ssh 172.16.1.151:60661      ESTABLISHED
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 *:37790                 *:*

What could all those strange connections on port 21095 be? And why would they not show up in netstat?? Any advice would be greatly appreciated.

ubuntu connection networking netstat linux-networking

2 Answers

  1. iftop looks at all packets going through the interface using pcap (packet capture).

    netstat shows sockets on the machines.

    Any packet that’s forwarded to another host will appear in the former, not the latter.

    Looks like all of the packets found to port 21095 were almost alone. It could be failing connection attempts.

    • 3

  2. Those are most certainly failed connection attempts. Check out with tcpdump; you should see them along with your host's ICMP port unreachable (since you don't have anything listening on that port):

    01:58:31.471535 IP some.remote.host.24053 > your.local.host.21095: UDP, length 35
01:58:31.472006 IP your.local.host > some.remote.host: ICMP your.local.host udp port 21095 unreachable, length 71

    (example supposing it's UDP)

    • 0