
Lesson 4: Determining which servers are listening
Objective: Use the netstat command to check which servers are listening for connections on a machine.

Determining which Servers are listening

A second important application of the netstat command is to determine what servers are listening for connections on your machine. Of particular interest are TCP and UDP[1] servers. You obtain this information using the -a option to netstat:
[Diagram: netstat command with -a option. The numbered callouts are explained below.]
  1. * under Local Address refers to the local machine.
  2. *.* under Foreign Address means that any incoming connection is acceptable.
  3. LISTEN means that the server indicated is waiting for a connection.
  4. This line means that the server is listening on the SMTP port. This is the email server (Mail Transfer Agent) awaiting incoming email.

Use the netstat command to check which servers are listening for a Connection

To use the netstat command to check which servers are listening for connections on a machine, you’ll want to focus on identifying active listening ports. Here’s how you can do it step-by-step, depending on your operating system (Windows, Linux, or macOS).
On Windows:
  1. Open a Command Prompt (you can search for "cmd" in the Start menu).
  2. Type the following command and press Enter:
    netstat -a -n -o
        
    • -a: Displays all active connections and listening ports.
    • -n: Shows numerical addresses and ports (faster, avoids name resolution).
    • -o: Displays the process ID (PID) associated with each connection.
  3. Look for lines under the "State" column that say LISTENING. These are the ports where a server or service is waiting for incoming connections.
    • For example, you might see something like:
      TCP    0.0.0.0:80     0.0.0.0:0     LISTENING     1234
              
      Here, port 80 is listening on all interfaces (0.0.0.0), and the PID is 1234.
  4. To identify the program, use Task Manager or run tasklist | find "1234" (replace "1234" with the PID) to match the PID to a process name.
On Linux or macOS:
  1. Open a terminal.
  2. Use this command:
    netstat -tuln
    
    • -t: Shows TCP connections.
    • -u: Shows UDP connections.
    • -l: Displays only listening sockets (servers waiting for connections).
    • -n: Uses numerical addresses and ports.
  3. The output will list listening ports. For example:
    tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
    udp 0 0 0.0.0.0:123 0.0.0.0:*
    • 0.0.0.0:22 means the server is listening on port 22 (likely SSH) on all interfaces.
    • No "State" column appears for -l, as it only shows listening ports.
  4. To see which process is using a port, add the -p flag (requires root privileges on some systems, so use sudo):
    sudo netstat -tulnp
    • The output will include the program name and PID, e.g., /usr/sbin/sshd for port 22.

Notes:
  • If netstat isn’t installed (common on some modern Linux distros), you can use ss instead:
    ss -tuln
    
    The output is similar, showing listening ports like 0.0.0.0:22.
  • Common listening ports include 22 (SSH), 80 (HTTP), 443 (HTTPS), etc.
  • If you want to filter for a specific port, pipe the output to grep (Linux/macOS) or findstr (Windows). For example:
    • Linux: netstat -tuln | grep :80
    • Windows: netstat -a -n -o | findstr :80
This will show you which servers are actively listening on your machine.


For UDP servers, use the -u option. The -n option means to use numeric addresses:
host$ netstat -nua
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address       Foreign Address
udp        0      0 0.0.0.0:753         0.0.0.0:*
udp        0      0 0.0.0.0:514         0.0.0.0:*
udp        0      0 0.0.0.0:111         0.0.0.0:*
udp        0      0 0.0.0.0:37          0.0.0.0:*
udp        0      0 127.0.0.1:53        0.0.0.0:*
udp        0      0 131.193.178.198:53  0.0.0.0:*
udp        0      0 0.0.0.0:53          0.0.0.0:*
udp        0      0 0.0.0.0:635         0.0.0.0:*
udp        0      0 0.0.0.0:2049        0.0.0.0:*
udp        0      0 0.0.0.0:137         0.0.0.0:*
udp        0      0 0.0.0.0:138         0.0.0.0:*


On Solaris, to view a report on active UDP connections, use netstat -P udp.
This output is similar to the TCP output, except that:
  1. The port numbers refer to UDP ports.
  2. It refers to the first interface on the local machine (by a standard convention).
  3. There is no state, because UDP carries no state.
Notice the UDP server listening on port 53; this is the DNS port (called domain in /etc/services), so this machine has a DNS server listening for UDP connections. The UDP server on port 111 is the portmapper process (rpcbind).
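
One way to turn this kind of output into a repeatable check, as an added example that is not part of the original lesson: the script below reads Linux net-tools netstat -tuln output and reports every listener bound to a non-loopback address whose protocol/port pair is not on a baseline. The ALLOWED baseline, the function names and the sample rows (adapted from the lesson's output) are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit listening sockets against an expected baseline.
# ALLOWED is a hypothetical baseline of proto/port pairs this host should expose.
ALLOWED="tcp/22 udp/53"

# Reads netstat -tuln style rows on stdin (local address in column 4).
# Prints "EXPOSED proto/port local-address" for each listener that is
# reachable from the network and missing from ALLOWED.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            proto = $1; sub(/6$/, "", proto)
            # TCP rows count only in state LISTEN; UDP rows carry no state.
            if (proto == "tcp" && $NF != "LISTEN") next
            local = $4
            port = local; sub(/.*:/, "", port)
            addr = substr(local, 1, length(local) - length(port) - 1)
            # Loopback-only listeners are not reachable from other hosts.
            if (addr ~ /^127\./ || addr == "::1") next
            key = proto "/" port
            if (!(key in ok)) print "EXPOSED", key, local
        }'
}

# Constructed sample: rows adapted from the output shown in this lesson.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address       Foreign Address     State
tcp        0      0 0.0.0.0:22          0.0.0.0:*           LISTEN
tcp        0      0 127.0.0.1:25        0.0.0.0:*           LISTEN
udp        0      0 0.0.0.0:514         0.0.0.0:*
udp        0      0 0.0.0.0:111         0.0.0.0:*
udp        0      0 127.0.0.1:53        0.0.0.0:*
udp        0      0 131.193.178.198:53  0.0.0.0:*
udp        0      0 0.0.0.0:2049        0.0.0.0:*
EOF
}

# Offline demonstration on the sample; on a live Linux host use:
#   netstat -tuln | audit_listeners
sample_netstat | audit_listeners
```

On the sample, the findings are the syslog (514), portmapper (111) and NFS (2049) UDP listeners, each bound to all interfaces; the loopback-only listeners and the baseline entries are not reported.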

[1] UDP (User Datagram Protocol): A connectionless datagram service in the Transport layer used by applications that typically transmit small quantities of data.
