Please explain my netstat results

hankknight
I use CentOS 5 and Apache.

Below are the results for:
           netstat -an |grep :80


Please explain what they mean.

1.  The IP addresses that begin with 10 do not look like real IP addresses.  And when I look them up the result says: "Private".  What are they?
2.  What does CLOSE_WAIT mean?
3.  What does TIME_WAIT mean?

tcp        1      0 10.16.119.194:35086         10.0.77.54:80               CLOSE_WAIT  
tcp        1      0 10.16.119.194:35084         10.0.77.54:80               CLOSE_WAIT  
tcp        1      0 10.16.119.194:35093         10.0.77.54:80               CLOSE_WAIT  
tcp        1      0 10.16.119.194:35092         10.0.77.54:80               CLOSE_WAIT  
tcp        1      0 10.16.119.194:35091         10.0.77.54:80               CLOSE_WAIT  
tcp        1      0 10.16.119.194:35088         10.0.77.54:80               CLOSE_WAIT  
tcp        1      0 10.16.119.194:35096         10.0.77.54:80               CLOSE_WAIT  
tcp        0      0 66.222.244.146:39110        66.222.244.146:80           TIME_WAIT   
tcp        0      0 :::80                       :::*                        LISTEN      
tcp        0      0 ::ffff:66.222.147.149:80    ::ffff:66.222.147.149:56030  TIME_WAIT

Commented:
The 10. range IP addresses are a private range - so this will be the IP range of the local LAN the box is sitting on.  This is not the externally facing "internet visible" address.

There's an article here that describes the various TCP connection states:

http://support.microsoft.com/kb/137984

Normally the CLOSE-WAIT just means the connection is part way through the process of being ended.  So the question is whether all those connections to port 80 on 10.0.77.54 were closed a short while later.
Commented:
Just as a snippet of info for the future, these are the private address ranges:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

These aren't routable on the internet and hence are used by organisations for their internal networks.
Top Expert 2007
Commented:

Author

Commented:
The CLOSE_WAIT items do not go away.  Even several hours later they are still there.

How can I find out if these are good connections or malicious?  How can I trace these open connections to a script or computer?
Top Expert 2007
Commented:
Do you have lsof on your system? If yes, then you can see which process is binding to that connection.

Author

Commented:
I have lsof but it returns many pages of results.  What should I look for?
Top Expert 2007
Commented:
Try these:

lsof -i@10.16.119.194

or

lsof -i4:portno

Put the port number above.
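
Added example (not part of the original thread): a shell function that condenses `netstat -an` output into one line per remote endpoint holding CLOSE_WAIT sockets, tags the address as private or public using the ranges listed above, and marks each as inbound or outbound by checking the local port against the listening ports. The sample lines are taken from the question's listing plus one constructed inbound line (203.0.113.7 is a documentation address); the function names are assumptions.

```shell
#!/bin/sh
# Summarise CLOSE_WAIT sockets from `netstat -an` output read on stdin.
# Output per line: <count> <remote addr:port> <private|public> <inbound|outbound>
close_wait_summary() {
    awk '
    function host(ep) { sub(/:[0-9*]+$/, "", ep); sub(/^::ffff:/, "", ep); return ep }
    function port(ep) { sub(/^.*:/, "", ep); return ep }
    function scope(ip) {
        if (ip ~ /^10\./ || ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            return "private"
        return "public"
    }
    $1 ~ /^tcp/ && $6 == "LISTEN"     { listen[port($4)] = 1 }
    $1 ~ /^tcp/ && $6 == "CLOSE_WAIT" { lp[++k] = port($4); rem[k] = $5 }
    END {
        for (i = 1; i <= k; i++) {
            # Local port is a listening port: a client connected to us (inbound).
            # Otherwise a local process opened the connection (outbound).
            role = (lp[i] in listen) ? "inbound" : "outbound"
            n[rem[i] " " scope(host(rem[i])) " " role]++
        }
        for (key in n) print n[key], key
    }
    ' | sort -rn
}

# Sample input: lines from the question, plus one constructed inbound line (last).
sample_netstat() {
    cat <<'EOF'
tcp        1      0 10.16.119.194:35086         10.0.77.54:80               CLOSE_WAIT
tcp        1      0 10.16.119.194:35084         10.0.77.54:80               CLOSE_WAIT
tcp        1      0 10.16.119.194:35093         10.0.77.54:80               CLOSE_WAIT
tcp        0      0 66.222.244.146:39110        66.222.244.146:80           TIME_WAIT
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 ::ffff:66.222.147.149:80    ::ffff:66.222.147.149:56030 TIME_WAIT
tcp        1      0 10.16.119.194:80            203.0.113.7:51000           CLOSE_WAIT
EOF
}

# Demo on the sample; on a live host run: netstat -an | close_wait_summary
sample_netstat | close_wait_summary
```

A socket sits in CLOSE_WAIT when the remote side has finished sending and the local application has not yet closed its end, so an outbound entry that lingers for hours points at a local process; `lsof -i@10.0.77.54` then names it.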
