A powerful command-line tool for troubleshooting issues involving network connectivity is the netstat (network statistics) command. This command is present in Linux-based operating systems as well as being available on Windows systems.
The netstat tool allows the monitoring of both inbound and outbound connections that exist between the local host and any remote resources for which there is IP connectivity. It is also capable of providing in-depth details on overall traffic activity. This is not the extent of the information that netstat is capable of conveying but delving into this additional functionality is beyond the scope of this document. This document only serves as a succinct overview on how to use netstat for day-to-day, network connectivity troubleshooting.
Example netstat output
Below is a listing of several, handy flags that can be used with the netstat command. Please note that this is not a comprehensive catalog of all of the available netstat flags. If netstat is used without any flags it will display information on all known connections (see above screenshot). In networking parlance these connections are more commonly referred to as “sockets”.
Depending upon the OS from which you’re issuing the netstat command there will usually be either 4 columns (Windows) or 6 columns (Linux-based OS) of information displayed.
The netstat command can be quite useful in troubleshooting connectivity issues between Defenders and Console. Unlike ping or curl, netstat is a passive command used for monitoring and does not actively create connections or generate traffic of any sort.
It is possible to run netstat from within Defender or Console containers, by exec’ing into them.
$ docker exec -it <container> /bin/sh
When running netstat pay close attention to the status listed in the State column for any connections of interest. Seeing that there is an ESTABLISHED socket between a Local Address and Foreign Address is a good indication that connectivity is functioning as it should.
Example usage of netstat
Display all active TCP connections and UDP listening ports. This is accomplished by use of the “-a” flag. It displays addresses in dotted format. The “-n” flag provides an easier to understand display of IP addresses and ports. Both are displayed numerically.
netstat -an
The following example, which can be run from within the Twistlock Console or Defender containers, would provide a constantly updated display of any IPv4 TCP sockets involving port 8084. The “-anp tcp” flags provide information on all IPv4 TCP connections in numeric format, while the grep command only displays those sockets in which either the source or destination port is 8084. The watch command will update the netstat results every couple of seconds until it is manually terminated.
watch “netstat -anp tcp | grep “:8084””
To display a listing of all of the locally configured network interfaces, and their corresponding IP addresses, use the “-I” flag. At present, the “-i” flag is not supported by the version of netstat present in the Console and Defender containers. It should be possible to run this at the host level.
netstat -i
In order to display detailed protocol statistics (ie. TCP, UDP, etc.), for all network interfaces, execute netstat with the “-s” flag.
This command provides a copious amount of network traffic information regarding the local host.
At present, the “-s” flag is not supported by the version of netstat present in the Console and Defender containers.
It should be possible to run this at the host level.
netstat -s