[Courses] [Security] netstat status field
Raven, corporate courtesan
raven at oneeyedcrow.net
Mon Mar 11 12:28:02 EST 2002
Heya --
Quoth Hamster (Sat, Mar 09, 2002 at 12:36:52PM +0100):
> I noticed on a couple of entries of the output of the netstat command on my machine that the "State" field was empty.
> So I did a man netstat, to be told that that field is left empty if the protocol was UDP (well that makes sense, its a connectionless protocol) || if something is acting in raw mode.
Right. UDP doesn't have a state. (We're going to get into that
very shortly, talking about firewalls.)
> So my question is, what is raw mode, and how long does it need to be cooked for? ;-)
Raw mode is basically there to allow you to bypass some of the
way that your computer handles TCP/IP. Rather than going through the
normal layers of encapsulation/decapsulation that the TCP/IP stack on
the kernel does, you just pass the packet to the application that needs
it. No TCP/IP processing -- so it's not a processed packet, it's a raw
packet. The application that's using the packet is now responsible for
stripping off the headers, analyzing the packet, all the stuff that the
TCP/IP stack in the kernel normally does for you.
A raw socket is a socket that takes packets, bypasses the normal
TCP/IP processing, and sends them to the application that wants them.
Unless you're a programmer, a kernel hacker, or really really
into security, you will most likely not need to deal much with these.
But it's good to know what they are, in case you find yourself in one of
the above scenarios.
Good question!
Cheers,
Raven
"Sed, sed, awk. Like duck, duck, goose. Sync, sync, halt. It's the
order of nature."
-- me, after too long a day at work
More information about the Courses
mailing list