[techtalk] Netstat weirdness

Malcolm Tredinnick malcolm at commsecure.com.au
Thu Aug 17 04:40:31 EST 2000


OK, I'm responding to this particular message in the thread because it's
got all the information I need to refer to. I've read the later messages
and think I understand some of where Caity's confusion is coming from...

On Tue, Aug 15, 2000 at 05:20:31PM -0400, C. M. Martin wrote:
> eth0      Link encap:Ethernet  HWaddr 00:06:29:F5:3F:AD
>           inet addr:63.251.67.58  Bcast:63.251.67.63  Mask:255.255.255.248
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:4640 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3380 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:11

Notice the field labelled "Mask:" in the second row? This means that you
have been assigned a group of eight IP addresses where the top 29 bits
of the address are set (248 is 11111000 in binary). So, in other words,
you are on a subnet and the individual IPs of the machines on that
subnet will come from altering the last three bits of the IP address
(I'll explain how below). I assume the company you are setting this up
for has purchased a block of external IP addresses and due to the
shortage of addresses, service providers are handing them out in very
small blocks.

Now, in reality, you can only use six of those addresses because you
have the "network address" and the "broadcast address" as well. To work
out which are the network and broadcast IPs, look at the 63.251.67.58
address. Since we know the top three bytes of this address are fixed, it
will at least look like 63.251.67.x. To work out the last byte, write 58
in binary -- 00111010 -- and remember that the bottom three bits are
"yours". The network address for a subnet is when all the bits that
represent the machines on that subnet are zero. In other words, the
subnet address is 111000 in binary, or 56 in decimal!

Similarly, the broadcast address occurrs when all the bits for that
subnet are 1 -- 00111111 or 63 in decimal. This show why the field
labelled "BCast:" above has an address of 63.251.67.63.

> eth1      Link encap:Ethernet  HWaddr 00:06:29:AF:91:1E
>           inet addr:192.168.0.20  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:3325 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3078 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           Interrupt:10 Base address:0x2000

In this case, looking at the "Mask:", we see that you get to choose the
lower 8 bits of the IP address on this subnet (and the top three bytes
are 192.168.0 for this subnet). So the network address will be
192.168.0.0 and the broadcast address will be 192.168.0.255 and you can
put 254 other machines on this network. Clear as mud?

[...snip...]
> Now, look at what netstat -nr gives me:
> 
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 63.251.67.56    0.0.0.0         255.255.255.248 U         0 0          0 eth0
> 192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
> 127.0.0.0       0.0.0.0         255.0.0.0       U         0 0          0 lo
> 0.0.0.0         63.251.67.57    0.0.0.0         UG        0 0          0 eth0 
> 
> Those first two destination addresses are *wrong*.  How can netstat, which I
> believe reads directly from the kernel routing tables, get out of sync with
> ifconfig?  More importantly, how on earth do I fix this?

The first two addresses are *right*. :-)

They are saying to get to the network with address 63.251.67.56 (all of
the machines on that subnet), go out eth0. To get to the 192.168.0.x
machines, go out eth1. And the last line is saying to get to anything
else (the default route), go to the specific machine 64.251.67.57 (but I
think it was only the first two lines that were giving you grief?).

> 
> The guy I was speaking with has seen this once before, on a SuSe box,
> but can't remember how he fixed it.  Argh!

It doesn't need to be fixed. It's saying the right thing. If the network
is not working, it's for some other reason.

Hope this helps,
Malcolm

-- 
Malcolm Tredinnick            email: malcolm at commsecure.com.au
CommSecure Pty Ltd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://linuxchix.org/pipermail/techtalk/attachments/20000817/5f59afcc/attachment.pgp


More information about the Techtalk mailing list