[GLLUG] Can anyone explain this netstat output?

Chris Bell chrisbell at chrisbell.org.uk
Sun Jun 30 11:47:57 UTC 2019 

On Sunday, 30 June 2019 11:50:54 BST John Winters via GLLUG wrote:
> I've just been experimenting with Syncthing on a Raspberry Pi 4.  As
> it's headless, I had change it to listen on 0.0.0.0:8384 instead of
> 127.0.0.1:8384.
> 
> When I checked the result with netstat I got the following:
> 
> john at pi4:~ $ netstat -l
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address
> State
> tcp        0      0 0.0.0.0:ssh             0.0.0.0:*
> LISTEN
> tcp6       0      0 [::]:22000              [::]:*
> LISTEN
> tcp6       0      0 [::]:ssh                [::]:*
> LISTEN
> tcp6       0      0 [::]:8384               [::]:*                  LISTEN
> ...
> 
> I've cut out everything after the tcp stuff.
> 
> Oh drat I thought, why's it only listening for IPv6 connections?  Then I
> discovered it wasn't.  I can still connect using IPv4, even though there
> is no apparent listen.
> 
> After a bit of use, I can see this:
> 
> john at pi4:~ $ netstat -an | grep 8384
> tcp6       0      0 :::8384                 :::*
> LISTEN
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51806
> ESTABLISHED
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51814
> ESTABLISHED
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51864
> ESTABLISHED
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51810
> ESTABLISHED
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51804
> ESTABLISHED
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51812
> ESTABLISHED
> tcp6       0      0 10.3.1.40:8384          10.3.0.80:51808
> TIME_WAIT
> john at pi4:~ $
> 
> A TCP connection over IPv6 from 10.3.0.80 to 10.3.1.40?  WTF?
> 
> Is this an error in netstat, or something odd about the way Syncthing
> does its listens?
> 
> Note the entries for sshd show two listens - one for IPv4 and one for
> IPv6 which is more what I would expect.
> 
> Cheers,
> John

Hello John,
The second group specifies tcp6. One valid method to generate and display an 
IPv6 address from an IPv4 address is to include the IPv4 address complete with 
dots together with the full local prefix. Perhaps it is doing that unless an 
IPv6 address is specified,

IPv4-mapped IPv6 address	0:0:0:0:0:ffff:a.b.c.d/96
or				::ffff:a.b.c.d/96

IPv4-compatible IPv6 address are used for automatic tunneling, (being replaced 
by 6to4 tunneling)
				0:0:0:0:0:0:a.b.c.d/96
or				::a.b.c.d/96

-- 
Chris Bell
Website http://chrisbell.org.uk

More information about the GLLUG mailing list