23

I used netstat (in Windows) to view the listening ports for TCP and UDP:

I noticed that in the Foreign Address column, UDP displays *:* instead of 0.0.0.0:0. Do these two values represent the same thing? If so, then why does UDP display *:* instead of 0.0.0.0:0?

techraf
user612473
  • I believe `*:*` is IPv6 while `0.0.0.0:0` is IPv4. – LPChip Jul 01 '16 at 14:23
  • I have also noticed the following: `UDP 0.0.0.0:5355 *:*`, does that mean that data can be sent between IPv4 and IPv6? – user612473 Jul 01 '16 at 14:37
  • look here: http://security.stackexchange.com/questions/13724/what-do-the-udp-entries-in-my-netstat-output-stand-for – marsh-wiggle Jul 01 '16 at 14:37
  • the IPv6 equivalent of 0.0.0.0 is [::] – marsh-wiggle Jul 01 '16 at 14:39
  • @LPChip You are mistaken. `*:*` doesn't say anything about the IP version. However since the local address of that socket is IPv4 only, then the remote address has to be IPv4 as well. – kasperd Jul 01 '16 at 20:41
  • I cannot answer this question because it is a Windows specific question. However I strongly suspect the difference between the two is due to one socket being UDP and one being TCP. The connection oriented nature of TCP influences how sockets work. If you were to run an equivalent command on Linux, the output would be using `0.0.0.0:*` for both kinds of sockets. – kasperd Jul 01 '16 at 20:50

4 Answers

15

The / refers to the subnet netmask, which is part of the IP Layer.

The : refers to a port which is part of the Transport Layer.

For TCP it makes sense that there is a remote end for a connection.

Since UDP is connectionless, it doesn't make any sense for it to show a foreign address.

My gut feeling is that it would always show the wildcard for UDP and that it is potentially there to make parsing the output a little more friendly, or to show if you are using IPv4/6:

IPV4 "*:*" vs IPV6 "[::]:*"

Luke Exton
  • I was just saying this to some friends. You could display listening PORTS, but to display actual remote sessions when there isn't one is likely the reason why it's displayed as `*:*` for remote UDP non-existent sessions. I'm in agreement with you here. – NotAdmin Dave Jul 02 '16 at 00:40
12

It has been pointed out that my answer was in error. Since I cannot delete it, I will instead provide the correct one.

The expression *:* means "Any Address, Any port". All UDP listeners will display this signature. This is due to the connectionless nature of UDP.


Original (incorrect) answer. Yes and no. *:* refers to ANY IPv6 address. The distinction between an unknown/unspecified address is vague in IPv4, so we use 0.0.0.0/0 to represent any host on the network, but in IPv6 there is a subtle difference.

For the most part however, people use :: to represent a contiguous string of 0's.

In an IPv6 address, any sequence of contiguous zeros can be replaced with :: so:

  • 0.0.0.0/0 => 0000:0000:0000:0000:0000:0000:0000:0000 => :: => *:*
  • fe80:0000:0000:0000:2000:0aff:fea7:0f7c => fe80::2000:0aff:fea7:0f7c

The representation using wildcards however allows a finer control of address patterns. For instance, :: would not match fe80::2000:0aff:fea7:0f7c, but *:* will.

This difference isn't really meaningful to any device that isn't performing routing, but when it comes time to select optimal routes to aggregated address spaces, the wildcard notation allows more flexible selection of destination networks.

Frank Thomas
  • what would this line in `netstat -aon` be in terms of IPv4 and IPv6? `UDP 0.0.0.0:123 *:*` http://i.imgur.com/N9TOgdk.png – barlop Jul 01 '16 at 16:04
  • that there is a global IPv4 listener that will accept UDP traffic from any protocol, address, or port. – Frank Thomas Jul 01 '16 at 16:35
  • But you wrote in your answer that `*:* refers to ANY IPv6 address` Here you say `any..address` i.e. presumably IPv4 or IPv6. So which is it? Is `*:*` limiting itself to IPv6, or does it allow for IPv4 too? – barlop Jul 01 '16 at 17:11
  • Both sockets mentioned in the question are IPv4-only. You can see that from the local address assigned to each socket. As such mentioning IPv6 is not relevant to the question. – kasperd Jul 01 '16 at 20:47
  • There is a difference between `0.0.0.0:0` and `0.0.0.0/0`, isn't there? – Hagen von Eitzen Jul 01 '16 at 20:56
  • Local address is IPv4 but remote address is IPv6? How does that make sense? – Lightness Races in Orbit Jul 02 '16 at 00:01
  • IPv6 isn't relevant to this question at all. – hobbs Jul 02 '16 at 05:02
  • This answer is totally wrong for the question asked. – Brad Jul 02 '16 at 05:33
  • As [kasperd's comment](http://superuser.com/questions/1095793/does-0-0-0-00-and-represent-the-same-thing#comment-1554219) notes (and [hobbs's comment](http://superuser.com/questions/1095793/does-0-0-0-00-and-represent-the-same-thing#comment-1554377) too), IPv6 is unrelated to the question. The question is about what we see in the Foreign Address column, which corresponds to what is in the same row(s) in the Local Address column, which is IPv4. (Although, with some operating systems, listening on one address family/IP-version may typically auto-listen on another address family.) – TOOGAM Jul 02 '16 at 06:04
  • @HagenvonEitzen : Yes, absolutely. Typically, the **:** after an IP address specifies a port number (TCP, UDP, and SCTP all use port numbers). The /0 is CIDR-style notation to specify a subnet size (also known as a "prefix length" in IPv6, and translatable to and from the standard "subnet mask" notation used in IPv4). So, yes, they are definitely different things. – TOOGAM Jul 02 '16 at 06:06
7

In both cases the information is basically meaningless, but indicates more-or-less the same thing.

Your first line is a TCP listen socket. The local address column indicates the address and port that it's accepting connections on, and the remote address column means nothing because a listen socket has no remote end of the connection yet. A connected TCP socket would show the address of the other end of the connection in that column, but for a listen socket it decides to display an all-zero address and port.

Your second line is a UDP socket. UDP is a connectionless protocol, meaning that it sends and receives packets without any notion of who connected to who, whether the packet is part of an existing conversation, or whether the data just arrived out of the blue. The local address column has the same meaning as it does for TCP, and the remote address column is meaningless because a UDP socket could have one peer, many peers, or no peers at any moment. (Actually POSIX has the notion of a "connected UDP socket" but that's getting a bit far afield).

Now the question: why do they display differently? It seems to be nothing more than a quirk of the Windows netstat code. Linux (net-tools) netstat displays 0.0.0.0:* for the remote end of both TCP listen sockets and UDP sockets (for IPv4; it displays :::* for IPv6), which is different from either example on Windows, but at least it's consistent within the same program. Perhaps Windows is going for a semantic distinction between "to be filled in later" in the case of TCP and "open to anything" in the case of UDP, but just as likely the two bits of code were written by two different people with no particular concern for consistency.

hobbs
  • +1 for the start of the 4th paragraph. 0.0.0.0 has some documentation: An address of all zeros is the "unspecified" address (according to [the IPv6 Addressing RFC 4291 sec 2.5.2](https://tools.ietf.org/html/rfc4291#section-2.5.2)), often applying to unknown addresses. [RFC 1700 page 4](https://tools.ietf.org/html/rfc1700#page-4) mentions "Can only be used as a source address", and [RFC 1122#page-29](https://tools.ietf.org/html/rfc1122#page-29) section "a" describes usage further. ([my answer about :::](http://superuser.com/a/871898/401839) mentions 0.0.0.0) – TOOGAM Jul 02 '16 at 06:35
  • Doesn't the `0.0.0.0:0` value in the **Foreign Address** column mean that any IP address and port number can send data to this socket? and if this value was for example `127.0.0.0:12345`, then this means that only the IP address `127.0.0.0` with the port number `12345` can send data to this socket and no one else? – Tom Jul 02 '16 at 08:41
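
The socket state behind hobbs's answer, as an added example that is not part of the original thread: a TCP listener and an unconnected UDP socket have no remote endpoint for the kernel to report, while the "connected UDP socket" mentioned there does. It goes one step past the answer by also showing that a connected UDP socket accepts datagrams only from its recorded peer. The loopback addresses, helper names and payloads are constructed for the illustration.

```python
import errno
import socket

LOOPBACK = ("127.0.0.1", 0)  # constructed: loopback only, OS-chosen port

def peer_or_none(sock):
    """Remote endpoint the kernel holds for sock, or None when there is none."""
    try:
        return sock.getpeername()
    except OSError as exc:
        if exc.errno == errno.ENOTCONN:  # no remote end recorded
            return None
        raise

def bound_udp():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(LOOPBACK)
    s.settimeout(2)
    return s

def observe():
    out = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp, \
         bound_udp() as a, bound_udp() as b, bound_udp() as c:
        tcp.bind(LOOPBACK)
        tcp.listen(1)
        # Neither socket has a peer, so netstat can only print a placeholder.
        out["tcp_listener_peer"] = peer_or_none(tcp)
        out["udp_unconnected_peer"] = peer_or_none(a)

        # Unconnected UDP: a datagram from any sender is delivered.
        c.sendto(b"from-c", a.getsockname())
        out["unconnected_recv_from_c"] = a.recvfrom(64)[1] == c.getsockname()

        # Connected UDP: the kernel records one peer and filters on it.
        a.connect(b.getsockname())
        out["udp_connected_peer_is_b"] = peer_or_none(a) == b.getsockname()
        c.sendto(b"from-c", a.getsockname())  # not delivered to a
        b.sendto(b"from-b", a.getsockname())
        out["connected_first_datagram"] = a.recv(64)
    return out

if __name__ == "__main__":
    for key, value in observe().items():
        print(key, value)
```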
6

The difference is simply notational.

Netstat in Windows uses 0.0.0.0:0 to represent an abstract idea of "any remote address and port" for a local IPv4 TCP listener and *:* for a UDP listener. For IPv6, the remote address is denoted by [::]:0 for TCP and *:* for UDP.

In OS X, *.* is used for both TCP and UDP, whether IPv4 or IPv6 (note that OS X uses dots to separate address and port). Linux uses 0.0.0.0:* for IPv4 and :::* for IPv6, with the first two colons representing the abbreviation for all IPv6 address and the third colon the separator between the address and the port.

IIRC from something I heard or read long ago, I think UDP pairings can show up, but usually don't because they are torn down upon completion and UDP connections are usually very short, lasting milliseconds or less. I've never seen this myself, though, so it could be incorrect.

NetworkLlama
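
The notations listed in NetworkLlama's answer, normalized in one parser (an added example, not part of the original thread) so that a listener inventory treats `0.0.0.0:0`, `[::]:0`, `*:*`, `*.*`, `0.0.0.0:*` and `:::*` as the same "no remote end" placeholder. The sample lines are constructed, and the Recv-Q/Send-Q column layout assumed for the Linux and OS X lines is that of their standard netstat output.

```python
WILDCARD_HOSTS = {"0.0.0.0", "[::]", "::", "*"}
WILDCARD_PORTS = {"0", "*"}

# Constructed sample: Windows, Linux (net-tools) and OS X style lines.
SAMPLE = """\
  TCP    0.0.0.0:135          0.0.0.0:0          LISTENING
  TCP    192.168.1.10:49712   203.0.113.5:443    ESTABLISHED
  UDP    0.0.0.0:5355         *:*
  UDP    [::]:500             *:*
tcp        0      0 127.0.0.1:631     0.0.0.0:*     LISTEN
udp6       0      0 :::5353           :::*
tcp4       0      0  *.22             *.*           LISTEN
"""

def split_endpoint(token):
    """Split 'host:port' (Windows, Linux) or 'host.port' (OS X)."""
    tail = token.rpartition(":")[2]
    sep = "." if "." in tail else ":"  # OS X separates the port with a dot
    host, _, port = token.rpartition(sep)
    return host, port

def is_placeholder(foreign):
    """True when the foreign-address token only means 'no remote end'."""
    host, port = split_endpoint(foreign)
    return host in WILDCARD_HOSTS and port in WILDCARD_PORTS

def parse_line(line):
    t = line.split()
    if len(t) < 3 or not t[0].lower().startswith(("tcp", "udp")):
        return None  # header or unrelated line
    i = 3 if t[1].isdigit() else 1  # skip Recv-Q/Send-Q when present
    if len(t) < i + 2:
        return None
    host, port = split_endpoint(t[i])
    return {"proto": t[0].lower(), "host": host, "port": port,
            "placeholder": is_placeholder(t[i + 1])}

def wildcard_bound(text):
    """(proto, port) of sockets bound to all interfaces with no remote end."""
    rows = filter(None, map(parse_line, text.splitlines()))
    return [(r["proto"], r["port"]) for r in rows
            if r["placeholder"] and r["host"] in WILDCARD_HOSTS]

if __name__ == "__main__":
    print(wildcard_bound(SAMPLE))
```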