SANS Digital Forensics and Incident Response Blog: Tag - netstat

When "Redundant" Yields Different Results

by Hal Pomeranz, Deer Run Associates

One question that often comes up when I'm talking about Digital Forensics in SANS Sec506 is, "There are so many ways to get at the same data on a Linux/Unix system, which method should we choose?" My response is, "All of them." And then I show them this little example to explain why.

Let's take the case of active network connections on the system. There are all sorts of ways to get at this data, including "lsof" and "netstat":

# lsof -i :22
# netstat -anp | grep :22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 172.1.1.136:22 172.1.1.1:39967 ESTABLISHED -
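The comparison above can be turned into a repeatable check. The script below is an added example, not code from the post or from SANS: it parses saved netstat -anp and lsof -nP -i output (the real flags for numeric, unresolved output), lists the TCP ports netstat reports that lsof does not, and flags sockets netstat could not attribute to a PID (the "-" column). The two outputs embedded in the script are constructed samples modelled on the post, with an extra port 80 line added so the comparison has something to agree on; on a live system you would capture the tools' output to files and pass it in instead.

```shell
#!/bin/sh
# Added example: cross-check netstat against lsof for the same TCP sockets.
# Live capture (not run here):  netstat -anp > ns.txt ; lsof -nP -i > lsof.txt
# Any port present in netstat but absent from lsof, or any socket netstat shows
# with "-" in the PID/Program name column, is a discrepancy worth a closer look.

# Constructed sample of `netstat -anp` output, modelled on the post.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 172.1.1.136:22          172.1.1.1:39967         ESTABLISHED -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd'

# Constructed sample of `lsof -nP -i` output: only the web server is visible.
LSOF_SAMPLE='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   1234 root    4u  IPv4  12345      0t0  TCP *:80 (LISTEN)'

# netstat_ports NETSTAT_TEXT: local TCP ports netstat reports, one per line, unique.
# The local address is field 4; the port is whatever follows the last colon
# (this also handles IPv6 addresses such as :::22).
netstat_ports() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^tcp/ { n = split($4, a, ":"); print a[n] }' |
        sort -un
}

# lsof_ports LSOF_TEXT: local TCP/UDP ports lsof reports, one per line, unique.
# The NAME column (field 9) looks like "*:80" or "172.1.1.136:22->172.1.1.1:39967";
# we take the local side before "->" and the port after its last colon.
lsof_ports() {
    printf '%s\n' "$1" |
        awk '$5 == "IPv4" || $5 == "IPv6" {
                 split($9, side, "->"); n = split(side[1], a, ":"); print a[n] }' |
        sort -un
}

# ports_missing_from_lsof NETSTAT_TEXT LSOF_TEXT: ports netstat sees but lsof does not.
ports_missing_from_lsof() {
    ns_ports=$(netstat_ports "$1")
    lsof_list=$(lsof_ports "$2")
    printf '%s\n' "$ns_ports" |
        awk -v seen="$lsof_list" '
            BEGIN { n = split(seen, a, "\n"); for (i = 1; i <= n; i++) have[a[i]] = 1 }
            $1 != "" && !($1 in have) { print }'
}

# netstat_unowned NETSTAT_TEXT: local addresses of TCP sockets whose PID column is "-".
netstat_unowned() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $NF == "-" { print $4 }'
}

# Demo run over the constructed samples.
echo "Ports in netstat but not in lsof:"
ports_missing_from_lsof "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"
echo "netstat sockets with no PID attributed:"
netstat_unowned "$NETSTAT_SAMPLE"
```

Both tools draw on the same kernel state, so on a healthy system the first list is empty and the second is empty when run as root. A non-empty result does not by itself say why (privilege, a race between the two captures, or something deliberately hidden), but it tells you exactly which sockets to pull a third view of, for example from /proc/net/tcp.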

This is definitely a

...