michael_kent123 Posted February 20, 2013 Share Posted February 20, 2013 I have never been able to understand what 0.0.0.0 means? How does it differ from 127.0.0.1? Please do not be too technical! Thanks! Quote Link to comment Share on other sites More sharing options...
no42 Posted February 20, 2013 Share Posted February 20, 2013 (edited) It means all interfaces so if you IP is 10.1.1.1 on eth0, and 192.168.1.1 on wlan0 your service appears on 10.1.1.1 (eth0),192.168.1.1(wlan0) & 127.0.0.1(localhost) Edited February 20, 2013 by midnitesnake Quote Link to comment Share on other sites More sharing options...
ApacheTech Consultancy Posted February 20, 2013 Share Posted February 20, 2013 (edited) 0.0.0.0 is used in a few different ways; but first of all, it may be important to understand what 127.0.0.1 is. 127.0.0.1 is a loopback IP address to the computers own NIC. It's the address you use when you want to contact yourself. It is important to have this ability so that networkable components do not fail automatically when used on a stand alone computer. It is often known as localhost. Locally hosted TCP/UDP/HTTP/FTP or any other network or transport layer protocols (which use routed packets rather than frames) will use this address. When on a LAN, 127.0.0.1 works in much the same way as connecting to your own, allocated Local IP address, say 192.168.1.254. The key difference though is that when connecting to 127.0.0.1, the traffic never touches the LAN, as it would connecting to 192.168.1.254. 0.0.0.0 can be seen initially as a default IP address. It is the IP that is used by a computer that has not yet been allocated an IP by a DHCP server, but is associated with a network. It is also the address that a computer uses is a DHCP allocation fails. In this case it is used as a fallback, or a promise of an IP in the future. Because 0.0.0.0 is an unroutable address, multiple computers can have the same IP and will receive broadcast and probe packets, but they do not yet have a place on the network. The other way in which 0.0.0.0 is used is as a mask to mean "any IPv4 address". This is essentially a blanket "listen" request for all IPs. Think of it as an inbound version of 255.255.255.255. Edited February 20, 2013 by ApacheTech Consultancy Quote Link to comment Share on other sites More sharing options...
ApacheTech Consultancy Posted February 25, 2013 Share Posted February 25, 2013 One thing that a lot of people don't realise is that 127.0.0.1 is only one address in a range of addresses that can be used as a loopback address. If you have XAMPP or anything you can call localhost to, try typing in 127.0.0.254, or any number from 1-254 in the last octet. It will yield the same result as 127.0.0.1. :D Some exploits ...erm... exploit this fact by referring to 127.0.0.x with a random value from 2-254 to remain unseen by docile AVs and poorly tuned firewalls that only scan the default 127.0.0.1. Quote Link to comment Share on other sites More sharing options...
joey-world Posted March 11, 2013 Share Posted March 11, 2013 The 0.0.0.0 ip address is allocated when you don't have an IP address setup. This is not complete true since windows actually has a pre-setup IP in case the DHCP fails, it will allocate you a random generated IP address that would be used as "backup IP" The IP address in windows would look some think like this IP address 169.254.23.47Subnet Mask 255.255.0.0default gateway [blank] anyways in the Networking Science an IP address like this 0.0.0.0 Translates to any valid IP address in the network. As opposite difference between the loopback 127.0.0.1, the loopback will ping (or whatever you want to do with the loopback) will use your local device IP, independently whether you have an IP or not. for an instance: if you have the IP 192.168.1.2 the loopback 127.0.0.1 will ping the IP 192.168.1.2 If we were to use 0.0.0.0 instead, actually will look up for every IP in the network (depending of what are you doing) so If you have a class C IP will lookup for every IP as the example follows: 192.168.1.0/24 network Up devices = 192.168.1.1, 192.168.1.2, 192.168.1.2, etc It will ping every address being in use. Technically would be like a broadcast address. In the Class C network scheme would be the broadcast address 192.168.1.255 Hope this helps. Best Regards joey-world Network Systems Administrator Quote Link to comment Share on other sites More sharing options...
digip Posted March 12, 2013 Share Posted March 12, 2013 (edited) 0.0.0.0 is also a listening address used in routing for all nics and ethernet ports. Think of it like an interconnect for all traffic. Type: route print and you will see its part of your routing table, and if you run tools such as TCPview in windows, you can see what ports your system are listening on, and the IP is almost always going to be 0.0.0.0. If its anything other than this, its either an established connection already in progress, or another services in use. Its also a good way to find rouge route entries and DNS hijacks be monitoring non standard IP's setup like mentioned above for local host. Always be sure to lock down the hosts file, on both windows and linux, and periodically check your local systems routing table, in the event your route suddenly starts routing through some 3rd party. Netstat is another good one to use for monitoring connections and works on both windows and linux, I just like the GUI control of TCPview, and when run as administrator, can close connections and end processes if working on a persons system with malware, you can end the process and close the socket(windows only tool though). Edited March 12, 2013 by digip Quote Link to comment Share on other sites More sharing options...
logicalconfusion Posted June 6, 2013 Share Posted June 6, 2013 @digip I just run netstat -ant | less and noticed a few open ports. It looks like the system is waiting for a connection or possibly running a daemon on some ports - 53, 631, 52931. How can I figure out the name of the application that opened the port and more importantly close the port? I know TCPview can close connections on Windows. Whats the best way to monitor and admin network connections on Linux? The default Ubuntu apps seem kind of primitive, imo. Quote Link to comment Share on other sites More sharing options...
digip Posted June 6, 2013 Share Posted June 6, 2013 (edited) @digip I just run netstat -ant | less and noticed a few open ports. It looks like the system is waiting for a connection or possibly running a daemon on some ports - 53, 631, 52931. How can I figure out the name of the application that opened the port and more importantly close the port? I know TCPview can close connections on Windows. Whats the best way to monitor and admin network connections on Linux? The default Ubuntu apps seem kind of primitive, imo.Know what the ports are for first, since they are services. 53, leave open if you want DNS to work. 631 listening may be uBuntu specific, but check the iana known ports list since its under port 1024. Anything over that, could be anything, but there are other switches in netstat to show the programs and inodes things are tied to under linux to show which programs are using which ports as well as another command I can't think of but I think its lsof or such, that can also show ports and socket connections and the program in use with it. http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml To close sockets or ports, you would either close the program or end the service that uses it, or firewall shut/block traffic on those ports. http://en.wikipedia.org/wiki/Lsof Edited June 6, 2013 by digip Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.