Could you help me understand netstat output?



I am trying to figure out how to get the IP of a suspicious access point I am using to access the internet. Running netstat, I get the following:

$ netstat -rn
Routing tables

Destination        Gateway            Flags        Refs      Use   Netif Expire
default            XX.100.43.65       UGSc           24        0     en1
YYY.37.129/24      link#8             UC              2        0   vnic1
YYY.37.129.2       0:1c:42:0:0:9      UHLWI           1        1     lo0
YYY.37.129.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       15   vnic1
YYY.211.55/24      link#7             UC              2        0   vnic0
YYY.211.55.2       0:1c:42:0:0:8      UHLWI           0        1     lo0
YYY.211.55.255     ff:ff:ff:ff:ff:ff  UHLWbI          0       14   vnic0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH              0   410025     lo0
169.254            link#5             UCS             0        0     en1
XX.100.43.64/26    link#5             UCS             2        0     en1
XX.100.43.65       0:4:28:f2:60:0     UHLWI          24        0     en1   1198
XX.100.43.70       127.0.0.1          UHS             0        0     lo0
XX.100.43.127      ff:ff:ff:ff:ff:ff  UHLWbI          0       12     en1


  1. XX.100.43.65 (or for short IP.65) is the ISP's router
  2. IP.70 is me (static address)
  3. IP.127 - I don't know whose it is; no ports are open. It disappears from time to time.

Is the AP's data in there, and what is IP.127, considering its flags and gateway?


Posted 2010-09-04T11:19:51.920

Reputation: 63



If IP.65 (I'm assuming that's a public address, i.e. it doesn't start with 10., 192.168., or 172.16-31.) is the ISP's router, that means the base station is in bridge mode (i.e. it's just passing packets without getting involved at the IP layer), and its IP address isn't going to be terribly easy to find. If it has an address assigned in the local subnet range (which isn't needed in bridge mode), you can find it by probing all IPs and looking for its hardware address.

for ip in XX.100.43.{65..126}; do ping -c1 -W1 "$ip" & done   # one probe per host address in the /26, in parallel; this fills the ARP cache

give that a few seconds to finish (it'll give lots of incoherent output; just ignore it), then hit return to get a new prompt, and run:

arp -an | grep -v incomplete

Now find the base station's hardware address by Option-clicking the AirPort icon in the menu bar; it'll be listed as the "BSSID". Look for that address in the arp listing; if it's there, it'll be preceded by the station's IP address in parentheses. If it's not there, the base station doesn't have an IP in the local range, which is totally possible.

BTW, IP.127 is the broadcast address for the local subnet; that's why it's listed with a "gateway" of ff:ff:ff:ff:ff:ff (the ethernet broadcast address).

Gordon Davisson

Posted 2010-09-04T11:19:51.920

Reputation: 28 538
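The lookup described in the answer above, as an added example (not code from the original post or from its author). One practical snag when you do this by hand: macOS `arp -an` prints hardware addresses with leading zeros dropped (`0:4:28:f2:60:0`), while the BSSID shown in the menu bar is zero-padded and often upper-case (`00:04:28:F2:60:00`), so a naive `grep` for the BSSID can miss a real match. The script normalises both forms before comparing, skips `(incomplete)` entries, and also computes the broadcast address of a prefix so you can confirm for yourself why IP.127 is the broadcast of a /26. The ARP lines and the BSSID are constructed sample data in the 203.0.113.0/24 documentation range; the real run would be `arp -an | ip_for_mac "$BSSID"`.

```shell
#!/bin/sh
# Added example: match an AirPort BSSID against the ARP cache and check the
# broadcast address of a subnet. Sample data below is constructed.

# Normalise a MAC address to lower-case, zero-padded octets, so the
# `arp -an` form (0:4:28:f2:60:0) compares equal to the menu-bar form
# (00:04:28:F2:60:00).
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: -v OFS=: '{
        for (i = 1; i <= NF; i++) if (length($i) == 1) $i = "0" $i
        print
    }'
}

# Read `arp -an` output on stdin and print the IP address (the part in
# parentheses) of the entry whose MAC matches $1. Returns 1 if absent.
ip_for_mac() {
    target=$(norm_mac "$1")
    while read -r line; do
        case $line in
            *incomplete*) continue ;;   # unresolved entries carry no MAC
        esac
        # arp -an line: "? (203.0.113.65) at 0:4:28:f2:60:0 on en1 [ethernet]"
        mac=$(printf '%s\n' "$line" | awk '{ for (i = 1; i < NF; i++) if ($i == "at") print $(i + 1) }')
        [ -n "$mac" ] || continue
        if [ "$(norm_mac "$mac")" = "$target" ]; then
            printf '%s\n' "$line" | sed 's/^[^(]*(\([^)]*\)).*/\1/'
            return 0
        fi
    done
    return 1
}

# Broadcast address of the network containing IP $1 with prefix length $2,
# in POSIX sh arithmetic: set every host bit to 1.
broadcast_of() {
    plen=$2
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    bcast=$(( n | ((1 << (32 - plen)) - 1) ))
    printf '%d.%d.%d.%d\n' $(( (bcast >> 24) & 255 )) $(( (bcast >> 16) & 255 )) \
        $(( (bcast >> 8) & 255 )) $(( bcast & 255 ))
}

# Constructed stand-in for `arp -an` after the ping sweep.
SAMPLE_ARP='? (203.0.113.65) at 0:4:28:f2:60:0 on en1 [ethernet]
? (203.0.113.100) at (incomplete) on en1 [ethernet]
? (203.0.113.127) at ff:ff:ff:ff:ff:ff on en1 [ethernet]'

bssid='00:04:28:F2:60:00'   # constructed BSSID, as the menu bar would show it
printf '%s\n' "$SAMPLE_ARP" | ip_for_mac "$bssid" || echo "BSSID not in ARP cache"
broadcast_of 203.0.113.70 26   # host .70 in a /26 -> broadcast .127
```

Only a match inside the local /26 is meaningful here: if the BSSID never shows up after the sweep, the bridge has no address in that range, exactly the case the answer allows for.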