by Matthias Langer

If you have been working with netstat on GNU/Linux for some time you’ve probably already noticed, that more often than not, applications that actually are used exclusively or almost exclusively via IPv4, show up as if we were using IPv6. A typical example is the Squid Proxy on xx.xxx.xx.xxx:3128 below:

$ netstat -tn Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 xx.xxx.xx.xxx:22 yyy.yyy.yyy.yy:56542 ESTABLISHED tcp6 0 0 xx.xxx.xx.xxx:3128 yyy.yyy.yyy.yy:3134 ESTABLISHED $ netstat -tn Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 xx.xxx.xx.xxx:22 yyy.yyy.yyy.yy:56542 ESTABLISHED tcp6 0 0 xx.xxx.xx.xxx:3128 yyy.yyy.yyy.yy:3134 ESTABLISHED

With xx.xxx.xx.xxx and yyy.yyy.yyy.yy being IPv4 addresses, two questions arise:

Why are IPv4 connections tagged with tcp6 by netstat? What makes the SSH connection to xx.xxx.xx.xxx:22 different?



To answer these questions we have to make a brief excursion to the Linux Socket API. Using the socket() function we can either create

a plain old IPv4 socket,

an IPv6 socket,

or a dual mode IPv6 socket.

Dual mode IPv6 sockets handle IPv4 connections using IPv4-Mapped IPv6 Addresses. Unfortunately, at least on Linux, there seems to be no clean way to distinguish pure IPv6 from dual mode IPv6 sockets for outside programs. They both show up in /proc/net/tcp6 , where netstat finds them and displays them accordingly. The status of plain old IPv4 sockets on the other hand, is made available to user space via /proc/net/tcp .

Using this information our two questions are easily answered:

Information related to dual mode IPv6 sockets, as they are used by Squid, is tagged with tcp6. Information related to plain old IPv4 sockets, like the SSH connection above, is tagged with tcp.