What is ::: in the Local Address of netstat output?

This is the output of netstat -tulpn that I get:

tcp        0      0 127.0.0.1:2208              0.0.0.0:*                   LISTEN      2055/hpiod
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2077/cupsd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2138/sendmail: acce
tcp        0      0 127.0.0.1:2207              0.0.0.0:*                   LISTEN      2060/python
tcp        0      0 0.0.0.0:735                 0.0.0.0:*                   LISTEN      1825/rpc.statd
tcp        0      0 :::111                      :::*                        LISTEN      1781/rpcbind
tcp        0      0 :::80                       :::*                        LISTEN      2624/httpd
tcp        0      0 :::22                       :::*                        LISTEN      2096/sshd
udp        0      0 0.0.0.0:32768               0.0.0.0:*                               2398/avahi-daemon:
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1581/dhclient
udp        0      0 0.0.0.0:729                 0.0.0.0:*                               1825/rpc.statd
udp        0      0 0.0.0.0:732                 0.0.0.0:*                               1825/rpc.statd
udp        0      0 0.0.0.0:5353                0.0.0.0:*                               2398/avahi-daemon:
udp        0      0 0.0.0.0:631                 0.0.0.0:*                               2077/cupsd
udp        0      0 :::32769                    :::*                                    2398/avahi-daemon:
udp        0      0 :::684                      :::*                                    1781/rpcbind
udp        0      0 :::5353                     :::*                                    2398/avahi-daemon:
udp        0      0 :::111                      :::*                                    1781/rpcbind

I'm curious to know: what does ::: in Local Address mean? And what is 0.0.0.0:* and :::* in Foreign Address?


As many of the other answers mention, :: represents all zeros, and then netstat may show a colon after an address, so then you get three colons.

What I didn't see in any of these answers is a response to the question about what that really means (in this case).

In the case of netstat, :: (in IPv6) or 0.0.0.0 (in IPv4) basically means "any".
So, the software is listening on TCP port 80 (the HTTP port) on any of the addresses.

If you have multiple network card interfaces (which you do, as I'll explain in a moment), it is possible for you to listen on only a specific address. For example, with some software, you could do something like make your HTTP server listen on a network card that uses wired Ethernet, but not respond to a network card that uses wireless networking. If you did that, then your computer might do something like listen on IPv4 192.0.2.100:80 (or IPv6 2001:db8:abcd::1234:80).

But, since you're listening to ":::80", your computer isn't listening for port 80 traffic on just one incoming IP address, you're listening for port 80 traffic on any IPv6 address.

Why would you ever want to be picky about which interface you're listening on? Well, one way I've used this capability, sometimes, is to have a computer listen to the loopback interface. (Remember when I said you have multiple network card interfaces... this is one reason I said that. I'm guessing you have a real physical network connection, and that you also have a loopback interface. That is the most typical setup for most types of computers these days.) I do that with SSH tunneling. Then I can do something like make a local VNC viewer connect to the local end of an SSH tunnel. By having the SSH tunnel listen on the loopback interface, I don't need to worry that the SSH tunnel might listen to traffic that comes in from one of the physical network interfaces. So, the SSH tunnel will only see network traffic which comes from my computer.

In some cases, 0.0.0.0 or :: basically means the "unspecified" address, as specified by RFC 4291 section 2.5.2 which says "It indicates the absence of an address." I've sometimes seen this when software tries to refer to an "invalid" address (like if a computer does not have an address assigned, perhaps), where there is no specific address to display. However, in this case, the :: or 0.0.0.0 refers to an "unknown" address. That is why all of the LISTENING ports show as "unknown". For an established connection, you know who the remote end is, because you are communicating with them. For a "LISTENING" connection, you're listening for brand new conversations. That traffic could come from, well, possibly anywhere in the world. Incoming traffic could come from any address. And, the way that netstat displays that is to specify an address of all zeros. Since there is no specific address to use, the "unspecified" address seems quite appropriate.

I'll just wrap up by noting that having software listen on all network interfaces is a very common thing. Some software can be configured to listen to only a specific Internet address, or maybe a specific network card. And that can be a bit more secure, because then the software is not listening where no valid traffic is expected. That might limit an ability to attack. However, a lot of software does not have such an option, or such an option is somewhat buried/hidden. So, listening on all network cards is not a super terrible thing. It's quite common. And, if you want to prevent software from receiving traffic on a specific network port, there are other ways to accomplish that, including blocking unwanted traffic with a firewall. If you do that, the firewall may block the traffic, but the (web) server might still listen for traffic on that network interface. In that case, the server will never get traffic on that interface, but netstat will still report that the server is listening (for that traffic that won't ever reach that server). Seeing netstat report that server software is listening on all interfaces is very common, and so it is not something to be particularly alarmed about.

Lastly, I will mention that this question, and this answer, are not Linux-specific. (I'm mentioning this because I do see the "Linux" tag on this question.) The command line parameters shown, and the example output shown, might have come from Linux, and different operating systems might display things slightly differently. However, about the topic of :: and 0.0.0.0, the way that netstat works in this regard is identical on a machine running BSD or Microsoft Windows (and presumably many other systems).


As others said, it's the natural IPv6 notation for this context.

Let's cite and interpret the relevant standards:

:::* == 0000.0000.0000.0000.0000.0000.0000.0000:*

https://www.rfc-editor.org/rfc/rfc5952#section-4 says that the canonical (not just a possible shorthand) IPv6 addresses are:

  • written in hex with the characters a-f lowercase.
  • grouped every 2 bytes by :
  • leading 0's MUST be removed. 0000 becomes 0.
  • the longest sequence of :0:0:0: MUST be converted to ::. Can only be done once, or would lead to ambiguity.

So :::* means:

  • 0000:0000:0000:0000:0000:0000:0000 on any port (:*)
  • == 0:0:0:0:0:0:0 (trailing 0 removal)
  • == :: (consecutive zero contraction)

0000.0000.0000.0000.0000.0000.0000.0000:* == unspecified address

https://www.rfc-editor.org/rfc/rfc4291#section-2.5.2 defines the "unspecified address":

The address 0:0:0:0:0:0:0:0 is called the unspecified address. It must never be assigned to any node. It indicates the absence of an address. One example of its use is in the Source Address field of any IPv6 packets sent by an initializing host before it has learned its own address.

The unspecified address must not be used as the destination address of IPv6 packets or in IPv6 Routing headers. An IPv6 packet with a source address of unspecified must never be forwarded by an IPv6 router.

which makes it a good choice for a N/A column like in this case.

So :: is not localhost, which the same document says is at ::1.

On netstat 1.60, the protocols on the output read tcp6 and udp6 for IPv6, which show better what is going on, e.g.:

tcp6       0      0 :::22                   :::*                    LISTEN      1201/sshd
udp6       0      0 :::5353                 :::*                                1449/avahi-daemon:

See also:

  • analogous for IPv4: The meaning of port 0 in netstat output
  • closely related: https://serverfault.com/questions/444554/what-does-mean-as-an-ip-address-bracket-colon-colon-bracket
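
An added example, not part of the answers above: a small Python parser for the netstat -tulpn format shown in the question. It splits each Local Address on its last colon (so :::80 yields address :: and port 80) and labels every listener as bound to all interfaces, loopback only, or a single address. The function names and the ::1 and 192.0.2.100 sample rows are constructed for illustration.

```python
import ipaddress

# Sample rows in the question's format; the ::1 and 192.0.2.100 rows are constructed.
SAMPLE = """\
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN      2077/cupsd
tcp        0      0 0.0.0.0:735                 0.0.0.0:*                   LISTEN      1825/rpc.statd
tcp        0      0 :::80                       :::*                        LISTEN      2624/httpd
tcp6       0      0 ::1:6010                    :::*                        LISTEN      3001/sshd
tcp        0      0 192.0.2.100:8080            0.0.0.0:*                   LISTEN      3100/httpd
udp        0      0 :::5353                     :::*                                    2398/avahi-daemon:
"""

def split_endpoint(endpoint):
    """Split 'addr:port' on the LAST colon, so ':::80' -> ('::', '80')."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def scope(host):
    """Classify a bind address by how much of the machine it exposes."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:   # 0.0.0.0 or :: means "any" local address
        return "all-interfaces"
    if addr.is_loopback:      # 127.0.0.0/8 or ::1, reachable only locally
        return "loopback-only"
    return "single-address"

def listeners(netstat_text):
    """Return (proto, address, port, scope, program) for each socket row."""
    rows = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith(("tcp", "udp")):
            continue  # skip headers and blank lines
        host, port = split_endpoint(f[3])
        rest = f[5:]
        # The State column is empty for unconnected UDP sockets.
        if "/" not in rest[0] and rest[0] != "-":
            rest = rest[1:]
        program = " ".join(rest).partition("/")[2] or "-"
        rows.append((f[0], host, int(port), scope(host), program))
    return rows

if __name__ == "__main__":
    for proto, host, port, where, program in listeners(SAMPLE):
        print(f"{proto:5} {port:<6} {where:15} {host:15} {program}")
```

Rows labelled all-interfaces are the ones to compare against firewall rules, since the socket accepts traffic arriving on any local address.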

It refers to the IPv6 address. In IPv6 we can condense a sequence of 0's using the :: modifier.

For example,

0:0:0:0:0:0:0:1

can be written as

::1

But there are specific rules to be followed in this regard which you can look up on any IPv6 tutorial.