While trying to generate some test traffic on my loopback interface, I noticed there was so much noise there that the output from Wireshark was essentially useless, with tons of SYN/RST, ACK packets on port 4101 (which some Googling suggests has to do with braille services? I'm not aware that I'm running anything remotely related to that, but, then again, this is Ubuntu we're talking about).
ggoncalves@inspiron:~$ sudo netstat -tlpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      4776/dnsmasq
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      2626/systemd-resolv
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      11501/cupsd
tcp        0      0 0.0.0.0:53127           0.0.0.0:*               LISTEN      6789/transmission-g
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      2626/systemd-resolv
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      2625/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      11501/cupsd
tcp6       0      0 :::53127                :::*                    LISTEN      6789/transmission-g
tcp6       0      0 :::5355                 :::*                    LISTEN      2626/systemd-resolv
tcp6       0      0 :::2222                 :::*                    LISTEN      2625/sshd
ggoncalves@inspiron:~$
Is this normal? Why wouldn't this service show up on netstat? This traffic looks absolutely useless, so I'd like to disable it if possible.
Best Answer
The SYN/RST indicates that the port is closed, so the application then closes the connection, which means that it would be visible in netstat for only a fraction of a second.
You can try to drop the SYN of this traffic with the following iptables rule:
You should then be able to see with netstat which application is generating this traffic, as it will stay in the "SYN sent" state for a while.
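An added example, not part of the original answer: once the connection attempt lingers in the "SYN sent" state, the same lookup netstat performs can be done directly from /proc, matching the socket's inode to the process that owns it. The function names and the sample table are constructed for illustration, and only IPv4 sockets are handled.

```python
import os
import socket
import struct

SYN_SENT = "02"  # state code the kernel prints in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from the asker's machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 3500007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   101        0 23456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:C350 0100007F:1005 02 00000001:00000000 01:00000064 00000001  1000        0 98765 2 0000000000000000 100 0 0 10 -1
"""

def decode_addr(hexaddr):
    """'0100007F:1005' -> ('127.0.0.1', 4101); the IPv4 part is little-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def syn_sent_sockets(table, dport):
    """Return [(local, remote, inode)] for IPv4 sockets stuck in SYN_SENT towards dport."""
    hits = []
    for line in table.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) >= 10 and f[3] == SYN_SENT and decode_addr(f[2])[1] == dport:
            hits.append((decode_addr(f[1]), decode_addr(f[2]), int(f[9])))
    return hits

def owner_of_inode(inode, proc="/proc"):
    """Return (pid, comm) of the process holding the socket inode, or None.
    Needs root to inspect other users' processes."""
    target = f"socket:[{inode}]"
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            fd_dir = os.path.join(proc, pid, "fd")
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    with open(os.path.join(proc, pid, "comm")) as fh:
                        return int(pid), fh.read().strip()
        except OSError:  # process exited or permission denied
            continue
    return None

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # IPv4 only; /proc/net/tcp6 uses wider addresses
        for local, remote, inode in syn_sent_sockets(fh.read(), 4101):
            print(local, "->", remote, "owner:", owner_of_inode(inode))
```

Run it in a loop as root while the traffic is occurring; a hit names the PID and command behind the connection attempts to port 4101.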