Understanding [::] in netstat Output: IPv6 Wildcard Address Explained for Developers


2 views

When you run netstat on Linux/Unix systems, you might encounter entries like:

[::]:ssh                [::]:*                  LISTEN

The [::] notation represents the IPv6 wildcard address (equivalent to 0.0.0.0 in IPv4). It indicates that the service is listening on all available IPv6 interfaces.

In IPv6:

  • :: is the compressed form of 0000:0000:0000:0000:0000:0000:0000:0000
  • When enclosed in brackets [::], it represents the wildcard address
  • The colon after the brackets ([::]:) separates the address from the port number

Here's how to check listening ports with netstat:

netstat -tulnp | grep '\['

Sample output showing IPv6 listening sockets:

tcp6       0      0 [::]:http               [::]:*                  LISTEN      1234/nginx
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      5678/sshd

When writing network applications, you might need to handle IPv6 wildcard addresses. Here's a Python example:

import socket

# Create IPv6 TCP socket
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)

# Bind to all IPv6 interfaces
s.bind(('::', 8080))
print("Listening on [::]:8080")

You'll typically see [::] in these cases:

  • Services configured to listen on all interfaces (IPv4 and IPv6)
  • When IPv6 is enabled but no specific address is bound
  • In dual-stack implementations where IPv6 is preferred

If you need to verify IPv6 connectivity:

# Check IPv6 routes
ip -6 route

# Test connectivity
ping6 ::1

# Check firewall rules for IPv6
ip6tables -L

Binding to [::] means your service is accessible from:

  • All network interfaces
  • Both IPv4 and IPv6 (via IPv4-mapped addresses)
  • Consider restricting binding to specific interfaces when possible

When examining netstat output, you'll often encounter [::] as part of socket information. This notation represents IPv6's wildcard address, equivalent to 0.0.0.0 in IPv4. It indicates the service is listening on all available IPv6 interfaces.

Consider this output line:

[::]:ssh                [::]:*                  LISTEN

Here's what each component means:

  • [::]:ssh - The service is listening on port 22 (SSH) across all IPv6 interfaces
  • [::]:* - Accepting connections from any remote IPv6 address
  • LISTEN - Current socket state

When programming network applications, understanding these notations is crucial:

// Python example checking listening ports
import socket

def check_ipv6_listening():
    for port in [22, 80, 443]:
        sock = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
        result = sock.connect_ex(('::1', port))
        if result == 0:
            print(f"Port {port} is listening on IPv6")
        sock.close()

Here's how equivalent configurations appear:

Address Type Wildcard Notation Example
IPv4 0.0.0.0 0.0.0.0:80
IPv6 :: [::]:80

The brackets around :: are necessary because the colon is also used for port separation. In configuration files, you might see variations:

# Apache configuration example
Listen [::]:80
Listen 0.0.0.0:80

When debugging, combine netstat with other tools for complete information:

$ netstat -tulnp | grep '$$::$$'
$ ss -tulnp | grep -i ssh
$ lsof -i -P -n | grep LISTEN