As many of the other answers mention, :: represents all zeros, and then netstat may show a colon after an address, so then you get three colons.
What I didn’t see in any of these answers is a response to the question about what that really means (in this case).
In the case of netstat, :: (in IPv6) or 0.0.0.0 (in IPv4) basically means “any”.
So, the software is listening on TCP port 80 (the HTTP port) on any of the addresses.
If you have multiple network card interfaces (which you do, as I’ll explain in a moment), it is possible for you to listen on only a specific address. For example, with some software, you could do something like make your HTTP server listen on a network card that uses wired Ethernet, but not respond to a network card that uses wireless networking. If you did that, then your computer might do something like listen on IPv4 192.0.2.100:80 (or IPv6 2001:db8:abcd::1234:80).
But, since you’re listening to “:::80”, your computer isn’t listening for port 80 traffic on just one incoming IP address, you’re listening for port 80 traffic on any IPv6 address.
Why would you ever want to be picky about which interface you’re listening on? Well, one way I’ve used this capability, sometimes, is to have a computer listen to the loopback interface. (Remember when I said you have multiple network card interfaces… this is one reason I said that. I’m guessing you have a real physical network connection, and that you also have a loopback interface. That is the most typical setup for most types of computers these days.) I do that with SSH tunneling. Then I can do something like make a local VNC viewer connect to the local end of an SSH tunnel. By having the SSH tunnel listen on the loopback interface, I don’t need to worry that the SSH tunnel might listen to traffic that comes in from one of the physical network interfaces. So, the SSH tunnel will only see network traffic which comes from my computer.
In some cases, 0.0.0.0 or :: basically means the “unspecified” address, as specified by RFC 4291 section 2.5.2 which says “It indicates the absence of an address.” I’ve sometimes seen this when software tries to refer to an “invalid” address (like if a computer does not have an address assigned, perhaps), where there is no specific address to display. However, in this case, the :: or 0.0.0.0 refers to an “unknown” address. That is why all of the LISTENING ports show as “unknown”. For an established connection, you know who the remote end is, because you are communicating with them. For a “LISTENING” connection, you’re listening for brand new conversations. That traffic could come from, well, possibly anywhere in the world. Incoming traffic could come from any address. And, the way that netstat displays that is to specify an address of all zeros. Since there is no specific address to use, the “unspecified” address seems quite appropriate.
I’ll just wrap up by noting that having software listen on all network interfaces is a very common thing. Some software can be configured to listen to only a specific Internet address, or maybe a specific network card. And that can be a bit more secure, because then the software is not listening where no valid traffic is expected. That might limit an ability to attack. However, a lot of software does not have such an option, or such an option is somewhat buried/hidden. So, listening on all network cards is not a super terrible thing. It’s quite common. And, if you want to prevent software from receiving traffic on a specific network port, there are other ways to accomplish that, including blocking unwanted traffic with a firewall. If you do that, the firewall may block the traffic, but the (web) server might still listen for traffic on that network interface. In that case, the server will never get traffic on that interface, but netstat will still report that the server is listening (for that traffic that won’t ever reach that server). Seeing netstat report that server software is listening on all interfaces is very common, and so it is not something to be particularly alarmed about.
Lastly, I will mention that this question, and this answer, are not Linux-specific. (I’m mentioning this because I do see the “Linux” tag on this question.) The command line parameters shown, and the example output shown, might have come from Linux, and different operating systems might display things slightly differently. However, about the topic of :: and 0.0.0.0, the way that netstat works in this regard is identical on a machine running BSD or Microsoft Windows (and presumably many other systems).
As others said, it’s the natural IPv6 notation for this context.
Let’s cite and interpret the relevant standards:
::: == 0000.0000.0000.0000.0000.0000.0000.0000:
https://www.rfc-editor.org/rfc/rfc5952#section-4 says that the canonical (not just a possible shorthand) IPv6 addresses are:
- written in hex with the characters
- grouped every 2 bytes by
- leading 0’s MUST be removed.
- the longest sequence of :0:0:0: MUST be converted to ::. Can only be done once, or would lead to ambiguity.
0000:0000:0000:0000:0000:0000:0000 on any port (
0:0:0:0:0:0:0 (trailing 0 removal)
:: (consecutive zero contraction)
0000.0000.0000.0000.0000.0000.0000.0000: == unspecified address
https://www.rfc-editor.org/rfc/rfc4291#section-2.5.2 defines the “unspecified address”:
The address 0:0:0:0:0:0:0:0 is called the unspecified address. It
must never be assigned to any node. It indicates the absence of an
address. One example of its use is in the Source Address field of
any IPv6 packets sent by an initializing host before it has learned
its own address.
The unspecified address must not be used as the destination address
of IPv6 packets or in IPv6 Routing headers. An IPv6 packet with a
source address of unspecified must never be forwarded by an IPv6
which makes it a good choice for a N/A column like in this case.
:: is not localhost, which the same document says is at
netstat 1.60, the protocols on the output read udp6 for IPv6, which show better what is going on, e.g.:
tcp6 0 0 :::22 :::* LISTEN 1201/sshd
udp6 0 0 :::5353 :::* 1449/avahi-daemon:
- analogous for IPv4: The meaning of port 0 in netstat output
- closely related: https://serverfault.com/questions/444554/what-does-mean-as-an-ip-address-bracket-colon-colon-bracket
It refers to the IPv6 address. In IPv6 we can condense a sequence of 0's using the
can be written as
But there are specific rules to be followed in this regard which you can look up on any IPv6 tutorial.
::1 is the localhost for IPv6, like 127.0.0.1 for IPv4.
:::* is the short version of 0:0:1:* (IPv6 0:0:0, port *), it is like IPv4 0.0.0.0:*. Both of these in the foreign address column mean that there is no foreign address column. In case of the listening sockets it is clear that there is not (yet) a connected foreign address. In case of the udp sockets you normally do not have connected foreign addresses, so these are also listed with 0.0.0.0:*.
:::* Would be your localhost/loop back in IPv6 🙂
Basically, you have services listening and connecting to services locally.
I’m curious to know: what does ::: in Local Address mean?
The Linux version of netstat uses a notation of : where the IP address is displayed bare*.
So :::111 means an IP of :: and a port of 111.
:: is an IPv6 address in condensed form using the rule that a run of zeros can be replaced with ::. Written out in full it is equivalent to 0000:0000:0000:0000:0000:0000:0000:0000.
As with IPv4 the all zeros address (known as the unspecified address) is used as a placeholder value. In the case of a local address it means that the socket is listening on all IPv6 interfaces (and possibly all IPv4 interfaces as well depending on socket options that netstat doesn’t show).
And what is 0.0.0.0:* and :::* in Foreign Address?
It means that the socket is not bound to a specific foreign address. :: or 0.0.0.0 indicates an unspecified IP address (for IPv4 or IPv6 respectively) and * indicates an unspecified port.
For TCP this applies only to sockets listening for incoming connections. When “accept” is called to accept a connection a separate socket is created with a defined remote IP and port.
For UDP there is no concept of accepting connections. An application bound to a UDP socket with a foreign address of :::* uses the “recvfrom” API call to receive packets and determine where they came from and the “sendto” API call to send packets to a specific address.
* This notation is unfortunate because it means that a displayed string means different things in netstat to elsewhere. In most contexts 3FFE::1234:5678 would mean the IP address 3FFE:0000:0000:0000:0000:0000:1234:5678 but in Linux netstat output it means the IP address 3FFE:0000:0000:0000:0000:0000:0000:1234 and the port 5678. The Windows version of netstat by contrast surrounds IPv6 addresses in square brackets to avoid ambiguity.
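An added example, not part of any answer above: a small audit script that splits the bare address:port form of Linux netstat on the last colon (the notation the footnote describes) and labels each local address as wildcard, loopback or specific, which is the distinction the first answer draws between listening on "any" address and listening only on loopback. The sample rows are constructed, numeric output (netstat -n) is assumed, and the function names are illustrative.

```python
import ipaddress

# Constructed sample of Linux `netstat -tulnp` rows (not taken from the page).
SAMPLE = """\
tcp        0      0 127.0.0.1:5901          0.0.0.0:*               LISTEN      2210/Xvnc
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      911/nginx
tcp6       0      0 :::22                   :::*                    LISTEN      1201/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      804/cupsd
udp6       0      0 :::5353                 :::*                                1449/avahi-daemon
tcp6       0      0 2001:db8:abcd::1234:443 :::*                    LISTEN      950/httpd
"""

def split_endpoint(endpoint):
    """Split netstat's bare address:port form on the LAST colon."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def bind_scope(host):
    """Classify a local address as wildcard, loopback or specific."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:      # 0.0.0.0 or :: -> every local address
        return "wildcard"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1 -> this host only
        return "loopback"
    return "specific"            # bound to one configured address

def audit(netstat_text):
    """Return (proto, expanded address, port, scope) for each socket row."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        host, port = split_endpoint(fields[3])  # column 4 is Local Address
        addr = ipaddress.ip_address(host)
        rows.append((fields[0], addr.exploded, port, bind_scope(host)))
    return rows

if __name__ == "__main__":
    for proto, addr, port, scope in audit(SAMPLE):
        print(f"{proto:5} {scope:9} port {port:5} {addr}")
```

Rows labelled wildcard are the ones to compare against firewall rules, since the socket accepts traffic on every interface unless something in front of it filters.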