cybersecurity · intermediate · ~20 min

Parse a /proc/net/tcp line and detect a public LISTEN

Defender's /proc/net/tcp parser — the basis of ss / netstat.

Challenge

/proc/net/tcp formats each TCP socket as one line. Columns we care about:

  sl  local_address rem_address   st ...
   0: 00000000:0050 00000000:0000 0A ...

local_address is IIIIIIII:PPPP, where I is the IPv4 address and P is the port, both in hexadecimal. The address is printed as one 32-bit value, so on a little-endian machine its bytes appear in reverse order (127.0.0.1 shows up as 0100007F); the port reads directly (0050 is port 80).

For this exercise we simplify: implement int is_public_listen(const char *line) returning 1 if the line:

  • Has state 0A (LISTEN), and
  • Has local address starting 00000000: (i.e. bound to 0.0.0.0).

Else return 0. Ignore the leading sl index and whitespace.

Why this matters

The single most useful Linux defender query is 'what's listening?'. /proc/net/tcp answers it; parsing it lets you write the same tool that powers ss/netstat.

Input format

One line of /proc/net/tcp.

Output format

0/1.

Constraints

Pure string scan.

Starter code

int is_public_listen(const char *line) { /* TODO */ (void)line; return 0; }

Common mistakes

Comparing the state column without skipping the address columns.

Edge cases to handle

Line with extra whitespace; line for IPv6 (different format — return 0).
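The address format and edge cases above, as an added example that is not part of the original exercise and not its reference solution: it goes beyond the simplified string check by decoding the local address and port, and it uses sscanf rather than the pure string scan the exercise asks for. The names tcp_row, parse_tcp_row and is_wildcard_listen are this example's own, and the rows are assumed to come from a little-endian host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One decoded IPv4 row; all names here are this example's own. */
struct tcp_row { char ip[16]; unsigned port; unsigned state; };
/* Returns 1 and fills *out for an IPv4 row; 0 for the header line,
 * an IPv6 row (32-digit addresses) or malformed input. */
int parse_tcp_row(const char *line, struct tcp_row *out)
{
    char laddr[33], raddr[33];
    unsigned long sl, a;
    unsigned lport, rport, st;
    /* Blanks in the format absorb any run of whitespace in the input. */
    if (sscanf(line, " %lu: %32[0-9A-Fa-f]:%4x %32[0-9A-Fa-f]:%4x %2x",
               &sl, laddr, &lport, raddr, &rport, &st) != 6)
        return 0;
    if (strlen(laddr) != 8 || strlen(raddr) != 8)
        return 0;
    /* Assumption: the row came from a little-endian host, so the lowest
     * byte of the printed value is the first octet of the address. */
    a = strtoul(laddr, NULL, 16);
    snprintf(out->ip, sizeof out->ip, "%lu.%lu.%lu.%lu",
             a & 0xff, (a >> 8) & 0xff, (a >> 16) & 0xff, (a >> 24) & 0xff);
    out->port = lport; out->state = st;
    return 1;
}

/* LISTEN (0x0A) socket bound to the wildcard address 0.0.0.0. */
int is_wildcard_listen(const struct tcp_row *r)
{
    return r->state == 0x0A && strcmp(r->ip, "0.0.0.0") == 0;
}

int main(void)
{
    /* Constructed sample rows, not captured from a real host. */
    const char *rows[] = {
        "  sl  local_address rem_address   st",
        "   0: 00000000:0050 00000000:0000 0A",
        "   1: 0100007F:0CEA 00000000:0000 0A",
        "   2: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A",
    };
    struct tcp_row r;
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        if (parse_tcp_row(rows[i], &r) && r.state == 0x0A)
            printf("%s:%u LISTEN%s\n", r.ip, r.port, is_wildcard_listen(&r) ? " (all interfaces)" : "");
    return 0;
}
```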

Complexity

O(strlen).
