Netstat

Netstat displays protocol statistics and current TCP/IP network connections. For each connection it shows the protocol (TCP or UDP), the IP addresses and ports of both the local and the remote computer and, for TCP, the state of the connection.

The Windows 7 command line utility Netstat helps you troubleshoot network performance issues by collecting network statistics. It displays active connections, the ports on which the computer is listening, Ethernet statistics, the IP routing table and IPv4 and IPv6 statistics. A typical case where Netstat comes in handy is finding which application owns an active connection: you read the PID (process ID) of the connection and look that PID up in the process list in Task Manager, or you have Netstat display the executable behind each connection directly.

Another useful task is listing all connections, established or idle, together with their foreign (remote) IP address and port number. Netstat can also help you troubleshoot network configuration by showing the contents of the IP routing table. The full syntax of the Netstat command is as follows:

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

-a            Displays all connections and listening ports (without -a only active connections are shown). A long list on its own, but the listening ports are where you look for services exposed to the network.

-b            Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and then the sequence of components involved in creating the connection or listening port is displayed: the executable name is in [] at the bottom, above it is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and fails unless it is run from an elevated (Administrator) command prompt.

-e            Displays Ethernet statistics. This may be combined with the -s option for advanced statistics.

-f            Displays Fully Qualified Domain Names (FQDN) for foreign addresses – a quick way to spot connections to remote computers you do not expect. Keep in mind that the name comes from a reverse DNS lookup, which slows the listing down and shows whatever name the owner of the remote address chose to publish, so treat the name as a hint and check the numeric address (-n) when it matters.

-n            Displays addresses and port numbers in numerical form.

-o            Displays the owning process ID associated with each connection – very useful in determining which application is creating which connection; the output is more compact and readable than with -b. You then match the PID against the process list in Task Manager or with tasklist /fi "PID eq <pid>".

-p proto   Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-r            Displays the routing table – very useful in multi-homed hosts where different routes exist.

-s            Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

-t            Displays the current connection offload state.

interval      Redisplays the selected statistics, pausing interval seconds between each display. Press CTRL+C to stop. If omitted, netstat prints the current information once. This parameter is handy in batch files that run over a long period, for instance when you suspect that a malicious process opens new connections while the computer is idle and you want to catch them as they appear.

For example, to check for connections that you are unaware of or that look suspicious:

  1. Open a command prompt by typing cmd in the Start text box and pressing enter
  2. Type netstat -f or netstat -fn and press enter
  3. Review the list of connections, paying special attention to the foreign addresses.
    In the sample output from the test computer, a remote connection is established with it. The test computer's local IP is 192.168.1.101, and a connection exists from 192.168.1.104 on local port 3389, the default port for Remote Desktop Protocol (RDP). The test computer also had some browser activity, so a few http/https connections are still in a closing state (such as TIME_WAIT). However, the user of the test computer is unaware of an active connection to w0043.106-85-80.internet.vodafone.com.mt on port 43029. How would the user investigate this suspicious connection further?
  4. Type netstat -b (from an elevated command prompt) and press enter
    The netstat -b option displays the executable responsible for every connection. In this example, the so far unknown connection turns out to be legitimate: the application creating it (Skype) is known to the test user, who confirms that Skype is running on the test computer. A matching name is not proof on its own, since malware can name itself after a known program, so when in doubt also check the executable's path in Task Manager. Another way to find which application is bound to a specific connection is to type netstat -o and then look up the process ID and name in Task Manager.
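The procedure above joins three pieces of information by hand: the foreign address, the owning PID and the process name. The script below is an added example, not code from the article, that does the same join over the output of netstat -ano and a PID-to-image map, and additionally diffs two snapshots the way a polling run with an interval would. The sample netstat text, the process map and the addresses in it are all constructed for the example; on a live Windows host you would feed it the actual output of netstat -ano and build the map from tasklist /fo csv. Foreign hosts are classified against the RFC 1918 and IPv6 ULA ranges explicitly, so anything outside the LAN counts as external.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -ano` output (made up for this example, not the
# article's test machine): two listeners, an inbound RDP session from a LAN host,
# an outbound session to an external host, a closing browser connection, a
# loopback connection and a UDP listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1032
  TCP    192.168.1.101:3389     192.168.1.104:51022    ESTABLISHED     1032
  TCP    192.168.1.101:49870    203.0.113.45:43029     ESTABLISHED     3412
  TCP    192.168.1.101:49871    198.51.100.7:443       TIME_WAIT       0
  TCP    127.0.0.1:49672        127.0.0.1:49673        ESTABLISHED     2108
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1204
"""

# Constructed PID -> image name map; on a live host build it from
# `tasklist /fo csv` (or read it off Task Manager) as the article describes.
SAMPLE_PROCESSES = {880: "svchost.exe", 1032: "svchost.exe", 1204: "svchost.exe",
                    2108: "chrome.exe", 3412: "Skype.exe"}

# A later, constructed snapshot with one extra outbound session, standing in for
# the next iteration of `netstat -ano <interval>`.
SAMPLE_NETSTAT_LATER = SAMPLE_NETSTAT + \
    "  TCP    192.168.1.101:49902    192.0.2.10:4444        ESTABLISHED     5120\n"

# LAN ranges are listed explicitly rather than via ipaddress.is_private, which also
# treats documentation and other special-purpose ranges as "private".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


@dataclass(frozen=True)
class Connection:
    proto: str
    local_host: str
    local_port: str
    foreign_host: str
    foreign_port: str
    state: str      # "" for UDP, which has no State column
    pid: int

    def key(self):
        """Identity used to compare snapshots; state and PID may change over time."""
        return (self.proto, self.local_host, self.local_port,
                self.foreign_host, self.foreign_port)


def split_endpoint(endpoint):
    """'192.168.1.101:3389' -> ('192.168.1.101', '3389'); '[::]:135' -> ('::', '135'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Parse `netstat -ano` text into Connection records, skipping banner and header lines."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""   # UDP lines carry no state
        pid = int(parts[-1])
        local_host, local_port = split_endpoint(local)
        foreign_host, foreign_port = split_endpoint(foreign)
        conns.append(Connection(proto, local_host, local_port, foreign_host, foreign_port, state, pid))
    return conns


def classify_host(host):
    """'unspecified', 'loopback', 'private' (on the LAN) or 'public' (off the LAN)."""
    if host in ("*", "0.0.0.0", "::"):
        return "unspecified"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local or any(ip in net for net in PRIVATE_NETS):
        return "private"
    return "public"


def resolve_image(pid, processes):
    """Map a PID to an image name; PID 0 on TIME_WAIT sockets means no process owns them any more."""
    if pid == 0:
        return "(no owner)"
    return processes.get(pid, "(unknown pid)")


def external_connections(conns, processes):
    """Non-listening sockets talking to an off-LAN host, each with its owning executable:
    the `-o` plus Task Manager check from the article, applied to every line at once."""
    return [(c, resolve_image(c.pid, processes)) for c in conns
            if c.state != "LISTENING" and classify_host(c.foreign_host) == "public"]


def listening_ports(conns, processes):
    """(proto, port) -> image name for every listening TCP port and bound UDP port."""
    return {(c.proto, c.local_port): resolve_image(c.pid, processes) for c in conns
            if c.state == "LISTENING" or (c.proto == "UDP" and c.foreign_host == "*")}


def new_connections(before, after):
    """Connections present in a later snapshot but absent from the earlier one."""
    seen = {c.key() for c in before}
    return [c for c in after if c.key() not in seen]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c, image in external_connections(conns, SAMPLE_PROCESSES):
        print(f"{c.proto} {c.local_host}:{c.local_port} -> {c.foreign_host}:{c.foreign_port} "
              f"{c.state:<12} pid={c.pid} {image}")
    for c in new_connections(conns, parse_netstat(SAMPLE_NETSTAT_LATER)):
        print(f"NEW: {c.foreign_host}:{c.foreign_port} pid={c.pid} "
              f"{resolve_image(c.pid, SAMPLE_PROCESSES)}")
```

On the constructed sample the report lists the Skype.exe session to 203.0.113.45:43029 and a TIME_WAIT socket to 198.51.100.7:443 with no owner, which mirrors the two things the manual check surfaces: an outbound session you need to account for, and closing browser connections that are harmless. The RDP session from 192.168.1.104 is not flagged because the peer is on the LAN, so if inbound RDP is itself unexpected, look at the listening_ports output instead.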