Unexplained TCP connections can create a major security risk. They can show that something or someone is connected to the local host. Sometimes it is necessary to know which active TCP connections are open and running on a networked host. Netstat is a useful network tool for checking and verifying those connections.
The netstat command can show particulars about individual network connections, overall and protocol-specific networking statistics, all listening ports, along with incoming and outgoing network connections and much more, all of which could help troubleshoot certain kinds of networking issues. By default, the netstat command will try to resolve IP addresses to domain names and port numbers to well-known applications.
There are various ways that a system administrator might use the assortment of switches with netstat command. I will give you a complete detail in this article.
Open the Command Prompt and execute the netstat command alone to show a comparatively simple list of all active TCP connections which, for each one, will show the local IP address, the foreign IP address, along with their relevant port numbers, as well as the TCP state.
Netstat Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
Switches for Netstat command | |
Switch | Description |
-a | The -a switch displays all active TCP connections and the TCP and UDP ports on which the computer is listening. |
-b | The -b switch displays the executable concerned in creating each connection or listening port. This switch is added in XP SP2. |
-e | The -e switch displays Ethernet statistics, such as the data includes the number of bytes and packet sent and received including unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established. |
-f | The -f switch will force the netstat command to display the (FQDN ) Fully Qualified Domain Name for each foreign host IP addresses when possible. |
-n | The -n switch could significantly decrease the time it takes for netstat to fully execute. The switch will show active TCP connections, but, addresses and port numbers are expressed numerically. |
-o | This switch displays active TCP connections and includes the process ID (PID) for all connections. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. |
-p proto | Using the -p switch to show connections or statistics only for a particular protocol. You can’t define more than one protocol at once, nor can you execute netstat with -p switch without defining a protocol. proto may be any of TCP, UDP, TCPv6, or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, IP, icmpv6, or ipv6 in addition to the first four I mentioned. |
-r | The -r switch displays the contents of the IP routing table. This is equivalent to the route print command. |
-s | The -s switch displays statistics per-protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together. |
-t | Using -t switch will show the current TCP pipe offload state in place of the typically displayed TCP state. |
[interval] | An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped by command ctrl+c. The default setting is to display once. |
/? | ? is Used to show details about the netstat command's several options. |
Netstat Command Examples
netstat -f
This is the example of a netstat with -f switch. I execute netstat to show all active TCP connections. but, I do want to see the computers I'm connected to in FQDN format [-f] instead of a simple IP address.
Here's an example of what you might see:
C:\User\Muhammad>netstat -f Active Connections Proto Local Address Foreign Address State TCP 127.0.0.1:49216 Muhammad-PC:49328 ESTABLISHED TCP 127.0.0.1:49328 Muhammad-PC:49216 ESTABLISHED TCP 192.168.58.101:49273 .:https CLOSE_WAIT TCP 192.168.58.101:49322 wo-in-f188.1e100.net:5228 ESTABLISHED TCP 192.168.58.101:49726 51.143.22.239:http SYN_SENT TCP 192.168.58.101:49727 xx-fbcdn-shv-02-sin6.fbcdn.net:https ESTABLISHED TCP 192.168.58.101:49728 edge-star-mini-shv-02-sin6.facebook.com:https ESTABLISHED TCP 192.168.58.101:49729 edge-star-mini-shv-02-sin6.facebook.com:https TIME_WAIT TCP 192.168.58.101:49730 182.176.35.18:https TIME_WAIT TCP 192.168.58.101:49731 182.176.35.18:https ESTABLISHED TCP 192.168.58.101:49736 xx-fbcdn-shv-02-sin6.fbcdn.net:https TIME_WAIT TCP 192.168.58.101:49737 182.176.35.17:https ESTABLISHED TCP 192.168.58.101:49739 18.55.c0ad.ip4.static.sl-reverse.com:https ESTABLISHED TCP 192.168.58.101:49740 18.55.c0ad.ip4.static.sl-reverse.com:https ESTABLISHED TCP 192.168.58.101:49741 edge-star-shv-02-sin6.facebook.com:https SYN_SENT TCP 192.168.58.101:49742 edge-star-shv-02-sin6.facebook.com:https ESTABLISHED |
The command shows that there are 16 active TCP connections at the time of execution. The only protocol (in the Proto column) listed is TCP, if udp is required then you can use -a switch with n switch to reduce the execution time.
netstat -an
| C:\User\Muhammad> netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 127.0.0.1:49158 0.0.0.0:0 LISTENING TCP 127.0.0.1:49158 127.0.0.1:49214 ESTABLISHED TCP 192.168.58.103:49695 178.255.83.1:80 TIME_WAIT TCP 192.168.58.103:49696 23.46.123.27:80 ESTABLISHED TCP 192.168.58.103:49697 178.255.83.1:80 TIME_WAIT TCP 192.168.58.103:49708 93.184.220.29:80 ESTABLISHED TCP 192.168.58.103:49730 50.97.63.217:443 CLOSE_WAIT TCP 192.168.58.103:49731 50.97.63.217:443 ESTABLISHED TCP 192.168.58.103:49732 216.58.208.68:80 ESTABLISHED TCP 192.168.58.103:49733 216.58.208.68:80 TIME_WAIT TCP 192.168.58.103:49741 52.20.224.89:443 ESTABLISHED TCP 192.168.58.103:49742 52.20.224.89:443 TIME_WAIT TCP 192.168.58.103:49757 192.169.80.98:80 TIME_WAIT TCP 192.168.58.103:49758 192.169.80.98:80 ESTABLISHED TCP 192.168.58.103:49759 172.217.19.34:80 TIME_WAIT TCP 192.168.58.103:49760 172.217.19.34:80 ESTABLISHED TCP 192.168.58.103:49763 35.187.117.15:80 TIME_WAIT TCP 192.168.58.103:49838 52.221.160.235:443 ESTABLISHED TCP 192.168.58.103:49839 52.221.160.235:443 ESTABLISHED TCP [::]:135 [::]:0 LISTENING TCP [::]:445 [::]:0 LISTENING UDP [::1]:62889 *:* UDP [fe80::71dd:e26c:b955:52be%12]:546 *:* UDP [fe80::71dd:e26c:b955:52be%12]:1900 *:* |
The information above that is displayed in the result of the netstat –an command including protocol, the local address and port number, the foreign address and port number, and the connection status. An explanation of the different connection states is given below:
State | Description |
LISTENING | This status shows that the server is ready to accept a connection |
CLOSED | Closed status shows that the server has received an ACK signal from the client and the connection is closed now. |
CLOSE_WAIT | This status shows that the server has received the first FIN from the client and the connection is in the process of being closed |
ESTABLISHED | This status means that the server received the SYN signal from the client and the session is now established. |
FIN_WAIT_1 | This status means that the connection is still active but not currently in use. |
FIN_WAIT_2 | This status Indicates that the client now received acknowledgment of the first FIN signal from the server. |
LAST_ACK | This status shows that the server is in the process of sending its own FIN |
SYN_SEND | This means that this particular connection is open and active |
SYN_RECEIVED | The status means that the server just received an SYN signal from the client |
TIME_WAIT | This status means that the client recognizes the connection as still active but not currently being used |
No comments:
Post a Comment