Netstat

Availability

The netstat.exe command is an external command available in the following Microsoft operating systems: Windows 95, Windows 98, Windows NT, Windows ME, Windows 2000 and Windows XP (it is also present in every later version of Windows).

netstat is a great tool that allows you to get a quick overview of different aspects of your networking setup.

About netstat

The netstat command is used to display TCP/IP network protocol statistics and connection information.

Syntax

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a        Displays all connections and listening ports.
-e        Displays Ethernet statistics. This may be combined with the -s option.
-n        Displays addresses and port numbers in numerical form.
-p proto  Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r        Displays the routing table.
-s        Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
interval  Redisplays the selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat prints the current configuration information once.

Examples

netstat

Displays all local network information. Below is an example of what may be displayed.

Proto  Local Address  Foreign Address              State
TCP    hope:4409      www.computerhope.com:telnet  ESTABLISHED
TCP    hope:3708      multicity.com:80             CLOSE_WAIT
TCP    hope:4750      www.google.com:80            CLOSE_WAIT

netstat 5

Running netstat with a number after the command makes it repeat the display until stopped; in this case netstat is refreshed every five seconds. To cancel, press CTRL+C.

Notice: Keep in mind that if you have network applications open, such as the browser you're using to view this page, additional items will be listed when you run "netstat" or "netstat -a". So you may see items from Computer Hope in your list; if you want a true listing of what is running in the background, close all programs and then run the command.

Learn the Netstat Command To Understand Your Internet Connections Better

Who is connecting to my computer? Why is my PC suddenly transferring so much data? Where is it sending the data to? Is there some zombie process or spyware running in the background that is actively making connections to the internet without my knowledge? Why did my internet connection get so slow?

If you are connected to the internet and any of the above questions trouble your mind, all you need to do is learn netstat (network statistics), a command-line tool that helps you keep an eye on your internet and network connections (both incoming and outgoing).

You can run the netstat command directly from a command prompt window. We will not go into the technical details but jump straight to practical examples of using netstat in real-world situations.

How do I know who is connecting to my computer from the internet?

netstat -p TCP

Displays the list of external machines (IP address or machine name, with port number) that your computer has TCP connections to. If you wish to display the foreign address only in numeric form, append the -n switch. Add -a as well to include the ports your computer is listening on, since those are what an outside machine would connect to.

I think a virus or trojan on my computer is sending data to the internet. Can I confirm this?

netstat -e 10

This command displays the number of bytes sent and received on your Ethernet interface and repeats every 10 seconds, giving you an idea of how much data is being transferred and at what rate. The counters are cumulative since the interface came up, so compare successive readings rather than the absolute numbers. If you are not transferring a file over the internet but a large amount of data is still being sent, that signals a problem worth investigating.

Which program(s) on my computer are making active connections to the internet?

netstat -p TCP -b

This command displays the executables (like firefox.exe) that own each TCP connection. It also shows which websites (or IP addresses) they are connected to and the state of the connection. The -b switch requires Windows XP SP2 or later and, on Windows Vista and later, an elevated (administrator) command prompt. The states you will see most often:

ESTABLISHED - Both hosts are connected and can exchange data.
CLOSING - Both hosts have sent a close request at the same time and each is waiting for the other's acknowledgement (rare).
LISTENING - Your computer is waiting to handle an incoming connection on that port.

I am downloading an illegal file over a torrent network. Will others come to know about my activity?

Yes. Every peer you exchange data with sees your computer's IP address, and they can run the netstat command on their own machines and see it in the output. An ISP can map an IP address at a given time to the subscriber it was assigned to.

I have subscribed to a fast broadband internet connection but the data transfer rate sometimes drops down to 0 kbps. Why?

Run the netstat command with the -b switch and look at the values under the "State" column.

- If you see a large number of connections in the TIME_WAIT state, some program is opening and closing a great many short-lived connections. TIME_WAIT sockets themselves belong to no process any more (netstat -o shows PID 0 for them), so find the culprit by looking at which executable owns the ESTABLISHED and SYN_SENT connections to the same remote addresses. End that process from Task Manager or, if it is an essential process, restart the computer.
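The questions above are all answered by reading one netstat listing carefully. As an added example (not code from the original article), here is a small Python script that does that reading for you from a saved `netstat -ano` listing (the -a, -n and -o switches combined): it reports which PID is talking to which remote host, which listeners are reachable from the network, and how many sockets are parked in TIME_WAIT. The sample listing embedded in the script is constructed, and the column layout it expects is an assumption about how Windows netstat prints its output.

```python
"""Triage a saved `netstat -ano` listing (Windows: -a all sockets, -n numeric,
-o owning PID) into the questions asked above: what is listening, which PID is
talking to which remote host, and how many sockets are parked in TIME_WAIT.
Added example for this page, not code from the original article."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the layout `netstat -ano` prints on Windows; the
# addresses, ports and PIDs are made up for illustration.
SAMPLE_NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.20:49672     93.184.216.34:443      ESTABLISHED     3120
  TCP    192.168.1.20:49673     93.184.216.34:443      ESTABLISHED     3120
  TCP    192.168.1.20:49701     198.51.100.7:6667      ESTABLISHED     2044
  TCP    192.168.1.20:49702     198.51.100.7:6667      SYN_SENT        2044
  TCP    192.168.1.20:49650     203.0.113.9:80         TIME_WAIT       0
  TCP    192.168.1.20:49651     203.0.113.9:80         TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:5353           *:*                                    1456
  UDP    [::1]:1900             *:*                                    1456
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int  # 0 for listeners ("0.0.0.0:0") and for UDP's "*:*"
    state: str         # "" for UDP, which has no connection state
    pid: int           # 0 means no owning process (e.g. TIME_WAIT leftovers)


def split_addr(addr: str) -> tuple[str, int]:
    """Split 'ip:port', '[v6]:port' or '*:*' into (ip, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), (0 if port == "*" else int(port))


# proto, local, foreign, optional state (absent for UDP), PID
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")


def parse_netstat_ano(text: str) -> list[Conn]:
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:  # "Active Connections", the column header, blank lines
            continue
        proto, local, foreign, state, pid = m.groups()
        lip, lport = split_addr(local)
        fip, fport = split_addr(foreign)
        conns.append(Conn(proto, lip, lport, fip, fport, state or "", int(pid)))
    return conns


def triage(conns: list[Conn]) -> dict:
    """Summarise one listing the way the questions above want it answered."""
    listening = defaultdict(set)   # pid -> {(proto, bind address, port)}
    talking_to = defaultdict(set)  # pid -> {"remote:port"} for live/opening TCP
    exposed = set()                # TCP listeners bound to every interface
    for c in conns:
        if c.state == "LISTENING":
            listening[c.pid].add((c.proto, c.local_ip, c.local_port))
            if c.local_ip in ("0.0.0.0", "::"):
                exposed.add((c.pid, c.local_port))
        elif c.state in ("ESTABLISHED", "SYN_SENT"):
            talking_to[c.pid].add(f"{c.foreign_ip}:{c.foreign_port}")
    return {
        "listening": dict(listening),
        "talking_to": dict(talking_to),
        "exposed": sorted(exposed),
        "time_wait": sum(1 for c in conns if c.state == "TIME_WAIT"),
    }


if __name__ == "__main__":
    summary = triage(parse_netstat_ano(SAMPLE_NETSTAT_ANO))
    for pid, hosts in sorted(summary["talking_to"].items()):
        print(f"PID {pid} talks to {', '.join(sorted(hosts))}")
    print("reachable from the network:", summary["exposed"])
    print("sockets in TIME_WAIT:", summary["time_wait"])
```

Run it against a real listing with `netstat -ano > conns.txt` and feed the file's contents to `parse_netstat_ano`. In the constructed sample, PID 2044 is the one to look at: it listens only on localhost (so it is not reachable from outside) but is connected, and trying to connect again, to port 6667 on an outside host, which is exactly the pattern the "phoning home" question above is about. UDP sockets are collected but not classified, because netstat prints no state for them.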

The power of “netstat” in 10 easy steps

1. Plain old netstat
Without any command-line arguments, “netstat” shows a list of active network connections on your system, including TCP, UDP and UNIX domain socket connections. If you want to speed things up a bit, use “-n” (numeric) to prevent name lookups and display IP addresses and port numbers instead of names.

2. Seeing all connections with “netstat -a”
Just like the above, but shows all connections, including those in the LISTEN state. Good when you want to see all connections in one shot.

3. What am I listening to? “netstat -l”
Many people type “netstat -a | grep -i LISTEN”, but “netstat -l” does the same: it filters the output to show sockets in the LISTEN state only. Very useful to quickly see what is being “served” on your box. Combine it with “-t” to show only TCP sockets, “-u” to show only UDP sockets, or both (“netstat -ltu”) to hide the UNIX domain sockets. (On Linux “-p” means “show the program”, see step 4, not “protocol” as it does on Windows.)

4. Who’s using that socket? “netstat -p”
With “-p”, netstat shows which program/pid is using a given socket. Very handy to find out who’s listening on a port or holding a connection open. A personal favorite of mine is “netstat -lput”, which displays all TCP and UDP sockets in the LISTEN state, plus the name and pid of the program listening on each. Note that you only see the owner of sockets belonging to your own user unless you run it as root; other users’ sockets show “-” in the PID/Program name column.

5. Details, lots of details: “netstat -e”
If you really want to see what’s going on, add the “-e” (extend) switch to your netstat command. It adds “extra” columns for each socket: the owning user and the inode number. Give it twice (“-ee”) for even more, and combine it with “-p” if you also want the program name and pid, for example “netstat -tulpen”.

6. Dial “o” for obscure: “netstat -o”
The “-o” command-line option causes the TCP timers to be displayed next to the connection. If you’re not into TCP/IP, the extra information will not make sense. For those who are, you’ll be able to see your TCP timers in real-time, and follow the progress of things like the KeepAlive timer, for instance. For a real treat, use “watch netstat -to”, sit down and watch the blinkenlights.

7. Interface status with “netstat -i”
Shows the status and packet counters of your interfaces. Very handy to make sure everything is going smoothly on the hardware side of things. Keep an eye on the ERR, DRP and OVR counters, as growth there indicates trouble (a speed/duplex mismatch on a 10/100 link, anyone?).

8. Continuous display: “netstat -c”
Makes netstat display output continuously. This command-line option can be used with any other form of netstat. I’d suggest using the “watch” command instead.

9. TCP/IP statistics: “netstat -s”
Shows counters for your TCP/IP stack: segments sent and received, retransmissions, resets, failed connection attempts and so on. Making sense of them requires deeper knowledge of the protocols, but a steadily rising retransmission count is a quick sign of a lossy path.

10. Boooooring: “netstat -r”
Use “ip route” instead of “netstat -r” to look cool and hip, and say “netstat is sooo 1975” when somebody asks why you’re doing that. (There is a serious point here: net-tools netstat is considered deprecated on modern Linux distributions in favour of iproute2, whose “ss” accepts most of the same switches, e.g. “ss -tulpn”.)
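Steps 7 and 8 together describe a procedure: sample the interface counters, wait, sample again, and see whether ERR, DRP or OVR moved. As an added example (not part of the original list), the Python script below does that comparison on two saved `netstat -i` listings. The two samples embedded in it are constructed, and the column layout they use (Iface MTU RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg) is an assumption about the installed net-tools version; older builds print an extra Met column, which the header-driven parser would pick up automatically.

```python
"""Compare two `netstat -i` samples taken a few seconds apart (for example two
frames of `watch netstat -i`, or `netstat -ic` output) and report which
interfaces saw their error, drop or overrun counters grow in between.
Added example for this page, not from the original; the samples are constructed
in the net-tools column layout, which is an assumption."""
from __future__ import annotations

SAMPLE_BEFORE = """\
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1234567      0     12      0   987654      0      0      0 BMRU
eth1      1500    50000      3      0      0    40000      0      0      0 BMRU
lo       65536     4321      0      0      0     4321      0      0      0 LRU
"""

# Same box, sampled again later: eth0 has started dropping and overrunning on
# receive; eth1's old RX-ERR count has not moved and is therefore not news.
SAMPLE_AFTER = """\
Kernel Interface table
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0      1500  1240000      0    512     40   990000      0      0      0 BMRU
eth1      1500    50100      3      0      0    40050      0      0      0 BMRU
lo       65536     4400      0      0      0     4400      0      0      0 LRU
"""

COUNTERS = ["RX-OK", "RX-ERR", "RX-DRP", "RX-OVR",
            "TX-OK", "TX-ERR", "TX-DRP", "TX-OVR"]
BAD = [c for c in COUNTERS if not c.endswith("-OK")]


def parse_netstat_i(text: str) -> dict[str, dict[str, int]]:
    """{iface: {counter: value}} from one `netstat -i` listing."""
    header, rows = None, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Kernel":
            continue
        if parts[0] == "Iface":          # column names drive the parsing
            header = parts
            continue
        if header is None:
            raise ValueError("column header line not found before data rows")
        rec = dict(zip(header, parts))
        rows[rec["Iface"]] = {c: int(rec[c]) for c in COUNTERS}
    return rows


def counter_deltas(before, after) -> dict[str, dict[str, int]]:
    """Per-interface growth of every counter between the two samples."""
    deltas = {}
    for iface, now in after.items():
        then = before.get(iface)
        if then is None:                 # came up between samples: no baseline
            continue
        deltas[iface] = {c: now[c] - then[c] for c in COUNTERS}
    return deltas


def flag_trouble(deltas, threshold: int = 0) -> dict[str, dict[str, int]]:
    """Only the ERR/DRP/OVR counters that grew by more than `threshold`."""
    bad = {}
    for iface, d in deltas.items():
        grew = {c: v for c, v in d.items() if c in BAD and v > threshold}
        if grew:
            bad[iface] = grew
    return bad


def rx_loss_ratio(deltas, iface: str) -> float:
    """Fraction of received packets lost to errors/drops/overruns on `iface`."""
    d = deltas[iface]
    lost = d["RX-ERR"] + d["RX-DRP"] + d["RX-OVR"]
    total = d["RX-OK"] + lost
    return lost / total if total else 0.0


if __name__ == "__main__":
    deltas = counter_deltas(parse_netstat_i(SAMPLE_BEFORE),
                            parse_netstat_i(SAMPLE_AFTER))
    for iface, grew in flag_trouble(deltas).items():
        print(f"{iface}: {grew}  (rx loss {rx_loss_ratio(deltas, iface):.2%})")
```

The comparison is against growth rather than absolute values because a counter that has been non-zero since boot tells you about something that happened once; one that is still climbing while you watch is the one worth chasing. The `threshold` argument lets you ignore the occasional single drop that a busy interface produces anyway.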

Netstat
Netstat is a useful tool for checking network and Internet connections. Some useful applications for the average PC user are considered, including checking for malware connections.

Syntax and switches
The command syntax is

netstat [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

A brief description of the switches is given in Table I below. Note that switches for netstat use the dash symbol "-" rather than the slash "/".

Table I. Switches for the netstat command

Switch      Description
-a          Displays all connections and listening ports.
-b          Displays the executable involved in creating each connection or listening port. (Added in XP SP2; on Windows Vista and later it requires an elevated command prompt.)
-e          Displays Ethernet statistics.
-n          Displays addresses and port numbers in numerical form.
-o          Displays the owning process ID (PID) associated with each connection.
-p proto    Shows connections for the protocol specified by proto; proto may be any of TCP, UDP, TCPv6 or UDPv6.
-r          Displays the routing table.
-s          Displays per-protocol statistics.
-v          When used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for each executable.
[interval]  An integer that makes netstat redisplay the results repeatedly, with the specified number of seconds between displays. Continues until stopped with Ctrl+C. The default is to display once.

Applications of Netstat

Netstat is one of a number of command-line tools available to check the functioning of a network. It provides a way to check whether various aspects of TCP/IP are working and what connections are present. In Windows XP SP2, a new switch "-b" was added that displays the executable file that has opened each connection. This capability gives you a chance to catch malware that may be phoning home or using your computer in unwanted ways on the Internet. There are various ways that a system administrator might use the assortment of switches, but I will give two examples that might be useful to home PC users.

Checking TCP/IP connections

TCP and UDP connections and their IP addresses and ports can be seen by entering a command combining two switches:

netstat -an

An example of the output obtained is shown in Figure 1.
Figure 1. Example output for command "netstat -an"

The information that is displayed includes the protocol, the local address, the remote (foreign) address, and the connection state. Note that the various IP addresses include port information as well (the number after the colon). An explanation of the different connection states is given in Table II.

Table II. Description of the various TCP connection states

State          Description
CLOSED         No connection exists; the socket is not in use.
LISTENING      The local side is waiting for an incoming connection request (a SYN) on that port; this is how a server advertises a service.
SYN_SENT       The local side has sent a SYN to open a connection and is waiting for the remote side's SYN/ACK, i.e. the connection is being opened from this computer.
SYN_RECEIVED   The local side has received a SYN, replied with its own SYN/ACK, and is waiting for the final ACK of the three-way handshake.
ESTABLISHED    The handshake has completed; the connection is open and data can flow in both directions.
FIN_WAIT_1     The local side has closed (sent a FIN) and is waiting for the remote side to acknowledge it.
FIN_WAIT_2     The remote side has acknowledged the local FIN; the local side is now waiting for the remote side to send its own FIN.
CLOSE_WAIT     The remote side has sent a FIN (closed its end) but the local application has not yet closed the socket. Many sockets stuck here usually mean a program is not closing connections it has finished with.
CLOSING        Both sides sent a FIN at about the same time and each is waiting for the other's acknowledgement (rare).
LAST_ACK       The local side, having received the remote FIN, has sent its own FIN and is waiting for the final ACK.
TIME_WAIT      The connection has been fully closed; the local side keeps the socket for a while (twice the maximum segment lifetime) so that delayed packets from the old connection cannot be mistaken for a new one. Windows netstat reports these with PID 0 because no process owns them any more.

Checking for malware by looking at which programs initiate connections

To find out which programs are making connections with the outside world, we can use the command

netstat -b

(On Windows Vista and later this switch requires an elevated command prompt, and you should add -o to make sure the PID column is included: netstat -bo.) Actually, it is better to check over a period of time, and we can add a number that sets the command to run at fixed intervals. It is also best to create a written record of the connections made over some period of time. The command can then be written

netstat -b 5 >> C:\connections.txt

Note that as written, this command runs at five-second intervals until stopped by entering Ctrl+C, which is the general command to exit. (Some reports say that this can be fairly CPU intensive, so it may cause a slower, single-core machine to run sluggishly. It was not noticeable on my dual-core machine.) A simple example of the type of output is shown in Figure 2. Note that the process ID (PID) is given. The PID can be matched against the PID column in Task Manager to see which executable and process is behind each connection.

Batch program to check connections and terminate automatically

The previous example of using "netstat -b" to check connections at intervals has the disadvantage that it requires manual termination. It is also possible to use a batch file that runs a specified number of times with a given time interval and then terminates automatically. In Windows XP we can make use of a command from the Windows Server 2003 Resource Kit Tools called "sleep". A possible batch file is:

@echo off
for /L %%X in (1,1,100) do (
    netstat -b >> C:\connections.txt
    sleep 5
)

This particular example does 100 iterations of the netstat command at 5-second intervals. On Windows Vista and later, "sleep" is not needed: the built-in "timeout /t 5 /nobreak >nul" does the same job, and the batch file must be run from an elevated command prompt because of the -b switch.
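A connections.txt built this way quickly grows to hundreds of snapshots, and reading it by eye defeats the purpose of recording it. As an added example (not part of the original article), here is a Python script that splits such a log into its snapshots, attaches each connection to the executable named on the following bracketed line, and reports which executable/remote-host pairs first appeared after the baseline snapshot, which is the question the procedure above is really asking. The log embedded in the script is constructed, and the layout it expects (the Windows Vista and later "netstat -b" form: a connection row, then the owner in brackets, with a service name line before [svchost.exe] for services) is an assumption about the netstat version.

```python
"""Review a C:\\connections.txt log made by appending `netstat -b` snapshots, as
the batch file above does, and report which executable/remote-host pairs
appeared after the first snapshot. Added example for this page, not from the
original; the log below is constructed in the Windows Vista+ `netstat -b`
layout, which is an assumption about the netstat version in use."""
from __future__ import annotations
import re
from collections import defaultdict

SAMPLE_LOG = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            DESKTOP:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49672     93.184.216.34:443      ESTABLISHED
 [firefox.exe]

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            DESKTOP:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:49680     93.184.216.34:443      ESTABLISHED
 [firefox.exe]
  TCP    192.168.1.20:49701     198.51.100.7:6667      ESTABLISHED
 [updater.exe]

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:49701     198.51.100.7:6667      ESTABLISHED
 [updater.exe]
  TCP    192.168.1.20:49702     198.51.100.7:6667      SYN_SENT
 [updater.exe]
"""

_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")
_OWNER = re.compile(r"^\s*\[(.+)\]\s*$")   # e.g. " [firefox.exe]"


def parse_b_snapshots(text: str) -> list[set[tuple[str, str, str, str]]]:
    """Split the log at each "Active Connections" header; every snapshot becomes
    a set of (exe, proto, foreign address, state). The local ephemeral port is
    dropped on purpose: it changes on every connection and would hide repeats."""
    snapshots, pending, current = [], [], None
    for line in text.splitlines():
        if line.strip() == "Active Connections":
            current = set()
            snapshots.append(current)
            pending.clear()
            continue
        if current is None:
            continue
        if (m := _ROW.match(line)):
            pending.append(m.groups())          # owner line comes afterwards
        elif (m := _OWNER.match(line)):
            exe = m.group(1)
            for proto, _local, foreign, state in pending:
                current.add((exe, proto, foreign, state or ""))
            pending.clear()
        # anything else: column header, blank lines, service names like RpcSs
    return snapshots


def new_since_baseline(snapshots) -> dict[tuple[str, str], int]:
    """{(exe, foreign address): index of the snapshot where it first showed up}
    for pairs that were not present in snapshot 0."""
    baseline = {(exe, foreign) for exe, _p, foreign, _s in snapshots[0]}
    first_seen = {}
    for i, snap in enumerate(snapshots[1:], start=1):
        for exe, _p, foreign, _s in snap:
            key = (exe, foreign)
            if key not in baseline and key not in first_seen:
                first_seen[key] = i
    return first_seen


def owners_by_host(snapshots) -> dict[str, set[str]]:
    """Which executables ever talked to which remote address across the log."""
    by_host = defaultdict(set)
    for snap in snapshots:
        for exe, _p, foreign, _s in snap:
            by_host[foreign].add(exe)
    return dict(by_host)


if __name__ == "__main__":
    snaps = parse_b_snapshots(SAMPLE_LOG)
    print(f"{len(snaps)} snapshots in log")
    for (exe, foreign), idx in sorted(new_since_baseline(snaps).items()):
        print(f"new: {exe} -> {foreign} (first seen in snapshot {idx})")
```

Point it at a real log with `parse_b_snapshots(open(r"C:\connections.txt").read())`. Treating the first snapshot as the baseline assumes the machine was in a known-good state when you started recording; if you suspect it already was not, compare two logs taken on different days instead. In the constructed sample the only new pair is updater.exe talking to port 6667 on an outside host, first seen in the second snapshot.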