You are on page 1of 5

Lab 4.5.

1: Observing TCP and UDP using Netstat
Topology Diagram

Addressing Table
Device R1-ISP R2-Central Eagle Server hostPod#A hostPod#B S1-Central Interface IP Address S0/0/0 Fa0/0 S0/0/0 Fa0/0 N/A N/A N/A N/A N/A 10.10.10.6 10.10.10.5 172.16.255.254 172.31.24.254 172.16.Pod#.1 172.16.Pod#.2 172.16.254.1 Subnet Mask 255.255.255.252 255.255.255.252 255.255.0.0 255.255.255.0 255.255.0.0 255.255.0.0 255.255.0.0 Default Gateway N/A N/A N/A N/A 192.168.254.253 N/A 172.16.255.254 172.16.255.254 172.16.255.254

192.168.254.253 255.255.255.0

192.168.254.254 255.255.255.0

Learning Objectives

All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 5

or UDPv6.5. Display addresses and port numbers in numerical form. and interface statistics. Open a terminal window by clicking on Start | Run. IPv6. and adjust netstat output options to analyze and understand TCP/IP Transport Layer protocol status. UDP. Shows connections for the protocol specified by proto. proto may be any of: IP. TCPv6. Transmission Control Protocol. Press CTRL+C to stop redisplaying statistics. Page 2 of 5 . ICMPv6. host computer routing table information. 1981.1: Observing TCP and UDP using Netstat • • Explain common netstat command parameters and outputs. During the life of a TCP connection. Use netstat to examine protocol information on a pod host computer. The following table is a summary of TCP states. use the /? options. Inc. compiled from RFC 793. netstat displays incoming and outgoing network connections (TCP and UDP). Background netstat is an abbreviation for the network statistics utility. the connection passes through a series of states. ICMP. or UDPv6. If used with the –s option to display per-protocol statistics. Redisplay all connections and listening ports every 30 seconds. Passing optional parameters with the command will change output information. September. -an 30 No options When netstat statistics are displayed for TCP connections. the TCP state is displayed. available on both Windows and Unix / Linux computers. Display only open connections. Redisplay statistics every five seconds. All rights reserved. To display help information about the netstat command. UDP.CCNA Exploration Network Fundamentals: OSI Transport Layer Lab 4. Scenario In this lab the student will examine the netstat command on a pod host computer. This document is Cisco Public Information. as reported by netstat: All contents are Copyright © 1992–2007 Cisco Systems. This is a tricky problem. as shown: C:\> netstat /? <ENTER> Use the output of the netstat /? command as reference to fill in the appropriate option that best matches the description: Option -a -n 5 -p Description Display all connections and listening ports. and press OK. TCP. TCPv6. Type cmd. Task 1: Explain common netstat command parameters and outputs. proto may be any of: TCP.

issue the command netstat –an: C:\> netstat –an <ENTER> Use the window vertical scroll bar to go back and forth between the outputs of the two commands. and data may be exchanged through the connection. The connection should transition quickly through this state. Multiple connections in SYN_RECEIVED state may indicate a TCP SYN attack. Step 1: Use netstat to view existing connections. and State information. and will normally last between 30 . All rights reserved. noting how well-known port numbers are changed to names. A global address.CCNA Exploration Network Fundamentals: OSI Transport Layer Lab 4. Task 2: Use netstat to Examine Protocol Information on a Pod Host Computer.1: Observing TCP and UDP using Netstat State LISTEN ESTABLISHED TIME-WAIT CLOSE-WAIT SYN-SENT SYN_RECEIVED Connection Description The local connection is waiting for a connection request from any remote device. Foreign address. but is waiting for a termination request from the local user. From the terminal window. This is a normal condition.0 Remote Address Description This address refers to the local host. The local connection is waiting for a confirming connection request acknowledgment.1 0.0. Local address.5.0. Addresses and protocols that can be translated into names are displayed. issue the command netstat –a: C:\> netstat –a <ENTER> A table will be displayed that lists protocol (TCP and UDP). The connection should transition quickly through this state. The –n option forces netstat to display output in raw format.0. All contents are Copyright © 1992–2007 Cisco Systems. Compare outputs. The address of the remote device that has a connection with this computer. above. This is the normal state for the data transfer phase of the connection. From the terminal window in Task 1.120 seconds. meaning “ANY”. The connection is open. or this computer. The connection is closed. This document is Cisco Public Information. The local connection is waiting a default period of time after sending a connection termination request before closing the connection. The local connection is waiting for a response after sending a connection request.0. IP addresses displayed by netstat fall into several categories: IP Address 127. Page 3 of 5 . Inc.

port 25 TELNET.254.1:1070 TCP 127.0.Telnet server.254.0.1:1071 127.0.0:0 gw-deskop-hom:0 0.SMTP mail server.0:0 *:* *:* *:* *:* *:* *:* State LISTENING LISTENING LISTENING Refer to the following netstat output. In this task. port 23 All contents are Copyright © 1992–2007 Cisco Systems. If there are fewer than three connections that translate.1:123 Gw-desktop-hom:ntp 192. port 53 FTP. port 21 SMTP.0.0. Several network services on Eagle Server will respond to a telnet connection.0.1:137 GW-desktop-hom:netbios-ns 192.0. thus providing several protocols to examine with netstat. We will use: • • • • DNS.0.0.168. The four terminal windows that will be used for telnet connections to Eagle Server can be relatively small.0:135 gw-desktop-hom:microsoft-ds 0. approximately ½ screen width by ¼ screen height.1:1070 State ESTABLISHED ESTABLISHED F address is 127.168. Arrange the windows so that all are visible.1:137 Gw-desktop-hom:netbios-dgm 192. Connection TCP TCP TCP UDP UDP UDP Proto Local Address gw-desktop-hom:epmap 0.0.168.0.254. and the corresponding translated port numbers from the netstat –an output.0. The terminal windows that will be used to collect connection information should be ½ screen width by full screen height.0.0. The venerable telnet command will be used to access Eagle Server network services.FTP server.0:445 Gw-desktop-hom:netbios-ssn 192. note that in your table. Page 4 of 5 .0.CCNA Exploration Network Fundamentals: OSI Transport Layer Lab 4.5. Step 2: Establish multiple concurrent TCP connections and record netstat output.0.168.1. the host computer connects with itself over TCP. several simultaneous connections will be made with Eagle Server.254. Open an additional four terminal windows.1:138 Foreign Address gw-deskop-hom:0 0.0:0 gw-deskop-hom:0 0. How would you respond? C:\> netstat –n Active Connections Proto Local Address TCP 127.0. All rights reserved.domain name server. This document is Cisco Public Information.0. A new network engineer suspects that his host computer has been compromised by an outside attack against ports 1070 and 1071.0. Inc.1: Observing TCP and UDP using Netstat Write down three TCP and three UDP connections from the netstat –a output.0.1:1071 C:\> Foreign Address 127.

254:21 192. telnet on port 21.168. Microsoft Telnet>. In the second terminal window.1:1691 192.254. press the <CTRL> ] keys together. and interface statistics. All contents are Copyright © 1992–2007 Cisco Systems.168.168.com 53 In the large terminal window.168.168. Type quit <ENTER> to close the session.1:1688 192. Page 5 of 5 .1:1694 Foreign Address 192. record established connections with Eagle Server. That will bring up the telnet prompt. The netstat utility displays incoming and outgoing network connections (TCP and UDP).1:1693 192.example.168. To close a telnet connection. If typing is slow.168. and issue the netstat –an command. telnet to Eagle Server on port 53.254. Eventually. Task 4: Challenge.5.254. turn off power to the host computers. a connection may close before all connections have been made.254. Try to view connections in stages different from ESTABLISHED. Task 5: Cleanup. Output should look similar to the following. telnet on port 25. Unless directed otherwise by the instructor.254:25 192.1: Observing TCP and UDP using Netstat Why should telnet to UDP ports fail? Since Telnet is a TCP.254.254.168. connections should terminate from inactivity. In the third terminal window.254:23 State ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED Task 3: Reflection. Proto TCP TCP TCP TCP Local Address 192. In the fourth terminal window. and leave the room ready for the next class. The command for a telnet connection on port 21 is shown below: C:\> telnet eagle-server. Close Established sessions abruptly (close the terminal window). host computer routing table information. telnet on port 23. In the first telnet terminal window. Inc.CCNA Exploration Network Fundamentals: OSI Transport Layer Lab 4. UDP won’t create the TCP session. All rights reserved.254:53 192.254. This document is Cisco Public Information. Remove anything that was brought into the lab.254.