Netstat command
The netstat command is a very handy command available on all OSes. When invoked, netstat shows the network connections made by your computer, the ports used, and the status of these connections. It will also show you which services may be open and waiting for connections. This knowledge can help you ascertain whether your system is vulnerable to attack.
Ok. Let’s see our connection to Google that is established so I can write this blog. In the command prompt I typed ‘netstat’.

As you can see, the last line shows a TCP connection: first the local information, showing the outbound port; next the foreign address, where you see Google’s host information followed by a colon and the port, shown as http or 80; and last the state of this connection, which in my case is established. If the connection is established, the line represents a socket, that is, an endpoint for communication between two machines.
There can be different states for each connection, or potential connection if it’s listening.
ESTABLISHED – connection has been made; the TCP three-way handshake has taken place.
LISTENING – port on your computer is listening for incoming traffic.
TIME_WAIT – occurs at the end of an established connection; before the connection is torn down, it waits for any packets that didn’t make it across. This is done so as not to confuse things if a new connection gets established.
SYN_RECEIVED – unlikely to see this, since it happens so quickly; it’s part of the three-way handshake that happens when a connection is being set up.
SYN_SENT – unlikely to see this too, as it’s part of the three-way handshake when a connection is being set up.
It is important to note that if you see a line in netstat showing LISTENING, it means that you have a port on your computer waiting for incoming traffic. No, don’t get all freaked out: “does that mean someone can hack into my computer and take control of it?” No, it does not. Most people today have routers that sit between their computers and the Internet. If someone wanted to make a connection to, say, some port that I found was in a listening state, they would not be able to. The router acts as a firewall for all inbound traffic (also called ingress filtering, hope to discuss this further on a new post). So, if you find a port in a listening state, try to find out what application/process is using this port and then try to google the “exe” file. Now you will know if this process should, in fact, be listening for incoming requests or if it’s a Trojan.
Netstat can be passed a bunch of different parameters depending on what you’re looking to do.
Here is a really great feature – ‘netstat -b’ will show you the actual process that is using each connection. Back to me writing this blog. The process that made the connection would be my browser, and you see below that iexplore.exe shows underneath the connection line. So, if you see a connection that you’re not sure about, you can use the -b parameter to see the process behind it. If you see an .exe file that you haven’t heard of, just type it into Google to see if it’s something safe. Perhaps it’s malware on your computer; if that’s the case, back up important files and reinstall your operating system.
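To make the listening-port check described above repeatable, here is an added example (not part of the original post) that parses the text output of `netstat -ano` on Windows, where -a includes listening ports, -n prints numeric addresses and -o adds the owning PID. It lists every LISTENING socket with its PID and whether it is bound to loopback only. The sample output and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of Windows `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.20:49712     203.0.113.10:80        ESTABLISHED     3344
  TCP    192.168.1.20:49713     203.0.113.10:80        TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       912
  TCP    [::1]:8307             [::]:0                 LISTENING       2216
  UDP    0.0.0.0:5353           *:*                                    1480
"""

# The state column is optional because UDP rows have none.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$")
LOOPBACK = ("127.", "[::1]")

def parse(text):
    """Yield one dict per connection row; header and blank lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        addr, _, port = local.rpartition(":")  # last colon, so IPv6 stays intact
        yield {"proto": proto, "addr": addr, "port": int(port),
               "foreign": foreign, "state": state or "", "pid": int(pid)}

def listeners(rows):
    """Return sorted (port, addr, pid, scope) tuples for LISTENING sockets."""
    out = []
    for r in rows:
        if r["state"] != "LISTENING":
            continue
        scope = "loopback-only" if r["addr"].startswith(LOOPBACK) else "non-loopback"
        out.append((r["port"], r["addr"], r["pid"], scope))
    return sorted(out)

if __name__ == "__main__":
    rows = list(parse(SAMPLE))
    print(dict(Counter(r["state"] or "(none)" for r in rows)))
    for port, addr, pid, scope in listeners(rows):
        print(f"{port:>5}  {addr:<14} pid={pid:<5} {scope}")
```

The "non-loopback" rows are the ones worth matching to a process name, since a loopback-only listener accepts connections only from the same machine.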

It’s important to remember that when you issue the netstat command, it gives you a snapshot of what is happening right then. You can use an interval so that it keeps running. There is a really great, free program that is worth checking out called TCPView. This is a Windows GUI version of netstat, and it updates in real time. And just in case you need to figure out why your mom’s Internet connection is slow, netstat is always available on all OSes; just fire it up; there is no need to install anything.

