Viewing TCP/IP Statistic
You can use the netstat (short for network statistics) command to display information on any TCP/IP connections on your computer. You can use it show all the connections, ports, and applications involved with network connections. You can also use it to check TCP/IP statistics.
Table-6 shows the common netstat commands.
Switches can be combined. For example, the netstat -ano command combines the output of the -a, -n, and -o switches.Table-6 Common netstat commands
|Netstat -a||Shows all connections and listening ports.|
|Netstat -b||Shows connections that all applications are using to connect on the network (including the Internet if the client is connected to the Internet).|
|Netstat -e||Shows Ethernet statistics.|
|Netstat -f||Shows fully qualified domain names (FQDNs).|
|Netstat -n||Shows both addresses and port numbers in numerical form.|
|Netstat -o||Includes the process that owns the connection.|
|Netstat -p protocol Netstat -p TCP||Shows connections for specific protocols. You can use any of the following protocols: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6. For example, netstat -p TCP would show connections for TCP only.|
|Netstat -r||Shows the routing table. This is the same routing table you can see with the route print command.|
|Netstat -s||Shows statistics for the protocols running on the system. This includes packets received, packets sent, errors, and more.|
|Netstat interval Netstat 15||Redisplays the statistics after waiting the interval period. The interval is specified in seconds as netstat 15 to wait 15 seconds before executing the netstat command again.|
Listing-7 shows a basic listing of open ports for a computer running on a network without any Internet Explorer sessions opened. With a few web pages open in Internet Explorer, the number of open ports can easily fill a page.
Listing-7: Output of netstat command
C:\Users\Dar>netstat Active Connections Proto Local Address Foreign Address State TCP 192.168.1.114:135 WIN7-PC:49766 ESTABLISHED TCP 192.168.1.114:1030 WIN7-PC:49767 ESTABLISHED TCP 192.168.1.114:1060 MYBOOKWORLD:microsoft-ds ESTABLISHED TCP 192.168.1.114:2078 beta:http ESTABLISHED TCP 192.168.1.114:3389 Server08R2:56080 ESTABLISHED TCP [fe80::41f0:f763:5451:198a%10]:135 Darril-PC:50506 ESTABLISHED
The local address indicates the local computer (with an IP address of 192.168.1.114) and is in the format of IP address: port. The foreign address indicates the name or IP address of the remote computer. The State column indicates the state of the connection.
Some of the common states of a connection are as follows:
- ESTABLISHED Indicates that a TCP session is established
- LISTENING Indicates the system is ready to accept a connection
- CLOSE_WAIT Indicates that the system is waiting for a final packet from the remote system to close the connection
For a full listing of all possible session connections, check out RFC 793 (www.faqs.org/rfcs/rfc793.html). Some connection states are described in RFC 793 with a hyphen, but netstat displays them with an underscore. For example, RFC 793 uses CLOSE-WAIT, but netstat displays CLOSE_WAIT.
If you want to search RFC 793, you need to search with the hyphen. For example, you can search CLOSE-WAIT, but you won't find anything if you search on CLOSE_WAIT.
You may run the netstat command and see something that looks suspicious. For example, the Foreign Address of beta:http looks a little odd, and you may want to get more information about it. You can use the netstat -b command to identify the application or process using the port, as shown in Listing 14-8. The netstat-b command is one of the commands that must be run from an administrator prompt.
netstat can be useful in detecting spyware and malware. If the applications are unknown, they may be malicious.Listing-8: Using netstat -b to identify applications and processes
C:\>netstat -b Active Connections Proto Local Address Foreign Address State TCP 192.168.1.114:135 WIN7-PC:49766 ESTABLISHED RpcSs [svchost.exe] TCP 192.168.1.114:1030 WIN7-PC:49767 ESTABLISHED [spoolsv.exe] TCP 192.168.1.114:1060 MYBOOKWORLD:microsoft-ds ESTABLISHED Can not obtain ownership information TCP 192.168.1.114:2078 beta:http ESTABLISHED [OUTLOOK.EXE] TCP 192.168.1.114:3389 Server08R2:56080 ESTABLISHED CryptSvc [svchost.exe]
If you have a little information about ports, you can use the output of the netstat command, the names of the applications, and the port numbers to determine what each of the ports is doing.
Port 135 Port 135 is used for NetBIOS and Remote Procedure Calls (RPCs) in Windows systems. This shows an IPv4 connection (the first line) with another computer named Win7-PC in the network.
Port 1030 This is being used by the print spooler service (spoolsv.exe).
Port 1060 This port is being used to connect to a network drive (named MYBOOKWORLD) that is mapped to the system as an additional drive.
Port 2078 This is being used by Microsoft Outlook for a connection to the Internet.
Port 3389 CryptSvc is short for the Cryptographic Services service. Port 3389 is the port used by Microsoft for Remote Desktop Services (RDS). Combined, they indicate an RDS session is established with a remote computer named Server08R2.
That still may not be enough information if the application looks suspicious. You can use the following steps to get more information about any of these connections:
- Enter netstat at the command prompt.
- Review the listing, and determine whether there are ports you want to investigate more.
Note the port number in the Local Address column. For example, you may want to investigate the beta:http line, which shows port 2078.
- Enter netstat -ano at the command prompt.
This provides a more detailed listing including the process ID (PID). Look for the line with your port number. The following code snippet shows the line for this port:
Proto Local Address Foreign Address State PID TCP 192.168.1.114:2078 126.96.36.199:80 ESTABLISHED 5356The PID column shows a PID of 5356 for port 2078.
- Launch Task Manager by pressing the Ctrl+Shift+Esc keys at the same time.
- Select the Processes tab.
- Click View, and click Select Columns.
- Select the PID (Process Identifier) box. Click OK.
- Look for the entry with the PID you're interested in.
Notice that it shows that the Image Name value (the process) is Outlook.
- Launch the Performance Monitor by clicking Start, typing in perfmon, and pressing Enter.
- In Windows Server 2008, the default display shows the resource overview. This provides the information you need.
- In Windows Server 2008 R2 and Windows 7, you need to launch the Resource Monitor by right-clicking Monitoring Tools and selecting Resource Monitor.
- Look for the PID in the CPU, Disk, Network, and Memory sections.
This allows you to get additional information on the process such as how much resources the process is consuming. The Resource Monitor on a Windows 7 system. You can get more advanced in your searches to narrow down the source of connections. The goal of these steps isn't to make you a master at identifying all the resources that an open port may be using but instead to show you some of the possibilities. It gives you a chance to dig into your system and learn a little more about it.