
Viewing TCP/IP Statistics

You can use the netstat (short for network statistics) command to display information on any TCP/IP connections on your computer. You can use it to show all the connections, ports, and applications involved with network connections. You can also use it to check TCP/IP statistics.

Table-6 shows the common netstat commands.

Switches can be combined. For example, the netstat -ano command combines the output of the -a, -n, and -o switches.

Table-6 Common netstat commands

Command                Comments
netstat -a             Shows all connections and listening ports.
netstat -b             Shows connections that all applications are using to connect on the network (including the Internet if the client is connected to the Internet).
netstat -e             Shows Ethernet statistics.
netstat -f             Shows fully qualified domain names (FQDNs).
netstat -n             Shows both addresses and port numbers in numerical form.
netstat -o             Includes the process that owns the connection.
netstat -p protocol    Shows connections for specific protocols. You can use any of the following protocols: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6. For example, netstat -p TCP would show connections for TCP only.
netstat interval       Redisplays the statistics after waiting the interval period. The interval is specified in seconds; for example, netstat 15 waits 15 seconds before executing the netstat command again.

Listing-7 shows a basic listing of open ports for a computer running on a network without any Internet Explorer sessions opened. With a few web pages open in Internet Explorer, the number of open ports can easily fill a page.

Listing-7: Output of netstat command

C:\Users\Dar>netstat 
  
Active Connections 
  
  Proto  Local Address          Foreign Address        State 
  TCP    192.168.1.114:135      WIN7-PC:49766          ESTABLISHED 
  TCP    192.168.1.114:1030     WIN7-PC:49767          ESTABLISHED 
  TCP    192.168.1.114:1060     MYBOOKWORLD:microsoft-ds 
                                                       ESTABLISHED 
  TCP    192.168.1.114:2078     beta:http              ESTABLISHED 
  TCP    192.168.1.114:3389     Server08R2:56080       ESTABLISHED 
  TCP    [fe80::41f0:f763:5451:198a%10]:135  Darril-PC:50506
                                                       ESTABLISHED

The local address indicates the local computer (with an IP address of 192.168.1.114) and is in the format IP address:port. The foreign address indicates the name or IP address of the remote computer. The State column indicates the state of the connection.

Some of the common states of a connection are as follows:

  • ESTABLISHED Indicates that a TCP session is established
  • LISTENING Indicates the system is ready to accept a connection
  • CLOSE_WAIT Indicates that the system is waiting for a final packet from the remote system to close the connection

For a full listing of all possible connection states, check out RFC 793 (www.faqs.org/rfcs/rfc793.html). Some connection states are described in RFC 793 with a hyphen, but netstat displays them with an underscore. For example, RFC 793 uses CLOSE-WAIT, but netstat displays CLOSE_WAIT.

If you want to search RFC 793, you need to search with the hyphen. For example, you can search CLOSE-WAIT, but you won't find anything if you search on CLOSE_WAIT.

You may run the netstat command and see something that looks suspicious. For example, the Foreign Address of beta:http looks a little odd, and you may want to get more information about it. You can use the netstat -b command to identify the application or process using the port, as shown in Listing-8. The netstat -b command is one of the commands that must be run from an administrator prompt.

netstat can be useful in detecting spyware and malware. If the application using a connection is unknown, it may be malicious.

Listing-8: Using netstat -b to identify applications and processes

C:\>netstat -b 
  
Active Connections 
  
  Proto  Local Address          Foreign Address           State 
  TCP    192.168.1.114:135      WIN7-PC:49766             ESTABLISHED 
  RpcSs 
 [svchost.exe] 
  TCP    192.168.1.114:1030     WIN7-PC:49767             ESTABLISHED 
 [spoolsv.exe] 
  TCP    192.168.1.114:1060     MYBOOKWORLD:microsoft-ds  ESTABLISHED 
 Can not obtain ownership information 
  TCP    192.168.1.114:2078     beta:http                 ESTABLISHED 
 [OUTLOOK.EXE] 
  TCP    192.168.1.114:3389     Server08R2:56080          ESTABLISHED 
  CryptSvc 
 [svchost.exe] 

If you have a little information about ports, you can use the output of the netstat command, the names of the applications, and the port numbers to determine what each of the ports is doing.

Port 135 Port 135 is used for NetBIOS and Remote Procedure Calls (RPCs) in Windows systems. This shows an IPv4 connection (the first line) with another computer named Win7-PC in the network.

Port 1030 This is being used by the print spooler service (spoolsv.exe).

Port 1060 This port is being used to connect to a network drive (named MYBOOKWORLD) that is mapped to the system as an additional drive.

Port 2078 This is being used by Microsoft Outlook for a connection to the Internet.

Port 3389 CryptSvc is short for the Cryptographic Services service. Port 3389 is the port used by Microsoft for Remote Desktop Services (RDS). Combined, they indicate an RDS session is established with a remote computer named Server08R2.

That still may not be enough information if the application looks suspicious. You can use the following steps to get more information about any of these connections:

  1. Enter netstat at the command prompt.
  2. Review the listing, and determine whether there are ports you want to investigate more.
    Note the port number in the Local Address column. For example, you may want to investigate the beta:http line, which shows port 2078.
  3. Enter netstat -ano at the command prompt.
    This provides a more detailed listing including the process ID (PID). Look for the line with your port number. The following code snippet shows the line for this port:
     
      Proto  Local Address       Foreign Address  State        PID 
      TCP    192.168.1.114:2078  65.55.11.163:80  ESTABLISHED  5356 
    
    The PID column shows a PID of 5356 for port 2078.
  4. Launch Task Manager by pressing the Ctrl+Shift+Esc keys at the same time.
  5. Select the Processes tab.
  6. Click View, and click Select Columns.
  7. Select the PID (Process Identifier) box. Click OK.
  8. Look for the entry with the PID you're interested in.
    Notice that it shows that the Image Name value (the process) is Outlook.
  9. Launch the Performance Monitor by clicking Start, typing in perfmon, and pressing Enter.
    • In Windows Server 2008, the default display shows the resource overview. This provides the information you need.
    • In Windows Server 2008 R2 and Windows 7, you need to launch the Resource Monitor by right-clicking Monitoring Tools and selecting Resource Monitor.
  10. Look for the PID in the CPU, Disk, Network, and Memory sections.
    This allows you to get additional information on the process, such as how many resources the process is consuming. You can get more advanced in your searches to narrow down the source of connections. The goal of these steps isn't to make you a master at identifying all the resources that an open port may be using but instead to show you some of the possibilities. It gives you a chance to dig into your system and learn a little more about it.
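The port-to-PID-to-process lookup in steps 2 to 8 can be scripted instead of done by hand. The following is an added example, not code from the original text: it parses the netstat -ano format shown above and the CSV output of the tasklist command (assumed here as the command-line stand-in for the Task Manager step), both on constructed sample text, and joins them on PID. The Outlook PID 5356 is the value from the text; all other PIDs and addresses are made up.

```python
import csv
import io
# Constructed sample of `netstat -ano` output, modelled on the listings above;
# PID 5356 on the port 2078 (beta:http) line is the value given in the text.
NETSTAT_ANO = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.168.1.114:135      192.168.1.10:49766     ESTABLISHED     712
  TCP    192.168.1.114:2078     65.55.11.163:80        ESTABLISHED     5356
  TCP    [fe80::41f0:f763:5451:198a%10]:135  [fe80::1%10]:50506  ESTABLISHED  712
  UDP    0.0.0.0:5355           *:*                                    1188
"""
# Constructed sample of `tasklist /fo csv /nh` output (image name, PID, ...).
TASKLIST_CSV = '''"svchost.exe","712","Services","0","9,876 K"
"OUTLOOK.EXE","5356","Console","1","123,456 K"
"svchost.exe","1188","Services","0","4,000 K"
'''

def parse_netstat_ano(text):
    """One dict per connection line; the header is skipped. UDP has no State."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows

def local_port(addr):
    """The port follows the last colon, which also covers [ipv6%scope]:port."""
    return int(addr.rsplit(":", 1)[1])

def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist CSV rows."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}

def owner_of_port(port, netstat_text=NETSTAT_ANO, tasklist_text=TASKLIST_CSV):
    """Steps 2 to 8 of the procedure above: local port -> PID -> image name."""
    procs = parse_tasklist_csv(tasklist_text)
    for row in parse_netstat_ano(netstat_text):
        if (row["proto"] == "TCP" and row["state"] == "ESTABLISHED"
                and local_port(row["local"]) == port):
            return row["pid"], procs.get(row["pid"], "unknown")
    return None
```

On a live system, feed owner_of_port the captured output of the two commands in place of the constructed samples; a PID that tasklist cannot name is reported as "unknown" rather than silently dropped.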