What Is a Netstat?

In the Internet RFC standard, Netstat is defined as a program that accesses network connection status and related information in the kernel. It can report TCP connections, TCP and UDP listeners, and related information about process memory management.

Netstat

On the internet
The general format of the command is:
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval] [1]
The State column gives the connection state. Raw sockets have no state, and UDP sockets usually have none either, so the column is left empty for them. When a state is shown, the value is usually one of the TCP connection states.
The general format of this command (under Windows XP) is:
C:\> netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v]
  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form. This may
                be combined with the -a option.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, displays the sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
The general format of this command (under Windows 2000) is:
C:\> netstat /?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r]
  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP. If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for TCP, UDP and IP; the -p option may be used to specify
                a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
Microsoft deliberately keeps this powerful command out of sight because it is a little complicated for the average user. As we already know, netstat can report your system's network connections (ports and protocols in use), the amount of data received and sent, the ports of the remote systems you are connected to, and so on: netstat reads all of this network information from memory.

Netstat Record

The following examples show the use of the individual parameters in detail:
C:\> netstat -a
Active Connections
Proto Local Address Foreign Address State
TCP Eagle:ftp Eagle:0 LISTENING
TCP Eagle:telnet Eagle:0 LISTENING
TCP Eagle:smtp Eagle:0 LISTENING
TCP Eagle:http Eagle:0 LISTENING
TCP Eagle:epmap Eagle:0 LISTENING
TCP Eagle:https Eagle:0 LISTENING
TCP Eagle:microsoft-ds Eagle:0 LISTENING
TCP Eagle:1030 Eagle:0 LISTENING
TCP Eagle:6059 Eagle:0 LISTENING
TCP Eagle:8001 Eagle:0 LISTENING
TCP Eagle:8005 Eagle:0 LISTENING
TCP Eagle:8065 Eagle:0 LISTENING
TCP Eagle:microsoft-ds localhost:1031 ESTABLISHED
TCP Eagle:1031 localhost:microsoft-ds ESTABLISHED
TCP Eagle:1040 Eagle:0 LISTENING
TCP Eagle:netbios-ssn Eagle:0 LISTENING
TCP Eagle:1213 218.85.139.65:9002 CLOSE_WAIT
TCP Eagle:2416 219.133.63.142:https CLOSE_WAIT
TCP Eagle:2443 219.133.63.142:https CLOSE_WAIT
TCP Eagle:2907 192.168.1.101:2774 CLOSE_WAIT
TCP Eagle:2916 192.168.1.101:telnet ESTABLISHED
TCP Eagle:2927 219.137.227.10:4899 TIME_WAIT
TCP Eagle:2928 219.137.227.10:4899 TIME_WAIT
TCP Eagle:2929 219.137.227.10:4899 ESTABLISHED
TCP Eagle:3455 218.85.139.65:9002 ESTABLISHED
TCP Eagle:netbios-ssn Eagle:0 LISTENING
UDP Eagle:microsoft-ds *:*
UDP Eagle:1046 *:*
UDP Eagle:1050 *:*
UDP Eagle:1073 *:*
UDP Eagle:1938 *:*
UDP Eagle:2314 *:*
UDP Eagle:2399 *:*
UDP Eagle:2413 *:*
UDP Eagle:2904 *:*
UDP Eagle:2908 *:*
UDP Eagle:3456 *:*
UDP Eagle:4000 *:*
UDP Eagle:4001 *:*
UDP Eagle:6000 *:*
UDP Eagle:6001 *:*
UDP Eagle:6002 *:*
UDP Eagle:6003 *:*
UDP Eagle:6004 *:*
UDP Eagle:6005 *:*
UDP Eagle:6006 *:*
UDP Eagle:6007 *:*
UDP Eagle:6008 *:*
UDP Eagle:6009 *:*
UDP Eagle:6010 *:*
UDP Eagle:6011 *:*
UDP Eagle:1045 *:*
UDP Eagle:1051 *:*
UDP Eagle:netbios-ns *:*
UDP Eagle:netbios-dgm *:*
UDP Eagle:netbios-ns *:*
UDP Eagle:netbios-dgm *:*

Netstat details

Let's take one of these lines and explain it:
Proto Local Address Foreign Address State
TCP Eagle:2929 219.137.227.10:4899 ESTABLISHED
Protocol (Proto): TCP, the Transmission Control Protocol.
Local Address: Eagle is the computer name, set when the system was installed; it can be changed in the properties of "My Computer". 2929 is the local port opened for this connection.
Foreign Address (remote host): 219.137.227.10
Remote port: 4899
State: ESTABLISHED
Status list
LISTEN: the socket is waiting for incoming connections.
ESTABLISHED: the connection has been set up.
The -a parameter is commonly used to get the list of open ports on your own system, and with it you can check whether a trojan is installed. If you run netstat on your own machine and find the following listeners, they are the default ports of the named trojans:
Port 12345 (TCP) NetBus
Port 31337 (UDP) Back Orifice

Netstat related

Let's continue with the -n parameter (netstat -n).
netstat -n is essentially the numeric form of the -a parameter:
C:\> netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:445 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:1031 127.0.0.1:445 ESTABLISHED
TCP 192.168.1.180:1213 218.85.139.65:9002 CLOSE_WAIT
TCP 192.168.1.180:2416 219.133.63.142:443 CLOSE_WAIT
TCP 192.168.1.180:2443 219.133.63.142:443 CLOSE_WAIT
TCP 192.168.1.180:2907 192.168.1.101:2774 CLOSE_WAIT
TCP 192.168.1.180:2916 192.168.1.101:23 ESTABLISHED
TCP 192.168.1.180:2929 219.137.227.10:4899 ESTABLISHED
TCP 192.168.1.180:3048 192.168.1.1:8004 SYN_SENT
TCP 192.168.1.180:3455 218.85.139.65:9002 ESTABLISHED
-a and -n are the two most commonly used. According to my (incomplete) testing, the results are:
1. -n displays the host name in numeric form, i.e. the IP address instead of the computer name [Eagle].
2. -n shows only TCP connections.
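As an added illustration (not code from the original article), the following Python script parses the numeric netstat output format shown above (as produced by netstat -an, with LISTENING rows included) and reports any listener on the two trojan default ports named earlier (TCP 12345 NetBus, UDP 31337 Back Orifice), plus a count of TCP rows per state; the sample output is constructed, not captured from a real host.

```python
import re
from collections import Counter

# Default ports of the two trojans named in the text: TCP 12345 (NetBus), UDP 31337 (Back Orifice).
SUSPECT_PORTS = {("TCP", 12345): "NetBus", ("UDP", 31337): "Back Orifice"}

# Constructed sample in the layout of `netstat -an` on Windows XP; not captured from a real host.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.180:2929     219.137.227.10:4899    ESTABLISHED
  TCP    192.168.1.180:3048     192.168.1.1:8004       SYN_SENT
  UDP    0.0.0.0:31337          *:*
  UDP    192.168.1.180:137      *:*
"""

# proto, local host, local port, foreign address, optional state (UDP rows have none)
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Return one dict per connection row, skipping headers and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, lhost, lport, faddr, state = m.groups()
            rows.append({"proto": proto, "local": lhost, "port": int(lport),
                         "foreign": faddr, "state": state})
    return rows

def listening_ports(rows):
    """TCP sockets in LISTENING plus every UDP socket (UDP has no state column)."""
    return sorted((r["proto"], r["port"]) for r in rows
                  if r["state"] == "LISTENING" or r["proto"] == "UDP")

def suspect_listeners(rows):
    """Map (proto, port) -> trojan name for listeners on the known default ports."""
    return {k: SUSPECT_PORTS[k] for k in listening_ports(rows) if k in SUSPECT_PORTS}

def state_summary(rows):
    """Count TCP rows per state; piles of CLOSE_WAIT or SYN_SENT are worth a look."""
    return Counter(r["state"] for r in rows if r["proto"] == "TCP")
```

Feed it the saved output of netstat -an (for example parse_netstat(open("netstat.txt").read())) and inspect suspect_listeners() and state_summary() on the result.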
Obtaining an IP address is as good as obtaining everything: it is what makes a machine easiest to attack, so for a hacker both hiding one's own IP and obtaining someone else's are very important.
-a and -n are the most commonly used. To display more detailed information for a particular protocol, use the -p parameter, which is really a variant of -a and -n: netstat -p @@@, where @@@ is TCP or UDP.
C:\> netstat -p tcp
Active Connections
Proto Local Address Foreign Address State
TCP Eagle:microsoft-ds localhost:1031 ESTABLISHED
TCP Eagle:1031 localhost:microsoft-ds ESTABLISHED
TCP Eagle:1213 218.85.139.65:9002 CLOSE_WAIT
TCP Eagle:2416 219.133.63.142:https CLOSE_WAIT
TCP Eagle:2443 219.133.63.142:https CLOSE_WAIT
TCP Eagle:2907 192.168.1.101:2774 CLOSE_WAIT
TCP Eagle:2916 192.168.1.101:telnet ESTABLISHED
TCP Eagle:2929 219.137.227.10:4899 ESTABLISHED
TCP Eagle:3455 218.85.139.65:9002 ESTABLISHED
Let's continue the parameter explanation with -e.
Meaning: this option displays Ethernet statistics. The items it lists are the total number of bytes, unicast and non-unicast (broadcast) packets, discards, errors, and unknown protocols, each counted separately for the received and the sent direction. It is useful for a basic count of network traffic.
C:\> netstat -e
Interface Statistics
                           Received            Sent
Bytes                     ?????????            ????????
Unicast packets              ??????              ??????
Non-unicast packets          886526                2386
Discards                          0                   0
Errors                            0                   0
Unknown protocols              4449
If the receive and send error counters are close to zero or both zero, the network interface is fine. When either of these two fields shows more than 100 error packets, the error rate can be considered high. A high send error count indicates that the local network is saturated or that there is a bad physical connection between the host and the network; a high receive error count indicates that the overall network is saturated, that the local host is overloaded, or that there is a physical connection problem. The ping command can then be used to measure the error rate and determine the extent of the fault. The combination of netstat -e and ping can resolve most network faults.
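As an added example (not from the original article), this Python code parses netstat -e output in the layout shown above and applies the rule of thumb from the text: more than 100 errors in either the Received or the Sent column counts as a high error rate, with the corresponding interpretation; the sample output and its numbers are constructed, chosen so that the send-side rule fires.

```python
import re

# Constructed `netstat -e` output in the layout shown in the text; the numbers are
# invented so that the send-side rule fires. Not captured from a real host.
SAMPLE_E = """
Interface Statistics

                           Received            Sent

Bytes                     123456789            98765432
Unicast packets              654321              543210
Non-unicast packets          886526                2386
Discards                          0                   0
Errors                            3                 150
Unknown protocols              4449
"""

# The text treats more than 100 errors in either column as a high error rate.
ERROR_THRESHOLD = 100

# row name, received count, optional sent count ("Unknown protocols" has only one)
STAT_ROW = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_interface_stats(text):
    """Return {row name: (received, sent)}, with sent=None where the column is absent."""
    stats = {}
    for line in text.splitlines():
        m = STAT_ROW.match(line)
        if m:
            name, rx, tx = m.groups()
            stats[name] = (int(rx), None if tx is None else int(tx))
    return stats

def diagnose_errors(stats, threshold=ERROR_THRESHOLD):
    """Apply the rule of thumb from the text to the Errors row and return the findings."""
    rx_err, tx_err = stats["Errors"]
    findings = []
    if tx_err > threshold:
        findings.append("high send errors: local network saturated or bad physical "
                        "link between this host and the network")
    if rx_err > threshold:
        findings.append("high receive errors: network saturated, host overloaded, "
                        "or a physical connection problem")
    return findings or ["error counters within the normal range"]
```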
Now let's look at two more complex parameters, -r and -s.
-r displays the routing table. An example:
C:\> netstat -r
Route Table
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0c f1 02 76 81 ...... Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
0x10004 ...00 02 3f 00 05 cb ...... Realtek RTL8139/810x Family Fast Ethernet
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.181 30
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.180 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.180 192.168.1.180 20
192.168.1.0 255.255.255.0 192.168.1.181 192.168.1.181 30
192.168.1.180 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.181 255.255.255.255 127.0.0.1 127.0.0.1 30
192.168.1.255 255.255.255.255 192.168.1.180 192.168.1.180 20
192.168.1.255 255.255.255.255 192.168.1.181 192.168.1.181 30
224.0.0.0 240.0.0.0 192.168.1.180 192.168.1.180 20
224.0.0.0 240.0.0.0 192.168.1.181 192.168.1.181 30
255.255.255.255 255.255.255.255 192.168.1.180 192.168.1.180 1
255.255.255.255 255.255.255.255 192.168.1.181 192.168.1.181 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes: (static routes)
None
C:\>

Netstat supplement

The role of the -s parameter was described in detail above; let's look at an example:
C:\> netstat -s
IPv4 Statistics
  Packets Received                   = 369492
  Received Header Errors             = 0
  Received Address Errors            = 2
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 4203    (packets discarded after reception)
  Received Packets Delivered         = 365287  (packets delivered after reception)
  Output Requests                    = 369066  (send requests)
  Routing Discards                   = 0
  Discarded Output Packets           = 2172
  Output Packet No Route             = 0
  Reassembly Required                = 0       (reassembly requests)
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0
ICMPv4 Statistics (Received and Sent)
                            Received    Sent
  Messages                  285         784
  Errors                    0           0
  Destination Unreachable   53          548    (unreachable destinations)
  Time Exceeded             0           0      (timeouts)
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     25          211    (echo requests)
  Echo Replies              207         25     (echo replies)
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0      (address mask requests)
  Address Mask Replies      0           0
TCP Statistics for IPv4
  Active Opens                       = 5217
  Passive Opens                      = 80
  Failed Connection Attempts         = 2944
  Reset Connections                  = 529
  Current Connections                = 9
  Segments Received                  = 350143
  Segments Sent                      = 347561
  Segments Retransmitted             = 6108    (retransmitted segments)
UDP Statistics for IPv4
  Datagrams Received                 = 14309
  No Ports                           = 1360    (datagrams to ports with no listener)
  Receive Errors                     = 0
  Datagrams Sent                     = 14524
netstat -abnov lists every connection and listening port together with the owning process ID and the executables (with -v, the full sequence of components) that created it. This command is often used to find suspicious processes before taking further action.
