What Is Netstat?
Netstat (network statistics) is a command-line program that reads network connection state and related information from the kernel's live TCP/IP tables. It reports TCP connections, the TCP and UDP ports the system is listening on, per-protocol statistics, Ethernet interface counters and the routing table.
Netstat
- The general format of the command is:
- netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]
- The last column of the connection listing is the connection state. Raw sockets have no state, and UDP, being connectionless, has none either, so for those rows the State column is empty. For TCP the column holds a value such as LISTENING, ESTABLISHED, SYN_SENT, CLOSE_WAIT or TIME_WAIT.
- The general format of this command (under Windows XP) is:
- C:\> netstat /?
- Displays protocol statistics and current TCP/IP network connections.
- NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]
- -a Displays all connections and listening ports.
- -b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
- -e Displays Ethernet statistics. This may be combined with the -s option.
- -n Displays addresses and port numbers in numerical form.
- -o Displays the owning process ID associated with each connection.
- -p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
- -r Displays the routing table.
- -s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
- -v When used in conjunction with -b, will display the sequence of components involved in creating the connection or listening port for all executables.
- interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
- The general format of this command (under Windows 2000) is:
- C:\> netstat /?
- Displays protocol statistics and current TCP/IP network connections.
- NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]
- -a Displays all connections and listening ports.
- -e Displays Ethernet statistics. This may be combined with the -s option.
- -n Displays addresses and port numbers in numerical form.
- -p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
- -r Displays the routing table.
- -s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
- interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
- Netstat has no graphical front end, so many users never meet it, but it ships with every Windows TCP/IP installation and is one of the most useful tools on the system. It reports the machine's network connections (local ports in use, protocols, connection state), the remote address and port of every peer, per-interface and per-protocol traffic counters, and the routing table. Everything it prints is read from the kernel's current network tables, not from a log, so it reflects the state at the moment it runs.
Netstat Record
- Use examples to explain the use of various parameters in detail:
- C:\> netstat -a
- Active Connections
- Proto Local Address Foreign Address State
- TCP Eagle:ftp Eagle:0 LISTENING
- TCP Eagle:telnet Eagle:0 LISTENING
- TCP Eagle:smtp Eagle:0 LISTENING
- TCP Eagle:http Eagle:0 LISTENING
- TCP Eagle:epmap Eagle:0 LISTENING
- TCP Eagle:https Eagle:0 LISTENING
- TCP Eagle:microsoft-ds Eagle:0 LISTENING
- TCP Eagle:1030 Eagle:0 LISTENING
- TCP Eagle:6059 Eagle:0 LISTENING
- TCP Eagle:8001 Eagle:0 LISTENING
- TCP Eagle:8005 Eagle:0 LISTENING
- TCP Eagle:8065 Eagle:0 LISTENING
- TCP Eagle:microsoft-ds localhost:1031 ESTABLISHED
- TCP Eagle:1031 localhost:microsoft-ds ESTABLISHED
- TCP Eagle:1040 Eagle:0 LISTENING
- TCP Eagle:netbios-ssn Eagle:0 LISTENING
- TCP Eagle:1213 218.85.139.65:9002 CLOSE_WAIT
- TCP Eagle:2416 219.133.63.142:https CLOSE_WAIT
- TCP Eagle:2443 219.133.63.142:https CLOSE_WAIT
- TCP Eagle:2907 192.168.1.101:2774 CLOSE_WAIT
- TCP Eagle:2916 192.168.1.101:telnet ESTABLISHED
- TCP Eagle:2927 219.137.227.10:4899 TIME_WAIT
- TCP Eagle:2928 219.137.227.10:4899 TIME_WAIT
- TCP Eagle:2929 219.137.227.10:4899 ESTABLISHED
- TCP Eagle:3455 218.85.139.65:9002 ESTABLISHED
- TCP Eagle:netbios-ssn Eagle:0 LISTENING
- UDP Eagle:microsoft-ds *:*
- UDP Eagle:1046 *:*
- UDP Eagle:1050 *:*
- UDP Eagle:1073 *:*
- UDP Eagle:1938 *:*
- UDP Eagle:2314 *:*
- UDP Eagle:2399 *:*
- UDP Eagle:2413 *:*
- UDP Eagle:2904 *:*
- UDP Eagle:2908 *:*
- UDP Eagle:3456 *:*
- UDP Eagle:4000 *:*
- UDP Eagle:4001 *:*
- UDP Eagle:6000 *:*
- UDP Eagle:6001 *:*
- UDP Eagle:6002 *:*
- UDP Eagle:6003 *:*
- UDP Eagle:6004 *:*
- UDP Eagle:6005 *:*
- UDP Eagle:6006 *:*
- UDP Eagle:6007 *:*
- UDP Eagle:6008 *:*
- UDP Eagle:6009 *:*
- UDP Eagle:6010 *:*
- UDP Eagle:6011 *:*
- UDP Eagle:1045 *:*
- UDP Eagle:1051 *:*
- UDP Eagle:netbios-ns *:*
- UDP Eagle:netbios-dgm *:*
- UDP Eagle:netbios-ns *:*
- UDP Eagle:netbios-dgm *:*
Netstat details
- Let's take one of these rows and explain it:
- Proto Local Address Foreign Address State
- TCP Eagle:2929 219.137.227.10:4899 ESTABLISHED
- Protocol (Proto): TCP, the Transmission Control Protocol.
- Local Address: Eagle is the local computer name (set when the system is installed; it can be changed in the "My Computer" properties). Without -n, netstat prints the name instead of the interface's IP address. 2929 is the local port this connection uses.
- Foreign Address: 219.137.227.10 is the remote host (printed as a name where a reverse lookup succeeds, otherwise as an IP address).
- Remote port: 4899.
- State: ESTABLISHED.
- Status list (the values that appear in the listings on this page):
- LISTENING: a server socket waiting for incoming connections.
- ESTABLISHED: the three-way handshake has completed and data can flow in both directions.
- SYN_SENT: the local side has sent a SYN and is waiting for the peer's SYN-ACK; the connection is still being opened.
- CLOSE_WAIT: the remote side has closed its end; the local application has not yet closed its socket.
- TIME_WAIT: the local side closed first and is waiting out the 2MSL timer before the port can be reused.
- The -a parameter is the usual way to list the open ports on your local system, and with it you can check whether a Trojan has opened a listening port. If netstat on your own machine shows one of the following, investigate:
- Port 12345 (TCP): NetBus (default port)
- Port 31337 (UDP): Back Orifice (default port)
- These are only the historical defaults. A backdoor can be configured to listen on any port, and a legitimate program can happen to use one of these, so treat an unexpected listener as a lead rather than a verdict: record the owning process with -o (or the executable with -b) and confirm what that process is before acting.
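The check described above, mechanised: a parser for Windows netstat listings (both the named form of `netstat -a` and the numeric `netstat -an` / `netstat -ano` form discussed in the next section), plus a baseline comparison that reports every listener not on an allow-list, names the two backdoor ports from the page, and pulls out the established sessions held by the same PID so the analyst sees who the suspect process is talking to. This is an added example, not code from the original page; the sample output, the EXPECTED_LISTENERS baseline and the PIDs are constructed for illustration.

```python
"""Parse Windows netstat connection listings and flag unexpected listeners.

Added example; this is not code from the original page. SAMPLE_NETSTAT_ANO is
constructed in the layout of `netstat -ano` (the -o column is the owning PID)
and reuses some peers from the listing above. EXPECTED_LISTENERS is an assumed
baseline for one host, not a recommendation.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.180:2929     219.137.227.10:4899    ESTABLISHED     1720
  TCP    192.168.1.180:2916     192.168.1.101:23       ESTABLISHED     2204
  TCP    192.168.1.180:1213     218.85.139.65:9002     CLOSE_WAIT      1316
  UDP    0.0.0.0:31337          *:*                                    1720
  UDP    192.168.1.180:137      *:*                                    4
"""

# Assumed baseline: what this particular host is supposed to expose.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# Historical default ports of the two backdoors named on the page.
KNOWN_BACKDOOR_PORTS = {("TCP", 12345): "NetBus", ("UDP", 31337): "Back Orifice"}


@dataclass(frozen=True)
class Conn:
    proto: str
    local_host: str
    local_port: str       # kept as text: may be a service name without -n
    foreign_host: str
    foreign_port: str
    state: Optional[str]  # None for UDP, which has no connection state
    pid: Optional[int]    # None when -o was not given


def _split_endpoint(endpoint: str):
    """Split 'host:port' on the LAST colon so '[::]:445' and 'Eagle:ftp' both work."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat(text: str):
    """Parse `netstat -a`, `-an` or `-ano` output (names or numbers) into Conn records."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP", "TCPv6", "UDPv6"):
            continue  # header, blank line or "Active Connections"
        lhost, lport = _split_endpoint(parts[1])
        fhost, fport = _split_endpoint(parts[2])
        state = pid = None
        for field in parts[3:]:
            if field.isdigit():
                pid = int(field)   # the -o column
            else:
                state = field      # TCP state; UDP rows have none
        conns.append(Conn(parts[0], lhost, lport, fhost, fport, state, pid))
    return conns


def listeners(conns):
    """Sockets that accept unsolicited input: TCP in LISTENING plus every UDP endpoint."""
    return [c for c in conns if c.state == "LISTENING" or c.proto.startswith("UDP")]


def find_unexpected_listeners(conns, expected):
    """Return (conn, reason) for listeners outside the baseline or on a known backdoor port."""
    findings = []
    for c in listeners(conns):
        family = "UDP" if c.proto.startswith("UDP") else "TCP"
        if not c.local_port.isdigit():
            continue  # service name shown instead of a number: rerun with -n
        key = (family, int(c.local_port))
        if key in KNOWN_BACKDOOR_PORTS:
            findings.append((c, f"default port of {KNOWN_BACKDOOR_PORTS[key]}"))
        elif key not in expected:
            findings.append((c, "listener not in baseline"))
    return findings


def established_by_pid(conns, pid):
    """Established TCP sessions held by one PID: the peers a suspect process is talking to."""
    return [c for c in conns if c.pid == pid and c.state == "ESTABLISHED"]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT_ANO)
    for c, reason in find_unexpected_listeners(conns, EXPECTED_LISTENERS):
        print(f"{c.proto} {c.local_host}:{c.local_port} pid={c.pid}: {reason}")
        for s in established_by_pid(conns, c.pid):
            print(f"    pid {c.pid} also ESTABLISHED to {s.foreign_host}:{s.foreign_port}")
```

Feed it real output by redirecting `netstat -ano` to a file and passing the file's text to parse_netstat. Ports are kept as text on purpose: without -n the column may hold a service name, and the baseline check skips those rows instead of guessing, which is a reminder to rerun with -n before comparing against a port list.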
Netstat related
- To continue our discussion, use the -n parameter (netstat -n).
- netstat -n prints the same table in numeric form, but without -a it shows only active TCP connections:
- C:\> netstat -n
- Active Connections
- Proto Local Address Foreign Address State
- TCP 127.0.0.1:445 127.0.0.1:1031 ESTABLISHED
- TCP 127.0.0.1:1031 127.0.0.1:445 ESTABLISHED
- TCP 192.168.1.180:1213 218.85.139.65:9002 CLOSE_WAIT
- TCP 192.168.1.180:2416 219.133.63.142:443 CLOSE_WAIT
- TCP 192.168.1.180:2443 219.133.63.142:443 CLOSE_WAIT
- TCP 192.168.1.180:2907 192.168.1.101:2774 CLOSE_WAIT
- TCP 192.168.1.180:2916 192.168.1.101:23 ESTABLISHED
- TCP 192.168.1.180:2929 219.137.227.10:4899 ESTABLISHED
- TCP 192.168.1.180:3048 192.168.1.1:8004 SYN_SENT
- TCP 192.168.1.180:3455 218.85.139.65:9002 ESTABLISHED
- -a and -n are the two most commonly used options. Comparing the two listings above:
- 1. -n prints addresses and ports numerically: 192.168.1.180 instead of the computer name Eagle, 445 instead of microsoft-ds, 23 instead of telnet. No DNS or services-file lookup is made, so the output is faster and cannot be skewed by name resolution.
- 2. -n on its own lists only TCP connections that are not in the LISTENING state; listening TCP ports and UDP endpoints are shown only when -a is also given. netstat -an gives both at once, and netstat -ano adds the owning process ID.
- The Foreign Address column exposes the IP address of every peer: yours to them and theirs to you. An IP address by itself does not compromise a machine, but it is where every scan or attack starts, which is why an attacker cares about concealing their own address and learning the target's, and why a defender reads this column to learn who a suspicious process is talking to.
- -a and -n are the options you will use most. To restrict the listing to one protocol, use the -p parameter, which filters the same table by protocol: netstat -p proto, where proto is TCP or UDP (TCPv6 or UDPv6 on Windows XP and later). Like -n, it shows only active connections unless -a is also given.
- C:\> netstat -p tcp
- Active Connections
- Proto Local Address Foreign Address State
- TCP Eagle:microsoft-ds localhost:1031 ESTABLISHED
- TCP Eagle:1031 localhost:microsoft-ds ESTABLISHED
- TCP Eagle:1213 218.85.139.65:9002 CLOSE_WAIT
- TCP Eagle:2416 219.133.63.142:https CLOSE_WAIT
- TCP Eagle:2443 219.133.63.142:https CLOSE_WAIT
- TCP Eagle:2907 192.168.1.101:2774 CLOSE_WAIT
- TCP Eagle:2916 192.168.1.101:telnet ESTABLISHED
- TCP Eagle:2929 219.137.227.10:4899 ESTABLISHED
- TCP Eagle:3455 218.85.139.65:9002 ESTABLISHED
- Continue with the -e parameter.
- Meaning: -e prints statistics for the Ethernet interface: bytes, unicast and non-unicast (broadcast and multicast) packets, discards, errors and, on the receive side, datagrams carrying an unknown protocol. Every counter is reported separately for received and sent traffic, and all of them accumulate from boot. This is a quick way to measure basic traffic volume and interface health.
- C:\> netstat -e
- Interface Statistics
- Received Sent
- Bytes ????????? ????????
- Unicast packets ?????? ??????
- Non-unicast packets 886526 2386
- Discards 0 0
- Errors 0 0
- Unknown protocols 4449
- If the receive and send error counters are zero or close to it, the interface is fine. More than a hundred errors in either column is a high error rate (since the counters run from boot, take two readings a known interval apart rather than judging the absolute number). Many send errors point to a saturated local segment or a bad physical link between the host and the network; many receive errors point to a saturated network, an overloaded local host, or again a physical problem. ping (for example ping -n 100 against the default gateway) reports the percentage of lost packets and the round-trip time, which helps to size the fault. netstat -e together with ping is enough to localize most problems of this kind.
- Let's start with two more complicated parameters -r and -s.
- -r displays the routing table. An example:
- C:\> netstat -r
- Route Table
- Interface List
- 0x1 ........................... MS TCP Loopback interface
- 0x10003 ...00 0c f1 02 76 81 ...... Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
- 0x10004 ...00 02 3f 00 05 cb ...... Realtek RTL8139/810x Family Fast Ethernet
- Active Routes:
- Network Destination Netmask Gateway Interface Metric
- 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.181 30
- 0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.180 20
- 127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
- 192.168.1.0 255.255.255.0 192.168.1.180 192.168.1.180 20
- 192.168.1.0 255.255.255.0 192.168.1.181 192.168.1.181 30
- 192.168.1.180 255.255.255.255 127.0.0.1 127.0.0.1 20
- 192.168.1.181 255.255.255.255 127.0.0.1 127.0.0.1 30
- 192.168.1.255 255.255.255.255 192.168.1.180 192.168.1.180 20
- 192.168.1.255 255.255.255.255 192.168.1.181 192.168.1.181 30
- 224.0.0.0 240.0.0.0 192.168.1.180 192.168.1.180 20
- 224.0.0.0 240.0.0.0 192.168.1.181 192.168.1.181 30
- 255.255.255.255 255.255.255.255 192.168.1.180 192.168.1.180 1
- 255.255.255.255 255.255.255.255 192.168.1.181 192.168.1.181 1
- Default Gateway: 192.168.1.254
- ===========================================================================
- Two interfaces, 192.168.1.180 and 192.168.1.181, are up on the same subnet, so nearly every destination matches two rows. Windows picks the row with the most specific netmask and, among rows with the same netmask, the lowest metric; here the interface with metric 20 wins over the one with metric 30, including for the default route 0.0.0.0. A row that appears here without anyone having added it, especially a new 0.0.0.0 route or a host route to a server you use, is worth checking: redirecting traffic through a rogue gateway is one way to intercept it.
Netstat supplement
- Persistent Routes: (routes added with route -p, which survive a reboot)
- None
- C: \>
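Route selection over the table above, worked through in code so the two-interface ambiguity is resolved explicitly. This is an added example, not code from the original page: it re-parses the Active Routes block shown above (retyped as constructed input) and applies the longest-prefix, then lowest-metric rule to a few destinations, and lists the distinct default gateways as a quick check for a rogue route.

```python
"""Pick the route Windows would use from a `netstat -r` table.

Added example, not code from the original page. ACTIVE_ROUTES is the
"Active Routes" block printed above, retyped here as input. Selection follows
the rule the TCP/IP stack applies: the most specific netmask (longest prefix)
wins, and among equal prefixes the lowest metric wins.
"""
import ipaddress

ACTIVE_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254  192.168.1.181     30
          0.0.0.0          0.0.0.0    192.168.1.254  192.168.1.180     20
        127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.180  192.168.1.180     20
      192.168.1.0    255.255.255.0    192.168.1.181  192.168.1.181     30
    192.168.1.180  255.255.255.255        127.0.0.1      127.0.0.1     20
    192.168.1.181  255.255.255.255        127.0.0.1      127.0.0.1     30
    192.168.1.255  255.255.255.255    192.168.1.180  192.168.1.180     20
    192.168.1.255  255.255.255.255    192.168.1.181  192.168.1.181     30
        224.0.0.0        240.0.0.0    192.168.1.180  192.168.1.180     20
        224.0.0.0        240.0.0.0    192.168.1.181  192.168.1.181     30
  255.255.255.255  255.255.255.255    192.168.1.180  192.168.1.180      1
  255.255.255.255  255.255.255.255    192.168.1.181  192.168.1.181      1
"""


def parse_routes(text):
    """Rows of 'destination netmask gateway interface metric' -> list of dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue  # column header or blank line
        dest, mask, gateway, iface, metric = parts
        routes.append({
            # strict=False accepts a host address as destination (192.168.1.180/32);
            # ipaddress understands a dotted-quad netmask after the slash.
            "network": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": ipaddress.ip_address(gateway),
            "interface": ipaddress.ip_address(iface),
            "metric": int(metric),
        })
    return routes


def select_route(routes, destination):
    """Longest prefix match, ties broken by lowest metric; None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r["network"].prefixlen, r["metric"]))


def describe(routes, destination):
    """Human-readable form of the chosen route."""
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no route"
    if r["interface"].is_loopback:
        how = "delivered locally"
    elif r["gateway"] == r["interface"]:
        how = "on-link (direct ARP)"
    else:
        how = f"via gateway {r['gateway']}"
    return f"{destination}: {how}, out {r['interface']}, metric {r['metric']} [{r['network']}]"


def default_gateways(routes):
    """Distinct next hops of the 0.0.0.0/0 rows; more than one deserves a second look."""
    return sorted({str(r["gateway"]) for r in routes if r["network"].prefixlen == 0})


if __name__ == "__main__":
    table = parse_routes(ACTIVE_ROUTES)
    for dst in ("8.8.8.8", "192.168.1.101", "192.168.1.181", "192.168.1.255"):
        print(describe(table, dst))
    print("default gateways:", default_gateways(table))
```

The interesting rows are the ones that look redundant: 192.168.1.101 matches both /24 rows and both /0 rows, and the /24 with metric 20 wins, so the packet goes straight to the peer on the 192.168.1.180 interface without touching the gateway.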
- The -s parameter was described above; here is an example of its output, with notes on the counters that matter most:
- C:\> netstat -s
- IPv4 Statistics
- Packets Received = 369492
- Received Header Errors = 0
- Received Address Errors = 2
- Datagrams Forwarded = 0
- Unknown Protocols Received = 0
- Received Packets Discarded = 4203 (received but dropped, for example for lack of buffers or by a filter)
- Received Packets Delivered = 365287 (handed up to TCP, UDP or ICMP)
- Output Requests = 369066 (packets the upper layers asked IP to send)
- Routing Discards = 0
- Discarded Output Packets = 2172
- Output Packet No Route = 0
- Reassembly Required = 0 (fragments received that needed reassembly)
- Reassembly Successful = 0
- Reassembly Failures = 0
- Datagrams Successfully Fragmented = 0
- Datagrams Failing Fragmentation = 0
- Fragments Created = 0
- ICMPv4 Statistics (Received and Sent)
- Received Sent
- Messages 285 784
- Errors 0 0
- Destination Unreachable 53 548 (the sent count includes the port-unreachable replies this host returns when a datagram arrives for a closed port)
- Time Exceeded 0 0 (TTL expired in transit; traceroute relies on these)
- Parameter Problems 0 0
- Source Quenches 0 0
- Redirects 0 0 (a router telling this host to use a different gateway)
- Echos 25 211 (echo requests: pings received and pings sent)
- Echo Replies 207 25 (211 pings were sent and 207 replies came back, so 4 went unanswered)
- Timestamps 0 0
- Timestamp Replies 0 0
- Address Masks 0 0
- Address Mask Replies 0 0
- TCP Statistics for IPv4
- Active Opens = 5217 (connections this host initiated)
- Passive Opens = 80 (connections accepted on listening ports)
- Failed Connection Attempts = 2944 (opens that never reached ESTABLISHED)
- Reset Connections = 529 (connections torn down with RST)
- Current Connections = 9
- Segments Received = 350143
- Segments Sent = 347561
- Segments Retransmitted = 6108
- UDP Statistics for IPv4
- Datagrams Received = 14309
- No Ports = 1360 (datagrams that arrived for a port with no listener)
- Receive Errors = 0
- Datagrams Sent = 14524
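The counters above are only useful as ratios: 2944 failed connection attempts means little on its own, but against 5217 active opens it says that more than half of this host's outbound connection attempts went nowhere, which on a workstation is what a scanner or worm looks like. The following added example (not code from the original page) parses the "name = value" sections of `netstat -s` output, computes the ratios an incident responder reaches for first, and applies thresholds that are assumptions chosen for illustration, not published guidance. SAMPLE_STATS is a constructed excerpt in the layout of the listing above.

```python
"""Derive health and abuse indicators from Windows `netstat -s` counters.

Added example, not code from the original page. SAMPLE_STATS is a constructed
excerpt in the layout of the listing above; every threshold below is an
assumption for illustration.
"""
import re

SAMPLE_STATS = """\
IPv4 Statistics

  Packets Received                   = 369492
  Received Header Errors             = 0
  Received Address Errors            = 2
  Received Packets Discarded         = 4203
  Received Packets Delivered         = 365287

TCP Statistics for IPv4

  Active Opens                       = 5217
  Passive Opens                      = 80
  Failed Connection Attempts         = 2944
  Reset Connections                  = 529
  Current Connections                = 9
  Segments Received                  = 350143
  Segments Sent                      = 347561
  Segments Retransmitted             = 6108

UDP Statistics for IPv4

  Datagrams Received    = 14309
  No Ports              = 1360
  Receive Errors        = 0
  Datagrams Sent        = 14524
"""

# One indented "Counter Name = 123" line.
_COUNTER = re.compile(r"^\s*(?P<name>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<value>\d+)\s*$")


def parse_stats(text):
    """Return {section: {counter: int}} for the 'name = value' sections of netstat -s.

    Section headers start in column 0; counters are indented. Lines in other
    layouts (the two-column ICMP table) are ignored rather than guessed at.
    """
    sections = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _COUNTER.match(line)
        if m and current is not None:
            sections[current][m["name"]] = int(m["value"])
        elif not line.startswith(" "):
            current = line.strip()
            sections[current] = {}
    return sections


def _ratio(numerator, denominator):
    return numerator / denominator if denominator else 0.0


def tcp_indicators(stats, fail_limit=0.25, retransmit_limit=0.02):
    """Ratios that separate a noisy host from a sick network (limits are assumed)."""
    tcp = stats["TCP Statistics for IPv4"]
    # Failed attempts also count half-open passive connections, so this is an
    # approximation of the outbound failure rate, good enough for triage.
    failed = _ratio(tcp["Failed Connection Attempts"], tcp["Active Opens"])
    retrans = _ratio(tcp["Segments Retransmitted"], tcp["Segments Sent"])
    findings = []
    if failed > fail_limit:
        findings.append(f"{failed:.0%} of outbound opens failed: the host is probing closed "
                        "or unreachable ports (scanner/worm) or retrying a dead peer")
    if retrans > retransmit_limit:
        findings.append(f"{retrans:.1%} of sent segments were retransmitted: lossy or congested path")
    return {"failed_open_ratio": failed, "retransmit_ratio": retrans, "findings": findings}


def udp_indicators(stats, noport_limit=0.05):
    """'No Ports' counts datagrams for which nobody was listening: inbound UDP probing."""
    udp = stats["UDP Statistics for IPv4"]
    noport = _ratio(udp["No Ports"], udp["Datagrams Received"])
    findings = []
    if noport > noport_limit:
        findings.append(f"{noport:.1%} of received datagrams had no listener: someone is probing UDP ports")
    return {"no_port_ratio": noport, "findings": findings}


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    for report in (tcp_indicators(stats), udp_indicators(stats)):
        for line in report["findings"]:
            print(line)
```

On the page's own numbers the TCP failure ratio is about 56 percent and trips the assumed limit, while the retransmission ratio (about 1.8 percent) does not: the network is fine, the host's behaviour is not. Because the counters accumulate from boot, comparing two snapshots taken a few minutes apart tells you whether the activity is current or historical.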
- -----------------------------------------------------
- netstat -abnov lists, for every connection and listening port, the owning process ID (-o) and the executable and the sequence of components that created it (-b with -v), with addresses in numeric form (-n). It needs administrative rights and can take a while to run. It is the usual way to decide whether a listener or an outbound connection belongs to a suspicious process: once you have the PID, confirm it with tasklist /fi "PID eq <pid>" and Task Manager before taking action, bearing in mind that malware often names itself after a system binary.