The netstat Command
Sometimes it is necessary to know which active TCP connections are open and running on a networked host. netstat command is a useful network tool for checking and verifying those connections. The verification of TCP connection is important because unexplained TCP connections are a major security risk. The TCP connection shows that something or someone is connected to the localhost.
This netstat command shows detailed information about individual network connections, overall and protocol-specific networking statistics, all listening ports, along with incoming and outgoing network connections and much more, all of which could help troubleshoot certain kinds of networking issues.
By default, the netstat command resolves IP addresses to domain names and port numbers to well-known applications. We can use a variety of switches with netstat command.
To apply the netstat command in your computer open the Command Prompt and execute the netstat command alone to show a comparatively simple list of all active TCP connections which, for each one, will show the local IP address, the foreign IP address, along with their relevant port numbers, as well as the TCP state.
Command Syntax
netstat[-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
| Switch | Description |
|---|---|
| -a | The -a switch shows all active TCP connections and the TCP and UDP ports on which the computer is listening |
| -b | The -b switch shows executable concerned in creating each connection or listening port. This switch is added in XP SP2. |
| -e | This switch shows Ethernet statistics, such as the data includes the number of bytes and packet sent and received including unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established. |
| -f | The switch -f will force the netstat command to show the (FDQN) fully Qualified Domain Names for each foreign host IP addresses when possible. |
| -n | This switch could significantly decrease the time it takes for netstat to fully execute. The switch will also show active TCP connections, but addresses and port numbers are expressed numerically. |
| -o | This switch display active TCP connection and includes the process ID (PID) for all connections. You can find the application based on the PID on the processes tab in windows Task Manager. This parameter can be combined with -a, -n, and -p |
| -p proto | The -p switch show connections or state only for a particular protocol. You can't define more than one protocol at once, nor can you execute netstat with -p switch without defining a protocol. proto may be any of TCP, UDP, TCPv6 or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6 or ipv6 addition to the first four I mentioned. |
| -f | This switch displays the contents of the IP routing table. this equivalent to the route print command. |
| -s | The -s switch shows statistics per-protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. the -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together. |
| -t | This switch displays the current TCP pipe offload state in place of the type displayed TCP state. |
| [Interval] | An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped by command ctrl+c. the default setting is to display once. |
| /? | This switch is used to display the details about the netstat command's several option. |
Examples of netstat command
netstat -f
The example of a netstat with -f switch shows all active TCP connections. but, I do want to see the computers I’m connected to in Fully Qualified Domain Name format [-f] instead of a simple IP address. Here’s an example of what you might see:
The command displays all active TCP connections at the time of execution. The only protocol (in the Proto column) listed is TCP, if UDP is required then you can use -a switch with n switch (netstat –an) to reduce the execution time.
The information above is displayed in the result of the command with –an switch including the protocol, the local address and port number, the foreign address and port number, and the connection status. An explanation of the different connection states is given below.
| Status | Description |
|---|---|
| LISTENING | LISTENING status show that the server is ready to accept a connection. |
| CLOSED | This status shows that the server has received an ACK signal from the client and the connection is closed now. |
| CLOSE_WAIT | This status display that the server has received an ACK signal from the client and the connection is closed now. |
| ESTABLISHED | ESTABLISHED status means that the server received the SYN signal from the client and the session is now established. |
| FIN_WAIT_1 | This status means that the connection is still active but not currently in use. |
| FIN_WAIT_2 | This status means that the client now received ack of the FIN signal from the server. |
| LAST_ACK | This status show that the server is in the process of sending its own FIN. |
| SYN_SEND | This status means that this particular connection is open and active. |
| SYN_RECEIVED | The status means that the server just recived an SYN signal from the client. |
| TIME_WAIT | TIME_WAIT status means that the client recognizes the connection as still active but not currently being used. |
