Wednesday, November 26, 2008

The Windows™ 95/98 Network Programs

NETSTAT.exe      TCP/IP Network Statistics

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.

  -e            Displays Ethernet statistics. This may be combined with the
                -s option.

  -n            Displays addresses and port numbers in numerical form.

  -p proto      Shows connections for the protocol specified by proto; proto
                may be TCP or UDP. If used with the -s option to display
                per-protocol statistics, proto may be TCP, UDP, or IP.

  -r            Displays the routing table.

  -s            Displays per-protocol statistics. By default, statistics
                are shown for TCP, UDP and IP; the -p option may be used
                to specify a subset of the default.

  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.

First, I would recommend that you always use the '-a' parameter so that you also see UDP 'listening ports' (often used by trojans) and not just the active TCP connections. Then switch between using '-a' and no parameters at all to see the differences. When you're offline, you normally shouldn't see any connection data! If you do see an open port number 'listening' for a connection (using the '-a' parameter), it may be that your computer has been infected with a trojan!

If you're running a server, such as the free XITAMI server, you might see something like this ("My_Comp" is the name of my computer):

C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    My_Comp:ftp            localhost:0            LISTENING
  TCP    My_Comp:80             localhost:0            LISTENING

Or with the "-an" parameters:

C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING

By simply opening a browser connection to both the HTTP (port 80) and FTP (port 21) servers (while still offline!), I saw the following:

C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    My_Comp:ftp            localhost:0            LISTENING
  TCP    My_Comp:80             localhost:0            LISTENING
  TCP    My_Comp:1104           localhost:0            LISTENING
  TCP    My_Comp:ftp            localhost:1104         ESTABLISHED
  TCP    My_Comp:1102           localhost:0            LISTENING
  TCP    My_Comp:1103           localhost:0            LISTENING
  TCP    My_Comp:80             localhost:1111         TIME_WAIT
  TCP    My_Comp:1104           localhost:ftp          ESTABLISHED
  TCP    My_Comp:1107           localhost:0            LISTENING
  TCP    My_Comp:1112           localhost:80           TIME_WAIT
  UDP    My_Comp:1102           *:*
  UDP    My_Comp:1103           *:*
  UDP    My_Comp:1107           *:*

This may be a bit confusing to some people, but remember I'm running BOTH the servers and clients on the same machine in these examples. A little later (using both 'a' and 'n') I got this:

C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1104           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:21           127.0.0.1:1104         FIN_WAIT_2
  TCP    127.0.0.1:1102         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1103         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1104         127.0.0.1:21           CLOSE_WAIT
  TCP    127.0.0.1:1107         0.0.0.0:0              LISTENING
  UDP    127.0.0.1:1102         *:*
  UDP    127.0.0.1:1103         *:*
  UDP    127.0.0.1:1107         *:*

After turning off my server, I ended up with this for a while:

C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:80           127.0.0.1:1150         TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:1151         TIME_WAIT
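
The check described above (look for open ports you did not expect) can be run over saved "netstat -an" output. The following Python script is an added example, not part of the original post; the function names and the EXPECTED allowlist are assumptions made for illustration, and the sample text is the second "-an" listing from this page.

```python
# Constructed sample: the "netstat -an" listing shown earlier on this page.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1104           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:21           127.0.0.1:1104         FIN_WAIT_2
  TCP    127.0.0.1:1102         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1103         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1104         127.0.0.1:21           CLOSE_WAIT
  TCP    127.0.0.1:1107         0.0.0.0:0              LISTENING
  UDP    127.0.0.1:1102         *:*
  UDP    127.0.0.1:1103         *:*
  UDP    127.0.0.1:1107         *:*
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row of netstat connection output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, foreign = fields[:3]
        # UDP rows have no State column; mark them as a bound (open) socket.
        state = fields[3] if len(fields) > 3 else "UDP_BOUND"
        addr, _, port = local.rpartition(":")
        port = int(port) if port.isdigit() else port  # "ftp" stays a name without -n
        rows.append({"proto": proto, "addr": addr, "port": port,
                     "foreign": foreign, "state": state})
    return rows

def unexpected_listeners(rows, expected):
    """Open ports whose (proto, port) pair is not in the expected set."""
    hits = []
    for r in rows:
        is_open = r["state"] in ("LISTENING", "UDP_BOUND")
        if not is_open or (r["proto"], r["port"]) in expected:
            continue
        scope = "loopback only" if r["addr"].startswith("127.") else "all interfaces"
        hits.append((r["proto"], r["port"], scope))
    return hits

# Assumption: the FTP and HTTP servers are the only services run on purpose.
EXPECTED = {("TCP", 21), ("TCP", 80)}

if __name__ == "__main__":
    for proto, port, scope in unexpected_listeners(parse_netstat(SAMPLE), EXPECTED):
        print(f"review {proto} port {port} ({scope})")
```

A flagged port is something to identify, not proof of infection: in this sample the post attributes the extra entries to the client programs running on the same machine as the servers.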
