Netstat stands for Network Statistics and that is exactly what this tool produces — statistics of the local network as seen from the local hosts interface card. Netstat is used to provide troubleshooting statistics and insights into protocols, ports and connections from a local host computer. This makes Netstat a handy tool to have when troubleshooting TCP connectivity problems and interface performance issue.
Netstat provides insight into what is going on between your computer and another host. It also highlights TCP connections made in the background by spyware and malware. Netstat comes in many version and for many OS and distributions, so there is no definitive command set. For example, Windows XP has Netstat preloaded but has only some of the basic functions. The syntax for Netstat on Windows XP is
Netstat [-a] [-b] [-e] [-n] [-o] [-p] [-r] [-s] [-v] [interval]
The screenshot above detail the various options and switches there are for Netstat for Windows. Linux has several more as does IBM’s implementation. However, the core functionality and the statistics Netstat returns are much the same.
Here are some of the additional bells and whistles available with most Linux distributions.
- Netstat – f returns fully qualified domain names
- Netstat -g returns multicast group membership
- Netstat -I returns detailed interface information
- Netstat -m returns detailed memory allocation
Netstat provides statistics for the following;
- Local addresses based on the IP of the local computer and the ports assigned.
- Foreign address IPs and port number of the socket it is connected to
- State of the TCP connection
When running Netstat on Windows XP, it provides the above statistics, but it’s limited to the traffic on the interface card. This is because the interfaces in Windows only see and respond to traffic destined for their own MAC address. In order for Netstat to actually get network statistics, it would have to be in promiscuous mode. If the network card is placed in promiscuous mode (possible with Linux), the interface listens to and processes all traffic. When the interface is in promiscuous mode, it can give true traffic statistics for the entire wire, rather than just from its own perspective. Linux and IBM systems can place their interfaces into promiscuous mode, which is why they have more switches and dials on their Netstat applications.
Interfaces in Promiscous Mode
Placing an interface into promiscuous mode forces an interface to listen and process all traffic that crosses the wire. This is how wire sniffers work in both legitimate and unauthorized network analyzers. Having a central system that listens and samples data passing over the network is a prerequisite of any good network management toolkit. Netstat, though, is not that sort of tool. Netstat is fine for quick snapshots and a high-level view of network statistics. However, Netstat was never designed to be a network protocol analyzer and it just doesn’t compare to other specialist and open-source tools such as Wireshark, formerly Ethereal, which is a true network analyzer.
Netstat Practical Examples
Netstat is a command line tool preloaded on Linux and Windows systems. Netstat can provide information on the network connections to a local host such as which ports are open and listening, and which remote hosts are presently connected. This can be useful when troubleshooting TCP/IP issues or for quickly checking a machine for any active connections that should not be open. For example, a simple check using the following command will return a list of all open and listening ports. To try this: open Netstat on windows and run -> cmd
You will see a black command prompt windows open then type;
In the example above, using the Netstat –a switch, it returns a list of all the current TCP ports that the local machine is currently listening on or has TCP/IP connection already established. The thing of interest is it lists the TCP connections that are open for all the programs currently active. Notice the first two entries are for Firefox. Then there are a couple of connections lurking in the background, for example the connection to Dropbox and akamaitechologies.
The first thing to do is translate the addresses to decimal so they can be easier read. This is done using the –n switch like this:
Netstat –a –n
Now the output is easier to read and the logging server is on the local host using the loopback address 127.0.0.1. However, on the toolbarUpdater.exe connection, it is closed/waiting on a public IP address 126.96.36.199:80 which is alkamitechnologies. Just by checking the port numbers, Netstat was able to detect applications that were running and listening on TCP ports on the local system. This same technique can be used to hunt down Trojans and spyware.
It is likely though that they will be hard to identify. By running Netstat – o –n, you can determine what applications are running on the local host and initiated a connection. An example is shown below:
Netstat –o –n
For example, above there is a snapshot of the applications that have initiated outbound connections from the host computer. By checking the PID value shown in the screenshot above, for instance 4516, against the value in Windows task manager, the process can be identified.
By comparing the process ID in Netstat to the process in the windows task manager under Processes, the process running 4516 is Chrome browser.
In this next example, Netstat is configured to return all network statistics for the Ethernet interface.
In the example above, the traffic being seen through the Ethernet interface is incrementing as can be seen on the two passes. The bytes sent and received have incremented as have the non-unicast (broadcast/multicast) packets sent out and received.
Examining the host computers routing table
The host routing table can be interrogated using the netstat –r command
Netstat is a good and easy to use tool that enables quick and efficient troubleshooting of TCP/IP protocol issues, and it provides network statistics that can be very useful at detecting spyware and other rogue applications.