Netstat Tutorial

Netstat is a command-line utility to view of active ports on your machine and their status. This helps user to understand which ports are open, closed, or listening for incoming connections. The information provided by netstat conveys an accurate assumption of how vulnerable PC might be to attacks on various ports.

Common attacks may include port 21 (ftp) and port 23 (telnet). A hacker can connect to these ports to obtain view of the directory structure, download and upload files, and, if the password is compromised, connect to the host with complete control.

Netstat examines both basic TCP and UDP connections. Netstat has ability to filter between TCP and UDP. Netstat can select a particular protocol, including IP, ICMP, TCPv6 and UDPv6, etc.

Netstat displays protocol statistics and current TCP/IP network connections using the following command switches:

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6.  If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics.  By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display.  Press CTRL+C to stop redisplaying
                statistics.  If omitted, netstat will print the current
                configuration information once.

Netstat Switch Summary

A

The first switch, a, is used as the syntax below:

netstat -a 

This command lists all active connections including listening ports.

E

The e switch lists the statistics of the internet connection, including how many packets were sent, recieved or how many bytes were recieved.

N

The n switch lists all connections and remote computers in numerical form, this being in IP form. For example if you would like to view the server IP in numerical form, use the n switch to transform the web address of to the corresponding IP.

O

This switch lists active connections, combined with its PID (Process Identification Number).

P

The p switch gives the user the ability to filter through protocols including TCP, UDP, IP, ICMP, TCPv6, UDPv6, IPv6 and ICMPv6.

R

The r switch lists information for your ethernet card, netmask, gateway, network destination, etc. For example,

netstat -nr 

analyzes the routing table.

S

The s switch prints to the screen statistics for each protocol, including those in the p switch. This switch can be combined with the p switch in order to display specific statistics for each specified protocol:

netstat -ps TCP 

The above command lists the statistics for the TCP protocol, plus its active connections. This query can be narrowed down to an even more specific or broader range of connections, as descibed below.

Interval

The interval switch allows you to give your computer a specific time, or interval, between the netstat probings of active connections. For example,

netstat -an 20 

lists all connections (switch a) in numeric form (switch n) and spaces each netstat command 20 seconds (interval (20)). Command returns a list of connections every 20 seconds.

Using Multiple Switches

The user can specify multiple switches on the command line. To combine multiple switched either of the following syntaxes will work and yield the same result:

netstat -an 
netstat -a -n 

There is no limit on how many switches you use, as long as the switches are compatible with each other. For example, using the n switch with the r switch yields results of a standard r switch.

Netstat Output

Netstat with no arguments gives a generic look at what ports are open on the system. User can identify which protocol is in use along with the ports, local PC name, TCP/IP network connections, foreign address, local address and the status of each connection.

The characters under the title "Proto" indicate the protocol type, in this case the only connections present include TCP which means that you and the remote host are communicating via TCP.

The local address specifies the name of your computer on the network along with the port number that you are using to recieve connections, which is randomly generated.

The foreign address lists the remote host's name and the port they are using to initiate the connection.

The state of the connection indicates exactly what it says, the state of the connection between a remote system and yours. Possible states of a connection are as follows:

ESTABLISHED - Both hosts are connected. 
CLOSING     - The remote host has agreed to close its connection. 
LISTENING   - Your computer is waiting to handle an incoming connection. 
SYN_RCVD    - A remote host has asked for you to start a connection. 
SYN_SENT    - Your computer has accepted to start a connection. 
LAST_ACK    - Your computer needs to obliterate (i.e. erase from memory)
              the packets before closing the connection. 
TIMED_WAIT  - See above. 
CLOSE_WAIT  - The remote host is closing its connection with your computer. 
FIN_WAIT 1  - A client is closing its connection. 
FIN_WAIT 2  - Both hosts have agreed to close the connection. 

Other network utilities and resources

See also: Foundstone network security utilities. For example, fport utility identifies open ports and running applications, associated with those ports.

A set of animated tutorials is available at www.grayhatplayground.com, a website developed by prof. Rick Leinecker and his students at Rockingham Community College, NC.