I use the NETSTAT command frequently during my consulting assignments; however, apart from the common options, I never delved into using all the options of the command. My curiosity got the better of me and I went on to explore all the options of the NETSTAT command, so here goes.
NETSTAT (network statistics) is a command-line utility that displays incoming and outgoing network connections, routing tables and various network interface statistics. The command has various parameters that can be used and is available on Unix, Linux and Windows-based operating systems.
The parameters below are those of the netstat command on Windows-based systems. Linux, Unix and BSD-based systems have most of the parameters in common, with a few exceptions.
A quick look at the help output of the netstat command, obtained by appending /?, gives us the following parameter options

A detailed explanation of each parameter with examples follows
-a Displays all connections and listening ports
Running the netstat command with the -a parameter displays the list of active connections, as shown in the output below
C:\>netstat
Active Connections
Proto Local Address Foreign Address State
TCP host540:19208 microsoft.com:http CLOSE_WAIT
TCP host540:19473 yahoo.com:http ESTABLISHED
The first column is the protocol, which is either TCP or UDP. The “host540:19208” in the second column combines the host name of the computer the command is being run on, which in this case is host540, and the local port number, which is 19208. For well-known services the service name is appended instead, for example host540:ntp, but for services that are not well known the local port number is shown.
The foreign address is the website and the service that the connection was opened to, which is microsoft.com:http in this case, meaning port 80 (http) or web traffic, and the connection state is CLOSE_WAIT.
If the port is not yet established, the port number is shown as a *, which would normally be seen in the output as “*:*”.
-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed.
C:\>netstat -b
Active Connections
Proto Local Address Foreign Address State PID
TCP host540:19208 microsoft.com:http CLOSE_WAIT 1148
[iexplore.exe]
TCP host540:19473 yahoo.com:http ESTABLISHED 7848
[firefox.exe]
Additionally, the process ID of the process is also available. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e Displays Ethernet statistics. This may be combined with the -s option
C:\>netstat -e
Interface Statistics
Received Sent
Bytes 41185465 10381455
Unicast packets 248414 246100
Non-unicast packets 48535 303
Discards 0 0
Errors 0 1
Unknown protocols 0
The number of packets, bytes, errors and other information received and sent is displayed. This may be useful when tracking network usage and can be combined with the -s option. For example one may only want to see received packets of type http, which can be done using the -e and -s options
-n Displays addresses and port numbers in numerical form
This is similar to the standard netstat option without any parameters; however, DNS queries are done to convert all addresses and port numbers into numerical form. For example, in the output microsoft.com would be listed as its corresponding IP address and http would be displayed as 80.
-o Displays the owning process ID associated with each connection
The process ID that owns the connection can be viewed, and then other utilities like Sysinternals Process Explorer can be used to drill down and get further information. The process ID is also displayed by other options like -b, as was mentioned above.
-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6
This is one of the most useful options to view specific connections opened by the protocol specified. For example, if one wants to view the opened UDP connections, the command netstat -p UDP could be used.
-r Displays the routing table
Here all interfaces present in the system are displayed with their netmask, gateway, metric and the name of the Ethernet adapter. It gives you a quick overview of the IP addresses assigned, the interface names, etc. Active as well as persistent routes are displayed.
-s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default
Another useful option to view statistics per protocol. For example, to view only UDP statistics, the following command could be used
C:\>netstat -s -p UDP
UDP Statistics for IPv4
Datagrams Received = 328852
No Ports = 16880
Receive Errors = 79
Datagrams Sent = 197475
Active Connections
Proto Local Address Foreign Address State
The output above does not have any active UDP connections
-v When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.
After we have used the -b option to drill down and find out that a component [iexplore.exe] as well as other components were involved in creating the connection, we can further use the -v option to order the components involved in creating the connection. This is useful when understanding the sequencing of connection requests by an arbitrary application. It gives you an internal listing of the DLLs being called in real time.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once
This is a good way to auto-refresh the screen with any output desired. I might want to see the output of netstat -n every 5 seconds. I would then use the netstat -n 5 command.
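The column layout and the interval option described above can be combined to spot what changed between two refreshes. The Python example below is added here and is not part of the original article; it parses saved "netstat -a -n -o" output, handling UDP rows that have no State column and the "*:*" foreign address. The two snapshots are constructed sample data and the function names parse, new_entries and listeners are hypothetical.

```python
import re

# Constructed sample data (not from the original page): two snapshots of
# "netstat -a -n -o" output, as "netstat -a -n -o 5" would print 5 s apart.
SNAPSHOT_1 = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.0.2.10:19473       198.51.100.7:80        ESTABLISHED     7848
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:123            *:*                                    1044
"""
SNAPSHOT_2 = SNAPSHOT_1 + """\
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       5120
  TCP    192.0.2.10:19208       203.0.113.5:80         CLOSE_WAIT      1148
"""

# Proto, local, foreign, optional State (UDP rows have none), PID.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

def parse(text):
    """Return the connection rows of one snapshot as a set of tuples."""
    rows = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # banner, header and blank lines do not match
            proto, local, foreign, state, pid = m.groups()
            rows.add((proto, local, foreign, state or "", int(pid)))
    return rows

def new_entries(before, after):
    """Rows that appear only in the later snapshot, sorted for stable output."""
    return sorted(parse(after) - parse(before))

def listeners(text):
    """Map PID -> sorted (proto, port) pairs it listens on or has bound."""
    found = {}
    for proto, local, foreign, state, pid in parse(text):
        if state == "LISTENING" or (proto == "UDP" and foreign == "*:*"):
            # Split on the last colon so "[::]:135" yields port 135.
            port = int(local.rpartition(":")[2])
            found.setdefault(pid, set()).add((proto, port))
    return {pid: sorted(ports) for pid, ports in found.items()}

if __name__ == "__main__":
    for row in new_entries(SNAPSHOT_1, SNAPSHOT_2):
        print("new:", row)
    for pid, ports in sorted(listeners(SNAPSHOT_2).items()):
        print("pid", pid, "listens on", ports)
```

A PID reported for a new listener can then be looked up with a tool such as Sysinternals Process Explorer, as mentioned under the -o option.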
To summarize, netstat is an external tool that is built into Windows, Unix, Linux, etc. and displays a lot of useful information.
