Lab 4.5.

1: Observing TCP and UDP using Netstat (Instructor Version)

Topology Diagram

Addressing Table
Device

Interface IP Address

Subnet Mask

Default Gateway

S0/0/0

10.10.10.6

255.255.255.252 N/A

Fa0/0

192.168.254.253 255.255.255.0

S0/0/0

10.10.10.5

255.255.255.252 10.10.10.6

Fa0/0

172.16.255.254

255.255.0.0

N/A

192.168.254.254 255.255.255.0

192.168.254.253

N/A

172.31.24.254

255.255.255.0

N/A

hostPod#A

N/A

172.16.Pod#.1

255.255.0.0

172.16.255.254

hostPod#B

N/A

172.16.Pod#.2

255.255.0.0

172.16.255.254

S1-Central

N/A

172.16.254.1

255.255.0.0

172.16.255.254

R1-ISP
N/A

R2-Central

Eagle Server

N/A

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 1 of 7

CCNA Exploration
Network Fundamentals: OSI Transport Layer

Lab 4.5.1: Observing TCP and UDP using Netstat

Learning Objectives

Explain common netstat command parameters and outputs.

Use netstat to examine protocol information on a pod host computer.

Background
netstat is an abbreviation for the network statistics utility, available on both Windows and Unix / Linux
computers. Passing optional parameters with the command will change output information. netstat
displays incoming and outgoing network connections (TCP and UDP), host computer routing table
information, and interface statistics.

Scenario
In this lab the student will examine the netstat command on a pod host computer, and adjust netstat
output options to analyze and understand TCP/IP Transport Layer protocol status.
Depending on the classroom situation, the lab topology may have been modified before this class. It is
best to use one host to verify infrastructure connectivity. If the default web page cannot be accessed from
eagle-server.example.com, troubleshoot end-to-end network connectivity:
1. Verify that all network equipment is powered on, and Eagle Server is on.
2. From a known good host computer, ping eagle-server.example.com. If the ping test fails,
ping S1-Central, R2-Central, R1-ISP, and finally eagle-server. Take corrective action on
devices that fail ping tests.
3. If an individual host computer cannot connect to Eagle Server, check the cable
connection between the host and S1-Central. Verify that the host computer has the
correct IP address, shown in the logical addressing table above, and can ping R2Central, 172.16.255.254. Verify that the host computer has the correct Gateway IP
address, 172.16.255.254, and can ping R1-ISP, 10.10.10.6. Finally, verify that the host
has the correct DNS address, and can ping eagle-server.example.com.

Task 1: Explain common netstat command parameters and outputs.

Open a terminal window by clicking on Start | Run. Type cmd, and press OK.
To display help information about the netstat command, use the /? options, as shown:
C:\> netstat /? <ENTER>

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 2 of 7

CCNA Exploration
Network Fundamentals: OSI Transport Layer

Lab 4.5.1: Observing TCP and UDP using Netstat

Use the output of the netstat /? command as reference to fill in the appropriate option that best
matches the description:
Option

Description
Display all connections and listening ports.
Display addresses and port numbers in numerical
form.
Redisplay statistics every five seconds. Press
CTRL+C to stop redisplaying statistics.
Shows connections for the protocol specified by
proto; proto may be any of: TCP, UDP, TCPv6, or
UDPv6. If used with the s option to display
per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or
UDPv6.
Redisplay all connections and listening ports
every 30 seconds.
Display only open connections. This is a tricky
problem.

Answer:
Option
-a
-n
5
-p

-an 5
No options

Description
Display all connections and listening ports.
Display addresses and port numbers in numerical
form.
Redisplay statistics every five seconds. Press
CTRL+C to stop redisplaying statistics.
Shows connections for the protocol specified by
proto; proto may be any of: TCP, UDP, TCPv6, or
UDPv6. If used with the s option to display
per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or
UDPv6.
Redisplay all connections and listening ports
every 30 seconds.
Display only open connections. This is a tricky
problem.

When netstat statistics are displayed for TCP connections, the TCP state is displayed. During the life of
a TCP connection, the connection passes through a series of states. The following table is a summary of
TCP states, compiled from RFC 793, Transmission Control Protocol, September, 1981, as reported by
netstat:

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 3 of 7

CCNA Exploration
Network Fundamentals: OSI Transport Layer

State
LISTEN
ESTABLISHED
TIME-WAIT
CLOSE-WAIT
SYN-SENT
SYN_RECEIVED

Lab 4.5.1: Observing TCP and UDP using Netstat

Connection Description
The local connection is waiting for a connection request from any remote
device.
The connection is open, and data may be exchanged through the
connection. This is the normal state for the data transfer phase of the
connection.
The local connection is waiting a default period of time after sending a
connection termination request before closing the connection. This is a
normal condition, and will normally last between 30 - 120 seconds.
The connection is closed, but is waiting for a termination request from the
local user.
The local connection is waiting for a response after sending a connection
request. The connection should transition quickly through this state.
The local connection is waiting for a confirming connection request
acknowledgment. The connection should transition quickly through this
state. Multiple connections in SYN_RECEIVED state may indicate a TCP
SYN attack.

IP addresses displayed by netstat fall into several categories:

IP Address
127.0.0.1
0.0.0.0
Remote
Address

Description
This address refers to the local host, or this computer.
A global address, meaning ANY.
The address of the remote device that has a connection with this computer.

Task 2: Use netstat to Examine Protocol Information on a Pod Host Computer.

Step 1: Use netstat to view existing connections.
From the terminal window in Task 1, above, issue the command netstat a:
C:\> netstat a <ENTER>
A table will be displayed that lists protocol (TCP and UDP), Local address, Foreign address, and State
information. Addresses and protocols that can be translated into names are displayed.
The n option forces netstat to display output in raw format. From the terminal window, issue the
command netstat an:
C:\> netstat an <ENTER>
Use the window vertical scroll bar to go back and forth between the outputs of the two commands.
Compare outputs, noting how well-known port numbers are changed to names.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 4 of 7

CCNA Exploration
Network Fundamentals: OSI Transport Layer

Lab 4.5.1: Observing TCP and UDP using Netstat

Write down three TCP and three UDP connections from the netstat a output, and the corresponding
translated port numbers from the netstat an output. If there are fewer than three connections that
translate, note that in your table.
Connection

Proto

Local Address

Foreign Address

State

Answers will vary. Following is a list of several common services on a host computer:
Connection Proto Local Address
Foreign Address
State
TCP GW-desktop-hom:epmap
GW-desktop-hom:0
LISTENING
TCP 0.0.0.0:135
0.0.0.0:0
LISTENING
TCP GW-desktop-hom:microsoft-ds GW-desktop-hom:0 LISTENING
TCP 0.0.0.0:445
0.0.0.0:0
LISTENING
TCP GW-desktop-hom:netbios-ssn GW-desktop-hom:0 LISTENING
TCP 192.168.254.1:139
0.0.0.0:0
LISTENING
UDP
GW-desktop-hom:ntp
*:*
UDP
192.168.254.1:123
*:*
UDP
GW-desktop-hom:netbios-ns *:*
UDP
192.168.254.1:137
*:*
UDP
GW-desktop-hom:netbios-dgm *:*
UDP
192.168.254.1:138
*:*

Refer to the following netstat output. A new network engineer suspects that his host computer has
been compromised by an outside attack against ports 1070 and 1071. How would you respond?
C:\> netstat n
Active Connections
Proto Local Address
TCP
127.0.0.1:1070
TCP
127.0.0.1:1071
C:\>

Foreign Address
127.0.0.1:1071
127.0.0.1:1070

State
ESTABLISHED
ESTABLISHED

_______________________________________________________________________________
_______________________________________________________________________________
Because the foreign address is 127.0.0.1, the host computer has made a TCP connection with itself.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 5 of 7

CCNA Exploration
Network Fundamentals: OSI Transport Layer

Lab 4.5.1: Observing TCP and UDP using Netstat

Step 2: Establish multiple concurrent TCP connections and record netstat output.
In this task, several simultaneous connections will be made with Eagle Server. The venerable telnet
command will be used to access Eagle Server network services, thus providing several protocols to
examine with netstat.
Open an additional four terminal windows. Arrange the windows so that all are visible. The four terminal
windows that will be used for telnet connections to Eagle Server can be relatively small, approximately
screen width by screen height. The terminal windows that will be used to collect connection information
should be screen width by full screen height.
Several network services on Eagle Server will respond to a telnet connection. We will use:

DNS- domain name server, port 53

FTP- FTP server, port 21
SMTP- SMTP mail server, port 25
TELNET- Telnet server, port 23

Why should telnet to UDP ports fail?

_______________________________________________________________________________
_______________________________________________________________________________
Telnet is a TCP protocol, and UDP cannot build the TCP session.
To close a telnet connection, press the <CTRL> ] keys together. That will bring up the telnet prompt,
Microsoft Telnet>. Type quit <ENTER> to close the session.
In the first telnet terminal window, telnet to Eagle Server on port 53. In the second terminal window, telnet
on port 21. In the third terminal window, telnet on port 25. In the fourth terminal window, telnet on port 23.
The command for a telnet connection on port 21 is shown below:
C:\> telnet eagle-server.example.com 53
In the large terminal window, record established connections with Eagle Server. Output should look
similar to the following. If typing is slow, a connection may close before all connections have been made.
Eventually, connections should terminate from inactivity.
Proto Local Address
Foreign Address
State
TCP
192.168.254.1:1688
192.168.254.254:21
ESTABLISHED
TCP
192.168.254.1:1691
192.168.254.254:25
ESTABLISHED
TCP
192.168.254.1:1693
192.168.254.254:53
ESTABLISHED
TCP
192.168.254.1:1694
192.168.254.254:23
ESTABLISHED
Answer:
Proto Local Address
Foreign Address
State
TCP
192.168.254.1:1688
192.168.254.254:21
ESTABLISHED
TCP
192.168.254.1:1691
192.168.254.254:25
ESTABLISHED
TCP
192.168.254.1:1693
192.168.254.254:53
ESTABLISHED
TCP
192.168.254.1:1694
192.168.254.254:23
ESTABLISHED

Task 3: Reflection.
The netstat utility displays incoming and outgoing network connections (TCP and UDP), host
computer routing table information, and interface statistics.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 6 of 7

CCNA Exploration
Network Fundamentals: OSI Transport Layer

Lab 4.5.1: Observing TCP and UDP using Netstat

Task 4: Challenge.
Close Established sessions abruptly (close the terminal window), and issue the netstat an command.
Try to view connections in stages different from ESTABLISHED.

Task 5: Cleanup.
Unless directed otherwise by the instructor, turn off power to the host computers. Remove anything that
was brought into the lab, and leave the room ready for the next class.

All contents are Copyright 19922007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.

Page 7 of 7