Introduction to Netstat Tutorial Page 1 of 6

Introduction to Netstat Tutorial

by: LearnSecurityOnline, 05/25/2005

http://www.securitydocs.com/library/3318

What is netstat?
Netstat is a versatile tool catered for the windows platform by means of the MS-DOS (now a days referred to as "Command
Prompt") command line. Netstat is also used in other platforms and operating systems apart from Windows such as Unix and
Linux. In the following thesis I will demonstrate the security-oriented uses for this basic DOS and bash command designed for
the newbie.

Note: To access Command Prompt on Windows platforms simply left click the start icon, click run, type “command” or
“cmd” (without quotations) in the text box and select open.

How does netstat associate with security?

The main use of this command is for the quick overview of active ports on your machine and their status, i.e. listening and
connected ports, types of ports, and on UNIX, any open streams and a lot of other useful information. This helps the user by
notifying he/she which ports are open, which are closed and/or listening for incoming connections which can give you an
accurate assumption of how vulnerable your PC is to attacks on the respective ports. For example common attacks that can
be avoided if treated proactively include basic vulnerabilities tied to ports such as 139 which a hacker, or novice user, can
exploit effectively by using a successive amount of standard Windows commands which primarily include “net”, or port 21 (ftp),
23 (telnet) in which a user can connect and obtain a banner of your system detailing your operating system or even, if they
guess your password correctly, connect to your system obtaining complete control. Netstat examines both basic TCP and
UDP connections and has the ability to filter between both or a selection of differing protocols (including IP, ICMP, TCPv6 and
UDPv6, etc.). The ability to complete the aforementioned filters relies on one of the basic traits of almost all fairly analytical
commands, this being, command switches. The switches relating to netstat are described further on in this tutorial in both
sections 3 and 4 (Operation of netstat in Windows/Linux).

Operation of netstat in Windows

As shown earlier, open DOS (Command Prompt). You should be met with a black screen and a prompt such as “C:>”. From
here you can gain information regarding netstat or virtually any other standard DOS command by simply typing “netstat /?” or
“netstat help” (without quotations). In this section I will elaborate on the switches found by typing the help command (shown
above) and going into detail on what happens when you type the generic “netstat” command without the aid of switches.

When a user enters a single netstat the output should be similar to the following.

Figure 1.0

http://www.securitydocs.com/link.php?action=detail&id=3318&headerfooter=no 5/25/2005
Introduction to Netstat Tutorial Page 2 of 6

This command gives you a generic look at what ports are open on your system. Upon further analyzation you can identify
which protocol is in usage along with the ports, your PCs name, TCP/IP network connections, foreign address, local address
and the status of connection.

The characters under the title "Proto" indicate the protocol type, in this case the only connections present include TCP which
means that you and the remote host are communicating via TCP.

The local address specifies the name of your computer on the network along with the port number you are using to recieve
connections which is randomly generated.

The foreign address lists the remote host's name and the port they are using to initiate the connection.

The state of the connection indicates exactly what it says, the state of the connection between a remote system and yours.
Below lists all of the possible states of connection.

ESTABLISHED - Both hosts are connected.

CLOSING - The remote host has agreed to close its connection.
LISTENING - Your computer is waiting to handle an incoming connection.
SYN_RCVD - A remote host has asked for you to start a connection.
SYN_SENT - Your computer has accepted to start a connection.
LAST_ACK - Your computer needs to obliterate the packets before closing the connection.
TIMED_WAIT - See above.
CLOSE_WAIT - The remote host is closing its connection with your computer.
FIN_WAIT 1 - A client is closing its connection.
FIN_WAIT 2 - Both hosts have agreed to close the connection.

http://www.securitydocs.com/link.php?action=detail&id=3318&headerfooter=no 5/25/2005
Introduction to Netstat Tutorial Page 3 of 6

With these main states of connectivity covered appropriately I can go on to talk about netstat's switches. The result you
recieve after typing "netstat /?" (without quotations) in DOS is as follows.

Figure 1.1

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.

-e Displays Ethernet statistics. This may be combined with the
option.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection
-p proto Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the
option to display per-protocol statistics, proto may be any of
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
the -p option may be used to specify a subset of the default.
interval Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once.

A Switch Summary
The first switch, a, is used as the syntax below:

This command lists all active connections including listening ports, which is easily defined in figure 1.1.

E Switch Summary
The e switch is a bit more complicated, this lists the statistics of your internet connection, including how many packets were
sent, recieved or how many bytes were recieved for example.

N Switch Summary
The n switch is also fairly easy to understand, this lists all connections and remote computers in numerical form, this being in
IP form. For example if you are connected to IRC and you would like to view the server in numerical form, for whatever reason
that may be, you can use the n switch and it will transform the web address of it into an IP.

O Switch Summary
This switch lists active connections, combined with its PID (Process Identification Number).

P Switch Summary
The p switch gives the user the ability to filter through protocols including TCP, UDP, IP, ICMP, TCPv6, UDPv6, IPv6 and
ICMPv6.

R Switch Summary
The r switch lists information for your ethernet card, netmask, gateway, network destination, etc.

S Switch Summary

http://www.securitydocs.com/link.php?action=detail&id=3318&headerfooter=no 5/25/2005
Introduction to Netstat Tutorial Page 4 of 6

The s switch prints statistics for each protocol including the mentioned ones in the p switch to the screen. This switch can be
combined with the p switch in order to display specific statistics for each specified protocol, such as the following:

which lists the statistics for the TCP protocol, plus lists its active connections. This query can be narrowed down to an even
more specific or broader range of connections which will be descibed shortly.

Interval Switch Summary

The interval switch allows you to give your computer a specific time, or interval, inbetween netstat probings of your active
connections. This may be a bit confusing so I have listed an example below:

this lists all connections (switch a) in numeric form (switch n) and spaces each netstat command 20 seconds (interval (20)). If
you were to enter this into DOS you would obtain a list of connections every 20 seconds, so as you can see, you do not need
to enter the switch "interval", only the time (in seconds).

Using Multiple Switches

Though you may understand using multiple switches in the same command I will elaborate further. In order to combine two
commands either of the following syntaxes will work and yield the same result:

There is no limit on how many switches you use once they are compatible with each other, for example using the n switch with
the r switch will yield no more results than a standard r switch.

Operation of netstat in Linux

Firstly, load your bash (shell) in Linux. You should see a prompt something similar to “user@linux~>”. From here you are able
to obtain the necessary switches and information regarding this command by simply typing, “netstat --help” or “man netstat”.
Please note that I am documenting netstat on a SuSE Linux 8.0 system and your results may differ.

Figure 1.2

http://www.securitydocs.com/link.php?action=detail&id=3318&headerfooter=no 5/25/2005
Introduction to Netstat Tutorial Page 5 of 6

The above image illustrates a netstat command help menu (which can also be accessed by typing man netstat). You can see
linux has a much wider range of switches for the netstat command as opposed to windows, which is the case with virtually all
linux-based commands, which is why linux has gained so much appeal.

Figure 1.3

http://www.securitydocs.com/link.php?action=detail&id=3318&headerfooter=no 5/25/2005
Introduction to Netstat Tutorial Page 6 of 6

As was shown earlier, dealing with the Windows netstat, here is netstat (without arguments or switches) in operation within a
Linux shell.

Netstat GUI programs (non-command line)

If you dislike the command line there are programs with a Graphical User Interface which do exactly what netstat does in the
command line. The links for these freeware programs are listed below and are only for the Windows platform.

Warning: I have tested none of these, download at your own risk.

http://www.softpedia.com/public/cat/10/7/10-7-68.shtml
http://techrepublic.com.com/5100-6263-5149569.html

This paper is brought to your through Learn Security Online

http://www.securitydocs.com/link.php?action=detail&id=3318&headerfooter=no 5/25/2005