Netstat is a utility that you can use to display your computer’s connections to the Internet. It’s a useful tool for monitoring connections and diagnosing problems. You can tweak netstat commands by adding arguments at the end of the command. Since netstat is run from a command prompt, it doesn’t require you to install special software
The command syntax is
netstat [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval] A brief description of the switches is given in Table I below. Note that switches for Netstat use the dash symbol “-” rather than the slash “/”.
|-a||This switch displays all connections and listening ports|
|-b||This switch displays the executable involved in creating each connection or listening port.|
|-e||Use this switch to see statistics|
|-n||This switch displays addresses and port numbers|
|-o||This switch displays ID of the owning process, associated with each connection|
|-r||Use this to see routing table|
|-s||Displays per-protocol statistics|
|-v||When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables|
|-p proto||This shows you connections for the protocol specified by proto; proto may take any value out of : TCP, UDP, TCPv6, or UDPv6.|
It is a command-line tool, which is very useful to check the behaviour of your network. It allows you to check all aspects of TCP/IP. It also tells you what all connections your machine is making presently. You can also check if any virus, malware or other unwanted script is making connection to other harmful sources and stealing your information through this command.
Some examples of usage of netstat command for non-professional users are:
TCP and UDP connections and their IP and port addresses can be seen by entering a command combining two switches:
This command displays protocol, the local address, the remote address, and the connection state along with port.
Table II. Description of various connection states
|CLOSED||server has received an ACK signal from the client and the connection is closed|
|CLOSE_WAIT||server has received the first FIN signal from the client and the connection is in the process of being closed|
|ESTABLISHED||server received the SYN signal from the client and the session is established|
|FIN_WAIT_1||connection is still active but not currently being used|
|FIN_WAIT_2||client just received acknowledgment of the first FIN signal from the server|
|LAST_ACK||server is in the process of sending its own FIN signal|
|LISTENING||server is ready to accept a connection|
|SYN_RECEIVED||server just received a SYN signal from the client|
|SYN_SEND||particular connection is open and active|
|TIME_WAIT||client recognizes the connection as still active but not currently being used|
How to check for unwanted or risky connections?
If u doubt that there are unwanted malwares on ur system trying to establish risky connections. You can find out which programs are making connections with the outside world, we can use the command
Actually, it is better to check over a period of time and we can add a number that sets the command to run at fixed intervals. Also, it is best to create a written record of the connections that are made over some period of time. The command can then be written
netstat -b 5 >> C:\connections.txt
Note that as written, this command will run with five-second intervals until stopped by entering “Ctrl+c“, which is a general command to exit. (Some reports say that this can be fairly CPU intensive so it may cause a slower, single-core machine to run sluggishly. Note that the Process ID (PID) is given. This command can be combined with other tools such as Task Manager to analyze what executable files and processes are active and are trying to make Internet connections.