netstat is one of the most commonly used tools on Windows, UNIX and Linux operating systems for troubleshooting TCP/IP connections. Netstat displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6, and UDP over IPv6 protocols). Used without parameters, netstat displays active TCP connections. The tool can display all active TCP/UDP connections, showing the local IP address and port along with the foreign IP address and port. It can also display the ports on which the local machine is listening for incoming connections (for example, a web server listens on port 80 for HTTP requests).
To simply display the active TCP connections from the command prompt:
C:\>netstat
Active Connections
Proto Local Address Foreign Address State
TCP mytestpc:2325 ug-in-f189.google.com:http ESTABLISHED
TCP mytestpc:2337 eh-in-f191.google.com:http ESTABLISHED
TCP mytestpc:2370 cs27.msg.dcn.yahoo.com:5050 ESTABLISHED
TCP mytestpc:2374 sip47.voice.re2.yahoo.com:https ESTABLISHED
TCP mytestpc:2701 66.29.87.160:http CLOSE_WAIT
TCP mytestpc:2702 84.53.134.207:http CLOSE_WAIT
TCP mytestpc:2741 ug-in-f83.google.com:http ESTABLISHED
TCP mytestpc:2813 fg-in-f19.google.com:http CLOSE_WAIT
TCP mytestpc:2939 mg2e.mail.vip.dcn.yahoo.com:http ESTABLISHED
With the "-n" switch, netstat does not perform DNS lookups and shows the connections above as IP addresses and port numbers only:
C:\>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.0.2:2325 66.249.93.189:80 ESTABLISHED
TCP 192.168.0.2:2337 72.14.207.191:80 ESTABLISHED
TCP 192.168.0.2:2370 216.155.193.154:5050 ESTABLISHED
TCP 192.168.0.2:2374 68.142.233.144:443 ESTABLISHED
TCP 192.168.0.2:2701 66.29.87.160:80 CLOSE_WAIT
TCP 192.168.0.2:2702 84.53.134.207:80 CLOSE_WAIT
TCP 192.168.0.2:2741 66.249.93.83:80 ESTABLISHED
TCP 192.168.0.2:2813 72.14.221.19:80 CLOSE_WAIT
To display all the TCP/UDP connections and the ports being listened on, use "-a".
Note: When combined with "-n", netstat displays IP addresses and port numbers, because "-n" disables the DNS lookup.
C:\Program Files\Windows Resource Kits\Tools>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5051 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5101 0.0.0.0:0 LISTENING
TCP 0.0.0.0:52991 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1072 0.0.0.0:0 LISTENING
TCP 127.0.0.1:4242 0.0.0.0:0 LISTENING
TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
TCP 192.168.0.2:2325 66.249.93.189:80 ESTABLISHED
TCP 192.168.0.2:2337 72.14.207.191:80 ESTABLISHED
TCP 192.168.0.2:2370 216.155.193.154:5050 ESTABLISHED
TCP 192.168.0.2:2374 68.142.233.144:443 ESTABLISHED
TCP 192.168.0.2:2701 66.29.87.160:80 CLOSE_WAIT
TCP 192.168.0.2:2702 84.53.134.207:80 CLOSE_WAIT
TCP 192.168.0.2:2741 66.249.93.83:80 ESTABLISHED
TCP 192.168.0.2:2942 72.14.221.19:80 ESTABLISHED
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1041 *:*
UDP 0.0.0.0:1042 *:*
UDP 0.0.0.0:1052 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:5051 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1220 *:*
UDP 127.0.0.1:1435 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:2313 *:*
UDP 127.0.0.1:2419 *:*
UDP 192.168.0.2:123 *:*
UDP 192.168.0.2:137 *:*
UDP 192.168.0.2:138 *:*
UDP 192.168.0.2:1900 *:*
UDP 192.168.0.2:2378 *:*
UDP 192.168.0.2:2383 *:*
UDP 192.168.0.2:2386 *:*
UDP 192.168.0.2:2387 *:*
To see the Ethernet interface statistics:
C:\Program Files\Windows Resource Kits\Tools>netstat -e
Interface Statistics
Received Sent
Bytes 42901938 25599009
Unicast packets 185168 181830
Non-unicast packets 2406 1892
Discards 0 0
Errors 0 43
Unknown protocols 505
To show the owner process ID (PID), use the "-o" switch:
C:\Program Files\Windows Resource Kits\Tools>netstat -on
Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.0.2:2337 72.14.207.191:80 ESTABLISHED 2680
TCP 192.168.0.2:2370 216.155.193.154:5050 ESTABLISHED 3448
TCP 192.168.0.2:2374 68.142.233.144:443 ESTABLISHED 3448
TCP 192.168.0.2:2701 66.29.87.160:80 CLOSE_WAIT 3144
TCP 192.168.0.2:2702 84.53.134.207:80 CLOSE_WAIT 3144
TCP 192.168.0.2:2741 66.249.93.83:80 ESTABLISHED 2680
TCP 192.168.0.2:2942 72.14.221.19:80 CLOSE_WAIT 1780
TCP 192.168.0.2:2948 66.249.93.83:80 TIME_WAIT 0
TCP 192.168.0.2:2950 66.249.93.189:80 ESTABLISHED
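As an added example (not part of the original article), the Python code below parses output in the "netstat -ano" format, which combines the "-a", "-n" and "-o" switches shown above, and answers two triage questions: which sockets are bound to a non-loopback address, and which remote endpoints each PID is connected to. The sample text is constructed from rows like those above, with made-up PIDs for the listeners and UDP sockets; the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample in "netstat -ano" format; listener and UDP PIDs are made up.
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       960
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:4242         0.0.0.0:0              LISTENING       2100
  TCP    192.168.0.2:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.2:2337       72.14.207.191:80       ESTABLISHED     2680
  TCP    192.168.0.2:2370       216.155.193.154:5050   ESTABLISHED     3448
  TCP    192.168.0.2:2374       68.142.233.144:443     ESTABLISHED     3448
  TCP    192.168.0.2:2701       66.29.87.160:80        CLOSE_WAIT      3144
  TCP    192.168.0.2:2950       66.249.93.189:80       ESTABLISHED
  UDP    0.0.0.0:500            *:*                                    700
  UDP    127.0.0.1:1900         *:*                                    1200
"""

def parse(text):
    """Turn netstat rows into dicts; tolerate a missing PID and the absent UDP State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the column header
        rest = f[3:]  # [State] [PID]; UDP rows carry no State
        pid = int(rest.pop()) if rest and rest[-1].isdigit() else None
        addr, _, port = f[1].rpartition(":")  # rpartition also copes with [::]:135
        rows.append({"proto": f[0], "addr": addr, "port": int(port), "remote": f[2],
                     "state": rest[0] if rest else "", "pid": pid})
    return rows

def exposed_listeners(rows):
    """TCP LISTENING sockets and UDP binds whose local address is not loopback."""
    return [(r["proto"], r["addr"], r["port"], r["pid"]) for r in rows
            if (r["state"] == "LISTENING" or r["proto"] == "UDP")
            and not r["addr"].startswith(("127.", "[::1]"))]

def remotes_by_pid(rows):
    """PID -> sorted remote endpoints of TCP connections; key None holds rows without a PID."""
    by_pid = defaultdict(set)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] != "LISTENING":
            by_pid[r["pid"]].add(r["remote"])
    return {pid: sorted(eps) for pid, eps in by_pid.items()}

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print(exposed_listeners(rows), remotes_by_pid(rows), sep="\n")
```

Rows collected under the None key are connections for which netstat printed no PID, like the last row of the output above; they need a second look with another tool rather than being dropped.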
A step further is to show the application (process name) that owns each connection; use "-b":
C:\Program Files\Windows Resource Kits\Tools>netstat -bn
Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.0.2:2337 72.14.207.191:80 ESTABLISHED 2680 [IEXPLORE.EXE]
TCP 192.168.0.2:2370 216.155.193.154:5050 ESTABLISHED 3448 [YAHOOM~1.EXE]
TCP 192.168.0.2:2374 68.142.233.144:443 ESTABLISHED 3448 [YAHOOM~1.EXE]
TCP 192.168.0.2:2741 66.249.93.83:80 ESTABLISHED 2680 [IEXPLORE.EXE]
TCP 192.168.0.2:2950 66.249.93.189:80 ESTABLISHED 2680 [IEXPLORE.EXE]
TCP 192.168.0.2:2955 209.73.178.33:80 ESTABLISHED 2680 [IEXPLORE.EXE]
TCP 192.168.0.2:2701 66.29.87.160:80 CLOSE_WAIT 3144 [fdm.exe]
TCP 192.168.0.2:2702 84.53.134.207:80 CLOSE_WAIT 3144 [fdm.exe]
TCP 192.168.0.2:2942 72.14.221.19:80 CLOSE_WAIT 1780 [iexplore.exe]
To view connections for a single protocol, use the "-p" switch with the protocol name.
Note: Combined with the "-s" option, it shows per-protocol statistics.
C:\Program Files\Windows Resource Kits\Tools>netstat -np tcp
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.0.2:2337 72.14.207.191:80 ESTABLISHED
TCP 192.168.0.2:2370 216.155.193.154:5050 ESTABLISHED
TCP 192.168.0.2:2374 68.142.233.144:443 ESTABLISHED
TCP 192.168.0.2:2701 66.29.87.160:80 CLOSE_WAIT
TCP 192.168.0.2:2702 84.53.134.207:80 CLOSE_WAIT
TCP 192.168.0.2:2741 66.249.93.83:80 ESTABLISHED
TCP 192.168.0.2:2942 72.14.221.19:80 CLOSE_WAIT
TCP 192.168.0.2:2950 66.249.93.189:80 ESTABLISHED
TCP 192.168.0.2:2964 68.180.207.182:80 TIME_WAIT
To display the routing table on the system, use the "-r" switch.
Note: This is equivalent to the "route print" command in Windows.
C:\Program Files\Windows Resource Kits\Tools>netstat -r
Route Table
==============================================================
Interface List
0x1 ……………………… MS TCP Loopback interface
0x3 …00 13 ce 85 0e e1 …… Intel(R) PRO/Wireless 2200BG Network Connection – Packet Scheduler Miniport
0x10005 …00 ff 28 e3 2e 8a …… Juniper Network Connect Virtual Adapter
0x50002 …00 14 22 fd 5b 8d …… Broadcom NetXtreme 57xx Gigabit Controller – Packet Scheduler Miniport
==============================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.2 25
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.2 192.168.0.2 25
192.168.0.2 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.0.255 255.255.255.255 192.168.0.2 192.168.0.2 25
224.0.0.0 240.0.0.0 192.168.0.2 192.168.0.2 25
255.255.255.255 255.255.255.255 192.168.0.2 10005 1
255.255.255.255 255.255.255.255 192.168.0.2 192.168.0.2 1
255.255.255.255 255.255.255.255 192.168.0.2 50002 1
Default Gateway: 192.168.0.1
==============================================================
Persistent Routes: None
Note: using "-n" with any of the above will disable DNS lookup for faster response.