Netstat

Netstat is one of those programs that most computer people use but very few understand. Because I am one of those people, I decided to write this to change that. Netstat displays a listing of network connections and their status, which can be very useful for anyone concerned with the security of their machine. Not only does it tell you who your machine is talking to currently, but it also tells you if there are programs listening to accept connections from foreign computers. Typically the output of the command is pretty alarming because of the startling number of connections and the pretty arcane descriptions that go with them:

C:\>netstat -ano

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 1104
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING 1336
TCP 0.0.0.0:2996 0.0.0.0:0 LISTENING 2912
TCP 0.0.0.0:3172 0.0.0.0:0 LISTENING 2912
TCP 0.0.0.0:3173 0.0.0.0:0 LISTENING 2912
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1672
TCP 74.104.77.xxx:139 0.0.0.0:0 LISTENING 4
TCP 74.104.77.xxx:3071 12.120.5.14:80 TIME_WAIT 0
TCP 74.104.77.xxx:3172 72.14.207.99:443 CLOSE_WAIT 2912
TCP 74.104.77.xxx:3173 72.14.205.83:443 CLOSE_WAIT 2912
TCP 127.0.0.1:2995 0.0.0.0:0 LISTENING 2912
TCP 127.0.0.1:2995 127.0.0.1:2996 ESTABLISHED 2912
TCP 127.0.0.1:2996 127.0.0.1:2995 ESTABLISHED 2912

Probably the most confusing column is the local address column. Your computer always has at least two (and sometimes more) IP addresses that it will answer to. The above example shows that the computer will answer to 74.104.77.xxx and 127.0.0.1 (the computer's equivalent of “me”). The three addresses shown have different and special meanings.

127.0.0.1:port# – programs listening on this address will accept connections originating from only the local computer.

74.104.77.xxx:port# – programs listening on this address will accept connections originating from computers on the network/internet.

0.0.0.0:port# – programs listening on this address will accept connections from anywhere, local or remote, sent to any of the addresses the computer will answer to (in this case 127.0.0.1 and 74.104.77.xxx).
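The three bind-address cases above are exactly what a defender wants to pull out of the raw output: which listeners are reachable only from this machine, which from one interface, and which from every address the machine answers to. The following parser is an added example, not code from the original post. Its sample input reuses rows from the post's own netstat output (with the masked xxx octet kept as printed) plus one constructed UDP row, because netstat prints no State for UDP sockets and a parser has to cope with that shorter line. It also treats the IPv6 wildcard [::] and loopback [::1] the same way as their IPv4 counterparts, which goes slightly beyond the post.

```python
"""Parse `netstat -ano` output and sort listeners by how widely they are exposed.

Added example, not part of the original post. The sample below reuses lines from
the post's own output (with the masked 'xxx' octet kept as printed) plus one
constructed UDP line, because netstat prints no State for UDP sockets.
"""
from collections import defaultdict

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1336
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1672
  TCP    74.104.77.xxx:139      0.0.0.0:0              LISTENING       4
  TCP    74.104.77.xxx:3071     12.120.5.14:80         TIME_WAIT       0
  TCP    74.104.77.xxx:3172     72.14.207.99:443       CLOSE_WAIT      2912
  TCP    127.0.0.1:2995         0.0.0.0:0              LISTENING       2912
  TCP    127.0.0.1:2995         127.0.0.1:2996         ESTABLISHED     2912
  UDP    0.0.0.0:123            *:*                                    1020
"""

WILDCARD = {"0.0.0.0", "::"}   # "::" is the IPv6 wildcard; netstat prints it as [::]
LOOPBACK = {"127.0.0.1", "::1"}


def split_endpoint(endpoint):
    """'host:port' -> (host, port); strips the [] netstat puts around IPv6 hosts."""
    host, _, port = endpoint.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, port


def bind_scope(host):
    """Who can reach a socket bound to this local address (the post's three cases)."""
    if host in WILDCARD:
        return "all interfaces"
    if host in LOOPBACK:
        return "loopback only"
    return "one interface"


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""  # UDP is connectionless, so netstat leaves State empty
        else:
            continue  # unexpected column count; ignore rather than misparse
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state, "pid": int(pid)})
    return rows


def listeners_by_scope(rows):
    """Group listening sockets (every bound UDP socket counts) by exposure."""
    groups = defaultdict(list)
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            groups[bind_scope(r["local_host"])].append(
                (r["proto"], r["local_port"], r["pid"]))
    return dict(groups)


def remote_peers(rows):
    """TCP conversations with hosts other than this machine: 'who am I talking to'."""
    return [(r["foreign_host"], r["foreign_port"], r["state"], r["pid"])
            for r in rows
            if r["proto"] == "TCP" and r["state"] != "LISTENING"
            and r["foreign_host"] not in LOOPBACK]


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    for scope, socks in sorted(listeners_by_scope(parsed).items()):
        print(scope)
        for proto, port, pid in socks:
            print(f"  {proto} port {port} (PID {pid})")
    print("remote peers:")
    for host, port, state, pid in remote_peers(parsed):
        print(f"  {host}:{port} {state} (PID {pid})")
```

Run against a saved `netstat -ano` capture, the "all interfaces" group is the list to review first: each PID there can be matched to a process with `tasklist /fi "pid eq <pid>"`, and anything you cannot account for deserves a closer look. Grouping by bind scope rather than by port is deliberate; a service on 127.0.0.1 and the same service on 0.0.0.0 are very different risks even though the port number is identical.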

The State column refers to the state of the TCP connection. You won’t see this for UDP connections because they don’t have state like TCP does. Here is the list of states (plagiarised from some site I don’t remember):

LISTEN – represents waiting for a connection request from any remote TCP and port.

SYN-SENT – represents waiting for a matching connection request after having sent a connection request.

SYN-RECEIVED – represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

ESTABLISHED – represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

FIN-WAIT-1 – represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

FIN-WAIT-2 – represents waiting for a connection termination request from the remote TCP.

CLOSE-WAIT – represents waiting for a connection termination request from the local user.

CLOSING – represents waiting for a connection termination request acknowledgment from the remote TCP.

LAST-ACK – represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).

TIME-WAIT – represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.

CLOSED – represents no connection state at all.
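The definitions above are easier to follow as the state machine they describe. The model below is an added example, not code from the original post: it encodes the transitions between these states as a table and walks through the two ways a connection ends. The scenario worth noticing is the passive close, where the remote side sends its FIN first and this side stays in CLOSE_WAIT for as long as the local program has not called close(), which is what a long-lived CLOSE_WAIT in netstat output means. State names follow the RFC spelling with underscores; Windows netstat prints LISTEN as LISTENING. The event names (rcv_fin, active_open and so on) are this example's own labels.

```python
"""A minimal model of the TCP connection state machine, to show how the states
netstat prints arise. Added example, not from the original post. State names use
the RFC spelling; Windows netstat prints LISTEN as LISTENING and otherwise the
same names with underscores. Event names are this example's own labels."""

# (current state, event) -> next state. Events are either local actions
# (passive_open, active_open, close, timeout) or segments received from the peer.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",          # we send SYN
    ("LISTEN", "rcv_syn"): "SYN_RECEIVED",          # we send SYN+ACK
    ("SYN_SENT", "rcv_syn_ack"): "ESTABLISHED",     # we send ACK
    ("SYN_SENT", "rcv_syn"): "SYN_RECEIVED",        # simultaneous open
    ("SYN_SENT", "close"): "CLOSED",
    ("SYN_RECEIVED", "rcv_ack"): "ESTABLISHED",
    ("SYN_RECEIVED", "close"): "FIN_WAIT_1",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",         # active close: we send FIN
    ("ESTABLISHED", "rcv_fin"): "CLOSE_WAIT",       # passive close: peer sent FIN, we ACK it
    ("FIN_WAIT_1", "rcv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "rcv_fin"): "CLOSING",           # simultaneous close
    ("FIN_WAIT_2", "rcv_fin"): "TIME_WAIT",         # we ACK the peer's FIN
    ("CLOSING", "rcv_ack"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",            # local app finally closes: we send FIN
    ("LAST_ACK", "rcv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout"): "CLOSED",             # 2*MSL has elapsed
}


def step(state, event):
    """Next state, or ValueError if the event is not valid in this state."""
    try:
        return TRANSITIONS[(state, event)]
    except KeyError:
        raise ValueError(f"no transition from {state} on {event}") from None


def run(events, start="CLOSED"):
    """Apply events in order; return every state visited, starting state first."""
    trace = [start]
    for ev in events:
        trace.append(step(trace[-1], ev))
    return trace


# Scenarios that reproduce states seen in the post's netstat output.
def client_peer_closes_first():
    """Browser-style client whose server hangs up: this side sits in CLOSE_WAIT
    until the local program calls close()."""
    return run(["active_open", "rcv_syn_ack", "rcv_fin"])


def client_then_closes():
    """Same connection after the local program closes: CLOSE_WAIT -> LAST_ACK -> CLOSED."""
    return run(["active_open", "rcv_syn_ack", "rcv_fin", "close", "rcv_ack"])


def server_closes_first():
    """Accepting side doing the active close: it is the side that ends in TIME_WAIT."""
    return run(["passive_open", "rcv_syn", "rcv_ack",
                "close", "rcv_ack", "rcv_fin", "timeout"])


if __name__ == "__main__":
    for scenario in (client_peer_closes_first, client_then_closes, server_closes_first):
        print(f"{scenario.__name__}: {' -> '.join(scenario())}")
```

Two practical consequences fall out of the table. Whichever side closes first is the one that pays the TIME_WAIT delay, so a busy server that closes its own connections will show many TIME_WAIT rows, and that is normal. CLOSE_WAIT, by contrast, only goes away when the local process closes the socket, so a pile of CLOSE_WAIT entries for one PID that never drains points at a program leaking sockets rather than at anything the remote side is doing.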

Hopefully that will help make sense of the output netstat gives. It helped me at least :)


2 thoughts on “Netstat”

  1. “CLOSE-WAIT represents waiting for a connection termination request from the local user.”

    200.27.79.101:42239 CLOSE_WAIT
    202.99.32.43:58902 CLOSE_WAIT
    211.144.97.242:18473 CLOSE_WAIT

    I do not grasp the practicality of remote connections waiting for me to request their termination.
    1) Why involve me?
    2) Why even wait? Extremely unlikely that a local user would know or bother.
    (BTW, waitings continue a full day.)
    3) How do I request termination?

  2. Hi! This involves you as the termination of the connection needs your response. E.g., in the case of a website you opened on your browser, it will not close till you close the website.

    Cheers
