Netstat is one of those programs that most computer people use but very few understand. Because I am one of those people, I decided to write this to change that. Netstat displays a listing of network connections and their status, which can be very useful for anyone concerned with the security of their machine. Not only does it tell you who your machine is talking to currently, but it also tells you if there are programs listening to accept connections from foreign computers. Typically the output of the command is pretty alarming because of the startling number of connections and the pretty arcane descriptions that go with them:
C:\>netstat -ano

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1336
  TCP    0.0.0.0:2996           0.0.0.0:0              LISTENING       2912
  TCP    0.0.0.0:3172           0.0.0.0:0              LISTENING       2912
  TCP    0.0.0.0:3173           0.0.0.0:0              LISTENING       2912
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1672
  TCP    74.104.77.xxx:139      0.0.0.0:0              LISTENING       4
  TCP    74.104.77.xxx:3071     12.120.5.14:80         TIME_WAIT       0
  TCP    74.104.77.xxx:3172     72.14.207.99:443       CLOSE_WAIT      2912
  TCP    74.104.77.xxx:3173     72.14.205.83:443       CLOSE_WAIT      2912
  TCP    127.0.0.1:2995         0.0.0.0:0              LISTENING       2912
  TCP    127.0.0.1:2995         127.0.0.1:2996         ESTABLISHED     2912
  TCP    127.0.0.1:2996         127.0.0.1:2995         ESTABLISHED     2912
Probably the most confusing column is the local address column. Your computer always has at least two (and sometimes more) IP addresses that it will answer to. The above example shows that the computer will answer to 74.104.77.xxx and 127.0.0.1 (the computer's equivalent of "me"). The three addresses shown have different and special meanings.
127.0.0.1:port# – programs listening on this address will accept connections originating from only the local computer.
74.104.77.xxx:port# – programs listening on this address will accept connections originating from computers on the network/internet.
0.0.0.0:port# – programs listening on this address will accept connections from anywhere, local or remote, sent to any of the addresses the computer will answer to (in this case 127.0.0.1 and 74.104.77.xxx).
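As an added example (not from the original post), here is a small Python script that applies the three address meanings above to the text of netstat -ano: it parses each row and groups every listening socket by who can reach it. It assumes the column layout shown above; the IPv6 row and the UDP row in the sample are constructed additions, and bound UDP sockets are counted as listeners.

```python
import re
from collections import defaultdict

# One row of `netstat -ano`: Proto, Local Address, Foreign Address, State, PID.
# UDP rows have no State column, so that group is optional.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Constructed sample: rows from the post's own output, plus an assumed IPv6
# row and an assumed UDP row to show the forms newer versions of netstat print.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1104
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    74.104.77.xxx:139      0.0.0.0:0              LISTENING       4
  TCP    74.104.77.xxx:3172     72.14.207.99:443       CLOSE_WAIT      2912
  TCP    127.0.0.1:2995         0.0.0.0:0              LISTENING       2912
  TCP    127.0.0.1:2995         127.0.0.1:2996         ESTABLISHED     2912
  TCP    [::]:135               [::]:0                 LISTENING       1104
  UDP    0.0.0.0:500            *:*                                    800
"""

def split_endpoint(endpoint):
    # "74.104.77.xxx:139" -> ("74.104.77.xxx", "139"); "[::1]:80" -> ("::1", "80")
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), port

def exposure(host):
    # Who can reach a socket bound to this local address, per the three cases above.
    if host in ("0.0.0.0", "::"):
        return "any address, local or remote"
    if host.startswith("127.") or host == "::1":
        return "local computer only"
    return "network/internet via this interface"

def listeners_by_exposure(netstat_text):
    # Returns {exposure: [(proto, port, pid), ...]} for LISTENING TCP sockets and
    # bound UDP sockets (a bound UDP socket receives datagrams without any state).
    groups = defaultdict(list)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line or something we don't recognise
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # an active or closing connection, not a listener
        host, port = split_endpoint(local)
        groups[exposure(host)].append((proto, int(port), int(pid)))
    return dict(groups)

if __name__ == "__main__":
    print(listeners_by_exposure(SAMPLE))
```

Feed it the captured output of a real netstat -ano run and the "any address" group is the list of ports reachable from the network through every interface the machine answers to.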
The State column refers to the state of the TCP connection. You won't see this for UDP connections because they don't have state like TCP does. Here is the list of options (plagiarised from some site I don't remember); note that netstat prints them with underscores instead of hyphens and shows LISTEN as LISTENING:
LISTEN – represents waiting for a connection request from any remote TCP and port.
SYN-SENT – represents waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED – represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
ESTABLISHED – represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.
FIN-WAIT-1 – represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
FIN-WAIT-2 – represents waiting for a connection termination request from the remote TCP.
CLOSE-WAIT – represents waiting for a connection termination request from the local user.
CLOSING – represents waiting for a connection termination request acknowledgment from the remote TCP.
LAST-ACK – represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
TIME-WAIT – represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
CLOSED – represents no connection state at all.
Hopefully that will help make sense of the output netstat gives. It helped me at least :)