Though
there are many tools to monitor the network connectivity .This command is often
used by me in first place to check functioning of network. It helps to see what
connections are present.
netstat [-a][-b][-e][-f][-n][-o][-p proto][-r][-s][-t][interval
|
Table I. Switches for Netstat command
|
|
|
Switch
|
Description
|
|
-a
|
Displays all
connections and listening ports
|
|
-b
|
Displays the
executable involved in creating each connection or listening port. (Added in
XP SP2.)
|
|
-e
|
Displays Ethernet
statistics
|
|
-f
|
Displays Fully
Qualified Domain Names for foreign addresses. (In Windows Vista/7 only)
|
|
-n
|
Displays addresses and
port numbers in numerical form
|
|
-o
|
Displays the owning
process ID associated with each connection
|
|
-p proto
|
Shows connections for
the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or
UDPv6.
|
|
-r
|
Displays the routing
table
|
|
-s
|
Displays per-protocol
statistics
|
|
-t
|
Displays the current
connection offload state, (Windows Vista/7)
|
|
-v
|
When used in
conjunction with -b, will display sequence of components involved in creating
the connection or listening port for all executables. (Windows XP SP2, SP3)
|
|
[interval]
|
An integer used to
display results multiple times with specified number of seconds between
displays. Continues until stopped by command ctrl+c. Default setting
is to display once,
|
Checking TCP/IP connections
TCP and UDP connections and their IP and port addresses can be
seen by entering a command combining two switches: netstat –an
|
Table II. Description of various connection states
|
|
|
State
|
Description
|
|
CLOSED
|
Indicates that the
server has received an ACK signal from the client and the connection is
closed
|
|
CLOSE_WAIT
|
Indicates that the
server has received the first FIN signal from the client and the connection
is in the process of being closed
|
|
ESTABLISHED
|
Indicates that the
server received the SYN signal from the client and the session is established
|
|
FIN_WAIT_1
|
Indicates that the
connection is still active but not currently being used
|
|
FIN_WAIT_2
|
Indicates that the
client just received acknowledgment of the first FIN signal from the server
|
|
LAST_ACK
|
Indicates that the
server is in the process of sending its own FIN signal
|
|
LISTENING
|
Indicates that the
server is ready to accept a connection
|
|
SYN_RECEIVED
|
Indicates that the
server just received a SYN signal from the client
|
|
SYN_SEND
|
Indicates that this
particular connection is open and active
|
|
TIME_WAIT
|
Indicates that the
client recognizes the connection as still active but not currently being used
|
Checking for malware
by looking at which programs initiate connections
To find out which programs are making connections with the outside
world, we can use the command
netstat -b
Actually, it is better to check over a period of time and we can
add a number that sets the command to run at fixed intervals. Also, it is best
to create a written record of the connections that are made over some period of
time. The command can then be written
netstat
-b 5 >> C:\connections.txt
netstat 5 is
used for a period with 5 seconds interval. Use ctrl C to stop execution
find the PID in task manager and related program
to add PID colum in task manager go to view and all column. You can end a pid
program related from task manager.
we
can use combination of switches for eg: netstat -ano or netstat -nb
20
No comments:
Post a Comment