NETSTAT command - displays network connections and statistics: active TCP connections, listening ports, and interface and protocol statistics, from the command line.

    The NETSTAT command is used to obtain information about the state of network connections and the TCP and UDP ports on which this computer is listening, and to display statistics for network interfaces and protocols.

Command line format:

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-v] [interval]

Command line options:

-a   Displays all connections and listening ports.
-b   Displays the executable involved in creating each connection or listening port. When a well-known executable hosts several independent components, the sequence of components involved is shown: the executable name is at the bottom in square brackets, above it the component it called, and so on up to the TCP/IP stack. This option can be slow and requires administrative privileges.
-e   Displays Ethernet statistics. Can be combined with -s.
-f   Displays fully qualified domain names (FQDN) for foreign addresses.
-n   Displays addresses and port numbers in numeric form, without name resolution.
-o   Displays the process ID (PID) that owns each connection.
-p protocol   Shows connections for the given protocol; protocol may be TCP, UDP, TCPv6 or UDPv6. When combined with -s to display per-protocol statistics, protocol may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6.
-r   Displays the routing table.
-s   Displays per-protocol statistics. By default statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP and UDPv6; -p selects a subset.
-t   Displays the current connection offload state (whether TCP processing for the connection has been offloaded to the network adapter).
-v   Used with -b, displays the sequence of components involved in creating each connection or listening port, where possible.
interval   Redisplays the selected statistics every interval seconds; press CTRL+C to stop. If omitted, the information is printed once.

In practice netstat.exe is conveniently combined with the page-by-page output command (more), with redirection of standard output to a file (>) and with text search in the output (find).

netstat -a | more - display all connections one page at a time.

netstat -a -n | more - the same, but with IP addresses and port numbers shown in numeric form. Because -n skips DNS and service-name lookups, this variant runs much faster than the previous one.

netstat -a -f | more - the same, but with the fully qualified DNS names of the hosts participating in each connection (slower, since every foreign address has to be resolved).

netstat -a > C:\netstatall.txt - list all connections and write the result to the file C:\netstatall.txt.

netstat -a | find /I "LISTENING" - show only the lines in the LISTENING state, i.e. the addresses and ports on which services are waiting for incoming connections ("listening" ports). The /I switch makes find ignore character case.

netstat -a | find /I "listening" > C:\listening.txt - the same, with the result written to the file C:\listening.txt.

Example of the displayed information (the columns of the Active Connections table):

Proto - the protocol (TCP or UDP).

Local Address - the local IP address and port participating in the connection, or on which a service is waiting for incoming connections (listening). The address 0.0.0.0 means "any address": the service accepts connections on every IP address configured on this computer. The address 127.0.0.1 is the loopback interface; it is used for communication between processes on the same host, and traffic to it never leaves the machine.

Foreign Address - the IP address and port of the remote peer.

State - the connection state. LISTENING means that a service is waiting for incoming connections on the address and port shown in the Local Address column; ESTABLISHED means an active connection. For TCP the column shows the current stage of the TCP session, which is determined by the exchange of flagged segments (SYN, ACK, FIN, ...). UDP rows have no state. Possible TCP states include:

CLOSE_WAIT - the remote side has closed the connection and the local application has not yet closed its socket.
CLOSED - the connection is closed.
ESTABLISHED - the connection is established.
LISTENING - a listening port waiting for incoming connections.
TIME_WAIT - the local side has closed the connection and is waiting for delayed segments to expire before the socket can be reused.

The name of the software module associated with each connection is shown when netstat.exe is run with the -b option.

netstat -a -b - list all network connections together with the programs that own them.

TCP    192.168.0.3:3389       89.22.52.11:5779       ESTABLISHED
CryptSvc
[svchost.exe]

This example shows a connection created with the participation of the software components CryptSvc and svchost.exe: the executable svchost.exe is printed last, in square brackets, and the CryptSvc service it hosts is printed above it. Port 3389 is Remote Desktop, and an established session on it from an address outside the local network (here 89.22.52.11) is exactly the kind of entry that deserves a closer look.
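When such a listing is captured for later analysis (for example netstat -ano > C:\netstat.txt on the host, then reviewed on an analyst's Linux workstation), the check just described can be automated. The following bash script is an added example, not code from the original article: it reads a netstat -ano capture and reports ESTABLISHED sessions to administrative ports whose peer is not a loopback or RFC 1918 address. The list of administrative ports, the constructed capture and its PIDs and addresses are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): offline triage of a Windows
# "netstat -ano" capture. Lists ESTABLISHED sessions to administrative ports
# whose peer is outside loopback / RFC 1918 space. The capture below is
# constructed; PIDs and addresses are illustrative.
set -u

# Local ports that should only be reached from inside the network
# (assumed policy for this example: RDP, SMB, RPC endpoint mapper, WinRM).
ADMIN_PORTS="3389 445 135 5985 5986"

# is_private ADDR : succeeds if ADDR is loopback, RFC 1918, or an IPv6
# loopback / link-local / ULA address in the bracketed form netstat prints.
is_private() {
    case "$1" in
        10.*|127.*|192.168.*)                     return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)    return 0 ;;
        "[::1]"|"[fe80:"*|"[fc"*|"[fd"*)          return 0 ;;
        *)                                        return 1 ;;
    esac
}

# flag_exposed_admin_sessions < capture
# Prints "PID PEER LOCAL_PORT" for every ESTABLISHED TCP row whose local port
# is in ADMIN_PORTS and whose peer is not private.
flag_exposed_admin_sessions() {
    # Columns of "netstat -ano": Proto, Local Address, Foreign Address, State, PID
    # (UDP rows have no State, so they never match $4 == "ESTABLISHED").
    awk -v ports="$ADMIN_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) admin[p[i]] = 1 }
        $1 == "TCP" && $4 == "ESTABLISHED" {
            lport = $2; sub(/.*:/, "", lport)      # "192.168.0.3:3389" -> "3389", "[::1]:445" -> "445"
            peer  = $3; sub(/:[0-9]+$/, "", peer)  # "89.22.52.11:5779" -> "89.22.52.11", "[::1]:50000" -> "[::1]"
            if (lport in admin) print $5, peer, lport
        }' |
    while read -r pid peer lport; do
        is_private "$peer" || printf '%s %s %s\n' "$pid" "$peer" "$lport"
    done
}

# Constructed sample capture; the 3389 row mirrors the -b example above.
SAMPLE_WIN_CAPTURE='
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1234
  TCP    192.168.0.3:3389       192.168.0.20:51002     ESTABLISHED     1234
  TCP    192.168.0.3:3389       89.22.52.11:5779       ESTABLISHED     1234
  TCP    192.168.0.3:49710      52.96.40.2:443         ESTABLISHED     4412
  TCP    [::1]:445              [::1]:50000            ESTABLISHED     4
  UDP    0.0.0.0:123            *:*                                    1050
'

# Stand-alone run: only the RDP session from the public address is reported.
printf '%s\n' "$SAMPLE_WIN_CAPTURE" | flag_exposed_admin_sessions
```

The internal RDP session (192.168.0.20) and the outbound HTTPS connection are deliberately left out: the first is expected, the second is not to an administrative port. Add ports or private ranges to the two lists at the top to match the environment being investigated.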

netstat -ab - command-line options can be combined: -ab is equivalent to -a -b.

netstat -e - display Ethernet statistics: the totals of bytes and packets sent and received across all Ethernet network adapters.

Interface Statistics

netstat -e -v - in addition to the summary, shows statistics for each individual network interface.

netstat -e -s - in addition to Ethernet statistics, shows statistics for the IP, ICMP, TCP and UDP protocols (IPv4 and IPv6):

Interface Statistics

IPv4 Statistics

  Packets Received                   = 10877781
  Received Header Errors             = 0
  Received Address Errors            = 27307
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 448
  Received Packets Delivered         = 11384479
  Output Requests                    = 11919871
  Routing Discards                   = 0
  Discarded Output Packets           = 1517
  Output Packet No Route             = 6
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 5918
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 11836

IPv6 Statistics

  Packets Received                   = 0
  Received Header Errors             = 0
  Received Address Errors            = 0
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 391
  Output Requests                    = 921
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 14
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

The remaining sections of the output are ICMPv4 Statistics, ICMPv6 Statistics, TCP Statistics for IPv4, TCP Statistics for IPv6, UDP Statistics for IPv4 and UDP Statistics for IPv6 (their figures are not reproduced here).

netstat -s -p icmp - statistics for the ICMP protocol only; the output consists of the ICMPv4 Statistics section.

To poll the state of network connections repeatedly, run the program with the output interval in seconds as the last argument.

netstat -e 3 - display Ethernet statistics every 3 seconds.

netstat -f 10 - display connections every 10 seconds with fully qualified DNS host names.

netstat -n 5 | find /i "Established" - display established connections (in numeric form) every 5 seconds; /i matches ESTABLISHED regardless of case.

The netstat command, part of the standard UNIX networking toolset, displays network-related information such as connections, interface statistics, routing tables, masqueraded (NAT) connections, multicast memberships and so on.

In this article we look at practical examples of using netstat on Linux.

1. List of all ports (both listened and not)

List all ports: netstat -a

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
udp6       0      0 fe80::20c:29ff:fe68:ntp [::]:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     20492    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     23323    /var/run/php5-fpm.sock

List all TCP ports: netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp        0      0 *:http                  *:*                     LISTEN

List all UDP ports: netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 localhost:domain        *:*
udp        0      0 *:bootpc                *:*
udp6       0      0 fe80::20c:29ff:fe68:ntp [::]:*

2. List of sockets in LISTEN state

List all listening ports: netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
udp        0      0 192.168.128.134:ntp     *:*

List TCP listening ports: netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:domain        *:*                     LISTEN
tcp        0      0 localhost:ipp           *:*                     LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN

List listening UDP ports: netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 *:bootpc                *:*
udp6       0      0 [::]:ntp                [::]:*

List UNIX listening sockets: netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     3141     /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     20492    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     23323    /var/run/php5-fpm.sock

3. View statistics for each protocol

Show statistics for all ports: netstat -s

# netstat -s
Ip:
    11150 total packets received
    1 with invalid addresses
    0 forwarded
    0 incoming packets discarded
    11149 incoming packets delivered
    11635 requests sent out
Icmp:
    13791 ICMP messages received
    12 input ICMP message failed.
Tcp:
    15020 active connections openings
    97955 passive connection openings
    135 failed connection attempts
Udp:
    2841 packets received
    180 packets to unknown port received.
.....

Show statistics for TCP ports only: netstat -st

# netstat -st

Show statistics for UDP ports only: netstat -su

# netstat -su

4. Display PID and process name in netstat output

The -p option adds a "PID/Program name" column to the output and can be combined with any other set of options. It is very useful for finding out which program is using a given port. Without root privileges, sockets owned by other users are listed with "-" in this column.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55723 ESTABLISHED 9486/nginx: worker
tcp        0      0 org-ru-putty.vm.udf:www 52-106.plus.kerch:55757 ESTABLISHED 9486/nginx: worker

5. Name resolution in netstat output

When you do not need host names, port names or user names resolved, use -n to print them numerically: IP addresses instead of host names, port numbers instead of service names, UIDs instead of user names.

This will also speed up the output since netstat will not perform unnecessary searches.

# netstat -an

To display the numerical values ​​of only some of these items, use the following commands:

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Netstat output continuously

The -c option prints the selected information continuously, top-style, refreshing every second until interrupted with Ctrl-C.

# netstat -c
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 org-ru-putty.vm.udf:www 182.131.74.202:59933    FIN_WAIT2
tcp        0      0 org-ru-putty.vm.udf:www 182.131.74.202:63761    FIN_WAIT2
tcp        0      0 org-ru-putty.vm.udf:www 92-181-66-102-irk.:4585 ESTABLISHED
^C

7. Address families not supported by the system

The --verbose option prints detailed output and, at the very end, lists the address families that the kernel does not support:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Kernel routing table

Show the kernel routing table: netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         192.168.128.2   0.0.0.0         UG        0 0          0 eth0
192.168.128.0   *               255.255.255.0   U         0 0          0 eth0

Note: Use netstat -rn to view the route in digital format without resolving host names.

9. Matching ports to processes

Find out which ports a given program is using:

# netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 *:ssh                   *:*                     LISTEN      -
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      -

Find out which process is using a specific port. The -p option is what adds the process column, root is needed to see other users' processes, and the trailing space in the pattern keeps ports such as 8080 from matching:

# netstat -anp | grep ':80 '

10. Network interfaces

Show list of network interfaces: netstat -i

# netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0   1911037      0      0      0 1382056      0      0      0 BMRU
lo    16436 0         0      0      0      0       0      0      0      0 LRU

Show extended information about interfaces (same as ifconfig): netstat -ie

# netstat -ie
Kernel Interface table
eth0      Link encap:Ethernet  HWaddr 00:0c:29:68:4c:a4
          inet addr:192.168.128.134  Bcast:192.168.128.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe68:4ca4/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24278 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11275 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:33203025 (33.2 MB)  TX bytes:665822 (665.8 KB)
          Interrupt:19 Base address:0x2000

11. netstat -lnptux

Let's summarize the above and combine the keys into one useful command that will show:

  • -l all open ports (LISTEN)
  • -t over TCP protocol
  • -u over UDP protocol
  • -x via UNIX Socket protocol
  • -n without resolving IP/names
  • -p but with process names and PIDs

Note: without root privileges netstat cannot identify the owners of sockets that belong to other users. Those sockets are still listed, but with "-" in the PID/Program name column. Run it as root to see everything.

# netstat -lnptux
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9614/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      601/sshd
udp        0      0 8.8.4.4:123             0.0.0.0:*                           574/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           574/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           574/ntpd
Active UNIX domain sockets (servers only)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     4233     826/python          /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     8122     2561/mysqld         /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     160413   7301/php-fpm.conf   /var/run/php5-fpm.sock
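A practical use of this listing is to check which listeners are reachable from outside the host, and whether any appeared since a known-good baseline. The following bash functions are an added example, not part of the original article: they parse netstat -lnptux output, treat everything not bound to a loopback address as exposed, report unowned sockets (the "-" rows described in the note above) as UNKNOWN, and diff the result against an earlier capture. The captures are constructed (the current one is the listing above plus one unowned 5900/tcp socket), and the baseline file is assumed to have been saved earlier.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit of "netstat -lnptux"
# output. A listener counts as exposed when it is bound to anything other than
# a loopback address (0.0.0.0 and :: mean "every interface"). Rows whose
# PID/Program name is "-" belong to another user and are reported as UNKNOWN;
# rerun netstat as root to identify them. The captures below are constructed.
set -u

# exposed_listeners < capture : "PROTO PORT PROGRAM" per distinct exposed
# listener, sorted; loopback-only and UNIX-domain sockets are skipped.
exposed_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $4; port = $4
            sub(/:[0-9]+$/, "", addr)      # "0.0.0.0:80" -> "0.0.0.0", ":::22" -> "::"
            sub(/.*:/,      "", port)      # "0.0.0.0:80" -> "80"
            if (addr ~ /^127\./ || addr == "::1") next
            # The PID/Program column is field 7 for TCP but usually 6 for UDP
            # (no State column), so take the first field shaped like PID/name or "-".
            prog = "UNKNOWN"
            for (i = 6; i <= NF; i++)
                if ($i ~ /^[0-9]+\// || $i == "-") { prog = $i; break }
            sub(/^[0-9]+\//, "", prog)     # "9614/nginx" -> "nginx"
            if (prog == "-") prog = "UNKNOWN"
            print $1, port, prog
        }' | LC_ALL=C sort -u
}

# new_listeners BASELINE_FILE < current-capture : exposed listeners present now
# but absent from a capture saved earlier (the check for a newly planted backdoor).
new_listeners() {
    local base cur
    base=$(mktemp) && cur=$(mktemp) || return 1
    exposed_listeners < "$1" > "$base"
    exposed_listeners > "$cur"
    LC_ALL=C comm -13 "$base" "$cur"    # both lists are already sorted by exposed_listeners
    rm -f "$base" "$cur"
}

# Constructed "current" capture: the listing above plus one unowned socket.
SAMPLE_CURRENT='
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      9614/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      2561/mysqld
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      601/sshd
udp        0      0 8.8.4.4:123             0.0.0.0:*                           574/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           574/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           574/ntpd
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     8122     2561/mysqld         /var/run/mysqld/mysqld.sock
'
# Baseline taken earlier on the same host: identical except for the 5900/tcp row.
SAMPLE_BASELINE=$(printf '%s\n' "$SAMPLE_CURRENT" | grep -v ':5900 ')

# Stand-alone run: the exposed list, then what is new relative to the baseline.
printf '%s\n' "$SAMPLE_CURRENT" | exposed_listeners
echo '--- new since baseline ---'
baseline_file=$(mktemp)
printf '%s\n' "$SAMPLE_BASELINE" > "$baseline_file"
printf '%s\n' "$SAMPLE_CURRENT" | new_listeners "$baseline_file"     # tcp 5900 UNKNOWN
rm -f "$baseline_file"
```

In production the baseline is simply netstat -lnptux > /var/lib/baseline.txt taken when the host is known to be clean, and new_listeners /var/lib/baseline.txt is run from cron or after any suspected compromise; an UNKNOWN entry means the scan itself ran without root and must be repeated with it.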

January 2013

The netstat command displays various network data: connections, the routing table, interface statistics, masqueraded connections, multicast memberships and so on.

In this article, let's look at 10 practical examples of the netstat command on Unix.

1. List of all ports (both listening and non-listening ports)

List all ports using Netstat -a command

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     6135     /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140     /var/run/acpid.socket

List all TCP ports using netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

Listing all UDP ports using netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 andreyex..ru:50053      google-public-dn:domain ESTABLISHED

2. List of sockets that are in listening state

List only listening ports using netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only TCP listening ports using netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only listening UDP ports using netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 site:domain             0.0.0.0:*
udp        0      0 localhost:domain        0.0.0.0:*

List only UNIX listening ports using netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     STREAM     LISTENING     19693    tmp/core.adm.internal
unix  2      [ ACC ]     SEQPACKET  LISTENING     8723     /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     12566    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     16948    /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     19702    tmp/core.sock

Laboratory work No. 03-005

Netstat network utility. Operating principles and use.

The utility displays active TCP connections, listening TCP and UDP ports, Ethernet statistics, the IP routing table, and IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6). Run without parameters, netstat displays active TCP connections.

Syntax:

netstat [-a] [-e] [-n] [-o] [-p protocol] [-r] [-s] [interval].

Options:

-a displays all active TCP connections and the TCP and UDP ports on which the computer is listening;

-b displays the executable involved in creating each active connection or listening port. If independent software components were used to create the socket, they are shown as well;

-e displays Ethernet statistics, such as the number of bytes and packets sent and received. Can be combined with -s;

-n displays active TCP connections with addresses and port numbers in numeric form, without attempting name resolution;

-o displays active TCP connections together with the process ID (PID) of the owner of each connection. The PID can be looked up on the Processes tab of Windows Task Manager. Can be combined with -a, -n and -p;

-p protocol displays connections for the protocol given by protocol, which may be tcp, udp, tcpv6 or udpv6. When used with -s to display protocol statistics, protocol may be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6;

-r displays the IP routing table; equivalent to the command route print;

-s displays per-protocol statistics. By default statistics are shown for TCP, UDP, ICMP and IP; if IPv6 is installed on Windows XP, statistics for TCP over IPv6, UDP over IPv6, ICMPv6 and IPv6 are shown as well. -p can be used to select a subset of protocols;

-v used together with -b, displays the sequence of software components involved in creating the socket;

interval refreshes the selected data every interval seconds. Press CTRL+C to stop. If omitted, netstat prints the selected data once;

/? displays command-line help.

At the network layer of the TCP/IP stack, addressing uses IP addresses. Once a packet has been delivered by IP to the host with the given address, the data must still be handed to a specific receiving application process. A host can run many processes, and a process can have several entry points that receive data at the same time.

The communication needs of application processes are served by the transport layer of the stack, implemented in the operating system kernel, as a separate user process, or as a library loaded by the network application. Packets arriving at the transport layer are queued by the operating system to the entry points of the various application processes. In TCP/IP terminology these system queues are called ports. A port is a software abstraction used by a client or server to send or receive messages; it is identified by a 16-bit number. The destination address used by the transport entity is therefore the port number of the application service. Together with the network number and the host number, the port number uniquely identifies an application process on the network; this set of identifying parameters is called a socket.

Port numbers are assigned to application processes either centrally, when the process is a widely used public service (for example, 21 is assigned to the FTP file-access service and 23 to the telnet remote-control service), or locally, for services that are not yet widespread enough to be given standard (reserved) numbers. Central assignment is performed by the Internet Assigned Numbers Authority (IANA); the numbers are then fixed and published in Internet standards.

Local assignment means that the application developer simply associates any free numeric identifier with the application, making sure that it is not one of the reserved port numbers. All remote requests to that application from other applications must then be addressed to the port number assigned to it.

Before attempting to connect to a remote server application, the client that initiates the connection asks its OS for a free port number. Ports 0-1023 are usually called privileged (well-known) ports; almost all of them are reserved and are not allocated to client processes. This does not mean that there are no assigned port numbers above that range, but they are used much less often and, when free on a given host, may well be handed to a client program.

UDP (User Datagram Protocol) is a simple datagram-oriented transport protocol: a process emits one UDP datagram at a time, which results in one IP datagram being transmitted. The protocol establishes no connection and gives the sender no confirmation that the message was delivered.

TCP (Transmission Control Protocol) provides a connection-oriented, reliable byte-stream service and is used where guaranteed delivery is required. It uses segment checksums to verify integrity and handles timeouts and retransmissions itself, so that application processes do not have to.

Connection-oriented means that two applications using TCP (usually a client and a server) must establish a TCP connection with each other before they can exchange data.

A TCP connection always has exactly two endpoints communicating with each other; TCP does no broadcasting or multicasting.

The steps required to establish and terminate a TCP connection can be represented as a state machine with 11 possible states:

State        Description

CLOSED       Closed. The connection is not active and is not being established
LISTEN       Waiting. The server is waiting for an incoming connection request
SYN_RCVD     A connection request (SYN) has arrived; waiting for its acknowledgement
SYN_SENT     A connection request has been sent; the application has started opening a connection
ESTABLISHED  Established. Normal data-transfer state
FIN_WAIT_1   The application has said it has nothing more to send (FIN sent); waiting for the peer's ACK
FIN_WAIT_2   The peer has acknowledged our FIN; waiting for the peer's own FIN
TIME_WAIT    Waiting (twice the maximum segment lifetime) for delayed segments to disappear from the network before the socket is reused
CLOSING      Both sides attempted to close the connection at the same time
CLOSE_WAIT   The peer has initiated the close; waiting for the local application to close its end
LAST_ACK     The local side has sent its FIN after the peer closed; waiting for the final ACK

In each of these states, allowed and prohibited events can occur. In response to any allowed event, a specific action can be taken. When prohibited events occur, an error is reported.

Each connection starts in the CLOSED state. It leaves that state through either an active open (CONNECT) or a passive open (LISTEN). If the other side performs the complementary open, the connection is established and enters ESTABLISHED. Either side can initiate termination; once the disconnect sequence is complete, the connection returns to CLOSED.

Self-test questions

    The port as a transport-layer addressing element. The socket.

    Locally and centrally assigned ports.

    The basic transport-layer protocols of the TCP/IP stack and their brief description.

    Mapping network connections to the processes running on a computer.

    Netstat utility parameters.

Necessary equipment

An IBM PC-compatible computer with a licensed Windows operating system, a local network connection and Internet access.

Tasks

Before starting the tasks, restart your computer and do not launch any applications.

1. Using the netstat command, view the Ethernet connection statistics.

2. Using the netstat command, view ICMP protocol statistics (the output must contain data for this protocol only).

3. Using the netstat command, view the list of all TCP connections and listening UDP ports.

4. Launch a browser and open any site. Repeat the previous task and comment on the result.

5. Using the netstat command, identify any 5 processes listening on UDP ports. Give the process names and the listening port numbers.

6. Using the netstat command, determine the active TCP connections, their port numbers, and the names of the executables of the applications using those connections.

Submit a report on the completion of the work in printed or electronic form with copies of the utility operation screens.

Sometimes, when operating a system, be it a home PC or a powerful server handling many connections, it is useful to have a tool at hand that shows network activity. Why? To identify applications (or users) that make network connections they should not. That is exactly what the utility described here does.

What is Netstat?

It is a utility that shows what is currently happening on the network from the point of view of this host. It is started from the command line and accepts a number of options and parameters.

The name of the utility is formed from two parts, network statistics, which is logical. Among the information the program shows are the routing table and connection statistics.

Commands and Keys

The set of options and parameters is quite extensive, which allows network statistics to be obtained at many levels. The Netstat command, its parameters and options:

  • -a - shows all active TCP connections and the TCP and UDP ports on which the system is listening;
  • -e - shows Ethernet statistics, such as bytes and packets sent and received;
  • -n - shows active TCP connections with addresses and port numbers in numeric form, without name resolution;
  • -o - like the previous option, shows active TCP connections, but adds the process ID (PID) of each one, from which the application using the connection can be identified;
  • -p - shows information for the protocol given as its parameter: tcp, udp, tcpv6 or udpv6;
  • -s - shows per-protocol statistics; by default all known protocols are included;
  • -r - shows the contents of the IP routing table; equivalent to route print;
  • interval - a trailing number sets the interval in seconds at which the selected statistics are redisplayed; if omitted, the information is shown once;
  • /? - shows help for the Netstat command.

Using Netstat on Windows

To list all connections on the screen one page at a time, use the syntax netstat -a | more. To save the statistics to a file, use netstat -a > C:\filename; all collected information is then written to the file at that path.

The result of the work can be a small table that contains the following types of data:

  • Proto. The protocol of the connection (TCP or UDP).
  • Local Address. The IP address and port used by the local service. The address may be 0.0.0.0, meaning any available address, or 127.0.0.1, the local loopback.
  • Foreign Address. The IP address and port of the remote peer with which the connection is established.
  • State. The current state of the connection. Listening means the service is "listening", waiting for an incoming connection; Established means an active connection.

Netstat run with the -a and -b switches shows all network connections together with the programs that own them. This is very convenient when you need to find out which program is generating traffic and where it is sending data.

Additional connection states

In addition to the states above there are others, among them:

  • CLOSED - as the name suggests, the connection is closed;
  • SYN_SENT - a connection attempt is in progress (SYN sent, wa
iting for the reply);
  • SYN_RECEIVED - a connection request has been received and the handshake is being completed;
  • CLOSE_WAIT - the remote side has closed and the local application has not yet closed its end of the connection.

Using Netstat on Linux

Using the utility on Linux is not very different from Windows; there are only small differences in the options. The Netstat command and its options, with examples:

  • To show all ports: netstat -a.
  • The same, but only TCP: netstat -at.
  • Only UDP ports: netstat -au.
  • Show listening ports: netstat -l. Their state is shown as LISTEN.
  • Show listening TCP ports: netstat -lt.
  • Show the process ID and name for each socket: netstat -p.
  • Show per-protocol statistics: netstat -s.

Sometimes, to get fuller information about a network connection, Netstat has to be combined with other Linux commands and utilities. For example:

netstat -ap | grep ssh

This line lists the sockets currently used by SSH. If, on the other hand, you want to find out which process occupies a specific port, use the following (the -p option is what adds the process column, and the trailing space in the pattern keeps ports such as 8080 from matching):

netstat -anp | grep ':80 '

There is also a universal combination of options for Netstat on Linux that shows everything needed at once: netstat -lnptux. The result covers all listening TCP, UDP and UNIX-domain sockets together with the names and IDs of the owning processes.

Some examples to identify a DoS or DDoS attack

The following command shows how many established connections each remote IP address holds (the awk -F: step takes the text before the first colon, so it only works for IPv4 peers):

netstat -ntp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -rn

To spot a large number of requests to the web server from one address:

netstat -na | grep ':80 ' | sort

To count half-open connections (a SYN flood leaves many sockets in the SYN_RECV state):

netstat -nt | grep -c SYN_RECV

During a DoS attack the number returned is large, but what counts as large depends on the system and its normal load: the value on one server may be quite different from another, so compare it with a baseline taken under normal conditions.
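The pipeline above splits the foreign address on the first colon, which is wrong for IPv6 peers (2001:db8::5:443 would be counted as "2001"). The following bash functions are an added example, not code from the original article: they strip the port from the end of the address instead, fold IPv4-mapped IPv6 peers (::ffff:a.b.c.d, which appear when a dual-stack server accepts IPv4 clients) back to a.b.c.d so that one client is not counted twice, and count SYN_RECV sockets. The capture is constructed, and the threshold value is an assumed example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): connection-flood triage over
# "netstat -ntp" output, IPv6-safe. The capture below is constructed.
set -u

# connections_per_peer [STATE] < capture : "COUNT PEER" lines, most connections
# first (STATE defaults to ESTABLISHED).
connections_per_peer() {
    awk -v want="${1:-ESTABLISHED}" '
        $1 ~ /^tcp6?$/ && $6 == want {
            peer = $5
            sub(/:[0-9]+$/, "", peer)   # drop ":port" from the end; safe for "2001:db8::5:50001"
            sub(/^::ffff:/, "", peer)   # IPv4-mapped IPv6 -> plain IPv4
            print peer
        }' | LC_ALL=C sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# syn_recv_count < capture : number of half-open connections (a SYN flood
# indicator; compare with the host's normal value rather than a fixed number).
syn_recv_count() {
    connections_per_peer SYN_RECV | awk '{ n += $1 } END { print n + 0 }'
}

# peers_over_threshold N < capture : peers holding at least N established connections.
peers_over_threshold() {
    connections_per_peer ESTABLISHED | awk -v lim="$1" '$1 >= lim { print $2 }'
}

# Constructed capture: one IPv4 client that also arrives IPv4-mapped, one IPv6
# client, a few half-open connections, and an unrelated SSH session.
SAMPLE_FLOOD='
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address          State       PID/Program name
tcp        0      0 198.51.100.10:80         203.0.113.9:40001        ESTABLISHED 9486/nginx: worker
tcp        0      0 198.51.100.10:80         203.0.113.9:40002        ESTABLISHED 9486/nginx: worker
tcp        0      0 198.51.100.10:80         203.0.113.9:40003        ESTABLISHED 9486/nginx: worker
tcp6       0      0 2001:db8::10:80          2001:db8::5:50001        ESTABLISHED 9486/nginx: worker
tcp6       0      0 2001:db8::10:80          2001:db8::5:50002        ESTABLISHED 9486/nginx: worker
tcp6       0      0 ::ffff:198.51.100.10:80  ::ffff:203.0.113.9:40004 ESTABLISHED 9486/nginx: worker
tcp        0      0 198.51.100.10:80         203.0.113.77:41000       SYN_RECV    -
tcp        0      0 198.51.100.10:80         203.0.113.77:41001       SYN_RECV    -
tcp        0      0 198.51.100.10:80         203.0.113.78:41002       SYN_RECV    -
tcp        0      0 198.51.100.10:22         192.0.2.4:52000          ESTABLISHED 601/sshd: root
'

# Stand-alone run.
printf '%s\n' "$SAMPLE_FLOOD" | connections_per_peer       # 4 203.0.113.9 / 2 2001:db8::5 / 1 192.0.2.4
printf '%s\n' "$SAMPLE_FLOOD" | syn_recv_count             # 3
printf '%s\n' "$SAMPLE_FLOOD" | peers_over_threshold 2     # 203.0.113.9 and 2001:db8::5
```

On a live host replace the printf with netstat -ntp (or ss -ntp, which prints the same peer column) and feed the output of peers_over_threshold to the firewall rule of your choice; the threshold itself has to come from the host's own normal connection counts.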

Conclusion

Whatever operating system it is used on, the command is an indispensable tool for observing, analysing and debugging network activity, and system administrators all over the world use it actively.

Netstat is also useful when a system is suspected of being infected: it shows which applications have unusual network activity, which helps to identify malware early and neutralise it, or to protect a server from intrusion.

Summary

This article gave a detailed description of the Netstat command, its parameters and options. Fluent use of the program comes with practice on a real system, and combining it with other commands makes it even more effective. The full list of options is in the utility's documentation (the netstat(8) man page on Linux, netstat /? on Windows). Note that on Linux the net-tools netstat is deprecated; ss from the iproute2 package is the recommended replacement.