Category Archives: Networking

netstat

Note: This post is primarily on using netstat on Windows

I’ve been using netstat more lately to keep track of websockets being left open etc. and thought it worth creating a post regarding what things mean in netstat, as I’m bound to forget once all the code I’m working on is complete.

We’ll start with a few obvious things by looking at the switch/params available (as taken from netstat -h but included here for completeness)

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  • -h Display the help
  • -a Displays all connections and listening ports
  • -b Displays the executable involved in creating each connection. This option requires elevated permissions, i.e. run as admin
  • -e Displays ethernet statistics (may be combined with -s)
  • -f Displays fully qualified domain names (FQDN) for foreign addresses
  • -n Displays address and port numbers in numerical form
  • -o Displays the owning process id (PID) associated with each connection
  • -p proto Shows connections for the protocol specified by proto, which may be TCP, UDP, TCPv6 or UDPv6. If used with the -s option, proto may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6.
  • -r Display the routing table
  • -s Displays per protocol statistics, by default statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP and UDPv6. The -p option may be used to specify a subset.
  • -t Displays the current connection offload state
  • interval Redisplays the selected data/statistics every interval seconds. Press CTRL+C to stop

Possible states displayed might be

  • CLOSED indicates the server has received an ACK signal from the client and is closed
  • CLOSE_WAIT indicates the server has received the first FIN signal, to acknowledge no more data is to be sent from the client, hence the connection is closing
  • ESTABLISHED indicates that the server received a synchronize, SYN, signal. This is only sent in the first packet from the client and the session is established
  • FIN_WAIT_1 indicates the connection is still active but not being used
  • FIN_WAIT_2 indicates the client just received acknowledgement of the first FIN signal from the server
  • LAST_ACK indicates the server is in the process of sending its own FIN signal
  • LISTENING indicates the server is ready to accept a connection
  • SYN_RECEIVED indicates the server just received a SYN signal from the client
  • SYN_SEND indicates the connection is open and active
  • TIME_WAIT indicates the client recognizes the connection as active but it’s not currently being used

Obviously if you’ve got grep installed you might prefer to pipe through grep to locate specific data. In PowerShell use Select-String instead, i.e. the following will run netstat in default mode and then pipe to Select-String, which will report lines containing port 4000. Not wholly useful in all situations

netstat | Select-String :4000

Within PowerShell on Windows 10 is the Get-NetTCPConnection cmdlet, which gives us the power of PowerShell for querying the resultant data, for example

Get-NetTCPConnection | ? {$_.State -eq "Listen"}

This will show all results with the state of Listen.

On Windows 7 (without grep) we can use Find and pipe results like this

netstat -an | Find ":4000"

Don’t forget you can pipe this again to find LISTENING state using

netstat -an | Find ":4000" | Find "LISTENING"

What do the results mean?

Obviously the protocol is listed along with the state (possible options listed previously), but we’ll often see local or foreign addresses such as 0.0.0.0, which means the address/port is listening (etc.) on all network interfaces. 127.0.0.1 is of course your local host, and processes bound to it are listening for connections from the PC itself (i.e. not the network). If the address is your local network IP then the port is listening for connections from the local network.
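The reading of local addresses described above can be applied mechanically to `netstat -ano` output. The following is an added example (Python, not part of the original post): it parses the text, classifies each LISTENING socket by the address it is bound to, and tallies the states seen on one port. It goes slightly beyond the text by also handling bracketed IPv6 addresses and UDP rows, which have no State column; the function names and the sample output are constructed for illustration.

```python
from collections import Counter

# Constructed sample in the layout printed by `netstat -ano` (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    127.0.0.1:4000         0.0.0.0:0              LISTENING       7312
  TCP    127.0.0.1:4000         127.0.0.1:51544        ESTABLISHED     7312
  TCP    127.0.0.1:4000         127.0.0.1:51560        CLOSE_WAIT      7312
  TCP    127.0.0.1:4000         127.0.0.1:51561        CLOSE_WAIT      7312
  TCP    192.168.1.20:8080      0.0.0.0:0              LISTENING       5120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2220
"""

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        # Split on the last colon so bracketed IPv6 such as [::]:445 keeps its address.
        addr, _, port = f[1].rpartition(":")
        yield {"proto": f[0], "addr": addr.strip("[]"), "port": port,
               "state": f[3] if len(f) == 5 else "", "pid": int(f[-1])}

def exposure(addr):
    """Classify a local address by who can reach a socket bound to it."""
    if addr in ("0.0.0.0", "::"):
        return "all interfaces"
    if addr.startswith("127.") or addr == "::1":
        return "loopback only"
    return "single interface"

def listeners(rows):
    """(port, pid, exposure) for every TCP socket in the LISTENING state."""
    return [(r["port"], r["pid"], exposure(r["addr"]))
            for r in rows if r["state"] == "LISTENING"]

def states_for_port(rows, port):
    """Tally connection states on one local port, e.g. to spot sockets left open."""
    return Counter(r["state"] for r in rows if r["port"] == port and r["state"])

if __name__ == "__main__":
    rows = list(parse_netstat(SAMPLE))
    print(listeners(rows))
    print(dict(states_for_port(rows, "4000")))
```

To run it against a live machine, replace `SAMPLE` with the text captured from `netstat -ano`; the PID column can then be matched to a process in Task Manager.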

Common use cases

I’m going to stick with netstat (over Get-NetTCPConnection) as this post is, after all, about netstat.

Which software is making a connection to the outside world?

netstat -b

Get a summary of the current number of bytes sent/received etc.

netstat -e

lookup index.docker.io no DNS servers error

I’ve been learning Docker lately and all was working well, then today I started seeing the following error lookup index.docker.io no DNS servers error when trying to pull a docker container from Docker Hub. Very strange as this worked fine previously.

For the record, I was able to use apt-get to update packages and I could ping the index.docker.io address, so I’m not sure what changed to make this break.

Anyway to solve the problem we can simply append dns-nameservers to the file /etc/network/interfaces

For example

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.x.x.x
netmask 255.255.255.0
gateway 192.x.x.1
dns-nameservers 8.8.8.8 8.8.4.4

In the above I’ve added the loopback and two Google name servers to the interfaces file.

To activate these changes (without a reboot) just use

ifdown eth0 && ifup eth0

Downloading a file from URL using basic authentication

I had some code in an application which I work on which uses Excel to open a .csv file from a URL. The problem is that users have moved to Excel 2010 (yes, we’re a little behind the latest versions) and basic authentication is no longer supported without registry changes (see Office file types fail to open from server).

So, to re-implement this I needed to write some code to handle the file download myself (as we’re not able to change users’ registry settings).

The code is simple enough, but I thought it’d be useful to document it here anyway

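using System.Net;
// userName, password, url and filename are supplied by the caller
using (WebClient client = new WebClient()) // dispose the client once the download completes
{
    client.Proxy = WebRequest.DefaultWebProxy; // go through the system-configured proxy
    client.Credentials = new NetworkCredential(userName, password);
    client.DownloadFile(url, filename);
}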

This code assumes that the url is supplied to this code along with a filename for where to save the downloaded file.

We use a proxy, hence the proxy is supplied, and then we supply the NetworkCredential which will handle basic authentication. Here we need to supply the userName and password; of course, with basic authentication these will be passed as plain text over the wire.
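To make the plain-text remark concrete, here is an added example (Python, not part of the original post or the application it describes). The Basic `Authorization` value is just base64 of `user:password`, so the sketch builds it, shows that it decodes straight back, and refuses to attach it to a URL that is not HTTPS. The function names and the URL are hypothetical; the credentials are the sample pair from RFC 7617.

```python
import base64
from urllib.parse import urlsplit
from urllib.request import Request

def basic_auth_header(user, password):
    """Authorization value for Basic auth (RFC 7617): base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_basic_auth(header):
    """What any party able to read the request recovers; base64 is not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def build_download_request(url, user, password):
    """Attach Basic credentials only to HTTPS URLs, so TLS protects them in transit."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send Basic credentials to a non-HTTPS URL")
    return Request(url, headers={"Authorization": basic_auth_header(user, password)})

if __name__ == "__main__":
    # Sample credentials from RFC 7617; the URL is a constructed placeholder.
    header = basic_auth_header("Aladdin", "open sesame")
    print(header)
    print(decode_basic_auth(header))
    req = build_download_request("https://files.example.test/report.csv",
                                 "Aladdin", "open sesame")
    print(req.get_header("Authorization"))
```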