netstat

Note: This post is primarily about using netstat on Windows.

I’ve been using netstat more lately to keep track of WebSockets being left open, etc., and thought it worth writing up what the various things in netstat output mean, as I’m bound to forget once all the code I’m working on is complete.

We’ll start with a few obvious things by looking at the switches/parameters available (as taken from netstat -h, but included here for completeness):

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

  • -h Display the help
  • -a Displays all connections and listening ports
  • -b Displays the executable involved in creating each connection or listening port. This option requires elevated permissions, i.e. run as administrator, and is noticeably slower than the others
  • -e Displays ethernet statistics (may be combined with -s)
  • -f Displays fully qualified domain names (FQDN) for foreign addresses
  • -n Displays address and port numbers in numerical form
  • -o Displays the owning process id (PID) associated with each connection
  • -p proto Shows connections for the protocol specified by proto, which may be TCP, UDP, TCPv6 or UDPv6. If used with the -s option, proto may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6
  • -r Display the routing table
  • -s Displays per protocol statistics, by default statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP and UDPv6. The -p option may be used to specify a subset.
  • -t Displays the current connection offload state
  • interval Redisplays the selected data/statistics every interval seconds. Press CTRL+C to stop

The states that may be displayed, described from the point of view of the local socket that netstat is reporting on, are

  • LISTENING indicates the local socket is waiting for incoming connection requests, i.e. a server port. No peer exists yet, so the foreign address is shown as 0.0.0.0:0 or [::]:0
  • SYN_SENT indicates the local side has sent a SYN and is waiting for the SYN-ACK; an outgoing connection attempt that has not completed. Many SYN_SENT entries from one process to many different foreign addresses usually means a scan, or something repeatedly failing to reach a host that is down or firewalled
  • SYN_RECEIVED indicates the local side has received a SYN and replied with a SYN-ACK, and is waiting for the final ACK of the three-way handshake. A large number of these on one listening port is what a SYN flood looks like
  • ESTABLISHED indicates the three-way handshake has completed and data can flow in both directions
  • FIN_WAIT_1 indicates the local side has closed its end (sent a FIN) and is waiting for the remote end to acknowledge it
  • FIN_WAIT_2 indicates the local FIN has been acknowledged and the local side is waiting for the remote end to send its own FIN
  • CLOSE_WAIT indicates the remote end has sent its FIN (it has no more data to send) and the local side has acknowledged it, but the local application has not yet closed the socket. Sockets stuck here are the application’s fault rather than the network’s; a steadily growing CLOSE_WAIT count is the signature of connections (WebSockets included) that are never closed
  • LAST_ACK indicates the local side, having been in CLOSE_WAIT, has now sent its own FIN and is waiting for the final ACK
  • TIME_WAIT indicates the local side closed first and the close handshake has completed, but the socket is held for a fixed period (twice the maximum segment lifetime) so that stray late segments cannot be mistaken for part of a new connection on the same address/port pair. Harmless in itself, though large numbers on a busy client can exhaust the ephemeral port range
  • CLOSED indicates no connection exists and the socket is free. It is rarely seen in netstat output because the entry is removed almost immediately

If you’ve got grep installed you might prefer to pipe the output through it to locate specific data; in PowerShell the equivalent is Select-String. The following runs netstat in its default mode and then pipes to Select-String, which reports only the lines mentioning port 4000. Bear in mind that the default mode lists established connections only (no listening ports) and, without -n, netstat resolves well-known port numbers to service names, so a listening port or a purely numeric match needs netstat -an instead.

netstat | Select-String :4000

Windows 8 and later (including Windows 10) ship the Get-NetTCPConnection cmdlet in PowerShell, which returns objects rather than text and so gives us the full power of the PowerShell pipeline for querying the data, for example

Get-NetTCPConnection | ? {$_.State -eq "Listen"}

This will show all entries in the Listen state. The cmdlet also accepts -State, -LocalPort and -OwningProcess parameters, which filter at the source rather than after the fact.
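The CLOSE_WAIT pile-up mentioned under the state list is the thing to look for when hunting leaked sockets, and Get-NetTCPConnection makes it easy to attribute to a process. The following is an added example, not code from the original post: it groups live TCP entries by owning process, resolves the PID to a process name, and flags any process holding more than a threshold of CLOSE_WAIT sockets. It assumes Get-NetTCPConnection is available (NetTCPIP module, Windows 8 / Server 2012 and later); the threshold of 10 is an arbitrary value chosen for this example.

```powershell
# Added example, not code from the original post. Requires Get-NetTCPConnection
# (NetTCPIP module, Windows 8 / Server 2012 and later). The CLOSE_WAIT threshold
# is an arbitrary value chosen for this example.

function Get-TcpStateSummary {
    param([int]$CloseWaitThreshold = 10)

    Get-NetTCPConnection |
        Group-Object -Property OwningProcess |
        ForEach-Object {
            $group = $_.Group
            $owner = [int]$_.Name
            # Get-Process fails for PID 0 (System Idle) and for processes that exited
            # between the two calls, so treat "no process" as a normal case
            $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '(not found)' }
            $closeWait = @($group | Where-Object { $_.State -eq 'CloseWait' }).Count
            [pscustomobject]@{
                PID         = $owner
                Process     = $name
                Total       = $group.Count
                Listen      = @($group | Where-Object { $_.State -eq 'Listen' }).Count
                Established = @($group | Where-Object { $_.State -eq 'Established' }).Count
                CloseWait   = $closeWait
                # CLOSE_WAIT only clears when the owning application closes the socket,
                # so a pile-up here points at a leak in that process, not at the network
                Suspicious  = ($closeWait -ge $CloseWaitThreshold)
            }
        } |
        Sort-Object -Property CloseWait -Descending
}

# Whole-machine view, worst offenders first
Get-TcpStateSummary | Format-Table -AutoSize

# Only the processes over the threshold, with the remote ends they are holding open
Get-TcpStateSummary |
    Where-Object { $_.Suspicious } |
    ForEach-Object {
        Get-NetTCPConnection -OwningProcess $_.PID -State CloseWait |
            Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort
    }
```

Run it from an elevated prompt if you want process names for services running as other users; unprivileged sessions can still see the PIDs. Re-running the summary a few minutes apart and watching whether CloseWait only ever goes up for one process is usually enough to confirm a leak.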

On Windows 7, which has neither grep nor Get-NetTCPConnection, we can use the built-in find command and pipe results like this

netstat -an | find ":4000"

Don’t forget you can pipe this again to narrow it down to the LISTENING state using the following (find is case-sensitive unless you add /I)

netstat -an | Find ":4000" | Find "LISTENING"

What do the results mean?

The protocol and the state (possible states listed previously) are self-explanatory, but the addresses deserve a closer look. A local address of 0.0.0.0 (or [::] for IPv6) means the socket is bound to all interfaces, so the port is reachable from every network the machine is attached to, subject only to the firewall. 127.0.0.1 (or [::1]) is of course the loopback address: the process is only accepting connections from the PC itself, not from the network. If the local address is one of the machine’s own network IPs then the socket is bound to that interface only, and is reachable from that network. On a LISTENING entry the foreign address is a placeholder (0.0.0.0:0 or [::]:0) because no peer exists yet; UDP entries show *:* there because UDP is connectionless. Use -n to keep everything numeric, otherwise netstat attempts reverse DNS on foreign addresses, which is slow and can be misleading.
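Piping netstat through Select-String or find, as in the filtering section above, only gets you lines of text. The following added example (not code from the original post) parses the output of netstat -ano into PowerShell objects, so the same questions can be asked on Windows 7 that Get-NetTCPConnection answers on newer systems: which process owns port 4000, and which listeners are bound to all interfaces rather than loopback, using the address meanings just described. The netstat output embedded in $sample is constructed for offline use; the comment shows how to run it against the live machine. The port 4000 and the PIDs are illustrative values.

```powershell
# Added example, not code from the original post. Parses the text printed by
# `netstat -ano` into objects so it can be queried like Get-NetTCPConnection output,
# which is useful on Windows 7 where that cmdlet does not exist.

function ConvertFrom-NetstatLine {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Line)
    process {
        $f = $Line.Trim() -split '\s+'
        # Header and blank lines are skipped; TCP rows have 5 fields, UDP rows 4 (no State column)
        if ($f.Count -lt 4 -or ('TCP','UDP' -notcontains $f[0])) { return }
        $isTcp = ($f[0] -eq 'TCP')
        # Split "addr:port" at the last colon so IPv6 literals such as [::]:135 survive intact
        $i = $f[1].LastIndexOf(':')
        $j = $f[2].LastIndexOf(':')
        New-Object PSObject -Property @{
            Proto         = $f[0]
            LocalAddress  = $f[1].Substring(0, $i)
            LocalPort     = $f[1].Substring($i + 1)
            RemoteAddress = $f[2].Substring(0, $j)
            RemotePort    = $f[2].Substring($j + 1)
            State         = $(if ($isTcp) { $f[3] } else { '' })
            PID           = [int]$(if ($isTcp) { $f[4] } else { $f[3] })
        }
    }
}

function Get-PortOwner {
    param($Connections, [int]$Port)
    $Connections | Where-Object { $_.LocalPort -eq $Port } | ForEach-Object {
        # The sample PIDs will not exist on your machine, so the lookup is allowed to fail
        $p = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
        $name = if ($p) { $p.ProcessName } else { '(no such PID on this machine)' }
        $_ | Add-Member -MemberType NoteProperty -Name Process -Value $name -PassThru
    }
}

function Get-ListenerExposure {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)]$Connection)
    process {
        # UDP sockets have no state; treat every UDP binding as a listener
        if ($Connection.Proto -eq 'TCP' -and $Connection.State -ne 'LISTENING') { return }
        $exposure = switch -Regex ($Connection.LocalAddress) {
            '^(0\.0\.0\.0|\[::\])$' { 'all interfaces'; break }
            '^(127\.|\[::1\])'      { 'loopback only';  break }
            default                 { 'one interface' }
        }
        $Connection | Add-Member -MemberType NoteProperty -Name Exposure -Value $exposure -PassThru
    }
}

# Constructed sample of netstat -ano output (not captured from a real machine)
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:4000         0.0.0.0:0              LISTENING       5128
  TCP    192.168.1.20:4000      192.168.1.35:51222     CLOSE_WAIT      5128
  TCP    192.168.1.20:49712     52.97.200.18:443       ESTABLISHED     6544
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2212
  UDP    [::1]:1900             *:*                                    3100
'@ -split "`r?`n"

$conns = $sample | ConvertFrom-NetstatLine
# Against the live machine instead:  $conns = netstat -ano | ConvertFrom-NetstatLine

# Who owns port 4000, and in what state? The CLOSE_WAIT row is a peer that has hung up
# while our process (PID 5128) has not yet closed its end.
Get-PortOwner -Connections $conns -Port 4000 |
    Format-Table Proto, LocalAddress, LocalPort, State, PID, Process -AutoSize

# Which listeners can be reached from the network at all?
$conns | Get-ListenerExposure | Sort-Object Exposure |
    Format-Table Proto, LocalAddress, LocalPort, PID, Exposure -AutoSize
```

Everything here is PowerShell 2.0-compatible, so it works on a stock Windows 7 box. The exposure column is the quickest way to review a machine after installing something: anything listed as "all interfaces" is a service the rest of the network can see, which is worth a second look if you expected it to be local-only.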

Common use cases

I’m going to stick with netstat (over Get-NetTCPConnection) here as this post is, after all, about netstat.

Which software is making a connection to the outside world? Run the following from an elevated prompt (it shows the executable under each entry); combine it with -n and -o if you also want numeric addresses and the PID

netstat -b

Get a summary of the bytes and packets sent/received on the interfaces, along with discards and errors

netstat -e