Bookmark
Page

Using Netstat

One of the most overlooked and under-used tools available to a technician or network administrator is the NETSTAT command. When you run this command-line utility on any Windows system, it shows you the status of the network connections for that system, and possibly much more depending on the command-line switches used with it. It can even help you determine if the system is infected with a Trojan horse, which is a bit of malicious hacker code disguised as something useful.

To run NETSTAT in any version of Windows, open an MSDOS window and on the command line type NETSTAT followed by a space, a hyphen, and the letter(s) for one of the switches. The format should look like this:

C:\Windows>netstat -a

Here is a list of switches to use.

-a All. This shows information on all sockets that are open, listed in four columns called Protocol, Local Address, Foreign Address and State.

Protocol lists all active transport protocols, such as TCP and UDP.

Local Address shows all open ports

Foreign Address lists the names that remote systems can use to communicate to your system State tells what the ports are doing.

If the system is not in the middle of a network session these will normally say 'Listening'.

-an All, Numerical. Same as before but local and foreign addresses are shown as IP addresses instead of names. With dynamic addressing this is a very convenient way to see what IP addresses your system is using at the moment.

-e Ethernet Statistics. Shows traffic (in bytes), number of errors, etc.

-s Statistic. Similar to -e, but much more detailed because it breaks the statistics down by protocol. Can be combined with the above by using -es.

-r Routing Table. Shows the routing for each port, with separate columns for the network (destination) address, submask, gateway address and interface address.

For more information about the switches, you can run the command as netstat /? Normally NETSTAT will run just once each time you type it in, but you can run it repeatedly by placing a numerical value after the command. That value is the number of seconds between executions. Use Ctrl+C to halt it.

The web site http://doshelp.com/trojanports.htm provides a list of Trojan horse programs and the ports they use. Compare them to the ports detected on your system when you run netstat -a, and protect yourself from these insidious invaders.

Another timely tip from the friendly folks at Micro 2000.