Netstat on the Command Line

Netstat is a built-in utility typically used to troubleshoot remote connection issues. It is also used in the security field to see which external IPs and URLs the computer is actively communicating with, and which ports are passively open waiting for a connection. To run netstat, launch the Command Prompt in administrator mode.

It is important to remember that running the command is a one and done. It does not auto-refresh unless you tell it to using a switch. To get a list of switches, run "netstat /?". The most important netstat switches are:

-a = Display all connections and listening ports.
-b = Display the executable involved in creating each connection or listening port.
-f = Display the fully qualified domain name (FQDN) for foreign addresses.
-n = Display addresses and ports in numeric form (no DNS lookups).
-o = Display the process ID (PID) associated with each connection.
-r = Display the routing table.

Let's go over some commands. First, 'netstat -ab' is unusually slow to provide results, and the results are not in an easy to read format. For this reason many users do not like it. But it will provide the process name that opened or established the connection.

Next is 'netstat -ano'. It provides very fast results, but does not provide the name of the running service. However, you can get the process IDs and then look up the running process in Task Manager to find the service or executable. Finally, you can look up the foreign addresses in an online lookup service to find the WHOIS record or the IP registration.

Display the active TCP connections with the FQDN.

You can pipe the netstat output to findstr to include only the lines that match a pattern.

You can instead exclude matching lines by using findstr's /V switch.
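The same triage the text describes for 'netstat -ano' output (filtering lines in or out, then resolving PIDs to process names) can be done programmatically. The script below is an added example, not code from the original post: it parses a constructed sample of 'netstat -ano' output and a constructed sample of 'tasklist /FO CSV' output (all addresses, PIDs and image names are made up), emulates the findstr include/exclude pipes, lists passively listening ports, and reports established connections to non-private addresses together with the owning executable. Running it against real output captured on a Windows host is the reader's choice; the parsing logic assumes the column layout shown in the sample.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1004
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     3344
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     4812
  TCP    192.168.1.10:49801     151.101.1.69:8080      ESTABLISHED     7120
  TCP    192.168.1.10:49802     151.101.1.69:8080      TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    2208
"""

# Constructed sample of `tasklist /FO CSV` output, used to resolve PIDs to
# image names (the Task Manager lookup the text describes, done in code).
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","148 K"
"svchost.exe","1004","Services","0","9,812 K"
"OUTLOOK.EXE","4812","Console","1","210,144 K"
"updater.exe","7120","Console","1","12,004 K"
"chrome.exe","2208","Console","1","301,552 K"
"""


def parse_netstat(text):
    """Parse `netstat -ano` lines into dicts. UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV` output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(r["PID"]): r["Image Name"] for r in reader}


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4, bracketed IPv6, or '*:*') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_external(host):
    """True only for routable addresses (not private, loopback, link-local or '*')."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback
                or ip.is_unspecified or ip.is_link_local)


def filter_rows(rows, include=None, exclude=None):
    """Emulate `netstat -ano | findstr X` (include) and `| findstr /V Y` (exclude)."""
    def as_text(r):
        return " ".join([r["proto"], r["local"], r["foreign"], r["state"], str(r["pid"])])
    out = rows
    if include:
        out = [r for r in out if include in as_text(r)]
    if exclude:
        out = [r for r in out if exclude not in as_text(r)]
    return out


def listening_ports(rows):
    """(proto, port, pid) for sockets passively waiting for a connection."""
    out = []
    for r in rows:
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == "*:*"):
            out.append((r["proto"], split_endpoint(r["local"])[1], r["pid"]))
    return out


def external_connections(rows, names):
    """Established connections to external hosts, annotated with the owning image."""
    result = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(r["foreign"])
        if is_external(host):
            result.append((names.get(r["pid"], "?"), r["pid"], host, port))
    return result


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    names = parse_tasklist(TASKLIST_SAMPLE)
    print("Listening:", listening_ports(rows))
    print("External:", external_connections(rows, names))
    kept = filter_rows(rows, include="ESTABLISHED", exclude="127.0.0.1")
    print("findstr ESTABLISHED | findstr /V 127.0.0.1 ->", [r["pid"] for r in kept])
```

On a live host the two samples would be replaced by the captured text of 'netstat -ano' and 'tasklist /FO CSV'; the join on PID gives the process name that 'netstat -ano' alone omits, without paying the delay of 'netstat -ab'. The external-address check uses Python's ipaddress classification, so private, loopback and link-local peers drop out and only hosts worth a WHOIS lookup remain.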

Using TCPView

Think of TCPView (or the older CurrPorts) as a GUI interface to netstat. TCPView is produced by Microsoft Sysinternals and is actively supported. It is easier to read than the command line, auto-refreshes every 2 seconds, and provides both fast results and the process name.

You can quickly track down which service is attempting to make an external connection, which remote IP or URL it is communicating with, and over which port. The results can be combined with some Google searches to get a complete picture. I find it easier than trying to interpret the netstat command line results.

The color scheme is tricky. Red means a connection is about to close, green means a connection was just opened, and yellow means a connection has just refreshed. Notice the green bar in the picture below.
