All connections to the netstat server. NETSTAT command - displaying network connection statistics

Some use it regularly, some only for diagnostics. I belong to the latter category: I prefer to use this utility to identify the causes of system problems and malfunctions.

The netstat command has ten parameters that allow you to get detailed information to solve a variety of problems. However, no less useful information can be obtained without any parameters.

The most common use of netstat is with the -a option to list all connections and listening ports. Listed below are a few other options that may come in handy when using this utility.

Fully qualified domain name. The -f parameter lets you find out the FQDN for the external address. When netstat is run with this option, names are resolved for both the internal and external networks. Fig. A shows the output of the command.

Figure A

Which process is using which port. The combination of the -a -n -o options lets you find out which process identifier (PID) a particular port corresponds to. The output of the command is shown in Fig. B.


Figure B

And if you add the -b option to this combination, friendly names will be used for each process, as shown in Fig. C. However, this will require administrator rights.


Figure C

Please note: remote addresses pointing to 192.168.1.220:3261 belong to the Windows iSCSI Initiator service and are labeled differently than other service addresses.

Output of the routing table. When you want to figure out why a network connection behaves differently on one computer than on others on the same network, you can use the -r option, which prints the routing table for that system, as shown in Fig. D. Note the "Persistent routes" section: it lists all static routes configured for Windows Server.


Figure D

These four variations of the netstat command make it much easier

Sometimes when running a system, be it a home personal computer or a powerful server serving many connections, it is useful to have a tool on hand that can display data about network activity. Why might this be needed? To identify applications, or users, that access the Internet without authorization. This is exactly what the utility we are considering does.

What is Netstat?

This is an application with which you can find out what is happening on the network at the moment. It is started from the command line, and additional keys and parameters can be supplied when starting Netstat.

It is worth noting that the name of the utility is formed from two components, network statistics, which, in principle, is logical. Among the information that the program shows, one can highlight routing and connection statistics.

Commands and Keys

The syntax of command keys and parameters is quite extensive. This allows you to get network statistics at many different levels. The following is a description of the Netstat command, its parameters and keys:

  • -a - running with this parameter will display all active TCP connections, as well as the TCP and UDP ports listening on the system;
  • -e - display extended Ethernet statistics, such as the number of bytes and packets sent and received;
  • -n - show active TCP connections with addresses and port numbers in numeric form;
  • -o - the same as the previous switch, outputs active TCP connections, but the process identifier (PID) is added to the statistics, so you can determine exactly which application is using the connection;
  • -p - display information on the specific protocol given in the parameter. Values may include tcp, udp, tcpv6, and udpv6;
  • -s - display protocol statistics; by default, all known types will be displayed;
  • -r - this switch will display the contents of the IP routing table; the parameter is equivalent to using the route command;
  • interval - on the command line you can give the interval after which the selected statistics will be displayed again; if it is omitted, the information will be displayed only once;
  • /? - will display help information for the Netstat command.

Using Netstat on Windows

In order to display all connections on the command line screen, paging them over several screens, you need to use the following syntax: "netstat -a | more". If you need to save all statistics to a specific file, use "netstat -a > C:\filename". All collected information will then be written to the file at this path.

The result of the work can be a small table that contains the following types of data:

  • Name. The name of the active protocol found is indicated here.
  • Local address. The IP address and port used by the local service to create the connection. The values may include 0.0.0.0, which means any available address, or 127.0.0.1, which indicates the local loopback.
  • External address. IP and port of the external service on the network to which the connection is established.
  • State. Shows the current connection status. It can take different values. For example, Listening indicates that the service is "listening" and waiting for an incoming connection. Established means an active connection.

Netstat, launched with the -a and -b switches, will show all network connections, as well as the programs associated with them. This is very convenient if you need to figure out which program is actively using traffic and where it is sending data.

Additional connection states

In addition to the above connection states, there are additional ones:

  • closed - as the name suggests, the connection is closed;
  • syn_sent - there is an active attempt to establish a connection;
  • syn_received - the initial stage of synchronization, a connection request has been received;
  • close_wait - the connection has been shut down and is being closed.

Using Netstat on Linux

Using the utility in a Linux environment is, in fact, not much different from Windows. There are only slight differences in the command parameters. Description of the Netstat command and its parameters with examples:

  • To display all ports, use the command "netstat -a".
  • The same, but only for TCP: "netstat -at".
  • UDP ports only: "netstat -au".
  • Display open (listening) ports: "netstat -l". Their status will be shown as LISTEN.
  • Display open TCP ports: "netstat -lt".
  • Display the process ID and its name: "netstat -p".
  • Show statistics for each protocol: "netstat -s".

Sometimes, to get fuller information about a network connection, you need to combine Netstat with other Linux commands and utilities. For example, like this:

netstat -ap | grep ssh

This line will display a list of ports that are currently used by the SSH utility. If, on the other hand, you want to find out which process is occupying a specific port, you can use the following syntax:

netstat -an | grep ':80'

Also for Netstat in Linux there is a universal set of keys that can display everything you need at once. It looks like this: netstat -lnptux. The data set will reflect all TCP, UDP, UNIX Socket protocols, names of processes and their identifiers.

Some examples to identify a DoS or DDoS attack

The following command will let you know how many connections are active on each IP address:

netstat -naltp | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort -n | uniq -c

We define large number requests from one IP address:

netstat -na | grep ':80' | sort

We determine the exact number of requests received per connection:

netstat -np | grep SYN_RECV | wc -l

During a DoS attack, the number produced by this command will be quite large. What counts as large depends on the specific system: on one server it may be one value, on another a different one.
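The per-address counting pipeline and the SYN_RECV count above, reworked as an added example (not part of the original article) that runs offline over a constructed netstat -nat listing. It strips only the trailing port, so IPv6 peers are not split on ":" the way the awk -F: pipeline splits them, and it wraps the checks in functions so a threshold can be applied.

```shell
#!/bin/sh
# Added example: count ESTABLISHED connections per remote address and
# half-open (SYN_RECV) connections from `netstat -nat` text on stdin.
# The sample below is constructed, not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.7:51234       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51235       ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.7:51236       ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.2:40000      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.9:22222       SYN_RECV
tcp6       0      0 2001:db8::5:80          2001:db8::99:55555      ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN'

# established_per_peer: print "<count> <peer address>", highest count first.
# Column 5 is the foreign address, column 6 the state (net-tools layout,
# no -p column). Only the trailing ":port" is removed, so IPv6 stays whole.
established_per_peer() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            peer = $5
            sub(/:[0-9]+$/, "", peer)
            n[peer]++
         }
         END { for (p in n) print n[p], p }' | sort -rn
}

# peers_over LIMIT: peers with more than LIMIT established connections.
peers_over() {
    established_per_peer | awk -v lim="$1" '$1 > lim { print $2 }'
}

# half_open_count: number of SYN_RECV rows, the DoS indicator from the text.
half_open_count() {
    awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample (replace with: netstat -nat | ...)
printf '%s\n' "$SAMPLE_NETSTAT" | established_per_peer
printf '%s\n' "$SAMPLE_NETSTAT" | peers_over 2
printf '%s\n' "$SAMPLE_NETSTAT" | half_open_count
```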

Conclusion

Whatever operating system the command is used on, it is an indispensable tool for scanning, analyzing and debugging a network. It is actively used by system administrators all over the world.

Netstat can be used when the system is infected with malware. It is able to show all applications with a lot of suspicious network traffic. This helps identify malicious software at an early stage and neutralize it, or protect the server from unwanted intrusion.

Conclusions

The article gave a detailed description of the Netstat command and its parameters and switches. Full use of the program comes after several rounds of practice on a real device. Combining it with other commands makes it even more effective. A complete description of the Netstat commands can be found in the manual on the utility's official website. It is also worth noting that in a Linux environment the Netstat command is deprecated and it is strongly recommended to use ss instead.

Laboratory work No. 03-005

Netstat network utility. Operating principles and use.

The utility displays active and listening TCP ports, Ethernet statistics, IP routing tables, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Run without parameters, netstat displays active TCP connections.

Syntax:

netstat [-a] [-e] [-n] [-o] [-p protocol] [-r] [-s] [interval].

Parameters:

-a output of all active TCP connections and the TCP and UDP ports the computer is listening on;

-b display of the executable files involved in creating active connections. If independent software components are used to create the socket, they are also displayed;

-e Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with the key -s;

-n displays active TCP connections, showing addresses and port numbers in numeric format without attempting to resolve names;

-o Lists active TCP connections and includes the process ID (PID) for each connection. The PID lets you find the application on the Processes tab of Windows Task Manager. This parameter can be combined with the keys -a, -n and -p;

-p protocol output connections for the protocol specified by the protocol parameter. In this case protocol can take the values tcp, udp, tcpv6 or udpv6. If this parameter is used with the -s key to display protocol statistics, protocol may take the values tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6;

-r Displays the contents of the IP routing table. This command is equivalent to the command route print;

-s output of protocol statistics. By default, statistics are displayed for the TCP, UDP, ICMP and IP protocols. If IPv6 is installed for Windows XP, statistics are displayed for TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6. Parameter -p can be used to specify a set of protocols;

-v used in conjunction with the -b parameter to display the sequence of software components involved in creating a socket;

interval makes the selected data refresh at the interval given by the interval parameter (in seconds). Pressing CTRL+C stops the refresh. If this parameter is omitted, netstat displays the selected data only once.

/? Display help on the command line.

At the network level in the TCP/IP protocol stack, addressing is carried out using IP addresses. But after the packet is delivered via the IP protocol to the recipient computer with the given IP address, the data must be sent to a specific recipient application process. Each computer can run multiple processes, and an application process can have multiple entry points that simultaneously act as data recipients.

The communication needs of application processes are served by the transport layer of the protocol stack, implemented in software in the operating system kernel, as a separate user process or as a library module loaded by a network application. Packets arriving at the transport layer are organized by the operating system as a set of queues to the entry points of the various application processes. In TCP/IP terminology such system queues are called ports. A port is a software concept used by a client or server to send or receive messages; a port is identified by a 16-bit number. Thus, the destination address used by the transport entity is the port identifier (number) of the application service. The port number, together with the network number and the end node number, uniquely identifies the application process on the network. This set of identifying parameters is called a socket.

Port numbers are assigned to application processes either centrally, if these processes are popular public services (for example, number 21 is assigned to the FTP remote file access service, and 23 to the telnet remote control service), or locally for those services that have not yet become widespread enough to be assigned standard (reserved) numbers. Centralized assignment of port numbers to services is performed by the Internet Assigned Numbers Authority (IANA). These numbers are then fixed and published in Internet standards.

Local port number assignment means that the application developer simply associates any available, arbitrarily chosen numeric identifier with the application, making sure that it is not one of the reserved port numbers. Thereafter, all remote requests to this application from other applications must be addressed using the port number assigned to it.

The client initiating the connection, before attempting to establish a connection with the remote application server, requests a free port number from its OS. Ports with numbers 0-1023 are usually called privileged; they are almost all reserved and are not allocated to client processes. This does not mean that there are no assigned port numbers above that range, but they are used much less frequently and, being free on a given host, may well be made available to the client program.

UDP (User Datagram Protocol) is a simple datagram-oriented transport layer protocol: the process issues one UDP datagram at a time, resulting in one IP datagram being transmitted. The protocol does not establish a connection and does not confirm to the sender that the message has been delivered.

TCP (Transmission Control Protocol) provides a connection-based, reliable byte stream service. It is used in cases where guaranteed delivery of messages is required. It uses packet checksums to verify packet integrity and relieves application processes of the need for timeouts and retransmissions to ensure reliability.

The term connection-oriented means that two applications using TCP (usually a client and a server) must establish a TCP connection with each other before they can exchange data.

There are always two endpoints that communicate with each other using a TCP connection. TCP does not do broadcasts or multicasts.

The steps required to establish and terminate a TCP connection can be represented as a model with 11 possible states:

State        Description
CLOSED       Closed. The connection is not active and is not in the process of being established
LISTEN       Waiting. The server is waiting for an incoming request
SYN RCVD     A connection request has arrived. Waiting for confirmation
SYN SENT     Connection request sent. The application has started opening a connection
ESTABLISHED  Established. Normal data transmission state
FINWAIT 1    The application reported that it has nothing more to transfer
FINWAIT 2    The other party agrees to terminate the connection
TIMED WAIT   Wait until all packets disappear from the network
CLOSING      Both parties attempted to close the connection at the same time
CLOSE WAIT   The other party has initiated a disconnect
LAST ACK     Wait until all packets disappear from the network

In each of these states, allowed and prohibited events can occur. In response to any allowed event, a specific action can be taken. When prohibited events occur, an error is reported.

Each connection starts in the CLOSED state. It can leave this state by making either an active (CONNECT) or a passive (LISTEN) attempt to open a connection. If the other side performs the complementary operation, the connection is established and enters the ESTABLISHED state. Either party can initiate termination of the connection. Once the disconnection process is complete, the connection returns to the CLOSED state.

Self-test questions

    Port as a transport layer addressing element. Socket.

    Locally and centrally assigned ports.

    Basic transport layer protocols of the TCP/IP stack. Their brief description.

    Mapping network connections to processes running on a computer.

    Netstat utility parameters.

Required equipment

An IBM PC-compatible computer with a licensed Windows operating system, a local network connection and Internet access.

Tasks

Before starting the tasks, restart your computer and do not launch any applications.

1. Using the netstat command, view the Ethernet connection statistics.

2. Using the netstat command, view the statistics of network protocols.

3. Using the netstat command, view the statistics of the ICMP protocol (the output should contain data only for this protocol).

4. Use the netstat command to view a list of all TCP connections and UDP listening ports.

5. Launch your browser and establish a connection to any site. Repeat the previous task and comment on the result.

6. Using the netstat command, identify any 5 processes listening on UDP ports. Specify the name of the processes and numbers of listening ports.

7. Using the netstat command, determine the active TCP connections, their port numbers, and the names of the executable files of the applications that use these connections.

Submit a report on the completion of the work in printed or electronic form with copies of the utility operation screens.

Hello everyone, earlier I started a story about the system administrator's network utilities in the article "The pathping utility or how to diagnose a problem on the route to the site. Network utilities part 3". Let's move on and look at another utility, netstat, or how to determine which ports your computer is listening on. This program will be an indispensable tool in the toolkit of any system engineer; it will help him carry out quick diagnostics and detect a range of problems with services and their availability.

netstat commands

Netstat displays active TCP connections, ports listening on the computer, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols).

Let's imagine a situation: you installed, for example, the MSM LSI utility to view the parameters of a RAID controller. You launch the utility, but it finds nothing, because the port is closed and you don't know which one, and it's not always possible to quickly find this information on the Internet. In this case you can run netstat and see which port your server's MSM process is listening on.

Open the Windows command line and enter netstat ?. The utility's help will appear.

C:\Users\sem>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-x] [-t]
[interval]

  • -a Displays all connections and listening ports.
  • -b Display the executable file involved in creating each connection or listening port. Sometimes known executable files contain many independent components. The sequence of components involved in creating a connection or listening port is then displayed. In this case, the name of the executable file is at the bottom in brackets, at the top is the component it called, and so on until TCP/IP is reached. Please note that this approach can be time consuming and requires sufficient permissions.
  • -e Display Ethernet statistics. Can be used in conjunction with the -s option.
  • -f Display the fully qualified domain name (FQDN) for external addresses.
  • -n Display addresses and port numbers in numeric format.
  • -o Display the process ID of each connection.
  • -p protocol Display connections for the protocol specified by this parameter. Valid values: TCP, UDP, TCPv6 or UDPv6. When used in conjunction with the -s option to display protocol statistics, valid values are: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  • -r Display the contents of the route table.
  • -s Display protocol statistics. By default, statistics are displayed for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6 protocols. The -p option allows you to specify a subset of the output.
  • -t Display the offload status for the current connection.
  • -x Displays NetworkDirect connections, listeners, and shared endpoints.
  • -y Display the TCP connection template for all connections. Cannot be used in conjunction with other options.
  • interval Repeated display of selected statistics with a pause between displays specified by the interval in seconds. To stop displaying statistics repeatedly, press CTRL+C. If this parameter is omitted, netstat will print the current configuration information once.

Let's look at the interesting keys of the netstat utility. The first thing we enter

and statistics on Ethernet network packets will appear on our screen.

If we add the -s switch, we will get statistics on protocols.

It is very useful to see everything that your host is listening on; for this we write

The command output contains the protocol type, either TCP or UDP, the local address with the listening port, the external address with its port, and the connection state.

To fully understand the information provided by this command, you must understand the principles of connection establishment in the TCP/IP protocol. Here are the main steps in the process of establishing a TCP/IP connection:

1. When attempting to establish a connection, the client sends a SYN message to the server.

2. The server responds with its own SYN message and an acknowledgment (ACK).

3. The client then sends an ACK message back to the server, completing the connection setup process.

The disconnection process consists of the following steps:

1. The client says "I'm done" by sending a FIN message to the server. At this stage, the client only receives data from the server, but does not send anything itself.

2. The server then sends an ACK message and sends its own FIN message to the client.

3. The client then sends an ACK message to the server, acknowledging the server's FIN.

4. When the server receives an ACK message from the client, it closes the connection.

Understanding the steps in the connection setup and termination process allows you to more transparently interpret connection states in netstat command output. Connections in the list can be in the following states:

  • CLOSE_WAIT- indicates the passive phase of closing the connection, which begins after the server receives a FIN message from the client.
  • CLOSED- the connection was interrupted and closed by the server.
  • ESTABLISHED- the client has established a connection to the server by receiving a SYN message from the server.
  • FIN_WAIT_1- the client initiated closing the connection (sent a FIN message).
  • FIN_WAIT_2- the client received ACK and FIN messages from the server.
  • LAST_ACK- the server sent a FIN message to the client.
  • LISTEN- the server is ready to accept incoming connections.
  • SYN_RECEIVED- the server received a SYN message from the client and sent it a response.
  • TIMED_WAIT- the client sent a FIN message to the server and is waiting for a response to this message.
  • SYN_SENT- the specified connection is active and open.
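The 11-state model from the laboratory section and the handshake and close steps just described, as one added example (not from the original text): a small state machine that returns the state netstat would report on each side after each event, and reports ERROR for an event that is prohibited in the current state. Event names (connect, listen, rcv_syn, rcv_synack, rcv_ack, close, rcv_fin, timeout) are this example's own.

```shell
#!/bin/sh
# Added example: TCP connection states driven by events.
# tcp_next STATE EVENT prints the next state, or ERROR for a prohibited event.
tcp_next() {
    case "$1:$2" in
        CLOSED:listen)       echo LISTEN ;;        # passive open
        CLOSED:connect)      echo SYN_SENT ;;      # active open: client sends SYN
        LISTEN:rcv_syn)      echo SYN_RCVD ;;      # server answers SYN+ACK
        SYN_SENT:rcv_synack) echo ESTABLISHED ;;   # client sends the final ACK
        SYN_RCVD:rcv_ack)    echo ESTABLISHED ;;   # handshake complete on server
        ESTABLISHED:close)   echo FIN_WAIT_1 ;;    # active close: send FIN
        ESTABLISHED:rcv_fin) echo CLOSE_WAIT ;;    # passive close: peer's FIN arrived
        FIN_WAIT_1:rcv_ack)  echo FIN_WAIT_2 ;;    # peer acknowledged our FIN
        FIN_WAIT_1:rcv_fin)  echo CLOSING ;;       # both sides closed at once
        FIN_WAIT_2:rcv_fin)  echo TIME_WAIT ;;     # ACK the peer's FIN, then wait
        CLOSING:rcv_ack)     echo TIME_WAIT ;;
        CLOSE_WAIT:close)    echo LAST_ACK ;;      # application closes, send own FIN
        LAST_ACK:rcv_ack)    echo CLOSED ;;
        TIME_WAIT:timeout)   echo CLOSED ;;        # old packets have died off
        *)                   echo ERROR ;;         # prohibited event in this state
    esac
}

# tcp_run START EVENT...: apply the events in order and print the path of
# states as one space-separated line; stops at the first prohibited event.
tcp_run() {
    state="$1"; shift
    path="$state"
    for ev in "$@"; do
        state=$(tcp_next "$state" "$ev")
        path="$path $state"
        if [ "$state" = ERROR ]; then break; fi
    done
    echo "$path"
}

# Stand-alone run: client side, then server side, for the three-way handshake
# followed by a client-initiated close (the steps listed in the text).
tcp_run CLOSED connect rcv_synack close rcv_ack rcv_fin timeout
tcp_run CLOSED listen rcv_syn rcv_ack rcv_fin close rcv_ack
```

The printed paths are the sequence of states netstat would show on each side over the life of the connection; CLOSE_WAIT on the server persists until the application itself calls close, which is why a pile-up of CLOSE_WAIT entries usually points at the program rather than the network.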

If you add the -f switch, the names of remote external resources will be resolved