This article was originally posted in 2012, right after my Microsoft TechEd New Zealand session; the screenshots have been updated since.
This article is all about the NETSTAT (Network Statistics) command and how it can help you check the details of your network connections. It is used to display very detailed information about how your computer is communicating with other computers or network devices.
Netstat can display details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which can help troubleshoot certain kinds of networking issues. It can also help you see whether there is any suspicious activity on your computer, such as a process sending information out to a Command and Control server. Because such activity happens over the network, looking at network statistics is key for any security professional.
netstat: Displays the status of active TCP and UDP ports.
netstat -a: Displays all active connections and listening ports.
netstat -b: Displays the executable program's name involved in creating each connection or listening port.
netstat -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
netstat -f: Displays fully qualified domain names (FQDN) for foreign addresses.
netstat -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
netstat -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
netstat -r: Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)
netstat -v: When used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for all executables.
netstat -ano 5 (the 5 is the refresh interval: in this example the output refreshes every 5 seconds; change 5 to 3 and it refreshes every 3 seconds).
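When you are hunting for the suspicious activity mentioned above, the raw `netstat -ano` listing quickly becomes hard to read on a busy host. The following is an added example, not code from the original article: a small Python script that parses `netstat -ano` output, groups listening ports by PID and pulls out established TCP connections to addresses outside the private, loopback and link-local ranges, so that each remaining PID can be reconciled against its executable with `netstat -b` or Task Manager. The netstat output embedded in the script is constructed; its PIDs, addresses and ports are made up for illustration, and the list of "internal" ranges is an assumption of this example.

```python
"""Parse the output of `netstat -ano` (Windows) and summarise it per process.

Added example, not code from the original article. The sample output below is
constructed; the PIDs, addresses and ports are made up for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of what `netstat -ano` prints on Windows.
SAMPLE_NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4312
  TCP    192.168.1.10:49720     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49733     198.51.100.23:8443     ESTABLISHED     7720
  TCP    [::]:135               [::]:0                 LISTENING       948
  UDP    0.0.0.0:5353           *:*                                    2104
  UDP    [::1]:1900             *:*                                    2104
"""

# Address ranges treated as "internal" for this example (an assumption):
# RFC 1918 private space, loopback, link-local and IPv6 unique-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); handles '[v6]:port' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat_ano(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # blank lines and the column header
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = None, int(parts[3])  # UDP rows carry no state column
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_addr": laddr, "local_port": lport,
                     "foreign_addr": faddr, "foreign_port": fport,
                     "state": state, "pid": pid})
    return rows


def is_internal(addr):
    """True for wildcard, unspecified, loopback and the INTERNAL_NETS ranges."""
    if addr in ("*", ""):
        return True
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified or ip.is_loopback:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def listening_ports_by_pid(rows):
    """Map PID -> sorted (proto, port) pairs it listens on (TCP LISTENING or any UDP)."""
    result = defaultdict(set)
    for r in rows:
        if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP":
            result[r["pid"]].add((r["proto"], r["local_port"]))
    return {pid: sorted(ports) for pid, ports in result.items()}


def external_connections(rows):
    """Established TCP connections whose foreign address is outside the internal ranges.

    These are the rows to reconcile against the owning executable (netstat -b
    or Task Manager) when looking for unexpected outbound traffic.
    """
    return [r for r in rows
            if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
            and not is_internal(r["foreign_addr"])]


if __name__ == "__main__":
    rows = parse_netstat_ano(SAMPLE_NETSTAT_ANO)
    for pid, ports in sorted(listening_ports_by_pid(rows).items()):
        print(f"PID {pid:>5} listens on {ports}")
    for r in external_connections(rows):
        print(f"PID {r['pid']:>5} -> {r['foreign_addr']}:{r['foreign_port']}")
```

To use it on a real host, redirect `netstat -ano > netstat.txt` and feed the file contents to `parse_netstat_ano` instead of the constructed sample. The script deliberately avoids `ipaddress.ip_address(...).is_private`, because Python also counts the documentation ranges (such as 203.0.113.0/24) as private and the sample would then show no external connections.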
netstat -s: Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
netstat -sp IP
This command limits the statistics to a particular protocol, in this case IP.
netstat -r
This command lists your network interfaces as well as the routing table.
netstat -e -t 5
This command displays your network interface statistics, refreshing every 5 seconds.
netstat -n -p TCP
If you believe you are under a SYN flood attack, this command can help you gather evidence. Be aware that it only gives you something to work with if connections in the SYN_RECEIVED state are listed; if none appear, check your firewall or other network devices to verify your suspicion.
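Counting the half-open connections by hand is error-prone when the listing is long. The following is an added example, not code from the original article: a Python script that parses `netstat -n -p TCP` output, counts the SYN_RECEIVED entries per local port together with the number of distinct source addresses, and reports the ports whose half-open backlog meets a threshold. The embedded netstat output is constructed, and the threshold of 5 is a tuning assumption of this example rather than a rule: a busy server legitimately holds a few SYN_RECEIVED entries at any moment, so compare against the host's normal baseline and, as the text says, confirm on the firewall or other network devices.

```python
"""Summarise half-open TCP connections from `netstat -n -p TCP` output (Windows).

Added example, not code from the original article. The sample output is
constructed; addresses and counts are made up to illustrate the pattern.
"""
from collections import Counter, defaultdict

# Constructed sample of `netstat -n -p TCP` on a host whose web server (port 80)
# holds a pile of half-open connections from many different sources.
SAMPLE_NETSTAT_TCP = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:80        203.0.113.17:51000     SYN_RECEIVED
  TCP    192.168.1.10:80        203.0.113.18:51001     SYN_RECEIVED
  TCP    192.168.1.10:80        203.0.113.19:51002     SYN_RECEIVED
  TCP    192.168.1.10:80        203.0.113.20:51003     SYN_RECEIVED
  TCP    192.168.1.10:80        203.0.113.21:51004     SYN_RECEIVED
  TCP    192.168.1.10:80        203.0.113.22:51005     SYN_RECEIVED
  TCP    192.168.1.10:80        198.51.100.7:40211     ESTABLISHED
  TCP    192.168.1.10:3389      192.168.1.50:52110     ESTABLISHED
  TCP    192.168.1.10:49712     192.168.1.20:445       TIME_WAIT
"""


def parse_tcp_lines(text):
    """Yield (local_port, foreign_addr, state) for each TCP row of `netstat -n -p TCP`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # blank lines and the column header
        _, local, foreign, state = parts
        local_port = int(local.rpartition(":")[2])
        foreign_addr = foreign.rpartition(":")[0].strip("[]")  # '[v6]:port' too
        yield local_port, foreign_addr, state


def syn_received_by_port(text):
    """Map local port -> (number of SYN_RECEIVED rows, set of distinct foreign addresses)."""
    counts = Counter()
    sources = defaultdict(set)
    for port, faddr, state in parse_tcp_lines(text):
        if state == "SYN_RECEIVED":
            counts[port] += 1
            sources[port].add(faddr)
    return {port: (counts[port], sources[port]) for port in counts}


def suspected_syn_flood_ports(text, threshold=5):
    """Return (port, half_open, distinct_sources) for ports at or above the threshold.

    Ordered by backlog size, largest first. The threshold is an assumption of
    this example; tune it against the host's normal number of half-open
    connections before treating a hit as evidence.
    """
    summary = syn_received_by_port(text)
    hits = [(port, n, len(src)) for port, (n, src) in summary.items() if n >= threshold]
    return sorted(hits, key=lambda hit: hit[1], reverse=True)


if __name__ == "__main__":
    for port, half_open, distinct in suspected_syn_flood_ports(SAMPLE_NETSTAT_TCP):
        print(f"port {port}: {half_open} half-open connections from {distinct} distinct sources")
```

Run against a live capture with `netstat -n -p TCP > tcp.txt` and pass the file contents in place of the sample; a port with many half-open connections from many distinct sources is the pattern worth escalating, while ESTABLISHED and TIME_WAIT rows are ignored by design.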