Netstat for Security Professionals

This article was originally posted in 2012, right after my Microsoft TechEd New Zealand session, and has since been updated with new screenshots.

This article is all about the netstat (Network Statistics) command and how it can help you check the details of your network connections. It's used to display very detailed information about how your computer is communicating with other computers or network devices.

The netstat command can display details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which can help troubleshoot certain kinds of networking issues. Netstat can also help you see whether there is any suspicious activity on your computer, such as a process sending information out to a Command and Control Center. Because this activity happens over the network, looking at network statistics is key for any Security Professional.

netstat: Displays the status of active TCP and UDP ports.

netstat -a: Displays all active connections and listening ports.

netstat -b: Displays the executable program's name involved in creating each connection or listening port.

netstat -e: Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s:

netstat -es

netstat -f: Displays fully qualified domain names (FQDN) for foreign addresses.

netstat -n: Displays active TCP connections; however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

netstat -o: Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p:

netstat -ano

netstat -r: Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.)

netstat -s: Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols.

netstat -v: When used in conjunction with -b, it will display the sequence of components involved in creating the connection or listening port for all executables:

netstat -vb

netstat -na

netstat -ano 5 (the 5 is the refresh interval: in this example the output refreshes every 5 seconds; if you change 5 to 3, it will refresh every 3 seconds)

netstat -sp

Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.

netstat -sp tcp

netstat -sp IP

This command will show you how many connections have been opened for a particular protocol.

netstat -rn

This command will list your network interfaces as well as the routing table.

netstat -e -t 5

This command will display your network interface statistics


netstat -n -p TCP

If you believe you are under a SYN flood attack, this command can help you gather evidence. Be aware that it will only show useful results if connections in the SYN_RECV state are displayed; if there are none, check your firewall or other network devices to verify your suspicions.
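The check described above can be automated by counting half-open connections per listening port in saved netstat -ano output. The following is an added example, not part of the original article: the sample output is constructed (documentation address ranges), the function names are hypothetical, and the threshold is an assumption you would tune for your own server.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output; addresses are documentation ranges.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:80          198.51.100.7:51514     SYN_RECEIVED    4
  TCP    192.0.2.10:80          198.51.100.8:40022     SYN_RECEIVED    4
  TCP    192.0.2.10:80          198.51.100.9:61001     SYN_RECEIVED    4
  TCP    192.0.2.10:49721       203.0.113.5:443        ESTABLISHED     4312
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1820
"""

# The article's SYN_RECV; Windows netstat prints the same state as SYN_RECEIVED.
HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}

def parse_netstat(text):
    """Return one dict per TCP/UDP row of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (4, 5) or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        state = parts[3] if len(parts) == 5 else ""  # UDP rows have no State
        rows.append({
            "proto": parts[0],
            "local_port": int(parts[1].rpartition(":")[2]),  # works for [::]:445
            "foreign": parts[2],
            "state": state,
            "pid": int(parts[-1]),
        })
    return rows

def half_open_by_port(rows):
    """Count half-open TCP connections per (local port, owning PID)."""
    return Counter((r["local_port"], r["pid"]) for r in rows
                   if r["state"] in HALF_OPEN)

def flood_suspects(rows, threshold):
    """(port, PID) pairs whose half-open count reaches a site-specific threshold."""
    return sorted(k for k, n in half_open_by_port(rows).items() if n >= threshold)

if __name__ == "__main__":
    for (port, pid), n in half_open_by_port(parse_netstat(SAMPLE)).items():
        print(f"port {port} (PID {pid}): {n} half-open connections")
```

To use it on a live system, save the output of netstat -ano to a file and pass the file's text to parse_netstat instead of SAMPLE.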
