To start, I didn't see any tutorials dealing with the use of netstat, which surprised me, considering how useful it was, so I decided to write one. Here it is:
In it's purest form a netstat is 100% useful, just drop to a command prompt (this tutorial is only covering Windows based netstats, so flags and such from the *nix versions will not be covered) and type 'netstat'. When running a simple netstat the coloums should be: Proto, Local Address, Foreign Address, and State.
The protocol coloum should hold the protocol that is used by the open socket (valid choices are IP, TCP, UDP, or ICMP), two sockets can use the same port assignment as long as long as they use a different protocol.
The Local Address coloum should contain the address of the local machine, either the machine name, loopback IP (127.0.0.1) or 0.0.0.0, which states that the socket will accept information from any interface on the machine. Also shown under this field is the outgoing port. This is the number (or name) that is after the colon. This number will normally (unless you are using some strange software) be 1025 or up. so basically an entry in this coloum should look like "0.0.0.0:1031".
The Foreign Address field is the address and port number the socket is "addressing" the information to. it will either be by hostname (if availible) or by IP address, and much like the Local address field it will have a colon then the destination port number. So an entry in this field will appear as "126.96.36.199:80". This basically means that there is a connection to 188.8.131.52 on port 80, if you look in the Proto section this will probably be a TCP connection (normally web browser traffic).
The State field is used to tell what the socket is currently doing, valid choices are CLOSED, FIN_WAIT_1, FIN_WAIT_2, SYN_RECEIVED, CLOSE_WAIT, SYN_SEND, ESTABLISHED, LISTEN, TIMED_WAIT, and LAST_ACK. ESTABLISHED basically means what it says, that the socket is sending and receiving and has an active connection going. SYN_SENT means that the socket is attempting to establish a connection, waiting on an ACK from the remote host. SYN_RECEIVED means that the connection has been initalized, AKA, one step past the SYN_SENT state. The FIN_WAIT_1 state means the socket is closed, and it has started shutting down the connection. FIN_WAIT_2 is the same as _1 only it is waiting for the socket to close and for a remote unit to send a shutdown packet. The CLOSED state means the socket is not in use. The CLOSE_WAIT state means that the remote end has already shutdown and is waiting to close. LAST_ACK means the socket is waiting for acknowledgement, the remote end has already shutdown and the socket is closed. LISTEN means the socket is listening for an incoming connection. UNKNOWN will sometimes populate the field, this is a very strange thing to have happen and basically means that the OS does not know what the socket is doing, and is basically lost.
Now, let's go a little farther, let's try some of the parameters used with netstat, for starters the -p switch, so type 'netstat -p <protocol name from above>'. Lets say you wanted to see all the TCP sockets you have open? Well...type 'netstat -p TCP' and it will list them. Valid choices are any that are listed above including ICMP, UDP, and IP. Just as a note, on some unix machines it is possible to add protocols by editing /etc/protocols naming the packet type, and then making a program to construct a packet of this type (this is slightly beyond the scope of this tutorial though, just a widdle!)...Now that we understand somewhat how to limit the output of netstat lets look at how to get useful stuff out of it.
Ever wondered how to tell if your NIC is sending/receiving traffic? Well.we have two choices avalible to us, we could use the -e switch to check for ethernet frames sent and received, or the -s switch to get the sent/received for the difference protocols. These switches can be combined making the switch -es or -se which will display the information that both the switches would give. There is also other very useful information that these switches provide but that is slightly beyond what this tutorial was intended to show.
The -r switch can be used to display the interface list and the routing table. This information is useful when troubleshooting a network or dialup connection that is not pingable and can not ping out. This shows how information is being routed out of the computer and how it is being looped around to the local host.
I hope this was slightly useful to someone, I got an email from someone asking for more information about mainly the states the sockets are in. If anyone has any questions or finds any misinformation in this, email me or PM me and I will fix it.