Netstat tutorial

  1. #1
    Senior Member
    Join Date
    Sep 2001
    Posts
    138

    Netstat tutorial

    To start, I didn't see any tutorials dealing with the use of netstat, which surprised me, considering how useful it was, so I decided to write one. Here it is:

    In its purest form a netstat is 100% useful, just drop to a command prompt (this tutorial is only covering Windows based netstats, so flags and such from the *nix versions will not be covered) and type 'netstat'. When running a simple netstat the columns should be: Proto, Local Address, Foreign Address, and State.

    The protocol column should hold the protocol that is used by the open socket (valid choices are IP, TCP, UDP, or ICMP), two sockets can use the same port assignment as long as they use a different protocol.

    The Local Address column should contain the address of the local machine, either the machine name, loopback IP (127.0.0.1) or 0.0.0.0, which states that the socket will accept information from any interface on the machine. Also shown under this field is the outgoing port. This is the number (or name) that is after the colon. This number will normally (unless you are using some strange software) be 1025 or up. So basically an entry in this column should look like "0.0.0.0:1031".

    The Foreign Address field is the address and port number the socket is "addressing" the information to. It will either be by hostname (if available) or by IP address, and much like the Local Address field it will have a colon then the destination port number. So an entry in this field will appear as "65.252.12.5:80". This basically means that there is a connection to 65.252.12.5 on port 80, if you look in the Proto section this will probably be a TCP connection (normally web browser traffic).

    The State field is used to tell what the socket is currently doing, valid choices are CLOSED, FIN_WAIT_1, FIN_WAIT_2, SYN_RECEIVED, CLOSE_WAIT, SYN_SENT, ESTABLISHED, LISTEN, TIMED_WAIT, and LAST_ACK. ESTABLISHED basically means what it says, that the socket is sending and receiving and has an active connection going. SYN_SENT means that the socket is attempting to establish a connection, waiting on an ACK from the remote host. SYN_RECEIVED means that the connection has been initialized, AKA, one step past the SYN_SENT state. The FIN_WAIT_1 state means the socket is closed, and it has started shutting down the connection. FIN_WAIT_2 is the same as _1 only it is waiting for the socket to close and for a remote unit to send a shutdown packet. The CLOSED state means the socket is not in use. The CLOSE_WAIT state means that the remote end has already shut down and is waiting to close. LAST_ACK means the socket is waiting for acknowledgement, the remote end has already shut down and the socket is closed. LISTEN means the socket is listening for an incoming connection. UNKNOWN will sometimes populate the field, this is a very strange thing to have happen and basically means that the OS does not know what the socket is doing, and is basically lost.

    Now, let's go a little farther, let's try some of the parameters used with netstat, for starters the -p switch, so type 'netstat -p <protocol name from above>'. Let's say you wanted to see all the TCP sockets you have open? Well...type 'netstat -p TCP' and it will list them. Valid choices are any that are listed above including ICMP, UDP, and IP. Just as a note, on some unix machines it is possible to add protocols by editing /etc/protocols naming the packet type, and then making a program to construct a packet of this type (this is slightly beyond the scope of this tutorial though, just a widdle!)...Now that we understand somewhat how to limit the output of netstat let's look at how to get useful stuff out of it.

    Ever wondered how to tell if your NIC is sending/receiving traffic? Well, we have two choices available to us, we could use the -e switch to check for ethernet frames sent and received, or the -s switch to get the sent/received for the different protocols. These switches can be combined making the switch -es or -se which will display the information that both the switches would give. There is also other very useful information that these switches provide but that is slightly beyond what this tutorial was intended to show.

    The -r switch can be used to display the interface list and the routing table. This information is useful when troubleshooting a network or dialup connection that is not pingable and can not ping out. This shows how information is being routed out of the computer and how it is being looped around to the local host.

    I hope this was slightly useful to someone, I got an email from someone asking for more information about mainly the states the sockets are in. If anyone has any questions or finds any misinformation in this, email me or PM me and I will fix it.

    -Cheeseball

  3. #3
    Junior Member
    Join Date
    May 2002
    Posts
    2

    Thumbs up cool

    that was cool and interesting, I'm just starting to learn about netstat and netbios. I'm really glad that you were able to explain netstat easily without overstating the technical part of it. If you can tell me more or if you can send me some stuff like the one you posted that'd be cool. thanks

  4. #4
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    Posts
    1,211
    Good post. Full of netstat goodness. Greenies for you.
    It's not software piracy. I'm just making multiple off site backups.

  5. #5
    Banned
    Join Date
    Mar 2002
    Posts
    520
    Awesome man.... Thanks.. I'd give ya greenies but the focmaster guy gave me negs for no reason and I only got one green. Sorry man....

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    138
    Just to note, this post is ungodly old... Anyway...I just noticed I forgot to add in a thing about having netstat repeat itself: if you do a netstat -an 2 it will repeat every 2 seconds....
    http://www25.brinkster.com/cheeseball

    -- Do not dwell in the past, do not dream of the future, concentrate the mind on the present moment--
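    The four columns Cheeseball walks through in the first post (Proto, Local Address, Foreign Address, State) and the repeating 'netstat -an 2' mentioned just above, as an added example that is not from anyone in this thread: it parses constructed Windows 'netstat -an' output, limits by protocol the way -p does, lists the ports bound to 0.0.0.0, and diffs two repeats to show which sockets appeared or went away. Note that Windows prints the LISTEN state as LISTENING.

```python
# Added example, not from the original post: parse the Proto / Local Address /
# Foreign Address / State columns of Windows 'netstat -an' output and diff two
# snapshots, as you would when 'netstat -an 2' repeats every two seconds.
from collections import Counter

# Constructed sample output (not captured from a real machine).
SNAPSHOT_1 = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      65.252.12.5:80         ESTABLISHED
  TCP    192.168.1.20:1046      65.252.12.5:80         TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""
SNAPSHOT_2 = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1031         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      65.252.12.5:80         ESTABLISHED
  TCP    192.168.1.20:1047      10.0.0.9:443           SYN_SENT
  UDP    0.0.0.0:137            *:*
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state) tuples; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skips the banner and the column header
        rows.append((parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
    return rows

def summarize(rows, proto=None):
    """Count sockets by state, optionally for one protocol only (like 'netstat -p TCP')."""
    return Counter(r[3] for r in rows if proto is None or r[0] == proto)

def wildcard_listeners(rows):
    """Ports in LISTENING state bound to 0.0.0.0, i.e. open on every interface."""
    return sorted(r[1].rpartition(":")[2] for r in rows
                  if r[3] == "LISTENING" and r[1].rpartition(":")[0] == "0.0.0.0")

def diff_snapshots(old_text, new_text):
    """Sockets that appeared and that disappeared between two runs of netstat."""
    old, new = set(parse_netstat(old_text)), set(parse_netstat(new_text))
    return sorted(new - old), sorted(old - new)
```

    Feed it the text of two successive repeats and the second tuple from diff_snapshots shows the half-open and closing sockets dropping out while the first shows new outbound attempts such as the SYN_SENT row.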

  7. #7
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    To start, I didn't see any tutorials dealing with the use of netstat, which surprised me, considering how useful it was, so I decided to write one.
    lol coz we didn't think that "netstat" had to be taught.. i mean the idea of making a tut for netstat was treated as a joke.. hehehe

  8. #8
    I agree with s0nIc... good tutorial, but most of that can be picked up just by typing "netstat ?".
    WE ARE the anti cancer...
    WE ARE the only answer...

  9. #9
    Member
    Join Date
    Aug 2001
    Posts
    42
    If 1 person learns something from any Tut,
    then that Tut has value.

    Seems that alias-lobo did.


    As 'Senior members' are fond of saying to newbies, read all the Tuts and read them again, it would seem strange that Cheeseball should get such a post as from Sonic, Fiend's post being ignored.

    As a wanderer of the Tuts, always looking for knowledge, I'd like to thank Cheeseball for the Tut.
    Who Cares Wins

  10. #10
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584
    lol the reason why i never thought of creating a tut for netstat is because u can type "netstat" or "netstat /?" on the command line and u get what u need. but nevertheless.. i do think this tut is nice..

    and about response to the newbies.. when someone asks us how to use netstat.. normally we reply to them by telling them to type "netstat" or "netstat /?" on the command line. we can't say "look at the tut" coz we know there isn't any tut for netstat (well not until now) coz we thought it doesn't need any.. netstat to us was just a simple basic common command. same as "dir" or "cd"

    but yeah.. this tut is nice.. and i do think it is useful. I'm just explaining why Cheezball didn't find any tut on netstat here in AO..
