Netstat network utilities. NETSTAT command - displays network connection statistics. Continuous printing of netstat information

Some administrators use netstat regularly, others only for diagnostics. I belong to the latter category: I prefer to use this utility to identify the causes of system problems.

The netstat command has a dozen or so switches that provide detailed information for a variety of tasks. Useful information can also be obtained without any switches at all: run on its own, netstat lists the active TCP connections.

The most common use of netstat is with the -a switch, which lists all connections and listening ports. A few other switches that come in handy are described below.

Fully qualified domain name. The -f switch shows the FQDN of the foreign (remote) address. With this switch, netstat resolves names for both internal and external addresses, which makes the listing slower but easier to read. Figure A shows the output of the command.

Figure A

Which process is using which port. The combination of the -a -n -o switches shows which process identifier (PID) owns each connection or listening port; -n keeps addresses numeric so no DNS lookups are made. The output of the command is shown in Figure B.


Figure B

If you add the -b switch to this combination, netstat also prints the friendly name of the executable behind each process, as shown in Figure C. This requires administrator rights.


Figure C

Note: remote addresses pointing to 192.168.1.220:3261 belong to the Windows iSCSI Initiator service and are labeled differently than other service addresses.
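The -a -n -o combination above produces a plain text table. The following Python script is an added example (it is not part of the original article) that parses such a table offline and answers the question in the heading: which PID owns which listening port. The netstat snippet and the PID-to-name table are constructed for the example; the table stands in for what tasklist (or netstat -b, which needs administrator rights) would report for those PIDs.

```python
"""Which process is using which port: parse `netstat -a -n -o` output.

Added example, not from the original article. It parses the text table that
netstat prints on Windows and maps every listening port to the PID that owns
it. The netstat snippet and the PID-to-name table are constructed for this
example; the table stands in for what `tasklist` (or `netstat -b`, which
needs administrator rights) would report for those PIDs.
"""
import re
from dataclasses import dataclass

# Constructed sample of `netstat -a -n -o` output (not captured from a real host).
SAMPLE_NETSTAT_ANO = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:3389      192.168.1.77:51022     ESTABLISHED     1204
  TCP    192.168.1.10:49712     10.0.0.5:443           ESTABLISHED     2780
  TCP    [::]:135               [::]:0                 LISTENING       892
  UDP    0.0.0.0:3389           *:*                                    1204
  UDP    [::1]:1900             *:*                                    3320
"""

# Constructed PID -> image name table, in the shape `tasklist` reports it.
SAMPLE_TASKLIST = {892: "svchost.exe", 1204: "svchost.exe", 2780: "chrome.exe", 3320: "svchost.exe"}


@dataclass(frozen=True)
class Entry:
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str   # empty for UDP, which has no connection state
    pid: int


# '10.0.0.1:443' or '[::1]:1900'; the port is '*' for unbound sockets
_ENDPOINT_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+|\*)$")


def split_endpoint(endpoint):
    """Return (address, port), port None for '*'; IPv6 brackets are stripped."""
    if endpoint == "*:*":
        return "*", None
    m = _ENDPOINT_RE.match(endpoint)
    if not m:
        raise ValueError(f"unrecognised endpoint {endpoint!r}")
    port = None if m.group("port") == "*" else int(m.group("port"))
    return m.group("v6") or m.group("v4"), port


def parse_netstat_ano(text):
    """Return one Entry per TCP/UDP row; banner and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:
            proto, local, foreign, pid = fields   # UDP rows have no State column
            state = ""
        addr, port = split_endpoint(local)
        entries.append(Entry(proto, addr, port, foreign, state, int(pid)))
    return entries


def listening_ports(entries):
    """{(proto, port): pid} for sockets waiting for input: TCP in LISTENING, or any bound UDP socket."""
    return {(e.proto, e.local_port): e.pid
            for e in entries
            if (e.proto == "TCP" and e.state == "LISTENING") or e.proto == "UDP"}


def owner_of_port(entries, proto, port, pid_names):
    """(pid, image name) of the process listening on proto/port, or None if nothing listens there."""
    pid = listening_ports(entries).get((proto.upper(), port))
    if pid is None:
        return None
    return pid, pid_names.get(pid, "<unknown>")


if __name__ == "__main__":
    ents = parse_netstat_ano(SAMPLE_NETSTAT_ANO)
    for (proto, port), pid in sorted(listening_ports(ents).items()):
        print(f"{proto:<4} {port:>6}  PID {pid:<6} {SAMPLE_TASKLIST.get(pid, '?')}")
```

Only TCP rows in the LISTENING state count as listeners; an ESTABLISHED row on the same port (3389 above) belongs to an accepted session, not to the listener. UDP has no state column at all, so every bound UDP socket is treated as listening. On a real host, replace the sample string with the captured output of netstat -a -n -o and the dictionary with the PID column of tasklist.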

Printing the routing table. When you want to understand why a network connection behaves differently on one computer than on others in the same network, use the -r switch, which prints the routing table of that system, as shown in Figure D. Note the "Persistent Routes" section: it lists all the static routes configured on the Windows Server.


Figure D

These four variations of the netstat command make it much easier

Displays active TCP connections, the ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Run without parameters, netstat displays the active TCP connections.

Syntax

netstat [-a] [-e] [-n] [-o] [-p protocol] [-r] [-s] [interval]

Options

-a Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

-e Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

-n Displays active TCP connections, but addresses and port numbers are shown in numeric form and no attempt is made to resolve names.

-o Displays active TCP connections and includes the process ID (PID) of each connection. The PID lets you find the owning application on the Processes tab of Windows Task Manager. This parameter can be combined with -a, -n and -p.

-p protocol Shows connections for the protocol specified by protocol, which can be tcp, udp, tcpv6 or udpv6. If this parameter is used together with -s to display per-protocol statistics, protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6.

-s Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are also shown for TCP over IPv6, UDP over IPv6, ICMPv6 and IPv6. The -p parameter can be used to specify a subset of protocols.

-r Displays the contents of the IP routing table. This is equivalent to the route print command.

interval Redisplays the selected information every interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

/? Displays help at the command prompt.

Notes

  • Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/).
  • For each connection netstat displays the protocol (Proto), the local address and port, the foreign address and port, and the connection state.
  • This command is available only if Internet Protocol (TCP/IP) is installed as a component in the properties of a network adapter in Network Connections.

Examples

To display Ethernet statistics and statistics for all protocols, enter the following command:

netstat -e -s

To display statistics for the TCP and UDP protocols only, enter the following command:

netstat -s -p tcp udp

To display active TCP connections and their process IDs every 5 seconds, enter the following command:

netstat -o 5

To display active TCP connections and their process IDs in numeric form, enter the following command:

netstat -n -o


Laboratory work No. 03-005

Netstat network utility. Operating principles and use.

The utility displays active and listening TCP ports, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Run without parameters, netstat displays the active TCP connections.

Syntax:

netstat [-a] [-b] [-e] [-n] [-o] [-p protocol] [-r] [-s] [-v] [interval]

Options:

-a displays all active TCP connections and the TCP and UDP ports on which the computer is listening;

-b displays the executable involved in creating each connection or listening port. If independent software components were used to create the socket, they are displayed as well (requires administrator rights);

-e displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s;

-n displays active TCP connections with addresses and port numbers in numeric form, without attempting to resolve names;

-o lists active TCP connections and includes the process ID (PID) of each connection. The PID lets you find the owning application on the Processes tab of Windows Task Manager. This parameter can be combined with -a, -n and -p;

-p protocol shows connections for the protocol given by protocol, which can be tcp, udp, tcpv6 or udpv6. When used together with -s to display per-protocol statistics, protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6;

-r displays the contents of the IP routing table. This is equivalent to the route print command;

-s displays per-protocol statistics. By default, statistics are shown for the TCP, UDP, ICMP and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are also shown for TCP over IPv6, UDP over IPv6, ICMPv6 and IPv6. The -p parameter can be used to specify a subset of protocols;

-v used together with -b, displays the sequence of software components involved in creating a socket;

interval redisplays the selected data every interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat displays the selected data only once;

/? displays help at the command prompt.

At the network level in the TCP/IP protocol stack, addressing is carried out using IP addresses. But after the packet is delivered via the IP protocol to the recipient computer with the given IP address, the data must be sent to a specific recipient application process. Each computer can run multiple processes, and an application process can have multiple entry points that simultaneously act as data recipients.

The communication needs of application processes are served by the transport layer of the protocol stack, which is implemented in software either in the operating system kernel, as a separate user process, or as a library module loaded by a network application. Packets arriving at the transport layer are organised by the operating system into a set of queues leading to the entry points of the various application processes. In TCP/IP terminology such system queues are called ports. A port is a software concept used by a client or server to send or receive messages; it is identified by a 16-bit number. The destination address used by the transport layer is therefore the port number of the application service. The port number, together with the network number and the host number (i.e. the IP address), uniquely identifies an application process on the network. This set of identifying parameters is called a socket.

Port numbers are assigned to application processes either centrally, when the process is a well-known public service (for example, number 21 is assigned to the FTP file access service and 23 to the telnet remote control service), or locally, for services that are not widespread enough to have been assigned standard (reserved) numbers. Central assignment of port numbers to services is performed by the Internet Assigned Numbers Authority (IANA). These numbers are then fixed and published in Internet standards.

Local assignment of a port number means that the application developer simply associates any free numeric identifier with the application, making sure that it is not one of the reserved port numbers. All remote requests to this application from other applications must then be addressed to the port number assigned to it.

Before attempting to establish a connection with a remote server, the client initiating the connection requests a free port number from its operating system. Ports 0 to 1023 are usually called privileged (well-known) ports; almost all of them are reserved and they are not handed out to client processes. This does not mean that there are no assigned port numbers above 1023, but they are used much less frequently and, when free on a given host, may well be handed out to a client program.

UDP (User Datagram Protocol) is a simple datagram-oriented transport layer protocol: a process issues one UDP datagram at a time, and each results in one IP datagram being transmitted. The protocol does not establish a connection and does not confirm to the sender that the message has been delivered.

TCP (Transmission Control Protocol) provides a connection-oriented, reliable byte stream service. It is used when guaranteed delivery of data is required. It uses segment checksums to verify integrity, acknowledges received data, and relieves application processes of the need to implement their own timeouts and retransmissions to achieve reliability.

The term connection-oriented means that two applications using TCP (typically a client and a server) must establish a TCP connection with each other before they can exchange data.

There are always two endpoints that communicate with each other using a TCP connection. TCP does not do broadcasts or multicasts.

The steps required to establish and terminate a TCP connection can be represented as a state machine with 11 possible states:

State         Description

CLOSED        Closed. No connection is active or being established
LISTEN        Listening. The server is waiting for an incoming connection request
SYN_RCVD      A connection request (SYN) has arrived; waiting for the client's ACK
SYN_SENT      A connection request (SYN) has been sent; the application has started opening a connection
ESTABLISHED   Established. The normal data transfer state
FIN_WAIT_1    The application has said it has nothing more to send; a FIN has been sent
FIN_WAIT_2    The other side has acknowledged our FIN; waiting for its FIN
TIME_WAIT     Waiting (2 MSL) for delayed segments of this connection to expire before the socket pair can be reused
CLOSING       Both sides attempted to close the connection at the same time
CLOSE_WAIT    The other side has initiated the release; the local application has not yet closed
LAST_ACK      The other side closed first; our own FIN has been sent and we are waiting for its acknowledgement

In each state, certain events are allowed and others are prohibited. An allowed event triggers a specific action; a prohibited event is reported as an error.

Every connection starts in the CLOSED state. It leaves this state through either an active open (CONNECT) or a passive open (LISTEN). If the other side performs the complementary action, the connection is established and enters the ESTABLISHED state. Either side can initiate the release of the connection. Once the release completes, the connection returns to CLOSED.

Self-test questions

    Port as a transport layer addressing element. Socket.

    Locally and centrally assigned ports.

    Basic transport layer protocols of the TCP/IP stack.

    Their brief description.

    Mapping network connections to processes running on a computer.

Netstat utility parameters.

Necessary equipment

An IBM PC-compatible computer with a licensed Windows operating system, a local network connection and Internet access.

Tasks

Before starting the tasks, restart your computer and do not launch any applications.

1. Using the netstat command, view the Ethernet connection statistics.

2. Using the netstat command, view the statistics of network protocols.

3. Using the netstat command, view the statistics of the ICMP protocol (the output should contain data only for this protocol).

4. Use the netstat command to view a list of all TCP connections and UDP listening ports.

5. Launch your browser and establish a connection to any site. Repeat the previous task and comment on the result.

6. Using the netstat command, identify any 5 processes listening on UDP ports. Specify the name of the processes and numbers of listening ports.

Submit a report on the completion of the work in printed or electronic form with copies of the utility operation screens.

The NETSTAT command is designed to obtain information about the state of network connections and the TCP and UDP ports on which this computer is listening, and to display statistics on network interfaces and protocols.

Command line format:

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [interval]

Command line options:

-a - Displays all connections and listening ports.
-b - Displays the executable involved in creating each connection or listening port. Sometimes well-known executables host several independent components; in that case the sequence of components involved in creating the connection or listening port is displayed, with the executable name at the bottom in brackets, the component it called above it, and so on until TCP/IP is reached. Note that this option can be time-consuming and requires sufficient permissions (administrator rights).
-e - Display Ethernet statistics. Can be combined with the -s option.
-f - Display the fully qualified domain name (FQDN) for foreign addresses.
-n - Display addresses and port numbers in numeric form.
-o - Display the process ID (PID) owning each connection.
-p protocol - Display connections for the protocol given by protocol; valid values are TCP, UDP, TCPv6 or UDPv6. When used with -s to display per-protocol statistics, valid values are IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6.
-r - Display the contents of the routing table.
-s - Display per-protocol statistics. By default, statistics are shown for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP and UDPv6 protocols. The -p option selects a subset of them.
-t - Display the offload state of current connections (TCP processing handed from the CPU to the network adapter).
-v - Verbose output, where available.
interval - Redisplay the selected statistics every interval seconds. Press CTRL+C to stop. If the parameter is omitted, the current information is displayed once.

In practice, netstat.exe is convenient to use in a pipeline with the page-by-page output command (more), with redirection of standard output to a file (>), and with text search in the output (find).

netstat -a | more - display all connections one screen at a time.

netstat -a -n | more - the same as the previous example, but with port numbers and IP addresses in numeric form. Because no name resolution is attempted, netstat with the -n switch runs much faster.

netstat -a -f | more - the same as the previous example, but with the fully qualified DNS names of the hosts taking part in each connection.

netstat -a > C:\netstatall.txt - list all connections and write the result to the file C:\netstatall.txt.

netstat -a | find /I "LISTENING" - display only the lines in the LISTENING state, i.e. the list of addresses and ports on which services are waiting for incoming connections ("listening" ports). The /I switch of the find command makes the text search case-insensitive.

netstat -a | find /I "listening" > C:\listening.txt - the same, with the result written to the file C:\listening.txt.

Example of information displayed:

Active connections

Proto - the protocol name (TCP or UDP).

Local Address - the local IP address and port taking part in the connection, or the address a service is bound to while waiting for incoming connections (listening on the port). If 0.0.0.0 is shown, it means "any address", i.e. the service accepts connections on all IP addresses configured on this computer. The address 127.0.0.1 is the loopback interface, used for IP communication between processes on the same host without the data ever leaving the machine.

Foreign Address - the remote IP address and port taking part in the connection.

State - the connection state. LISTENING means that the line describes a network service waiting for incoming connections over the given protocol to the address and port shown in the Local Address column. ESTABLISHED means an active connection. For TCP connections the State column shows the current stage of the TCP session, determined by the flags processed in the TCP header (SYN, ACK, FIN ...). Possible states include:

CLOSE_WAIT - the remote side has closed its half of the connection; waiting for the local application to close.
CLOSED - the connection is closed.
ESTABLISHED - the connection is established.
LISTENING - waiting for incoming connections (listening port).
TIME_WAIT - the connection has been closed locally; the socket is kept for a while so that delayed segments expire before the address pair can be reused.

The name of the program module associated with a connection is displayed if the -b parameter is given on the netstat.exe command line.

netstat -a -b - get a list of all network connections and the programs associated with them.

TCP 192.168.0.3:3389 89.22.52.11:5779 ESTABLISHED
 CryptSvc
 [svchost.exe]

This example shows a connection in whose creation the CryptSvc component and the svchost.exe executable took part: the executable is printed at the bottom in brackets and the component it called above it.

netstat -ab- command line parameters can be combined. Parameter -ab equivalent -a -b

netstat -e - get statistics for data exchange over Ethernet. Displays the totals of bytes and packets sent and received across all Ethernet network adapters.

Interface Statistics

netstat -e -v- in addition to summary statistics, information about data exchange through individual network interfaces is displayed.

netstat -e -s- in addition to Ethernet statistics, statistics for IP, ICMP, TCP, UDP protocols are displayed

Interface Statistics

IPv4 Statistics

  Packets Received                   = 10877781
  Received Header Errors             = 0
  Received Address Errors            = 27307
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 448
  Received Packets Delivered         = 11384479
  Output Requests                    = 11919871
  Routing Discards                   = 0
  Discarded Output Packets           = 1517
  Output Packet No Route             = 6
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 5918
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 11836

IPv6 Statistics

  Packets Received                   = 0
  Received Header Errors             = 0
  Received Address Errors            = 0
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 391
  Output Requests                    = 921
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 14
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMPv4 Statistics

ICMPv6 Statistics

TCP Statistics for IPv4

TCP Statistics for IPv6

UDP Statistics for IPv4

UDP Statistics for IPv6

netstat -s -p icmp- get statistics only via ICMP protocol

Example of displayed statistics:

ICMPv4 statistics

To poll the state of network connections cyclically, run the program with the interval, in seconds, at which the data should be redisplayed.

netstat -e 3 - display Ethernet statistics every 3 seconds.

netstat -f 10 - display the connection list every 10 seconds, using fully qualified DNS host names.

netstat -n 5 | find /i "Established" - display the established connections every 5 seconds.
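The counters printed by netstat -s are cumulative since boot, so a single run says little; what the interval parameter gives you is two snapshots a known number of seconds apart. The following Python script is an added example (not part of the original page) that parses two such snapshots of netstat -s output and turns the differences into per-second rates, flagging counters that point at scanning or a misbehaving client. Both snapshots are constructed in the Windows output format, not real captures, and the thresholds are assumptions.

```python
"""Diff two `netstat -s` snapshots to see what happened during the interval.

Added example, not from the original page. netstat -s prints cumulative
counters, so two samples taken `interval` seconds apart (for example with
`netstat -s -p tcp udp 10`) must be subtracted to obtain rates. The snapshots
below are constructed in the Windows output format, not real captures, and
the thresholds in WATCH are assumptions for a quiet server.
"""
import re

SNAPSHOT_T0 = """
TCP Statistics for IPv4

  Active Opens                        = 1200
  Passive Opens                       = 300
  Failed Connection Attempts          = 10
  Reset Connections                   = 40
  Current Connections                 = 12
  Segments Received                   = 500000
  Segments Sent                       = 420000
  Segments Retransmitted              = 120

UDP Statistics for IPv4

  Datagrams Received    = 80000
  No Ports              = 15
  Receive Errors        = 0
  Datagrams Sent        = 60000
"""

# Same host, 10 seconds later (constructed): a burst of failed TCP connects and
# of UDP datagrams to ports nobody listens on, as a port scan would produce.
SNAPSHOT_T1 = """
TCP Statistics for IPv4

  Active Opens                        = 1215
  Passive Opens                       = 340
  Failed Connection Attempts          = 2510
  Reset Connections                   = 45
  Current Connections                 = 9
  Segments Received                   = 503900
  Segments Sent                       = 423100
  Segments Retransmitted              = 125

UDP Statistics for IPv4

  Datagrams Received    = 80900
  No Ports              = 1215
  Receive Errors        = 0
  Datagrams Sent        = 60300
"""

# Counter lines are indented and look like "  Name   = 123"; section headers are not indented.
_COUNTER_RE = re.compile(r"^\s+(.+?)\s*=\s*(\d+)\s*$")


def parse_stats(text):
    """Return {section: {counter: value}} from netstat -s output."""
    stats, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
        elif not line[0].isspace():
            section = line.strip()          # e.g. "TCP Statistics for IPv4"
            stats.setdefault(section, {})
    return stats


def rates(before, after, interval):
    """Per-second change of every counter present in both snapshots.

    A negative delta means the counter wrapped or the stack was reset (or, for
    a gauge such as Current Connections, that the value simply fell); it is
    clipped to 0 rather than reported as a negative rate.
    """
    out = {}
    for section, counters in after.items():
        prev = before.get(section, {})
        for name, value in counters.items():
            if name in prev:
                out[(section, name)] = max(value - prev[name], 0) / interval
    return out


# (section, counter) -> events per second above which something is wrong (assumed thresholds).
WATCH = {
    ("TCP Statistics for IPv4", "Failed Connection Attempts"): 50.0,
    ("TCP Statistics for IPv4", "Reset Connections"): 50.0,
    ("UDP Statistics for IPv4", "No Ports"): 50.0,
}


def anomalies(before_text, after_text, interval, watch=WATCH):
    """Watched counters whose rate over the interval exceeds the threshold, as (counter, rate) pairs."""
    r = rates(parse_stats(before_text), parse_stats(after_text), interval)
    return [(name, r[(section, name)])
            for (section, name), limit in watch.items()
            if r.get((section, name), 0.0) > limit]


if __name__ == "__main__":
    for name, rate in anomalies(SNAPSHOT_T0, SNAPSHOT_T1, interval=10):
        print(f"{name}: {rate:.0f}/s")
```

The two counters that fire here, Failed Connection Attempts and UDP No Ports, are the ones a scan of a Windows host drives up, because each probe of a closed port ends in a failed connect or an unclaimed datagram; a raised Reset Connections rate with steady opens is more often a client that keeps aborting sessions. Treat the thresholds as a starting point and baseline them on the real host.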

Hello everyone! Earlier I started a series about the system administrator's network utilities with the article "The pathping utility, or how to diagnose a problem on the route to a site. Network utilities, part 3". Let's move on and look at another utility, netstat, and how to determine which ports your computer is listening on. This program is an indispensable tool for any systems engineer: it helps to quickly diagnose the situation and uncover a whole range of problems with services and their availability.

netstat commands

netstat - Displays active TCP connections, the ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols).

Imagine a situation: you have installed, for example, the MSM LSI utility to view the parameters of a RAID controller; you launch it and it finds nothing, because the port it needs is closed, you do not know which port that is, and it is not always possible to find this information on the Internet quickly. In this case you can run netstat and see which port the MSM process on your server is listening on.

Open the Windows command prompt and enter netstat ?. The utility's help appears:

C:\Users\sem>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-x] [-t]
[interval]

  • -a Displays all connections and listening ports.
  • -b Displays the executable involved in creating each connection or listening port. Sometimes well-known executables host many independent components; the sequence of components involved in creating the connection or listening port is then displayed, with the executable name at the bottom in brackets, the component it called above it, and so on until TCP/IP is reached. Note that this option can be time-consuming and requires sufficient permissions.
  • -e Displays Ethernet statistics. Can be combined with the -s option.
  • -f Displays the fully qualified domain name (FQDN) for foreign addresses.
  • -n Displays addresses and port numbers in numeric form.
  • -o Displays the owning process ID of each connection.
  • -p protocol Displays connections for the protocol specified; valid values are TCP, UDP, TCPv6 or UDPv6. When used with the -s option to display per-protocol statistics, valid values are IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6.
  • -r Displays the contents of the routing table.
  • -s Displays per-protocol statistics. By default, statistics are shown for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP and UDPv6 protocols; the -p option selects a subset.
  • -t Displays the offload state of current connections.
  • -x Displays NetworkDirect connections, listeners and shared endpoints.
  • -y Displays the TCP connection template for all connections. Cannot be combined with other options.
  • interval Redisplays the selected statistics, pausing interval seconds between displays. Press CTRL+C to stop. If this parameter is omitted, netstat prints the current information once.

Let's look at the most useful switches of the netstat utility. The first thing we enter is

netstat -e

and statistics on Ethernet packets appear on the screen.

If we add the -s switch, we also get per-protocol statistics.

It is very useful to see everything your host is listening on; for this we enter

netstat -a

The command output contains the protocol (TCP or UDP), the local address with the listening port, the foreign address with its port, and the connection state.

To fully understand the information provided by this command, it is necessary to understand the principles of connection establishment in the TCP/IP protocol. Here are the main steps in the process of establishing a TCP/IP connection:

1. When attempting to establish a connection, the client sends a SYN message to the server.

2. The server responds with its own SYN message and an acknowledgment (ACK).

3. The client then sends an ACK message back to the server, completing the connection setup process.

The disconnection process consists of the following steps:

1. The client says "I'm done" by sending a FIN message to the server. At this stage, the client only receives data from the server, but does not send anything itself.

2. The server then sends an ACK message and sends its own FIN message to the client.

3. The client then sends an ACK message to the server, acknowledging the server's FIN.

4. When the server receives an ACK message from the client, it closes the connection.

Understanding the steps of connection setup and teardown makes the connection states in netstat output easier to interpret. Connections in the list can be in the following states:

  • CLOSE_WAIT - the passive side of the close: this end has received a FIN from the peer and acknowledged it, but the local application has not yet closed the socket.
  • CLOSED - the connection is not active and is not being established.
  • ESTABLISHED - the three-way handshake is complete and both sides can exchange data.
  • FIN_WAIT_1 - this end initiated the close (sent a FIN) and is waiting for the peer to acknowledge it.
  • FIN_WAIT_2 - the peer has acknowledged our FIN; waiting for the peer's own FIN.
  • LAST_ACK - this end, having received the peer's FIN, has sent its own FIN and is waiting for the final ACK.
  • LISTEN (shown by netstat as LISTENING) - the server is ready to accept incoming connections.
  • SYN_RECEIVED - the server received a SYN from the client and replied with SYN+ACK; waiting for the client's ACK.
  • TIME_WAIT - this end sent the final ACK of the close and waits twice the maximum segment lifetime so that delayed segments die off before the address pair is reused.
  • SYN_SENT - this end has sent a SYN (active open) and is waiting for the server's SYN+ACK.

If you add the -f switch, the names of remote external resources will be resolved