Netstat is a TCP/IP network troubleshooting tool that is run from a Command Prompt in Microsoft Windows. To open a Command Prompt in Windows 2000 or XP, click the Start menu, select Run, type CMD and click OK.
Uses
- Display the addresses that a computer is connected to
- Find out what is connected to a computer
- Determine if TCP/IP is working correctly
- Examine network routing
Selected Commands
- netstat -a displays all connections and listening ports
- netstat -an displays all connections, listening ports; addresses shown as IPs
- netstat -e shows ethernet statistics, including errors
- netstat -es shows ethernet statistics broken down by protocol
- netstat -r displays routing table
If you are using Windows XP, one additional switch is available:
- netstat -o displays active TCP connections and includes the process ID (PID) for each connection. You can find the application that owns a PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
Using Netstat to Find Worms
Netstat can aid in discovering Trojan horse and worm programs. Trojans and worms usually use specific TCP/IP ports, so you may find one of these known ports in use when you run netstat -an. Ports commonly used by trojans and worms include 135, 139 and 445.
Pay attention to the second column of the output when you run 'netstat -an'. This column shows the 'Foreign Address', which usually means other computers (sometimes the computer you are running netstat on will send packets to itself at the local host address, 127.0.0.1). The second column lists the IP addresses and ports of the computers that are trying to connect to the computer you are running netstat on. The first column lists the IP of the machine you are on, although sometimes you'll see it listed as 0.0.0.0 or 127.0.0.1 in addition to its 10.92.xx.xx IP.
In the second column, look for IP addresses outside your building's 10.92.xx.xx address range connecting to your local host. The other thing to look for is computers on your building's 10.92.xx.xx subnet connecting to your computer. If the computer in the second column isn't a server (your domain controller, mail server, web server or ACS server), you should investigate further. Of course, it could simply be that the computer is accessing shared folders.
If you see a computer in the second column connecting to your computer on port 445, that's a big red flag, unless it's your domain controller.
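The checks above can be applied to saved netstat output rather than read by eye. The following Python script is an added example written for this page, not a tool from the original; it parses the 'netstat -ano' column layout (Proto, Local Address, Foreign Address, State, PID) from a constructed sample, maps listening ports to PIDs, and flags the three cases described: foreign addresses outside the 10.92.xx.xx range, local-subnet hosts that are not known servers, and connections to port 445 from anything other than the domain controller. The 10.92.0.0/16 range, the server addresses and the sample lines are assumptions for the example; substitute your own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.92.14.20:139        0.0.0.0:0              LISTENING       4
  TCP    10.92.14.20:445        10.92.1.5:1043         ESTABLISHED     4
  TCP    10.92.14.20:445        10.92.14.77:2031       ESTABLISHED     4
  TCP    10.92.14.20:139        10.92.14.50:1100       ESTABLISHED     4
  TCP    10.92.14.20:1052       10.92.1.10:80          ESTABLISHED     2412
  TCP    10.92.14.20:1061       203.0.113.9:6667       ESTABLISHED     3188
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumed site addressing and known servers (placeholders for this example).
LOCAL_NET = ipaddress.ip_network("10.92.0.0/16")
KNOWN_SERVERS = {"10.92.1.5": "domain controller", "10.92.1.10": "web server"}
DOMAIN_CONTROLLERS = {"10.92.1.5"}


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str          # empty for UDP, which has no State column
    pid: Optional[int]


def split_addr(addr: str) -> Tuple[str, int]:
    """Split 'ip:port' into (ip, port); '*:*' and '0.0.0.0:0' yield port 0."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else 0)


def parse_netstat(text: str) -> List[Conn]:
    """Parse the Windows netstat -an / -ano table, skipping headers and blanks."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = split_addr(parts[1])
        fip, fport = split_addr(parts[2])
        if parts[0] == "TCP":
            state = parts[3]
            pid = int(parts[4]) if len(parts) > 4 else None
        else:
            state = ""
            pid = int(parts[3]) if len(parts) > 3 else None
        conns.append(Conn(parts[0], lip, lport, fip, fport, state, pid))
    return conns


def listening_ports(conns: List[Conn]) -> Dict[int, Optional[int]]:
    """Map each TCP listening port to the PID that owns it (the -o column)."""
    return {c.local_port: c.pid for c in conns
            if c.proto == "TCP" and c.state == "LISTENING"}


def triage(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Apply the page's three checks to established TCP connections."""
    findings = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        if c.foreign_ip in ("127.0.0.1", "0.0.0.0", "*"):
            continue  # the machine talking to itself on the local host
        try:
            fip = ipaddress.ip_address(c.foreign_ip)
        except ValueError:
            continue
        if fip not in LOCAL_NET:
            findings.append((c, "foreign address outside 10.92.x.x"))
        elif c.local_port == 445 and c.foreign_ip not in DOMAIN_CONTROLLERS:
            findings.append((c, "inbound SMB (445) from a non-DC host"))
        elif c.foreign_ip not in KNOWN_SERVERS:
            findings.append((c, "local-subnet host that is not a known server"))
    return findings


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("Listening ports -> PID:", listening_ports(conns))
    for c, reason in triage(conns):
        print(f"{c.foreign_ip}:{c.foreign_port} -> local port {c.local_port} "
              f"(PID {c.pid}): {reason}")
```

Running it on the constructed sample flags the outside address on port 6667, the non-DC host connected to local port 445, and the unknown local-subnet host on port 139, while the domain controller's SMB session and the web server connection pass. On a real machine, redirect 'netstat -ano' to a file and feed that file's contents to parse_netstat; the PIDs in the findings are the ones to look up on the Task Manager Processes tab.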