Introduction to netstat

The internet unifies various computer networks around the world and gives users excellent opportunities to exchange data and information. As soon as a file is transferred from point A to point B, the overview on the existing connection is lost. The result of this is that unwanted or resource-intensive network activities are often discovered too late or not at all. In order to find out which computers or networks a PC is connected to, netstat provides statistics on all active connections. The following text reveals what exactly makes this network tool tick and how it’s properly used. 

What is netstat?

netstat — derived from the words network and statistics — is a program that’s controlled via commands issued in the command line. It delivers basic statistics on all network activities and informs users on which ports and addresses the corresponding connections (TCP, UDP) are running and which ports are open for tasks. In 1983, netstat was first implemented into the Unix derivative BSD (Berkley Software Distribution), whose version 4.2 supported the first internet protocol family, TCP/IP. netstat has been integrated into Linux since its debut in 1991 and has been present in Windows since the appearance of version 3.11 (1993), which could also communicate via TCP/IP with the help of extensions. While the parameters of netstat’s commands (as well as their outputs) differ from system to system, when it comes to their functions, the various implementations are very similar.

Essentially, netstat is a command line program and for this reason doesn’t feature a graphical user interface. Programs like TCPView, which was developed by the Microsoft division Windows Sysinternals, makes it possible for statistics to be displayed graphically. 

Why using netstat makes sense

When dealing with excessive traffic and malicious software it’s advantageous to be informed about the inbound and outbound connections to your computer. These are created via their respective network addresses that indicate which ports were preemptively opened for exchanging data. Once a port is opened, it receives the status ‘LISTEN’ and waits for connection attempts. One problem of having these ports remain open is that your system is then left vulnerable to malware. What’s more, there’s also a chance that Trojan viruses already found in your system may install a backdoor, opening up a corresponding port in the process. For this reason, you should always regularly check the ports opened by your system, a task for which netstat is particularly well suited. Thanks to the fact that you’ll be able to find the diagnosis tool on virtually every system, whether it be Unix, Linux, Windows, or Mac, this program offers a unified solution for all computers and servers.

Possible infections can be caught based on unknown opened ports or unknown IP addresses. In order to obtain an informative result, all other programs, such as your internet browser, should be turned off. This is due to the fact that these are often connected with computers that possess unknown IP addresses. Thanks to the detailed statistics, users also receive information on the packets that have been transferred since the last system start as well as notices of any errors that have occurred. The routing table, which delivers information on the paths data packets takes through the net, can be displayed with the help of the system-specific netstat command. 

The most important netstat-Linux commands

Under Linux, netstat’s syntax follows the simple pattern as follows:

netstat [OPTION]

The options are composed of different modes (e.g. the default port analysis, the routing table display, or different protocol options) that help with transparency and/or specification of the results. Typical for Unix/Linux, all options contain a long name, which is preceded by two hyphens, and a short name, which is preceded by one single hyphen. The three modes start with the following commands: 

[OPTION] Abbreviation Command Mode description
    sudo netstat Standard mode that delivers information on all active network connections
--route -r sudo netstat -r Allows the routing table to be called up
--interface -i sudo netstat -i Statistics on transferred data packets sent to individual network interfaces
--statistics -s sudo netstat -s Detailed statistics
--groups -g sudo netstat -g Gives information on multicasting (network data traffic that’s sent to a group of terminal points)

While these modes cannot be combined with one another in a command, this does remain a possibility for protocol options, which are particularly relevant for the standard mode. One popular combination involves listing all of your system’s netstat ports that are accessible to other computers.

The following table shows which individual parameters this netstat command is composed of and which additional protocol options are possible:

[OPTION] Abbreviation Command Description of options
--listening -l sudo netstat -l Only open ports (‘LISTEN’ status) are displayed
--all -a sudo netstat -a Existing connections and open ports are shown
--tcp -t sudo netstat -t Lists al TCP connections
--udp -u sudo netstat -u Lists all UDP connections
--numeric -n sudo nestat -n All numbers (IP addresses, protocols, IDs) are displayed numerically in their original form
--extend -e sudo netstat -e Extended information
--program -p sudo netstat -p Provides information on process IDs and programs

netstat-cmd commands for Windows

In Windows operating systems, netstat services are also used via the command line (cmd.exe). These can be found in the start menu under ‘All programs’ -> ‘Accessories’ -> ‘Command Prompt’. Alternatively, you can also start the command line via ‘run’ (press Windows key + ‘R’ and enter ‘cmd’)

netstat [OPTION]

The individual parameters largely vary from one another and are only available in their shortened form, not in their written-out forms. Here’s an overview of the most important netstat-cmd commands: 

[OPTION] Command Option description
-i netstat -i Calls up the netstat overview menu
  netstat Standard listing of all active connections
-a netstat -a Additonally lists the open ports (‘LISTEN’)
-e netstat -e Interface statistic (received and sent data packets, etc.)
-n netstat -n Numeric display of addresses and port numbers
-o netstat -o Adds respective process IDs
-r netstat -r Displays the routing table
-p protocol netstat -p TCP Displays the connection for the indicated protocol, in this case TCP (UDP, TCPv6 or UDPv6 are also possible)

Combining individual options works, as is typically done with Linux, is possible by stringing together individual parameters as long as there is a connection. One popular netstat cmd command with which both open ports as well as active connections can be shown is:

An over view of the various Windows, Unix, Linux, and OS parameters can be found on the Wikipedia article on the matter.

Tags: Tools / Windows / Linux / Data Protection