Sometimes during the operation of a system, whether it is a home personal computer or a powerful server that serves many connections, it is useful to have a tool at hand that can display data on network activity. Why might this be needed? To control traffic, calculate applications that illegally go online, or users. This is exactly what the utility we are considering is doing.
What is Netstat?
This is an application with which you can find out what is happening at the moment on the web. To start, use the command line. In it, when starting Netstat, additional keys and parameters are used.
It is worth noting that the name of the utility is formed from two components - network statistics, that is, network statistics, which, in principle, is logical. Among the information that the program shows, we can distinguish statistics on TCP connections , ports, and routing.
Commands and keys
The syntax of the keys and parameters of the command is quite extensive. This allows you to get network statistics at various levels. The following is a description of the Netstat command, its parameters and keys:
- -a - launching with this parameter displays all active TCP connections, as well as TCP and UDP ports listened by the system;
- -e - display extended Ethernet statistics, for example, on the movement of bytes and packets;
- -n - the parameter allows you to show active TCP connections with addresses and port numbers;
- -o - the same as the previous key, displays active TCP connections, but process codes are added to the statistics, it is already possible to determine exactly which application uses the connection;
- -p - display information on a specific protocol specified in the parameter. Among the values may be tcp, udp, tcpv6 and udpv6;
- -s - displays statistics on the protocol screen, by default all known types are displayed;
- -r - this key will display the contents of the IP routing table , the parameter is equivalent to using the route command;
- interval - in the general line of the command you can use the value of the interval through which the selected statistics will be displayed; if it is omitted, the information will be displayed only once;
- /? - displays help information for the Netstat command.
Using Netstat on Windows
In order to display all connections on the command line screen, while placing them on several pages, you need to use the following syntax: “-a | more. " If you want to save all statistics to a specific file, you need to use "-a> C: \ file name". Thus, all the information collected will be written to the file specified by this path.
The result of the work can be a small table that contains the following data types:
- Name. This is the name of the found active protocol.
- Local address The IP address and port used by the local service to create the connection. Among the values can be found 0.0.0.0, which means any available address or 127.0.0.1. This indicates a local loop.
- External address The IP and port of the external service on the network with which you are connected.
- Condition. Shows the current connection status. May take different values. For example, Listening says that the service is “listening” and waiting for an incoming connection. Established means an active compound.
Netstat, launched with the -a and -b switches, will show all network connections, as well as related programs. This is very convenient if you need to calculate which program is actively using traffic and where it sends data.
Additional connection states
In addition to the above states of compounds, there are additional ones:
- closed - as the name implies, the connection is closed;
- syn_sent - an active attempt is being made to establish a connection;
- syn_received - shows the initial stage of synchronization;
- close_wait - the remote server is down and the connection is completed.
Using Netstat on Linux
Using the utility in a Linux environment, in fact, is not much different from Windows. There are only slight differences in the parameters of the command. Description of the Netstat command and its parameters with examples:
- To display all ports, you need to use the command - "netstat -a".
- Everything is the same, but only of type TCP - “-at”.
- UDP ports are “-au”.
- Map open ports to Netstat - “-l”. Their condition will be reflected as Listening.
- Map open TCP ports to Netstat - “netstat -lt.
- The output of the process identifier and its name is “netstat -p”.
- Show statistics for a separate network protocol - “netstat -s”.
Sometimes, to get more complete information about a network connection, you need to combine Netstat with some Linux commands and utilities. For example, like this:
netstat -ap | grep ssh
This line displays a list of ports that are currently being used by SSH. If, on the contrary, you need to find out which process occupies a particular port, you can use the following syntax:
netstat -an | grep `: 80`
Linux also has a universal key set for Netstat that can display everything you need at once. It looks like this: netstat -lnptux. The data set will reflect all open ports, TCP, UDP, UNIX Socket protocols, process names and their identifiers.
Some examples for defining an attack like DoS or DDoS
The following command will let you know how many connections are active on each IP address:
netstat -naltp | grep ESTABLISHED | awk '{print $ 5}' | awk -F: '{print $ 1}' | sort -n | uniq -c
We define a large number of requests from one IP address:
netstat -na | grep: 80 | sort
We determine the exact number of requests received per connection:
netstat -np | grep SYN_RECV | wc -l
When conducting a DoS attack, the number obtained as a result of this command should be quite large. In any case, it may depend on the specific system. That is, on one server it can be one, on the other - different.
Conclusion
In whatever operating system the command is used, it is an indispensable tool for scanning, analyzing and debugging the network. It is actively used by system administrators around the world.
Netstat can be used to infect a system with any virus software. It is able to show all applications with high activity of suspicious network traffic. This will help in the early stages to identify malware and neutralize it or to protect the server from unwanted intruders.
conclusions
The article provided a detailed description of the Netstat command and its parameters and keys. Full use of the program is possible after several stages of practice on a real device. Combining with other teams will give her even more efficiency. A complete set of Netstat command descriptions can be found in the manual on the utility’s official website. It is also worth noting that when used in a Linux environment, the Netstat team is outdated and is strongly recommended to use SS instead.