From the course: CompTIA Network+ (N10-009) Cert Prep
Introduction to netstat
- If you were going to ask me, "Mike, you only get one networking tool, what's it going to be?" Well, I'd probably say ping, but my second choice would be the popular netstat program. One of the things that happens is that my computer is on a network right now, and actually on the internet as well. So there's all these connections going on at all times, and I want to know who my computer is connecting to at any given moment. And that's what netstat does. It is a text-based command that allows you to see what connections are established between your computer and other computers at any given moment. So let's run netstat. To run netstat, just get to a command prompt and type netstat, N-E-T-S-T-A-T, and these are the results that you're going to get. So let's take a look at what we're looking at. First of all, these are active connections that we have right now. Each one of these is a separate connection. So I've got, wow, about 15 connections going right now. Most of them seem to be HTTPS. So let's read it. First of all, it tells us what protocol it is, TCP or UDP. Then it says what our local address is, which is pretty much always going to be our own IP address. The next value is your source port number, and that's always going to be an ephemeral port there. Then the foreign address is who we are connected to. So here's the name and then the protocol. Now I don't like this. So what we're going to do is we're going to type netstat again, except this time we're going to use the -n. When you do netstat -n, what that says is, don't put nice words and stuff in there, just give me the raw numbers. So now what it's telling me, and this is easier for me to read, is that I've got a number of other computers out in the world someplace and they're connected on port number 443. Now the problem that you'll have with netstat when you first get used to it is that you're not going to know what these port numbers are.
So remember, you're going to be the client on this side and you know you're connecting to this guy on 443. So what is 443? Well, that's where web browsers come into play. I can pretty much guarantee that's because I have this web browser open. So what we'll do is we'll just do some research on port 443. So we take a look at port 443, and it tells us that it is HTTPS. It's a secure connection. So what's really happening here is, my web browser's open and I'm on secure websites. Now, just to let you know, the browser that I run will always go to a secure website. So if I've got a choice at a particular spot to go to a regular website, it will automatically, as a security feature, go to HTTPS. So all that's telling me right there is, I've got a bunch of web stuff open. Now you notice that I just closed Chrome. So over time, if I keep running netstat, let's run it again. You'll see that things have gone from ESTABLISHED down to TIME_WAIT. So what's basically happening here is that they've been closed, but we're waiting for the timeout to kick in and this will eventually shut down completely. Now after a while, you'll start to notice that sometimes they don't close, and that's where things get a little bit interesting. So one of the things you're often going to want to do is you're going to say, okay, I've got all these programs running, but you've got to keep in mind on your end, there is an executable program that's associated with every one of these. So what I'm going to do is I'm going to run netstat again, except this time I'm going to do the -b option. Now watch what happens. It says the requested operation requires elevation. What it's telling me is I have to run as an administrator. I fire up CMD, right-click, and I hit "Run as administrator." You're not going to be tested on how to set up "Run as administrator" for different OSes, but just be aware that that's there. So let's go ahead and run netstat -b, and it will show us who is making these connections.
And right now, this looks to be a Windows connection itself, so it's still running a little bit. We're going to give it a moment. Okay, so we can see we have a number of connections. Let me do -bn. Now you see how I can concatenate different options and, ooh, a bunch of stuff is shutting down. Now there's a couple of other options I want to run through. You can type in -o. Now when you type in -o, what that's going to give you is the process ID. Every program that's running on your computer has a process ID. So I can hit Task Manager and I can use this to locate the process ID that is actually running that. So let's take a look. What do we got here? Anytime you've got something running and you're not sure what it is, doing the netstat -o option will give you the process ID, and then you can actually go into Task Manager if you have a more recent version of Windows. And based on the process ID number, you can figure out who exactly is doing all this stuff to you. There's a couple other things I want to show you. For example, one of the things is, I'm actually running a web server on this computer. So I'm going to do a netstat, except this time I'm going to do -n 'cause I like the numbers better than the letters, and I'm going to do -a. -a means, show me all active ports, even the ones that I don't have connections on right now. And you get a big ugly list. Most of the stuff way down here has to do with IPv6, which we'll cover in later episodes. Anytime you see that double colon, that's IPv6 stuff, and I'm going to ignore that for the time being. So these are very powerful tools in terms of helping me watch what's open on my computer. You get good at it after a while. 135 and 445, that's naming convention. 2179 is neighbor discovery, you know, stuff like that. But when in doubt, all you do is go through here and start looking at this stuff to understand what all of these mean. All right, now there's one more tool, one more flag I want to use, and that's netstat -r.
netstat -r has absolutely nothing to do with netstat. When you run netstat -r, this shows you your routing table. So you can actually look at the routing table on your own individual computer, just by typing netstat -r. This is identical to typing in the command route print. netstat is an amazingly powerful tool, and I recommend you use it. Now for the record, there is another tool, it's not on the Network+, but you ought to be aware of it. It's called Process Explorer. It's by Mark Russinovich, on the Sysinternals site. Process Explorer and TCPView are two programs that he runs that are absolutely fantastic. So anyway, the important thing for the Network+ is to appreciate that netstat keeps track of all the connections we have, and it also lets us know our listening ports. Whenever you run netstat, always run it with the -n option. I like that because I like to see all the different port numbers, because that's the big clue to this. Anytime you see a connection and you don't know what the port numbers are, look it up. Nobody's got this stuff memorized.
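The reading of netstat output described above (state, listening ports, foreign port, PID from -o), as an added example that is not part of the course. It parses a constructed sample of Windows `netstat -ano` output; the port lookup table and the sample addresses are assumptions made for the example.

```python
"""Added example (not from the course): parse Windows 'netstat -ano' output
and summarize it the way the video walks through it by hand."""
from collections import Counter

# Constructed sample of 'netstat -ano' output (Windows column layout).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:51234     203.0.113.10:443       ESTABLISHED     5120
  TCP    192.168.1.20:51235     203.0.113.11:443       TIME_WAIT       0
  TCP    192.168.1.20:51240     198.51.100.7:8443      ESTABLISHED     7788
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    3344
"""

# Small assumed lookup table; the video's advice is to look up anything not here.
WELL_KNOWN = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS"}

def split_endpoint(ep):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); '*' port -> None."""
    host, _, port = ep.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, header and blank lines
        proto = parts[0]
        # UDP rows have no State column, so take the PID from the last field.
        state = parts[3] if proto == "TCP" else ""
        _, lport = split_endpoint(parts[1])
        fhost, fport = split_endpoint(parts[2])
        rows.append({"proto": proto, "local_port": lport, "foreign_host": fhost,
                     "foreign_port": fport, "state": state, "pid": int(parts[-1]),
                     "ipv6": parts[1].startswith("[")})  # '::' means IPv6
    return rows

def state_counts(rows):
    """ESTABLISHED vs TIME_WAIT vs LISTENING, as the video reads them over time."""
    return Counter(r["state"] for r in rows if r["proto"] == "TCP")

def listening_ports(rows):
    """(port, pid) pairs that are open even without a connection (-a view)."""
    return sorted({(r["local_port"], r["pid"]) for r in rows if r["state"] == "LISTENING"})

def unknown_remote_ports(rows):
    """Established connections to a foreign port not in the table: go look these up."""
    return [(r["foreign_host"], r["foreign_port"], r["pid"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["foreign_port"] not in WELL_KNOWN]
```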