Using Netstat to Monitor Your Computer's Connections   
Netstat is a useful Windows command-line utility for displaying active TCP/IP connections on a single computer. The utility can help you identify connections opened by software programs that are running on your computer and the ports that they are using.
@Copyright 2003 - The Bill & Melinda Gates Foundation

What is Netstat?

Netstat is a program run from the command prompt that shows your current connections, whether to the Internet or locally, and the ports your computer is willing to accept connections on.

This is useful information because it tells you which connections your computer is making to other computers, as well as the connections that other computers are making to your computer.

Netstat can help protect against hackers who load programs onto your computer, establish a connection to their own site, and transfer information from your computer. Netstat can be used to view these connections (although it is possible for hackers to change your Netstat command file).

How to use Netstat

  1. From the Start Menu in the lower left corner of your desktop, select Run.

  2. Type command or cmd and hit Enter. A black or blue DOS window should appear.

  3. Type netstat. Use netstat -an to produce a simplified output, as in the example below.

  4. To create a text file of the output, type netstat>output.txt. This will create a file called output.txt in the directory you executed the command prompt from. Typically this is c:\>, but it may also be c:\>Documents and Settings\username, or another path.

  5. Run the following commands when no other applications are running on your computer. Keep a copy of this file handy so that if you encounter strange behavior on a computer you can compare the output of the netstat commands.

Understanding Netstat output

To use Netstat most effectively, it is vital that you become familiar with what the standard output of the netstat command looks like, so that when unfamiliar connections happen you can identify them easily.

Below is a sample netstat -an output. The letters after the hyphen are options. All Netstat options are explained by typing netstat /? at the command prompt.

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    172.16.189.27:139      0.0.0.0:0              LISTENING
  TCP    172.16.189.27:1110     0.0.0.0:0              LISTENING
  TCP    172.16.189.27:1789     64.58.79.230:80        ESTABLISHED
  TCP    172.16.189.27:2929     64.236.16.116:80       ESTABLISHED
  TCP    172.16.189.27:2933     66.150.9.247:80        ESTABLISHED
  TCP    172.16.189.27:2938     172.16.10.98:1026      ESTABLISHED
  UDP    172.16.189.27:137      *:*
  UDP    172.16.189.27:138      *:*
  UDP    172.16.189.27:1900     *:*

The numbers after the colons are ports. These are 'doors' that applications use to enter your system and remote systems. There are lists of established ports (http://www.iana.org/assignments/port-numbers), but applications are free to use any port for their connection. Typical ports you'll see are port 80 for web traffic, 443 for secure web traffic, and 25 or 110 for mail. In the example above, the computer with IP address 172.16.189.27 has three active connections to the Internet at port 80.
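
The baseline comparison described in step 5, as an added example that is not part of the original article: a short Python script that parses two saved netstat -an outputs and reports listening ports and remote endpoints that are new since the baseline. The function names and the two extra rows in the CURRENT sample are constructed for illustration.

```python
import re

# Constructed sample data: BASELINE reuses rows from the article's sample
# output; CURRENT adds one listener and one connection (both constructed).
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    172.16.189.27:139      0.0.0.0:0              LISTENING
  TCP    172.16.189.27:1789     64.58.79.230:80        ESTABLISHED
  UDP    172.16.189.27:137      *:*
"""
CURRENT = BASELINE + """\
  TCP    0.0.0.0:6200           0.0.0.0:0              LISTENING
  TCP    172.16.189.27:3044     192.0.2.10:8081        ESTABLISHED
"""

# Proto, local address, foreign address, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so forms like [::]:135 also work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port

def parse(text):
    """Return (listeners, remotes) found in `netstat -an` text."""
    listeners, remotes = set(), set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, column header, or blank line
        proto, local, foreign, state = m.groups()
        if proto == "UDP" or state == "LISTENING":
            listeners.add((proto, split_endpoint(local)[1]))
        elif state == "ESTABLISHED":  # local port is ephemeral, so key on remote
            remotes.add(split_endpoint(foreign))
    return listeners, remotes

def compare(baseline_text, current_text):
    """Return listeners and remote endpoints present now but not in the baseline."""
    base_l, base_r = parse(baseline_text)
    cur_l, cur_r = parse(current_text)
    return sorted(cur_l - base_l), sorted(cur_r - base_r)

if __name__ == "__main__":
    new_listeners, new_remotes = compare(BASELINE, CURRENT)
    print("New listening ports:", new_listeners)
    print("New remote endpoints:", new_remotes)
```

To use it on real data, read the baseline output.txt and a fresh netstat -an capture from disk and pass both strings to compare(). A new entry is a prompt to find out which program opened it, not proof of compromise.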

