NETSTAT.exe TCP/IP Network Statistics

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a          Displays all connections and listening ports.
  -e          Displays Ethernet statistics. This may be combined with the -s option.
  -n          Displays addresses and port numbers in numerical form.
  -p proto    Shows connections for the protocol specified by proto; proto may be
              TCP or UDP. If used with the -s option to display per-protocol
              statistics, proto may be TCP, UDP, or IP.
  -r          Displays the routing table.
  -s          Displays per-protocol statistics. By default, statistics are shown
              for TCP, UDP and IP; the -p option may be used to specify a subset
              of the default.
  interval    Redisplays selected statistics, pausing interval seconds between
              each display. Press CTRL+C to stop redisplaying statistics. If
              omitted, netstat will print the current configuration information
              once.
First, I would recommend that you always use the '-a' parameter so you can see UDP 'listening ports' as well (often used by trojans), and not just the active TCP connections; then switch between using '-a' and no parameters at all, to see the differences. When you're offline, you normally shouldn't see any connection data! If you do see an OPEN PORT NUMBER 'listening' for a connection (using the '-a' parameter), it may be that your computer has been infected with a trojan! Click this link for a few more ideas on how you can check whether your computer is trojan-free.
If you're running a server, such as the free XITAMI server, you might see something like this ("My_Comp" is the name of my computer):
C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    My_Comp:ftp            localhost:0            LISTENING
  TCP    My_Comp:80             localhost:0            LISTENING
Or with the "-an" parameters:

C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
By simply opening a browser connection to both the HTTP (port 80) and FTP (port 21) servers (while still offline!), I saw the following:
C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    My_Comp:ftp            localhost:0            LISTENING
  TCP    My_Comp:80             localhost:0            LISTENING
  TCP    My_Comp:1104           localhost:0            LISTENING
  TCP    My_Comp:ftp            localhost:1104         ESTABLISHED
  TCP    My_Comp:1102           localhost:0            LISTENING
  TCP    My_Comp:1103           localhost:0            LISTENING
  TCP    My_Comp:80             localhost:1111         TIME_WAIT
  TCP    My_Comp:1104           localhost:ftp          ESTABLISHED
  TCP    My_Comp:1107           localhost:0            LISTENING
  TCP    My_Comp:1112           localhost:80           TIME_WAIT
  UDP    My_Comp:1102           *:*
  UDP    My_Comp:1103           *:*
  UDP    My_Comp:1107           *:*
This may be a bit confusing to some people, but remember I'm running BOTH the servers and clients on the same machine in these examples. A little later (using both 'a' and 'n') I got this:
C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1104           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:21           127.0.0.1:1104         FIN_WAIT_2
  TCP    127.0.0.1:1102         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1103         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1104         127.0.0.1:21           CLOSE_WAIT
  TCP    127.0.0.1:1107         0.0.0.0:0              LISTENING
  UDP    127.0.0.1:1102         *:*
  UDP    127.0.0.1:1103         *:*
  UDP    127.0.0.1:1107         *:*
After turning off my server, I ended up with this for a while:

C:\WINDOWS>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:80           127.0.0.1:1150         TIME_WAIT
  TCP    127.0.0.1:80           127.0.0.1:1151         TIME_WAIT
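The listings above are easier to audit mechanically than by eye, especially once client-side ports start appearing next to the real servers. The following Python script is an added example, not code from this page: it parses numeric (`netstat -an`) output into sockets, separates listeners from connections, shows which listeners are bound to every interface (0.0.0.0) rather than to loopback only, and flags listeners that are not on a baseline of expected services. The sample input is constructed to resemble the listings above (a web and FTP server, one extra listener, a few half-closed loopback connections) and is not captured from a real host; the baseline of ports 21 and 80 is an assumption for the example.

```python
"""Audit `netstat -an` output: list listening sockets and flag any not on a baseline."""
import re
from collections import Counter

# Constructed sample modelled on the netstat -an listings in the text above
# (not captured from a real host): a web and FTP server bound to all interfaces,
# one extra listener, and three loopback connections in closing states.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1104           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:21           127.0.0.1:1104         FIN_WAIT_2
  TCP    127.0.0.1:1104         127.0.0.1:21           CLOSE_WAIT
  TCP    127.0.0.1:80           127.0.0.1:1150         TIME_WAIT
  UDP    127.0.0.1:1102         *:*
"""

# One socket line of numeric (-n) output: proto, local addr:port, foreign addr:port
# and, for TCP only, a state column. UDP lines end after the foreign address.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_0-9]+))?\s*$")

LOOPBACK = {"127.0.0.1", "localhost"}


def parse_netstat(text):
    """Return one dict per socket line; the banner and column header are skipped."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state = m.groups()
        if state is None:
            # UDP has no connection state; a bound UDP socket is effectively listening.
            state = "LISTENING" if proto == "UDP" else "UNKNOWN"
        sockets.append({"proto": proto, "local_addr": laddr,
                        "local_port": int(lport), "foreign": faddr, "state": state})
    return sockets


def listening_ports(sockets):
    """Set of (proto, port) pairs that accept traffic."""
    return {(s["proto"], s["local_port"]) for s in sockets if s["state"] == "LISTENING"}


def network_exposed(sockets):
    """Listeners bound to something other than loopback (0.0.0.0 means every
    interface), i.e. the ones reachable from the network once the machine is online."""
    return sorted((s["proto"], s["local_port"]) for s in sockets
                  if s["state"] == "LISTENING" and s["local_addr"] not in LOOPBACK)


def unexpected_listeners(sockets, baseline):
    """Listeners absent from a baseline of expected (proto, port) pairs. Short-lived
    client-side ports that appear during a browsing session are noise; a listener
    that persists while the machine is idle and is not in the baseline deserves a look."""
    return sorted(listening_ports(sockets) - set(baseline))


def tcp_state_counts(sockets):
    """How many TCP sockets sit in each non-listening state (TIME_WAIT, CLOSE_WAIT, ...)."""
    return Counter(s["state"] for s in sockets
                   if s["proto"] == "TCP" and s["state"] != "LISTENING")


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    baseline = [("TCP", 21), ("TCP", 80)]   # assumed expected services for this host
    print("listening:", sorted(listening_ports(socks)))
    print("exposed to the network:", network_exposed(socks))
    print("not in baseline:", unexpected_listeners(socks, baseline))
    print("TCP states:", dict(tcp_state_counts(socks)))
```

Run it once while offline and idle to record the baseline, then rerun it later and diff the "not in baseline" list; that is the mechanical form of the advice above about switching between `-a` and no parameters. The script expects `-n` output because the port column must be numeric; with hostnames and service names (`My_Comp:ftp`) the parser skips the line.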
PING.exe

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options:
  -t             Ping the specified host until interrupted.
  -a             Resolve addresses to hostnames.
  -n count       Number of echo requests to send.
  -l size        Send buffer size.
  -f             Set "Don't Fragment" flag in packet.
  -i TTL         Time To Live.
  -v TOS         Type Of Service.
  -r count       Record route for count hops.
  -s count       Timestamp for count hops.
  -j host-list   Loose source route along host-list.
  -k host-list   Strict source route along host-list.
  -w timeout     Timeout in milliseconds to wait for each reply.
There's one special IP number everyone should know about:

127.0.0.1 - localhost (or loopback).

This is used to connect (through a browser, for example) to a Web server on your own computer. (127 being reserved for this purpose.) You can use this IP number at all times. It doesn't matter if you're connected to the Internet or not.

It's also called the loopback address because you can ping it and get returns even when you're offline (not connected to any network). If you don't get any valid replies, then there's a problem with the computer's Network settings. Here's a typical response to the 'ping' command:
Here's another recent example using the name of my computer, which I have tied to the IP number 127.0.0.1 in my C:\WINDOWS\HOSTS file:

C:\WINDOWS>ping My_Comp

Pinging My_Comp [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time=1ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time=1ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms
TRACERT.exe

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:
  -d                Do not resolve addresses to hostnames.
  -h maximum_hops   Maximum number of hops to search for target.
  -j host-list      Loose source route along host-list.
  -w timeout        Wait timeout milliseconds for each reply.
Here's an example which traces the route from some ISP in Los Angeles to the main server at UCLA in California (note how two computers relatively close to each other may be routed way round about!):
C:\WINDOWS>tracert www.ucla.edu

Tracing route to www.ucla.edu [169.232.33.129]
over a maximum of 30 hops:

  1   141 ms   132 ms   140 ms  wla-ca-pm6.icg.net [165.236.29.85]
  2   134 ms   131 ms   139 ms  whv-ca-gw1.icg.net [165.236.29.65]
  3   157 ms   132 ms   143 ms  f3-1-0.lai-ca-gw1.icg.net [165.236.24.89]
  4   194 ms   193 ms   188 ms  a0-0-0-1.dai-tx-gw1.icg.net [163.179.235.61]
  5   300 ms   211 ms   214 ms  a1-1-0-1.ati-ga-gw1.icg.net [163.179.235.186]
  6   236 ms   237 ms   247 ms  a5-0-0-1.was-dc-gw1.icg.net [163.179.235.129]
  7   258 ms   236 ms   244 ms  163.179.243.205
  8   231 ms   233 ms   230 ms  wdc-brdr-03.inet.qwest.net [205.171.4.153]
  9   240 ms   230 ms   236 ms  wdc-core-03.inet.qwest.net [205.171.24.69]
 10   262 ms   264 ms   263 ms  hou-core-01.inet.qwest.net [205.171.5.187]
 11   281 ms   263 ms   259 ms  hou-core-03.inet.qwest.net [205.171.23.9]
 12   272 ms   229 ms   222 ms  lax-core-02.inet.qwest.net [205.171.5.163]
 13   230 ms   217 ms   230 ms  lax-edge-07.inet.qwest.net [205.171.19.58]
 14   228 ms   219 ms   220 ms  63-145-160-42.cust.qwest.net [63.145.160.42]
 15   218 ms   222 ms   218 ms  ISI-7507--ISI.POS.calren2.net [198.32.248.21]
 16   232 ms   222 ms   214 ms  UCLA--ISI.POS.calren2.net [198.32.248.30]
 17   234 ms   226 ms   226 ms  cbn5-gsr.calren2.ucla.edu [169.232.1.18]
 18   245 ms   227 ms   235 ms  www.ucla.edu [169.232.33.129]

Trace complete.
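Reading a long trace like the one above by eye makes it hard to say where the detour actually costs time. The Python script below is an added example, not code from this page: it parses tracert output into hops, copes with the two line shapes the page's own trace does not show together (a hop that prints a bare IP because reverse DNS failed, and a hop that answers with three `*` and "Request timed out."), and reports the hop whose average round-trip time rises most over the previous responding hop. The sample trace is constructed from the first hops of the UCLA trace above with a made-up timed-out hop inserted; hop numbers and the timed-out hop are assumptions for the example.

```python
"""Parse Windows tracert output and locate the hop where latency jumps most."""
import re

# Constructed sample: hops 1-2 and the last hop are taken from the UCLA trace above;
# hop 3 is a made-up timed-out hop and hop 4 a made-up hop with no reverse DNS name.
SAMPLE_TRACERT = """\
Tracing route to www.ucla.edu [169.232.33.129]
over a maximum of 30 hops:

  1   141 ms   132 ms   140 ms  wla-ca-pm6.icg.net [165.236.29.85]
  2   134 ms   131 ms   139 ms  whv-ca-gw1.icg.net [165.236.29.65]
  3     *        *        *     Request timed out.
  4   194 ms   193 ms   188 ms  163.179.235.61
  5   245 ms   227 ms   235 ms  www.ucla.edu [169.232.33.129]

Trace complete.
"""

# hop number, three RTT fields ('141 ms', '<1 ms' or '*'), then the rest of the line
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.*?)\s*$")
TARGET_RE = re.compile(r"Tracing route to (\S+) \[([\d.]+)\]")
NAME_IP_RE = re.compile(r"^(.*?)\s*\[([\d.]+)\]$")
IP_RE = re.compile(r"^[\d.]+$")


def _rtt(token):
    """'141 ms' -> 141.0; '<10 ms' -> 10.0 (tracert prints an upper bound); '*' -> None."""
    if token == "*":
        return None
    return float(token.lstrip("<").split()[0])


def parse_tracert(text):
    """Return {'target': {'name', 'ip'}, 'hops': [...]} from raw tracert output."""
    m = TARGET_RE.search(text)
    target = {"name": m.group(1), "ip": m.group(2)} if m else None
    hops = []
    for line in text.splitlines():
        hm = HOP_RE.match(line)
        if not hm:
            continue
        number, rtt_field, rest = hm.groups()
        rtts = [_rtt(t) for t in re.findall(r"<?\d+ ms|\*", rtt_field)]
        name, ip = None, None
        nm = NAME_IP_RE.match(rest)
        if nm:
            name, ip = nm.group(1) or None, nm.group(2)
        elif IP_RE.match(rest):
            ip = rest  # tracert prints a bare IP when reverse DNS fails
        # anything else ('Request timed out.') leaves both name and ip as None
        hops.append({"hop": int(number), "rtts": rtts, "name": name, "ip": ip})
    return {"target": target, "hops": hops}


def mean_rtt(hop):
    """Average of the replies that arrived, or None if all three timed out."""
    got = [r for r in hop["rtts"] if r is not None]
    return sum(got) / len(got) if got else None


def largest_jump(hops):
    """(hop number, increase in ms) for the hop whose mean RTT rises most over the
    previous responding hop; timed-out hops are skipped rather than counted as zero."""
    best = None
    prev = None
    for hop in hops:
        cur = mean_rtt(hop)
        if cur is None:
            continue
        if prev is not None:
            delta = cur - prev
            if best is None or delta > best[1]:
                best = (hop["hop"], delta)
        prev = cur
    return best


if __name__ == "__main__":
    route = parse_tracert(SAMPLE_TRACERT)
    for hop in route["hops"]:
        avg = mean_rtt(hop)
        print(hop["hop"], hop["ip"] or "(no reply)", hop["name"] or "",
              "-" if avg is None else f"{avg:.0f} ms")
    print("largest increase at hop", largest_jump(route["hops"]))
```

Skipping timed-out hops matters: a router that rate-limits or drops ICMP replies shows as `*` without adding latency for traffic passing through it, so treating its RTT as zero would manufacture a spurious jump at the next hop.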
Note: Unless you're running a network, the following commands won't be of much use to you... Furthermore, if you're concerned about Security, my advice is to NEVER use NetBIOS on a computer that connects to the Internet.
NBTSTAT.exe NetBIOS Stats

Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

NBTSTAT [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-s] [-S] [interval]

  -a           (adapter status) Lists the remote machine's name table given its name.
  -A           (Adapter status) Lists the remote machine's name table given its IP address.
  -c           (cache) Lists the remote name cache including the IP addresses.
  -n           (names) Lists local NetBIOS names.
  -r           (resolved) Lists names resolved by broadcast and via WINS.
  -R           (Reload) Purges and reloads the remote cache name table.
  -S           (Sessions) Lists sessions table with the destination IP addresses.
  -s           (sessions) Lists sessions table converting destination IP addresses
               to host names via the hosts file.
  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds between
               each display. Press Ctrl+C to stop redisplaying statistics.
ROUTE.exe Network Routing Tables

Manipulates network routing tables.

ROUTE [-f] [command [destination] [MASK netmask] [gateway]]

  -f            Clears the routing tables of all gateway entries. If this is used
                in conjunction with one of the commands, the tables are cleared
                prior to running the command.
  command       Specifies one of four commands:
                  PRINT    Prints a route
                  ADD      Adds a route
                  DELETE   Deletes a route
                  CHANGE   Modifies an existing route
  destination   Specifies the host to send command.
  MASK          If the MASK keyword is present, the next parameter is interpreted
                as the netmask parameter.
  netmask       If provided, specifies a sub-net mask value to be associated with
                this route entry. If not specified, it defaults to 255.255.255.255.
  gateway       Specifies gateway.

All symbolic names used for destination or gateway are looked up in the network and host name database files NETWORKS and HOSTS, respectively. If the command is print or delete, wildcards may be used for the destination and gateway, or the gateway argument may be omitted.
ARP.exe Address Resolution Protocol

ARP -s inet_addr eth_addr [if_addr]
ARP -d inet_addr [if_addr]
ARP -a [inet_addr] [-N if_addr]

  -a            Displays current ARP entries by interrogating the current protocol
                data. If inet_addr is specified, the IP and Physical addresses for
                only the specified computer are displayed. If more than one network
                interface uses ARP, entries for each ARP table are displayed.
  -g            Same as -a.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified by if_addr.
  -d            Deletes the host specified by inet_addr.
  -s            Adds the host and associates the Internet address inet_addr with the
                Physical address eth_addr. The Physical address is given as 6
                hexadecimal bytes separated by hyphens. The entry is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the interface
                whose address translation table should be modified. If not present,
                the first applicable interface will be used.