
NETSTAT command - displays network connection statistics. Tips for using Netstat for Windows Server administrators. List of sockets that are in listening state.

The netstat command displays various network data such as network connections, the routing table, interface statistics, masquerade connections, multicast memberships, etc.

In this article, let's look at 10 practical examples of the netstat command on Unix.

1. List of all ports (both listening and non-listening ports)

List all ports using the netstat -a command

    # netstat -a | more
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 localhost:30037         *:*                     LISTEN
    udp        0      0 *:bootpc                *:*
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  2      [ ACC ]     STREAM     LISTENING     6135   /tmp/.X11-unix/X0
    unix  2      [ ACC ]     STREAM     LISTENING     5140   /var/run/acpid.socket

List all TCP ports using netstat -at

    # netstat -at
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
    tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
    tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

Listing all UDP ports using netstat -au

    # netstat -au
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp        0      0 andreyex..ru:50053      google-public-dn:domain ESTABLISHED

2. List of sockets that are in listening state

List only listening ports using netstat -l

    # netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
    tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
    tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only TCP listening ports using netstat -lt

    # netstat -lt
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
    tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
    tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only listening UDP ports using netstat -lu

    # netstat -lu
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp        0      0 site:domain             0.0.0.0:*
    udp        0      0 localhost:domain        0.0.0.0:*

List only listening UNIX domain sockets using netstat -lx

    # netstat -lx
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  2      [ ACC ]     STREAM     LISTENING     19693  tmp/core.adm.internal
    unix  2      [ ACC ]     SEQPACKET  LISTENING     8723   /run/udev/control
    unix  2      [ ACC ]     STREAM     LISTENING     12566  /var/run/dbus/system_bus_socket
    unix  2      [ ACC ]     STREAM     LISTENING     16948  /var/run/fail2ban/fail2ban.sock
    unix  2      [ ACC ]     STREAM     LISTENING     19702  tmp/core.sock
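The listening-socket listings above are most useful when you also know which interface each listener is bound to. The following Python sketch is an added example, not part of the original article: it parses `netstat -tuln` output (the `-l` listings above with numeric addresses) and classifies every listener by exposure. The sample output is constructed, and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample of `netstat -tuln` output (listeners only, numeric addresses).
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:5432         0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 127.0.0.53:53           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

def classify(addr):
    """Return 'all-interfaces', 'loopback' or 'single-address' for a bind address."""
    if addr in ("*", ""):
        return "all-interfaces"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if ip.is_loopback else "single-address"

def listener_exposure(text):
    """Parse netstat -tuln output into (proto, address, port, exposure) tuples."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue               # headers and UNIX-socket rows
        if f[0].startswith("tcp") and f[-1] != "LISTEN":
            continue               # UDP rows carry no state column
        addr, _, port = f[3].rpartition(":")   # rpartition keeps IPv6 colons intact
        rows.append((f[0], addr, int(port), classify(addr)))
    return rows

if __name__ == "__main__":
    for proto, addr, port, exposure in listener_exposure(SAMPLE):
        print(f"{proto:5} {port:<6} {addr:<12} {exposure}")
```

Listeners reported as all-interfaces are the ones reachable from every network the host is attached to, so they are the first to compare against the firewall policy.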

Laboratory work No. 03-005

Netstat network utility. Operating principles and use.

The utility displays active and listening TCP ports, Ethernet statistics, IP routing tables, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Run without parameters, netstat displays active TCP connections.

Syntax:

netstat [-a] [-e] [-n] [-o] [-p protocol] [-r] [-s] [interval].

Options:

-a displays all active TCP connections and TCP and UDP ports listening on the computer;

-b displays the executable files involved in creating active connections. If independent software components are used to create the socket, they are also displayed;

-e Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with the key -s;

-n displays active TCP connections, showing addresses and port numbers in numeric format without attempting to resolve names;

-o Lists active TCP connections and includes a process ID (PID) for each connection. The process ID allows you to find the application on the Processes tab of Windows Task Manager. This parameter can be combined with the keys -a, -n and -p;

-p protocol outputs connections for the protocol specified by the parameter protocol. In this case the parameter protocol can take the values tcp, udp, tcpv6 or udpv6. If this parameter is used with the key -s to display protocol statistics, the parameter protocol can take the values tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6;

-r Displays the contents of the IP routing table. This command is equivalent to the command route print;

-s output of protocol statistics. By default, statistics are displayed for the TCP, UDP, ICMP and IP protocols. If IPv6 is installed for Windows XP, statistics are displayed for TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6. Parameter -p can be used to specify a set of protocols;

-v used in conjunction with the parameter -b to display the sequence of software components involved in creating a socket;

interval updates the selected data at the interval specified by the parameter interval (in seconds). Pressing CTRL+C stops the update. If this parameter is omitted, netstat displays the selected data only once.

/? Displays help on the command line.

At the network level in the TCP/IP protocol stack, addressing is carried out using IP addresses. But after the packet is delivered via the IP protocol to the recipient computer with the given IP address, the data must be sent to a specific recipient application process. Each computer can run multiple processes, and an application process can have multiple entry points that simultaneously act as data recipients.

The communication needs of application processes are served by the transport layer of the protocol stack, implemented in software in the operating system kernel, as a separate user process, or as a library module loaded by a network application. Packets arriving at the transport layer are organized by the operating system into a set of queues to the entry points of the various application processes. In TCP/IP terminology, such system queues are called ports. A port is a software concept that is used by a client or server to send or receive messages; the port is identified by a 16-bit number. Thus, the destination address used by the transport entity is the port identifier (number) of the application service. The port number, together with the network number and the end node number, uniquely identifies the application process on the network. This set of identifying parameters is called a socket.

Port numbers are assigned to application processes either centrally, if these processes are popular public services (for example, number 21 is assigned to the FTP remote file access service, and 23 is assigned to the telnet remote control service), or locally for those services that have not yet become widespread enough to be assigned standard (reserved) numbers. Centralized assignment of port numbers to services is performed by the Internet Assigned Numbers Authority (IANA). These numbers are then fixed and published in Internet standards.

Local port number assignment means that the application developer simply associates any available, randomly chosen numeric identifier with the application, making sure that it is not one of the reserved port numbers. From then on, all remote requests to this application from other applications must be addressed using the port number assigned to it.

The client initiating the connection, before attempting to establish a connection with the remote application server, requests a free port number from its OS. Ports with numbers 0-1023 are usually called privileged; they are almost all reserved and are not allocated to client processes. This does not mean that there are no assigned port numbers with larger values, but they are used much less frequently and, being free on a given host, may well be made available to the client program.

UDP (User Datagram Protocol) is a simple datagram-oriented transport layer protocol: a process issues one UDP datagram at a time, resulting in one IP datagram being transmitted. The protocol does not establish a connection and does not confirm to the sender that the message has been delivered.

TCP (Transmission Control Protocol) provides a connection-based, reliable byte stream service. It is used in cases where guaranteed delivery of messages is required. It uses packet checksums to verify packet integrity and relieves application processes of the need for timeouts and retransmissions to ensure reliability.

The term connection-oriented means that two applications using TCP (typically a client and a server) must establish a TCP connection with each other before they can exchange data.

There are always two endpoints that communicate with each other using a TCP connection. TCP does not do broadcasts or multicasts.

The steps required to establish and terminate a TCP connection can be represented in the form of a model with 11 possible states:

    State         Description
    CLOSED        Closed. The connection is not active and is not in the process of being established
    LISTEN        Waiting. The server is waiting for an incoming request
    SYN RCVD      A connection request has arrived. Waiting for confirmation
    SYN SENT      Connection request sent. The application started opening a connection
    ESTABLISHED   Established. Normal data transmission state
    FINWAIT 1     The application reported that it has nothing more to transfer
    FINWAIT 2     The other party agrees to terminate the connection
    TIMED WAIT    Wait until all packets disappear from the network
    CLOSING       Both parties attempted to close the connection at the same time
    CLOSE WAIT    The other party has initiated a disconnect
    LAST ACK      Wait until all packets disappear from the network

In each of these states, allowed and prohibited events can occur. In response to any allowed event, a specific action can be taken. When prohibited events occur, an error is reported.

Each connection starts in the CLOSED state. It can leave this state by making either an active (CONNECT) or passive (LISTEN) attempt to open a connection. If the opposite side does the opposite, the connection is established and enters the ESTABLISHED state. Either party can initiate the termination of the connection. Once the disconnection process is complete, the connection returns to the CLOSED state.

Self-test questions

    Port as a transport layer addressing element. Socket.

    Locally and centrally assigned ports.

    Basic transport layer protocols of the TCP/IP stack. Their brief description.

    Mapping network connections to processes running on a computer.

    Netstat utility parameters.

Necessary equipment

An IBM PC-compatible computer with a licensed Windows operating system, a connection to a local network, and Internet access.

Tasks

Before starting the tasks, restart your computer and do not launch any applications.

1. Using the netstat command, view the Ethernet connection statistics.

2. Using the netstat command, view the statistics of network protocols.

3. Using the netstat command, view the statistics of the ICMP protocol (the output should contain data only for this protocol).

4. Use the netstat command to view a list of all TCP connections and listening UDP ports.

5. Launch your browser and establish a connection to any site. Repeat the previous task and comment on the result.

6. Using the netstat command, identify any 5 processes listening on UDP ports. Specify the name of the processes and numbers of listening ports.

7. Using the netstat command, determine the active TCP connections, their port numbers, and the names of the executable files of the applications that use these connections.

Submit a report on the completion of the work in printed or electronic form with copies of the utility operation screens.

Netstat is a very useful utility that some system administrators use every day, while others use it only to diagnose problems. Either way, understanding this utility and being able to use it is very useful.

The command has only 10 parameters, of which probably the most frequently used is -a, which displays all connections and ports in use. However, even without any parameters netstat displays quite useful information.

Let us now consider the useful parameters of the netstat utility.

Fully qualified domain name: with the -f parameter, the fully qualified domain names of connected remote hosts are displayed. Names are resolved by any available means. In the figure below you can see an example of this action:

Which process is using the open port: with the combination of parameters -a -n -o you can track which process is using an open port. From the output of the command we find out the process identifier (PID), with which we can find the desired process in Task Manager.

You can use another useful option to make the display friendlier. The -b parameter shows the name of each process; however, it requires administrator rights.

Displaying the routing table: with the -r parameter you can view the current routing table.

I most often use these 4 parameters to diagnose Windows problems. How else do you use netstat and why?
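The -a -n -o combination described above becomes easier to review when its output is grouped by process. The following Python sketch is an added example, not code from the original article: it parses constructed `netstat -ano` output, lists the listening sockets owned by each PID, and reports which PIDs hold established connections to peers outside the local network. The sample rows, the INTERNAL network and all function names are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Windows `netstat -ano` output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2216
  TCP    192.168.1.50:49712     203.0.113.7:443        ESTABLISHED     5312
  TCP    192.168.1.50:49720     192.168.1.220:3261     ESTABLISHED     1508
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    5312
"""
INTERNAL = ipaddress.ip_network("192.168.1.0/24")  # assumed local network

def parse_ano(text):
    """Yield (proto, local, remote, state, pid) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        state = f[3] if len(f) == 5 else ""   # UDP rows have no State column
        yield f[0], f[1], f[2], state, int(f[-1])

def host(endpoint):
    """Strip the port and any IPv6 brackets from 'address:port'."""
    return endpoint.rpartition(":")[0].strip("[]")

def listeners_by_pid(text):
    """Map each PID to the TCP listeners and UDP sockets it owns."""
    out = defaultdict(list)
    for proto, local, _, state, pid in parse_ano(text):
        if state == "LISTENING" or proto == "UDP":
            out[pid].append(f"{proto}/{local}")
    return dict(out)

def outside_peers(text):
    """Map each PID to its ESTABLISHED peers that are outside INTERNAL."""
    out = defaultdict(set)
    for _, _, remote, state, pid in parse_ano(text):
        if state == "ESTABLISHED" and ipaddress.ip_address(host(remote)) not in INTERNAL:
            out[pid].add(remote)
    return dict(out)

if __name__ == "__main__":
    print(listeners_by_pid(SAMPLE))
    print(outside_peers(SAMPLE))
```

Each PID in the result can then be looked up in Task Manager, or named directly by running netstat with -b from an elevated prompt.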


Regularly, some - only for diagnostics. I belong to the latter category: I prefer to use this utility to identify the causes of system problems and problems.

The netstat command has ten parameters that provide detailed information for a variety of tasks. However, no less useful information can be obtained without any parameters.

The most common use of netstat is with the -a option to list all connections and listening ports. Listed below are a few other options that may come in handy when using this utility.

Fully qualified domain name. The -f parameter allows you to find out the FQDN for the external address. When using netstat with this option, names are resolved on both the internal and external networks. Fig. A shows the output of the command.

Figure A

Which process is using which port. The combination of the -a -n -o options allows you to find out which process identifier (PID) a particular port corresponds to. The output of the command is shown in Fig. B.


Figure B

And if you add the -b option to this combination, friendly names will be used for each process, as shown in Fig. C. However, this will require administrator rights.


Figure C

Note: remote addresses pointing to 192.168.1.220:3261 belong to the Windows iSCSI Initiator service and are labeled differently than other service addresses.

Output of the routing table. When you want to figure out why a network connection is working differently on one computer than on others on the same network, you can use the -r option, which prints the routing table for that system, as shown in Fig. D. Please note the Persistent routes section: this lists all static routes configured for Windows Server.


Figure D

These four variations of the netstat command make it much easier

A useful command and utility at the same time, called netstat, allows you to view information about system connections using the UDP and TCP protocols.

The command can be set to run every n seconds and produces the following information in a tabular format:

  • Protocol name (TCP or UDP)
  • Local IP address and port number used by the socket connection
  • Remote IP address (destination address) and port number used by the socket connection
  • Connection state (Listening, Established, etc.)

Studying the state of the connection ports between the two systems allows us to exclude the TCP/IP protocol as one of the causes of the problem. To fully understand the information provided by this command, it is necessary to understand the principles of connection establishment in the TCP/IP protocol. Here are the main steps in the process of establishing a TCP/IP connection:

1. When attempting to establish a connection, the client sends a SYN message to the server.

2. The server responds with its own SYN message and an acknowledgment (ACK).

3. The client then sends an ACK message back to the server, completing the connection setup process.

The disconnection process consists of the following steps:

1. The client says "I'm done" by sending a FIN message to the server. At this stage, the client only receives data from the server, but does not send anything itself.

2. The server then sends an ACK message and sends its own FIN message to the client.

3. The client then sends an ACK message to the server, acknowledging the server's FIN message.

4. When the server receives an ACK message from the client, it closes the connection.

Understanding the steps in the connection setup and termination process allows you to interpret connection states in netstat command output more clearly. Connections in the list can be in the following states:

  • CLOSE_WAIT - indicates the passive phase of closing the connection, which begins after the server receives a FIN message from the client.
  • CLOSED - the connection was interrupted and closed by the server.
  • ESTABLISHED - the client established a connection with the server by receiving a SYN message from the server.
  • FIN_WAIT_1 - the client initiated closing the connection (sent a FIN message).
  • FIN_WAIT_2 - the client received ACK and FIN messages from the server.
  • LAST_ACK - the server sent a FIN message to the client.
  • LISTEN - the server is ready to accept incoming connections.
  • SYN_RECEIVED - the server received a SYN message from the client and sent it a response.
  • TIMED_WAIT - the client sent a FIN message to the server and is waiting for a response to this message.
  • SYN_SEND - the specified connection is active and open.
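The connection setup and teardown steps above, and the state model from the laboratory section earlier on this page, can be traced with a small state machine. The following Python sketch is an added example, not part of the original text: it drives a client and a server through the handshake and an orderly close and records the state each side would show after every segment. It uses the standard TCP state names (the list above spells SYN_SENT and TIME_WAIT as SYN_SEND and TIMED_WAIT); the event names, classes and function names are assumptions of this example, and only the transitions needed for open and close are modelled.

```python
# (state, event) -> (next state, segment sent in response); subset of the TCP state diagram.
T = {
    ("CLOSED", "passive_open"): ("LISTEN", None),
    ("CLOSED", "active_open"): ("SYN_SENT", "SYN"),
    ("LISTEN", "rcv SYN"): ("SYN_RECEIVED", "SYN+ACK"),
    ("SYN_SENT", "rcv SYN+ACK"): ("ESTABLISHED", "ACK"),
    ("SYN_RECEIVED", "rcv ACK"): ("ESTABLISHED", None),
    ("ESTABLISHED", "close"): ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "rcv FIN"): ("CLOSE_WAIT", "ACK"),
    ("FIN_WAIT_1", "rcv ACK"): ("FIN_WAIT_2", None),
    ("FIN_WAIT_1", "rcv FIN"): ("CLOSING", "ACK"),
    ("FIN_WAIT_2", "rcv FIN"): ("TIME_WAIT", "ACK"),
    ("CLOSING", "rcv ACK"): ("TIME_WAIT", None),
    ("CLOSE_WAIT", "close"): ("LAST_ACK", "FIN"),
    ("LAST_ACK", "rcv ACK"): ("CLOSED", None),
    ("TIME_WAIT", "timeout"): ("CLOSED", None),
}
PEER = {"client": "server", "server": "client"}

class Endpoint:
    def __init__(self, name):
        self.name, self.state = name, "CLOSED"

    def on(self, event):
        """Apply one event; a prohibited event is reported as an error."""
        key = (self.state, event)
        if key not in T:
            raise ValueError(f"{self.name}: {event!r} not allowed in {self.state}")
        self.state, segment = T[key]
        return segment

def run(script):
    """Play local events, delivering every sent segment to the peer.
    Returns (step, client_state, server_state) after each transition."""
    ends = {name: Endpoint(name) for name in PEER}
    trace = []
    for who, event in script:
        while event:
            segment = ends[who].on(event)
            trace.append((f"{who}: {event}", ends["client"].state, ends["server"].state))
            who, event = PEER[who], (f"rcv {segment}" if segment else None)
    return trace

# Server listens, client connects, client closes first, then the server closes.
SCRIPT = [("server", "passive_open"), ("client", "active_open"),
          ("client", "close"), ("server", "close"), ("client", "timeout")]

if __name__ == "__main__":
    for step, client, server in run(SCRIPT):
        print(f"{step:22} client={client:13} server={server}")
```

The trace shows the pair resting in FIN_WAIT_2 / CLOSE_WAIT until the server application itself calls close, which is why a growing number of CLOSE_WAIT rows in netstat output points at the local application rather than at the network.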

Now all you need to know about the netstat command is the syntax for calling it:

netstat [-a] [-e] [-n] [-o] [-p <protocol>] [-r] [-s] [interval]

netstat command options

    Parameter       Usage
    -a              Displays all connections and listening ports
    -e              Displays Ethernet statistics
    -n              Shows addresses and ports in numeric format (IP addresses instead of interface names)
    -o              Displays the owning process ID for each connection
    -p <protocol>   Shows connections for the specified protocol. You can select one of the following protocols: TCP, TCPv6, UDP and UDPv6. When you specify the -s option, you can specify IP, IPv6, ICMP, and ICMPv6.
    -r              Displays the system routing table
    -s              Displays statistics for each protocol separately; by default, statistics are displayed for the TCP, TCPv6, UDP and UDPv6, IP, IPv6, ICMP and ICMPv6 protocols. A subset of protocols can be specified using the -p option.
    interval        The interval in seconds at which the command updates its output. When specifying an interval, the command can be interrupted with a key combination .