BlooPlace – IT Blog

October 11th, 2011

How to quickly find all connections from and to your computer via netstat on any OS

How-to, by admin.

Have you ever wondered how to or just had to check all of the connections coming to your computer, going out from it or just running locally?

This guide will explain to you how to do this on almost all OS (Operating Systems). We will be using the famous command NETSTAT (stands for NETwork STATistics).

This technique works both on WindowsOS (XP, vista, 7, etc.), Linux (Ubuntu, OpenSuse, Backtrack, etc.) and MacOS . I’ll explain first how to do it on Windows, then on some Linux based distributions such as Ubuntu and OpenSuse and lastly on MacOS.

For Windows XP, Vista, 7, 8 (this probably works also on Win98 SE, ME, 2000, server editions, etc.) proceed by:
Click Start->Run->type CMD->hit the OK button.

A small screen with black background and white font color will appear. This is the famous Windows Command Prompt.
Once there, type netsat and hit the Enter key from your keyboard. Then you’ll have to wait for all of the data to be shown. The time, needed for the data to be listed, may vary a lot, based on your computer’s hardware and also the amount of the connections you currently have. This is how it should look

Netsat shown in CMD on windows 7

You will see a grid with a lot of numbers, starting with a line “Proto Local Address Foreign Address State”
Proto – One of the internet protocols with which your system can work, such be TCP or UDP.
Local Address – the local address on your machine. It can be either your localhost (127.0.0.1) or your local IP (such as 192.168.1.1) or your actual internet IP (such as 74.125.39.147). If your system supports IPv6 it will also displays them as well.
Foreign Address – the target or the server which is either accepting or sending the connection. If your system supports IPv6 it will also displays them as well.
State – the current state of the connection. It can be either LISTENING, ESTABLISHED, SYN_WAIT, FIN_WAIT, CLOSE_WAIT, etc.

Most people know this well. Well at least the IT guys xD What most don’t know is that this command actually has quite a few subcommands which give a better overview of the whole mess.

This time type: netstat /? This will show you the help file regarding this command. It should display something like this:

C:\Users\Blooplace.eu>netstat/?
Displays protocol statistics and current TCP/IP network connections.
NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval]

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e Displays Ethernet statistics. This may be combined with the -s option.
-f Displays Fully Qualified Domain Names (FQDN) for foreign addresses.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-t Displays the current connection offload state.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Once there you can pretty much go wild and experiment with every command. Personally I choose the following command since it gives me the most helpful information.

netstat -n -p tcp

This shows all of the addresses in a numerical form (-n) and also shows only the current TCP connections (-p tcp). Of course, for UDP you can modify it to netstat -n -p udp

Another nifty option which this program gives is netstat -e. This will show you all of the currently transmitted data going in and out from your network adapters (such as WLAN, LAN Cards) in bytes.

Netsat shown in CMD on windows 7
How to do it on Linux based systems:

The logic is pretty much the same. Only the information given out may differ. The most important thing is to get in to shell/bash/terminal to execute it.

For Ubuntu, click on Applications->Accessories->Terminal->type netstat and hit enter from your keyboard. It will show you a very long and detailed information.

Netsat shown in CMD on windows 7

For OpenSuSe, click on Computer->input in the Search bar “Terminal” and hit Enter. At least 1  search result will be shown. Click on it and write netstat and then hit Enter from your keyboard. It will show you a very long and detailed information.

Netsat shown in CMD on windows 7

How to do it on MacOS based system:

Click on Applications->Utilities-> Terminal->write netstat and hit Enter from your overpriced keyboard.

Netsat shown in CMD on windows 7

 

You can read a Bulgarian version of this text here.

Back Top

Leave a Reply