Regularly, some - only for diagnostics. I belong to the latter category: I prefer to use this utility to identify the causes of system problems.

The netstat command has ten parameters that allow you to get detailed information to solve a variety of problems. However, no less useful information can be obtained without any parameters.

The most common use of netstat is with the -a option to list all connections and listening ports. Listed below are a few other options that may come in handy when using this utility.

Fully qualified domain name. The -f parameter lets you find out the FQDN for the external address. When netstat is run with this option, names are resolved on both the internal and external networks. Fig. A shows the output of the command.

Figure A

Which process is using which port. The combination of the -a -n -o options lets you find out which process identifier (PID) a particular port corresponds to. The output of the command is shown in Fig. B.


Figure B

And if you add the -b parameter to this combination, friendly names will be shown for each process, as in Fig. C. However, this requires administrator rights.


Figure C

Note: remote addresses pointing to 192.168.1.220:3261 belong to the Windows iSCSI Initiator service and are labeled differently than other service addresses.

Output of the routing table. When you want to figure out why a network connection behaves differently on one computer than on others on the same network, you can use the -r option, which prints the routing table for that system, as shown in Fig. D. Pay attention to the “Persistent routes” section: it lists all static routes configured for Windows Server.


Figure D

These four variations of the netstat command make it much easier

Laboratory work No. 03-005

Netstat network utility. Operating principles and use.

The utility displays active and listening TCP ports, Ethernet statistics, IP routing tables, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols). Run without parameters, netstat displays active TCP connections.

Syntax:

netstat [-a] [-e] [-n] [-o] [-p protocol] [-r] [-s] [interval]

Options:

-a displays all active TCP connections and TCP and UDP ports listening on the computer;

-b displays the executable files involved in creating each active connection. If independent software components were used to create the socket, they are displayed as well;

-e displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s;

-n displays active TCP connections, showing addresses and port numbers in numeric form without attempting to resolve names;

-o lists active TCP connections and includes the process ID (PID) of each connection. The PID lets you find the application on the Processes tab of Windows Task Manager. This parameter can be combined with -a, -n and -p;

-p protocol outputs connections for the protocol given by protocol, which may be tcp, udp, tcpv6 or udpv6. When used together with -s to display protocol statistics, protocol may be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6 or ipv6;

-r displays the contents of the IP routing table. This is equivalent to the command route print;

-s outputs protocol statistics. By default, statistics are displayed for the TCP, UDP, ICMP and IP protocols. If IPv6 is installed on Windows XP, statistics are also displayed for TCP over IPv6, UDP over IPv6, ICMPv6 and IPv6. The -p parameter can be used to select a subset of protocols;

-v used together with -b, displays the sequence of software components involved in creating a socket;

interval redisplays the selected data every interval seconds. Pressing CTRL+C stops the updates. If this parameter is omitted, netstat displays the selected data only once.

/? displays help at the command line.

At the network level in the TCP/IP protocol stack, addressing is carried out using IP addresses. But after the packet is delivered via the IP protocol to the recipient computer with the given IP address, the data must be sent to a specific recipient application process. Each computer can run multiple processes, and an application process can have multiple entry points that simultaneously act as data recipients.

Servicing the communication needs of application processes is the job of the transport layer of the protocol stack, implemented in software either in the operating system kernel, as a separate user process, or as a library module loaded by the network application. Packets arriving at the transport layer are organized by the operating system into a set of queues leading to the entry points of the various application processes. In TCP/IP terminology such system queues are called ports. A port is a software concept used by a client or server to send or receive messages; a port is identified by a 16-bit number. Thus the destination address used by the transport entity is the port identifier (number) of the application service. The port number, together with the network number and the end-node number, uniquely identifies the application process on the network. This set of identifying parameters is called a socket.

Port numbers are assigned to application processes either centrally, if these processes are popular public services (for example, port 21 is assigned to the FTP file transfer service and port 23 to the telnet remote terminal service), or locally, for services that have not yet become widespread enough to be given standard (reserved) numbers. Centralized assignment of port numbers to services is performed by the Internet Assigned Numbers Authority (IANA). These numbers are then fixed and published in Internet standards.

Local port number assignment means that the application developer simply associates any available, arbitrarily chosen numeric identifier with the application, making sure it is not one of the reserved port numbers. Afterwards, all remote requests to this application from other applications must be addressed to the port number assigned to it.

The client initiating a connection, before attempting to connect to the remote application server, requests a free port number from its OS. Ports 0-1023 are usually called privileged; almost all of them are reserved and are not allocated to client processes. This does not mean there are no assigned port numbers above that range, but they are used much less often and, being free on a given host, may well be given to a client program.

UDP (UserDatagrammProtocol) is a simple datagram-oriented transport layer protocol: a process issues one UDP datagram at a time, resulting in one IP datagram being transmitted. The protocol does not establish a connection and does not confirm to the sender that the message has been delivered.

TCP (Transmission Control Protocol) provides a connection-based, reliable byte stream service. It is used in cases where guaranteed delivery of messages is required. It uses packet checksums to verify packet integrity and relieves application processes of the need for timeouts and retransmissions to ensure reliability.

The term connection-oriented means that two applications using TCP (typically a client and a server) must establish a TCP connection with each other before they can exchange data.

There are always two endpoints that communicate with each other using a TCP connection. TCP does not do broadcasts or multicasts.

The steps required to establish and terminate a TCP connection can be represented as a model with 11 possible states:

State         Description

CLOSED        Closed. The connection is not active and is not in the process of being established

LISTEN        Listening. The server is waiting for an incoming request

SYN RCVD      A connection request has arrived; waiting for confirmation

SYN SENT      Connection request sent. The application has started opening a connection

ESTABLISHED   Established. Normal data transfer state

FIN WAIT 1    The application has reported that it has nothing more to send

FIN WAIT 2    The other side has agreed to terminate the connection

TIMED WAIT    Wait until all packets have died out of the network

CLOSING       Both sides have tried to close the connection at the same time

CLOSE WAIT    The other side has initiated a disconnect

LAST ACK      Wait until all packets have died out of the network

In each of these states, allowed and prohibited events can occur. In response to an allowed event, a specific action may be taken. When a prohibited event occurs, an error is reported.

Each connection starts in the CLOSED state. It leaves this state by making either an active (CONNECT) or a passive (LISTEN) attempt to open a connection. If the other side performs the complementary action, the connection is established and enters the ESTABLISHED state. Either party can initiate termination of the connection. Once the disconnection process is complete, the connection returns to the CLOSED state.

Self-test questions

    Port as a transport layer addressing element. Socket.

    Locally and centrally assigned ports.

    Basic transport layer protocols of the TCP/IP stack. Their brief description.

    Mapping network connections to processes running on a computer.

    Netstat utility parameters.

Necessary equipment

An IBM PC-compatible computer with a licensed Windows operating system, a local network connection and Internet access.

Tasks

Before starting the tasks, restart your computer and do not launch any applications.

1. Using the netstat command, view the Ethernet connection statistics.

2. Using the netstat command, view the statistics of network protocols.

3. Using the netstat command, view the statistics of the ICMP protocol (the output should contain data only for this protocol).

4. Use the netstat command to view a list of all TCP connections and UDP listening ports.

5. Launch your browser and establish a connection to any site. Repeat the previous task and comment on the result.

6. Using the netstat command, identify any 5 processes listening on UDP ports. Specify the name of the processes and numbers of listening ports.

7. Using the netstat command, determine the active TCP connections, their port numbers, and the names of the executable files of the applications using these connections.

Submit a report on the completion of the work in printed or electronic form with copies of the utility operation screens.

Hello everyone. Earlier I started a series about a system administrator's network utilities in the article “The pathping utility, or how to diagnose a problem on the route to a site. Network utilities, part 3”; we move on and analyze another utility, netstat, or how to determine which ports your computer is listening on. This program will be an indispensable tool in the toolkit of any system engineer; it helps to quickly diagnose a situation and detect various problems with services and their availability.

netstat commands

netstat displays active TCP connections, ports the computer is listening on, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP and UDP protocols) and IPv6 statistics (for the IPv6, ICMPv6, TCP over IPv6 and UDP over IPv6 protocols).

Let's imagine a situation: you have installed, say, the MSM LSI utility to view the parameters of a RAID controller; you launch it, but it finds nothing because the port it needs is closed, you don't know which port that is, and it is not always possible to quickly find this information on the Internet. In that case you can run netstat and see which port the MSM process on your server is listening on.

Open the Windows command line and enter netstat ?. The utility's help will appear.

C:\Users\sem>netstat ?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-x] [-t]
[interval]

  • -a Displays all connections and listening ports.
  • -b Displays the executable involved in creating each connection or listening port. Sometimes well-known executables host many independent components; in that case the sequence of components involved in creating the connection or listening port is displayed. The name of the executable is then at the bottom in brackets, above it the component it called, and so on until TCP/IP is reached. Note that this option can be time-consuming and requires sufficient permissions.
  • -e Displays Ethernet statistics. Can be combined with the -s option.
  • -f Displays fully qualified domain names (FQDN) for foreign addresses.
  • -n Displays addresses and port numbers in numeric form.
  • -o Displays the owning process ID of each connection.
  • -p protocol Displays connections for the specified protocol; protocol may be TCP, UDP, TCPv6 or UDPv6. When used with the -s option to display per-protocol statistics, protocol may be IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP or UDPv6.
  • -r Displays the contents of the routing table.
  • -s Displays per-protocol statistics. By default, statistics are shown for the IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP and UDPv6 protocols; the -p option may be used to specify a subset of these.
  • -t Displays the offload state of the current connections.
  • -x Displays NetworkDirect connections, listeners and shared endpoints.
  • -y Displays the TCP connection template for all connections. Cannot be combined with the other options.
  • interval Redisplays the selected statistics, pausing interval seconds between displays. Press CTRL+C to stop. If this parameter is omitted, netstat prints the current configuration information once.

Let's look at the interesting keys of the netstat utility. The first thing we enter is netstat -e, and statistics on Ethernet packets appear on our screen.

If we add the -s switch, we will get statistics on protocols.

It is very useful to see everything your host is listening on; for this we write netstat -a.

The command output contains the protocol type (TCP or UDP), the local address with the port being listened on, the foreign address with its port, and the connection state.

To fully understand the information provided by this command, you must understand the principles of connection establishment in the TCP/IP protocol. Here are the main steps in the process of establishing a TCP/IP connection:

1. When attempting to establish a connection, the client sends a SYN message to the server.

2. The server responds with its own SYN message and an acknowledgment (ACK).

3. The client then sends an ACK message back to the server, completing the connection setup process.

The disconnection process consists of the following steps:

1. The client says "I'm done" by sending a FIN message to the server. At this stage, the client only receives data from the server, but does not send anything itself.

2. The server then sends an ACK message and sends its own FIN message to the client.

3. The client then sends an ACK message to the server, acknowledging the server's FIN.

4. When the server receives an ACK message from the client, it closes the connection.

Understanding the steps in the connection setup and termination process allows you to more transparently interpret connection states in netstat command output. Connections in the list can be in the following states:

  • CLOSE_WAIT - indicates the passive phase of closing the connection, which begins after the server receives a FIN message from the client.
  • CLOSED - the connection was interrupted and closed by the server.
  • ESTABLISHED - the client established a connection with the server by receiving a SYN message from the server.
  • FIN_WAIT_1 - the client initiated closing the connection (sent a FIN message).
  • FIN_WAIT_2 - the client received ACK and FIN messages from the server.
  • LAST_ACK - the server sent a FIN message to the client.
  • LISTEN - the server is ready to accept incoming connections.
  • SYN_RECEIVED - the server received a SYN message from the client and sent it a response.
  • TIMED_WAIT - the client sent a FIN message to the server and is waiting for a response to this message.
  • SYN_SEND - the specified connection is active and open.
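The 11-state model from the lab table above and the handshake and teardown steps just listed, worked through as an added Python example (not code from either of the original articles): a transition table keyed by (state, event), two endpoints that hand each other the segments they send, and rejection of any event that is not allowed in the current state, which is how the text says prohibited events are handled. State names use netstat's spelling (TIME_WAIT, SYN_RCVD); the event names are this example's own.

```python
# Transition table for the 11-state TCP model: (state, event) -> (next state, segment sent).
# recv_* events are segments arriving from the peer; the rest come from the local application
# or a timer. Any (state, event) pair missing from the table is a prohibited event.
TRANSITIONS = {
    ("CLOSED", "passive_open"):     ("LISTEN", None),
    ("CLOSED", "active_open"):      ("SYN_SENT", "SYN"),
    ("LISTEN", "recv_SYN"):         ("SYN_RCVD", "SYN+ACK"),
    ("LISTEN", "close"):            ("CLOSED", None),
    ("SYN_SENT", "recv_SYN+ACK"):   ("ESTABLISHED", "ACK"),
    ("SYN_SENT", "recv_SYN"):       ("SYN_RCVD", "SYN+ACK"),   # simultaneous open
    ("SYN_SENT", "close"):          ("CLOSED", None),
    ("SYN_RCVD", "recv_ACK"):       ("ESTABLISHED", None),
    ("SYN_RCVD", "close"):          ("FIN_WAIT_1", "FIN"),
    ("ESTABLISHED", "close"):       ("FIN_WAIT_1", "FIN"),     # teardown step 1
    ("ESTABLISHED", "recv_FIN"):    ("CLOSE_WAIT", "ACK"),     # teardown step 2 (the ACK)
    ("FIN_WAIT_1", "recv_ACK"):     ("FIN_WAIT_2", None),
    ("FIN_WAIT_1", "recv_FIN"):     ("CLOSING", "ACK"),        # simultaneous close
    ("FIN_WAIT_1", "recv_FIN+ACK"): ("TIME_WAIT", "ACK"),
    ("FIN_WAIT_2", "recv_FIN"):     ("TIME_WAIT", "ACK"),      # teardown step 3
    ("CLOSING", "recv_ACK"):        ("TIME_WAIT", None),
    ("CLOSE_WAIT", "close"):        ("LAST_ACK", "FIN"),       # teardown step 2 (the FIN)
    ("LAST_ACK", "recv_ACK"):       ("CLOSED", None),          # teardown step 4
    ("TIME_WAIT", "timeout_2msl"):  ("CLOSED", None),          # wait for stray packets to die
}

class TcpEndpoint:
    """One side of a connection; records every state it passes through."""

    def __init__(self, name):
        self.name, self.state, self.history = name, "CLOSED", ["CLOSED"]

    def fire(self, event):
        """Apply an event; returns the segment to send to the peer (or None)."""
        key = (self.state, event)
        if key not in TRANSITIONS:   # prohibited event in this state: report an error
            raise ValueError(f"{self.name}: {event!r} is not allowed in state {self.state}")
        self.state, sent = TRANSITIONS[key]
        self.history.append(self.state)
        return sent

    def receive(self, segment):
        # Deliver a segment sent by the peer; None means nothing was sent.
        return self.fire("recv_" + segment) if segment else None

def run_session():
    """Three-way handshake followed by the client-initiated close described above.
    Returns the (client, server) state histories."""
    client, server = TcpEndpoint("client"), TcpEndpoint("server")
    server.fire("passive_open")                 # server waits in LISTEN
    seg = client.fire("active_open")            # handshake 1: client sends SYN
    seg = server.receive(seg)                   # handshake 2: server answers SYN+ACK
    seg = client.receive(seg)                   # handshake 3: client sends ACK
    server.receive(seg)                         # both sides are now ESTABLISHED
    seg = client.fire("close")                  # close 1: client sends FIN
    seg = server.receive(seg)                   # close 2a: server ACKs the FIN
    client.receive(seg)                         # client moves to FIN_WAIT_2
    seg = server.fire("close")                  # close 2b: server sends its own FIN
    seg = client.receive(seg)                   # close 3: client ACKs, enters TIME_WAIT
    server.receive(seg)                         # close 4: server is CLOSED
    client.fire("timeout_2msl")                 # TIME_WAIT expires
    return client.history, server.history

def is_prohibited(prior_events, event):
    """True if event is rejected after replaying prior_events on a fresh endpoint."""
    ep = TcpEndpoint("probe")
    for e in prior_events:
        ep.fire(e)
    try:
        ep.fire(event)
        return False
    except ValueError:
        return True
```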

If you add the -f switch, the names of remote external resources will be resolved.

The netstat command displays various network data, such as network connections, the routing table, interface statistics, masqueraded connections and multicast memberships.

In this article, let's look at 10 practical examples of the netstat command on Unix.

1. List of all ports (both listening and non-listening ports)

List all ports using the netstat -a command

# netstat -a | more
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 localhost:30037         *:*                     LISTEN
udp        0      0 *:bootpc                *:*

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     6135   /tmp/.X11-unix/X0
unix  2      [ ACC ]     STREAM     LISTENING     5140   /var/run/acpid.socket

List all TCP ports using netstat -at

# netstat -at
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

Listing all UDP ports using netstat -au

# netstat -au
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 andreyex.ru:50053       google-public-dn:domain ESTABLISHED

2. List of sockets that are in listening state

List only listening ports using netstat -l

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only TCP listening ports using netstat -lt

# netstat -lt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 localhost:webcache      0.0.0.0:*               LISTEN
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN

List only listening UDP ports using netstat -lu

# netstat -lu
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 site:domain             0.0.0.0:*
udp        0      0 localhost:domain        0.0.0.0:*

List only UNIX listening ports using netstat -lx

# netstat -lx
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING     19693  tmp/core.adm.internal
unix  2      [ ACC ]     SEQPACKET  LISTENING     8723   /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     12566  /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     16948  /var/run/fail2ban/fail2ban.sock
unix  2      [ ACC ]     STREAM     LISTENING     19702  tmp/core.sock

3. Show statistics for each protocol

Show statistics for all ports using netstat -s

# netstat -s
Ip:
    190566 total packets received
    0 forwarded
    0 incoming packets discarded
    189618 incoming packets delivered
    170462 requests sent out
    16 dropped because of missing route
Icmp:
    74 ICMP messages received
    0 input ICMP message failed.
    ICMP input histogram:
        destination unreachable: 22
        echo requests: 52
.....

Show statistics for TCP (or) UDP ports using netstat -st (or) -su

# netstat -st
# netstat -su

4. PID and program names in netstat output using netstat -p command

The netstat -p option can be combined with any other netstat option. It adds a "PID/Program name" column to the netstat output, which is very useful when debugging to determine which program is running on a specific port.

# netstat -pt
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:56642         localhost:46846         TIME_WAIT   -
tcp        0      0 localhost:56642         localhost:46748         TIME_WAIT   -

5. Don't resolve host, port and username in netstat output

If you do not want hostnames, port names or user names displayed, use netstat with the -n option. Everything is then shown numerically, and no hostname, port name or user name is resolved.

This also speeds up the output since netstat doesn't do any lookups.

# netstat -an

If you don't want one of these three items (port or host or user), use the following commands.

# netstat -a --numeric-ports
# netstat -a --numeric-hosts
# netstat -a --numeric-users

6. Continuous printing of netstat information

With the -c option, netstat prints its information continuously, refreshing every few seconds.

132.93.178:24080        ESTABLISHED
tcp        0      0 localhost:56642         localhost:47258         TIME_WAIT
tcp        0      0 localhost:56642         localhost:47150         TIME_WAIT
^C

To stop the output, press Ctrl+C.

7. Find out which address families your system supports

netstat --verbose

At the end of the output you will see something like this:

netstat: no support for `AF IPX' on this system.
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.

8. Display kernel routing information with netstat -r

# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         gw.msk.ispsyste 0.0.0.0         UG        0 0          0 eth0
213.159.208.0   0.0.0.0         255.255.254.0   U         0 0          0 eth0

Note:

Use netstat -rn to display the routes in numeric form without hostname resolution.

9. Find out what port the program is running on

# netstat -ap | grep ssh
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:28456           0.0.0..132.93..132.93. 178:13106 ESTABLISHED 2393/sshd: andreyex
tcp6       0      0 [::]:28456              [::]:*                  LISTEN      779/sshd

Find out which process is using a specific port:

# netstat -an | grep ":80"

10. Show a list of network interfaces

# netstat -i
Kernel Interface table
Iface   MTU    RX-OK    RX-ERR RX-DRP RX-OVR TX-OK   TX-ERR TX-DRP TX-OVR Flg
eth0    1555   2765202  0      0      0      86602   0      0      0      BMRU
lo      65536  93149    0      0      0      93149   0      0      0      LRU

Display extended information about interfaces (similar to ifconfig) using netstat -ie:

# netstat -ie
Kernel Interface table
eth0: flags=4163  mtu 1550
        inet 213.159.209.228  netmask 255.255.254.0  broadcast 213.159.209.255
        inet6 fe80::5054:ff:fe80:19a4  prefixlen 64  scopeid 0x20
        ether 52:54:00:80:19:a4  txqueuelen 1000  (Ethernet)
        RX packets 2772322  bytes 189451708 (180.6 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 86767  bytes 137897931 (131.5 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
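To tie together the Windows -a -n -o use described at the top of the page (which process owns which port, including the MSM scenario) and the Linux -l / -p listings above, here is an added Python example, not code from any of the articles, that parses both output layouts from constructed samples, answers which PID owns a given port, and lists sockets bound on all interfaces that are missing from a baseline allowlist. The sample output, the PIDs and the allowlist are all constructed for the example.

```python
# Constructed sample of Windows "netstat -a -n -o" output (not taken from the page).
WINDOWS_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2210
  TCP    192.168.1.10:49712     192.168.1.220:3260     ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1388
"""

# Constructed sample of Linux "netstat -tulpn" output (not taken from the page).
LINUX_SAMPLE = """
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      779/sshd
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1503/python3
tcp6       0      0 :::3306                 :::*                    LISTEN      2044/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           655/dhclient
"""

# Local addresses that mean "every interface", i.e. reachable from other hosts.
ANY_ADDR = {"0.0.0.0", "::", "*"}

def split_addr(endpoint):
    """Split 'host:port' into (host, port); handles ':::22' and '[::]:135'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)

def parse_listeners(text):
    """Extract listening sockets from Windows -ano or Linux -tulpn output."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].upper() not in ("TCP", "UDP", "TCP6", "UDP6"):
            continue                                   # headers and blank lines
        if f[0].isupper():                             # Windows layout
            state = f[3] if f[0] == "TCP" else "LISTENING"   # UDP rows have no State column
            if state != "LISTENING":
                continue
            local, pid, program = f[1], int(f[-1]), None
        else:                                          # Linux layout (Recv-Q/Send-Q columns)
            tcp = f[0].startswith("tcp")
            if tcp and f[5] != "LISTEN":
                continue
            local, pid, program = f[3], None, None
            pid_prog = " ".join(f[6 if tcp else 5:])   # "779/sshd", "2393/sshd: user", or "-"
            if "/" in pid_prog:
                pid_s, program = pid_prog.split("/", 1)
                pid = int(pid_s)
        host, port = split_addr(local)
        found.append({"proto": f[0].lower().rstrip("6"), "addr": host, "port": port,
                      "pid": pid, "program": program, "exposed": host in ANY_ADDR})
    return found

def owner_of_port(listeners, port):
    """Which process owns a listening port: the -a -n -o (Windows) / -p (Linux) question."""
    return [(l["pid"], l["program"]) for l in listeners if l["port"] == port]

def audit(listeners, allowed):
    """Sockets listening on all interfaces whose (proto, port) is not in the baseline."""
    return sorted((l["proto"], l["port"], l["pid"]) for l in listeners
                  if l["exposed"] and (l["proto"], l["port"]) not in allowed)

if __name__ == "__main__":
    for sample in (WINDOWS_SAMPLE, LINUX_SAMPLE):
        for proto, port, pid in audit(parse_listeners(sample), {("tcp", 22), ("tcp", 135)}):
            print(f"unexpected {proto} listener on port {port} (pid {pid})")
```

On a real host, feed the function the captured text of netstat -a -n -o (Windows) or netstat -tulpn (Linux) and keep the allowlist under version control so that a new listener shows up as a diff.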