Tuesday, April 19, 2011

NETSTAT Commands in Windows

Though there are many tools for monitoring network connectivity, this command is the one I reach for first to check that the network is working. It shows which connections are present.

netstat [-a][-b][-e][-f][-n][-o][-p proto][-r][-s][-t][interval]


Table I. Switches for Netstat command

Switch      Description
-a          Displays all connections and listening ports
-b          Displays the executable involved in creating each connection or listening port. (Added in XP SP2.)
-e          Displays Ethernet statistics
-f          Displays Fully Qualified Domain Names for foreign addresses. (Windows Vista/7 only)
-n          Displays addresses and port numbers in numerical form
-o          Displays the owning process ID associated with each connection
-p proto    Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6.
-r          Displays the routing table
-s          Displays per-protocol statistics
-t          Displays the current connection offload state (Windows Vista/7)
-v          When used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for all executables. (Windows XP SP2, SP3)
[interval]  An integer that makes netstat redisplay the results repeatedly, with the specified number of seconds between displays. Continues until stopped with Ctrl+C. The default is to display once.

Checking TCP/IP connections:

TCP and UDP connections, with their IP addresses and ports, can be listed by combining two switches: netstat -an

Table II. Description of various connection states

State          Description
CLOSED         Indicates that the server has received an ACK signal from the client and the connection is closed
CLOSE_WAIT     Indicates that the server has received the first FIN signal from the client and the connection is in the process of being closed
ESTABLISHED    Indicates that the server received the SYN signal from the client and the session is established
FIN_WAIT_1     Indicates that the connection is still active but not currently being used
FIN_WAIT_2     Indicates that the client just received acknowledgment of the first FIN signal from the server
LAST_ACK       Indicates that the server is in the process of sending its own FIN signal
LISTENING      Indicates that the server is ready to accept a connection
SYN_RECEIVED   Indicates that the server just received a SYN signal from the client
SYN_SEND       Indicates that this particular connection is open and active
TIME_WAIT      Indicates that the client recognizes the connection as still active but not currently being used

Checking for malware by looking at which programs initiate connections

To find out which programs are making connections with the outside world, we can use the command netstat -b.

It is better to check over a period of time, so we can add a number that makes the command run at fixed intervals. It is also best to keep a written record of the connections made over that period. The command can then be written as

netstat -b 5 >> C:\connections.txt

The 5 makes netstat repeat its output every 5 seconds. Press Ctrl+C to stop execution.

To find the program behind a PID, look it up in Task Manager; to show the PID column there, open the View menu and add the PID column. You can also end the program related to a PID from Task Manager.

Switches can be combined, e.g. netstat -ano or netstat -nb 20.
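As an added example (not from the original post), this PowerShell script automates the logging described above: it snapshots netstat -ano at the interval, resolves each PID to its process name and image path with Get-Process, and appends timestamped rows to a CSV, which netstat's own interval output lacks. The output path and interval are placeholder values.

```powershell
# Added example (not from the original post): log which process owns each connection.
# Runs `netstat -ano`, resolves every PID with Get-Process and appends timestamped CSV rows.
# $OutFile and the interval are placeholder values; change them to suit.
param(
    [string]$OutFile = 'C:\connections.csv',
    [int]$IntervalSeconds = 5,
    [int]$Rounds = 3          # 0 = keep running until Ctrl+C
)

function Get-NetstatSnapshot {
    # One object per TCP/UDP line. TCP lines have a State column; UDP lines do not,
    # so the PID is read as the last field rather than by fixed position.
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f[0] -ne 'TCP' -and $f[0] -ne 'UDP') { return }   # skip header/blank lines
        $ownerPid = [int]$f[-1]
        $state    = if ($f[0] -eq 'TCP') { $f[3] } else { '' }
        $p        = $procs[$ownerPid]
        # Path is empty for protected processes unless the shell is elevated
        $name = if ($p) { $p.ProcessName } else { '(exited before lookup)' }
        $path = if ($p -and $p.Path) { $p.Path } else { '' }
        [pscustomobject]@{
            Time = $stamp; Proto = $f[0]; Local = $f[1]; Foreign = $f[2]
            State = $state; PID = $ownerPid; Process = $name; Path = $path
        }
    }
}

$round = 0
while ($Rounds -eq 0 -or $round -lt $Rounds) {
    # Keep live traffic only: ESTABLISHED TCP sessions and UDP sockets.
    # LISTENING and TIME_WAIT entries are dropped to keep the log readable.
    Get-NetstatSnapshot |
        Where-Object { $_.Proto -eq 'UDP' -or $_.State -eq 'ESTABLISHED' } |
        Export-Csv -Path $OutFile -Append -NoTypeInformation
    $round++
    if ($Rounds -eq 0 -or $round -lt $Rounds) { Start-Sleep -Seconds $IntervalSeconds }
}
```

Open the resulting CSV in a spreadsheet and sort by Process to spot programs you do not expect to be talking to foreign addresses.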
