netstat


The netstat command allows you to check the state of ports on the local host.

  • used to:
    • check for service misconfigurations
      • e.g., host running a web or FTP server that a user installed without authorization
    • identify suspicious remote connections to services on the local host or from the host to remote IP addresses

Usage

Windows

  • on Windows,
    • netstat outputs active TCP connections showing the local and foreign addresses and ports
    • netstat -a displays all open ports
      • includes:
        • active TCP and UDP connections
        • ports in the listening state
    • netstat -p TYPE shows connections by TYPE (TCP, TCPv6, UDP, or UDPv6)
    • -o shows the process ID (PID) that has opened the port
    • -b shows the process name
    • -e reports Ethernet statistics
    • netstat nn runs netstat continuously, where nn is the refresh interval in seconds

Linux

  • on Linux,
    • netstat shows active connections of any type
    • to show different connection types:
      • -t for TCP
      • -u for UDP
      • -w for raw connections
      • -x for UNIX sockets/local server ports
    • netstat -a shows active connections and ports in the listening state
    • netstat -l shows only ports in the listening state
      • omits established connections
    • netstat -4/6 filters sockets by IPv4 or IPv6 addresses
    • -p shows the PID and process name
    • -i reports interface (Ethernet) statistics
    • -c runs netstat continuously

Info

  • netstat on Linux is part of the deprecated net-tools package
  • the preferred package is iproute2
    • contains a number of different commands to replace netstat functionality
  • most port scanning functions are performed by ss
  • interface statistics are reported by nstat

Both

  • on both OSes,
    • netstat -n displays ports and addresses in numerical format
      • skipping name resolution speeds up each query
    • netstat -s reports per protocol statistics
      • packets received, errors, discards, unknown requests, port requests, failed connections, etc.
    • -r displays the routing table
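
The unauthorized-service check from the top of these notes, as an added example (not part of the original notes): it parses numeric netstat output from either OS (Linux `netstat -tulnp`, Windows `netstat -ano`) and reports listening ports that are not in an approved baseline. The sample output, the baselines and the function names are constructed for illustration.

```python
# Constructed `netstat -tulnp` output (Linux); not captured from a real host.
LINUX = """\
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  812/sshd
tcp        0      0 0.0.0.0:21       0.0.0.0:*        LISTEN  4410/vsftpd
tcp6       0      0 :::80            :::*             LISTEN  977/nginx: master
udp        0      0 127.0.0.1:323    0.0.0.0:*                640/chronyd
"""
# Constructed `netstat -ano` output (Windows).
WINDOWS = """\
  Proto  Local Address    Foreign Address   State        PID
  TCP    0.0.0.0:135      0.0.0.0:0         LISTENING    1044
  TCP    0.0.0.0:8080     0.0.0.0:0         LISTENING    5120
  TCP    10.0.0.5:49712   203.0.113.9:443   ESTABLISHED  3312
  UDP    0.0.0.0:5353     *:*                            2208
"""

def listeners(netstat_output):
    """Yield (proto, port, local_address, owner) for each listening socket."""
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0].lower()[:3] not in ("tcp", "udp"):
            continue  # header, blank line, or UNIX-socket section
        proto = fields[0].lower()[:3]  # tcp6/udp6 fold into tcp/udp
        # Linux prints Recv-Q and Send-Q before the addresses; Windows does not.
        i = 3 if len(fields) > 1 and fields[1].isdigit() else 1
        if len(fields) < i + 2:
            continue
        local, foreign, rest = fields[i], fields[i + 1], fields[i + 2:]
        # The state column is empty for UDP, so the next token may be the owner.
        state = rest.pop(0) if rest and rest[0].replace("_", "").isalpha() else ""
        port = local.rsplit(":", 1)[-1]
        if not port.isdigit():
            continue  # output was not produced with -n
        # UDP has no LISTEN state: a wildcard foreign address means a bound socket.
        if state in ("LISTEN", "LISTENING") or (proto == "udp" and foreign.endswith("*")):
            yield proto, int(port), local, " ".join(rest) or "?"

def unexpected(netstat_output, approved):
    """Return listeners whose (proto, port) is not in the approved baseline."""
    return [l for l in listeners(netstat_output) if (l[0], l[1]) not in approved]

if __name__ == "__main__":
    for hit in unexpected(LINUX, {("tcp", 22), ("tcp", 80), ("udp", 323)}):
        print("unapproved listener:", hit)
```

The owner column is only populated when netstat is run with `-p` (Linux) or `-o` (Windows), usually with elevated privileges.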