1.0. INTRODUCTION
The netstat command is available from within the Command Prompt in most
versions of Windows including Windows 8, Windows 7, Windows Vista, Windows
XP, Windows Server operating systems, and some older versions of Windows
too.
Netstat allows you to display statistics about your Ethernet interface. If
any errors are indicated in the display, you might have problems with your
network connection that are slowing the network down. If the error packets
approach 1% of the total number of packets, something is probably wrong with
your NIC or physical interface.
1. Open the Command Prompt (or DOS prompt).
2. Type in netstat to list all current network connections, not just
inbound but outbound as well.
3. You should see a list of connections. This is useful for finding live
attacks.
4. Type in netstat -? to see the options for this command. You should see
-a, -e and others.
5. Now type in netstat -a
6. Type in netstat -e. These statistics include the number of bytes and
packets received and sent through the Ethernet interface.
7. Type in netstat -f. This shows statistics for all active
connections.
8. To see statistics for all protocols, type netstat -s and press Enter.
9. To limit the display to just IP statistics, type netstat -ps IP and
press Enter.
10. To see your active network statistics updated every 5 seconds, type
netstat -e -t 5 and press Enter. Press Ctrl+C to stop the program.
11. Type netstat -o. This shows active TCP connections, but it also
displays the corresponding process identifier [-o] for each connection so
you can determine which program on your computer initiated each one.
12. Pay attention to the PID column. In some cases, the PIDs are all the same,
meaning that the same program on your computer opened these connections.
However, to determine what program is represented by the PID of, say, 2948 on
your computer, all you have to do is open Task Manager, click on the
Processes tab, and note the Image Name listed next to the PID you are
looking for in the PID column. Go ahead and try this. Also, please be
aware that using the netstat command with the -o option can be very helpful
when tracking down which program is using too big a share of your bandwidth.
It can also help locate the destination where some kind of malware, or even
an otherwise legitimate piece of software, might be sending information
without your permission.
Note: While this and the previous example were both run on the same computer,
and within just a minute of each other, you can see that the list of active TCP
connections is considerably different. This is because your computer is
constantly connecting to, and disconnecting from, various other devices on
your network and over the Internet.
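As an added illustration of steps 11 and 12 (not part of the original lab), the script below does the PID-to-Image-Name lookup programmatically by joining netstat -ano output with tasklist /FO CSV output. Both samples are constructed, not captured from a real host, and the function names are my own.

```python
import csv
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49712     93.184.216.34:443      ESTABLISHED     2948
  TCP    192.168.1.10:49713     93.184.216.34:443      ESTABLISHED     2948
  TCP    192.168.1.10:49720     203.0.113.9:8080       ESTABLISHED     2948
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5353           *:*                                    1200
"""

# Constructed sample of `tasklist /FO CSV` output for the same imaginary host.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","880","Services","0","12,345 K"
"chrome.exe","2948","Console","1","150,000 K"
"updater.exe","1200","Console","1","4,000 K"
'''

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) rows from netstat -ano output; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue  # malformed line: skip rather than guess
        rows.append((proto, local, foreign, state, int(pid)))
    return rows

def parse_tasklist(text):
    """Map PID -> Image Name from tasklist /FO CSV output (csv handles the quoted fields)."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(text.splitlines())}

def connections_by_process(netstat_text, tasklist_text):
    """Group each PID's foreign endpoints and attach the owning image name (the step 12 lookup)."""
    names = parse_tasklist(tasklist_text)
    grouped = defaultdict(list)
    for proto, _local, foreign, state, pid in parse_netstat(netstat_text):
        grouped[pid].append((proto, foreign, state))
    return {pid: (names.get(pid, "<unknown>"), conns) for pid, conns in grouped.items()}
```

On a live Windows host, feed the real output of the two commands into connections_by_process; a PID that groups many foreign endpoints under an unfamiliar image name is the case step 12 tells you to investigate.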
13. To display ICMP information, type netstat -ps ICMP and press Enter. A
variety of ICMP message types are displayed along with how many of each type
of message were received and sent. Most, if not all, will be Echo and Echo
Reply messages.
14. Ask a fellow student for their IP address, then ping it, e.g. type ping
193.61.191.71 and press Enter. This command should generate ICMP
Destination Unreachable messages.
15. To see whether the number of Destination Unreachable messages has increased,
type netstat -ps ICMP and press Enter. The ICMP TTL-Expired messages
used in Tracert are called Time Exceeded messages in Netstat.
16. Type tracert www.mmust.ac.ke and press Enter.
17. To see whether the number of Time Exceeded messages has increased, type
netstat -ps ICMP and press Enter.
18. To display your computer's routing table, type netstat -r and press Enter.
Every computer has a routing table it uses to decide which interface to send
packets to. The first entry lists the network destination as 0.0.0.0, which
is the entry for your default gateway.
19. Finally, type netstat -s -p tcp -f. Here we wish to see protocol
specific statistics [-s] but not all of them, just TCP stats [-p tcp]. We
also want the foreign addresses displayed in FQDN format [-f]. Please scroll
up in the command window to see the TCP stats displayed before the list of
active connections.