netstat

The Windows help screen (analogous to a Linux or UNIX man page) for netstat reads as follows:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT -a -b -e -n -o -p proto -r -s -v interval

-a	Displays all connections and listening ports.
-b	Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e	Displays Ethernet statistics. This may be combined with the -s option.
-n	Displays addresses and port numbers in numerical form.
-o	Displays the owning process ID associated with each connection.
-p proto	Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r	Displays the routing table.
-s	Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-v	When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.
interval	Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Careful perusal of this information informs the reader that netstat not only documents active TCP and UDP connections and related port addresses but that it can also tie established TCP or UDP connections to the executable files, runtime components, and process IDs that opened or use them. Netstat can also provide counts of bytes and packets sent and received via Ethernet, including unicast and non-unicast packets, discards, errors, and unknown protocols. Netstat can also show connections for transport layer protocols for IPv4 and IPv6, display routing table contents, and can redisplay selected statistics at regular intervals.

Netstat can be a helpful forensic tool when trying to determine what processes and programs are active on a computer and involved in networked communications. It can provide telltale signs of malware compromise under some circumstances and is a good tool to use to observe what kinds of communications are underway at any given time.

Read more about netstat: - Learn Security Online offers an introductory tutorial about netstat. - Antionline forums explore netstat in 'Maximum security for a connected world.' - Microsoft Help and Support explains 'TCP Connection States and Netstat Output.' - Microsoft Windows XP Professional product documentation offers a netstat command help file.

Do you have something to add to this definition? Let us know. Send your comments to techterms@whatis.com

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Understand Windows tracert output to troubleshoot network connectivity Use this tip to troubleshoot Windows network connectivity problems from the command line interface using tracert. Each line in the tracert output is... Network management and monitoring market remains crowded, fragmented The network management and monitoring market is crowded and fragmented, and network managers have more tools than they know what to do with. When do applications suffer from poor network performance? Poor network performance causes applications to suffer in an enterprise. Find out at what point packet loss between client and server starts causing...

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary 10-high-day busy period  (SearchNetworking.com) ACK  (SearchNetworking.com)