Search Tools Links Login

IP and Port Info Using Netstat

Ever wonder if there is any easy way to find out what your computer is listening for? Want to know where it is connecting to? NetStat can tell you.

Use of Netstat

To open Netstat you must do the following: Click on the Start button then click Programs then look for Ms-Dos Prompt. If you're running Vista or Windows 7, you could simply press the Windows key, type CMD, then press Enter.

Netstat is a very helpful tool that has many uses. I personally use Netstat to monitor what ports my computer is listening on, as well as find out what remote computers my machine is talking to. Also you can use Netstat go monitor your port activity for attackers sending syn requests (part of the TCP/IP 3 way handshake) or just to see what ports are listening/Established. Look at the example below for the average layout of a response to typing Netstat at the command prompt.

C:\WINDOWS> netstat

Active Connections

Proto Local Address Foreign Address State
MyComputer:25872 SomeHost:1045 ESTABLISHED
MyComputer:25872 ESTABLISHED
MyComputer:31580 SomeHost:1046 ESTABLISHED
MyComputer:2980 ESTABLISHED
MyComputer:3039 ESTABLISHED

Now look above at the example. You will see Proto on the top left. This just tells you if the protocol is TCP/UDP etc.

Next, to the right you will see Local Address this just tells you the local IP/Hostname:Port open.

Moving a bit further to the right, you will see Foreign Address this will give you the remote computers IP/Hostname and port in the format of IP:Port with ":" in between the port and IP.

And finally you will see State Which simply states the STATE of the connection. This can be Established if it is connected or waiting connect if its listening.

Now with this knowledge we will dive into deeper on how to use this for monitoring and port activity and detecting open ports in use.

Detecting Open ports

Now so you are noticing something funny is going on with your computer? Your cd-rom tray is going crazy... opening and closing when your doing nothing. And you say What the heck is going on. Or you realize someones been messing with a trojan on your computer. So now your goal is to locate what trojan it is so you can remove it right? Well you're right. So you go to your command prompt. There are many different ways to use NetStat. I've excerpted the help file below, which includes the syntax, as well as an explanation of the switches.

NETSTAT [options] [-p protocol] [interval]
-a Display all connections and listening ports.
-e Display Ethernet statistics. (may be combined with -s)
-n Display addresses and port numbers in numerical form.
-r Display the routing table.
-o Display the owning process ID associated with each connection. (XP only)
-p protocol Show only connections for the protocol specified; may be either: TCP or UDP. Windows 2K/XP also allow: TCPv6 or UDPv6. If used with the -s option then the following protocols may also be specified: IP, IPv6, ICMP,or ICMPv6.
-s Display per-protocol statistics. By default, statistics are shown for IP, ICMP, TCP and UDP. Windows 2K/XP will also display: IPv6, ICMPv6, TCPv6 and UDPv6 The -p option may be used to specify a subset of the default.
interval Redisplay statistics, pausing interval seconds between each display. (default=once only) Press CTRL+C to stop.

I personally like using Netstat -an, which Displays all connections and listening ports in the form of IP instead of Hostname. Netstat -an combines two of the options at once no need for -a -n.

So now that you know how to use netstat to view all your connections and listening you can search for common ports like 12345(old Netbus Trojan), 1243(subseven) etc. This becomes very handy for everything you will soon find out.

Take a break on your couch and relax for about 5 minutes and let all this soak in then come back ready to learn more. Go ahead, I'll wait.


When you here SYN and ACK you do not think of the communication of packets on your system. Well let me tell you what SYN and ACK do.

If you have further questions try looking for texts on TCP/IP. Now onto the fun stuff.

Using Netstat it for ICQ and AIM

Let's say you are chatting with someone via ICQ or AOL Instant Messenger. Now let's say that you, for some reason, want to know the remote IP address of the system you are talking to. With NetStat, we can discover that remote IP address.

I'm not picking on AIM or ICQ here, just demonstrating the utility. Don't flame me with random "But I love AIM!" messages. If you use these communications tools, that's your choice, not mine.

Other Uses

Netstat can be used to get IPs of anything and anyone, as long as there's a direct connection between you and the target (i.e. direct messages, file transfers or ICQ chats in ICQ, DCC (Direct Client Connection) chat and file transfers in IRC etc etc).

Quick Tips

About this post

Posted: 2011-07-27
By: FortyPoundHead
Viewed: 4,769 times






Windows XP


No attachments for this post

Loading Comments ...


No comments have been added for this post.

You must be logged in to make a comment.