What is NetStat?
Netstat is a tool that has been included with Windows since at least Windows 95/NT 3.5 (UNIX/Linux has it also). It was designed to do a lot more than just monitor your connections, but that is what most people use it for, or at least to watch who has established connections to their computer. That is why I am writing this article: it is for people who are curious about how to take that one step further and make the most out of it.
Why would I use NetStat?
Well, suppose you do not have a firewall, but you need something that can monitor your connectivity while you are away. Believe it or not, NetStat is the perfect command for you. Once you have read this article you will see just how powerful NetStat is. So, let's get started. I will include a generic scenario for each use of NetStat.
Global Step (applies before each step of every scenario)
First, open up the command prompt; if you are on an NT-based machine, open up “cmd”, not “command”.
Scenario 1
Someone has been flooding my network, taking out my web servers and just wreaking havoc in general. I want to be able to monitor this person and what they are doing, but I am not going to be around my machine while they are attacking me. So, the answer is simple.
1. We must tell NetStat to keep a log file for us, so we can check it when we get home, but we want it to be continuous so it is constantly monitoring, much like a simple IDS. So, type in the following:
“netstat 10 > conlog.txt”
First we type in the basic command, netstat; then the “10” tells it to refresh itself every 10 seconds, so we have a pretty accurate log when we come home. Next we redirect the output to a text file as the command runs. That is what the “> conlog.txt” is doing. You can point that at any path, such as “c:\log.txt”, or leave it relative to whatever folder your command prompt is sitting in, such as “C:\>”.
Now, if you want to see just the IP address of the remote user and not the host name, make a small addition to the command: use netstat -n (for example “netstat -n 10 > conlog.txt”). This tells NetStat to show numerical addresses instead of resolving host names. It is a lot cleaner this way, since some host names are enormous once resolved and make the logs hard to read. If you wish to filter the connections by the protocol they are using (TCP/UDP/ICMP), simply issue the command “netstat -p tcp”. You can replace tcp with udp or icmp.
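To do the “check it when we get home” review without reading the whole file by eye, here is an added Python example (not code from the original article) that parses a conlog.txt written by netstat -n with an interval and flags remote hosts holding several half-open (SYN_RECEIVED) connections in one snapshot. The log excerpt is constructed sample output and the threshold of 3 is an assumed value.

```python
import re
from collections import Counter

# Constructed excerpt of a "netstat -n 10 > conlog.txt" log: two snapshots, 10 s apart.
SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:80         192.168.1.20:1045      ESTABLISHED
  TCP    192.168.1.5:80         10.0.0.7:3322          SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.7:3323          SYN_RECEIVED

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:80         192.168.1.20:1045      ESTABLISHED
  TCP    192.168.1.5:80         10.0.0.7:3324          SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.7:3325          SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.7:3326          SYN_RECEIVED
  UDP    0.0.0.0:137            *:*
"""

# One connection line: proto, local, foreign, optional state (UDP lines have none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_snapshots(text):
    """Split the periodic log into snapshots, each a list of (proto, local, foreign, state)."""
    snapshots = []
    for line in text.splitlines():
        if line.startswith("Active Connections"):
            snapshots.append([])          # a new refresh of the table begins here
            continue
        m = LINE_RE.match(line)
        if m and snapshots:
            proto, local, foreign, state = m.groups()
            snapshots[-1].append((proto, local, foreign, state or ""))
    return snapshots

def half_open_by_host(snapshot):
    """Count SYN_RECEIVED (half-open) connections per remote host, port stripped."""
    return Counter(f.rsplit(":", 1)[0] for _, _, f, s in snapshot if s == "SYN_RECEIVED")

def flag_floods(snapshots, threshold=3):
    """(snapshot index, host, count) for hosts holding >= threshold half-open connections."""
    hits = []
    for i, snap in enumerate(snapshots):
        for host, n in sorted(half_open_by_host(snap).items()):
            if n >= threshold:
                hits.append((i, host, n))
    return hits
```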
Scenario 2
My network has been acting up lately. I believe that maybe we have a worm, or some machine that has been trojaned into a DDoS bot. I have to monitor these statistics for the machines, preferably each machine.
The first step is to be able to see how much data is going out and coming in. This is considered Interface Monitoring, because it monitors your Network Interface Card (NIC). You will want to keep a log of this also, so you can see how much information is being sent through and into your NIC. The first thing we want to do is tell netstat to monitor these statistics, as follows:
“netstat -e 10 > activity.txt”
This will write the interface statistics every 10 seconds to the file activity.txt so we can check it when we get home. Look for a dramatic increase between snapshots, or a constant flow of data when there should be none. Always check the “Received” and “Sent” columns. If Sent is much larger than Received, then we know that something is going on on our network. Now, if you want to see more advanced statistics, you can use the command “netstat -s”; this will display a lot more information on your connections, from which you will be able to determine if something is going on.
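As an added example (not code from the original article), the following Python reads an activity.txt produced by netstat -e with an interval, turns the cumulative Bytes counters into per-interval rates, and applies the Sent-much-larger-than-Received test from the text. The excerpt is constructed sample output; the 10-second interval and the 5:1 ratio are assumptions.

```python
import re

# Constructed excerpt of "netstat -e 10 > activity.txt": three snapshots, 10 s apart
# (only the header and the first two counter rows of each snapshot are reproduced).
SAMPLE_LOG = """\
Interface Statistics

                           Received            Sent

Bytes                      10000000         5000000
Unicast packets               12000            9000

Interface Statistics

                           Received            Sent

Bytes                      10050000         5040000
Unicast packets               12060            9050

Interface Statistics

                           Received            Sent

Bytes                      10100000        45040000
Unicast packets               12120           40000
"""

# The "Bytes" row of each snapshot: cumulative received and sent byte counters.
BYTES_RE = re.compile(r"^Bytes\s+(\d+)\s+(\d+)[ \t]*$", re.MULTILINE)

def parse_byte_counters(text):
    """Return [(received, sent), ...], one pair per Interface Statistics snapshot."""
    return [(int(rx), int(tx)) for rx, tx in BYTES_RE.findall(text)]

def rates(counters, interval_s):
    """Bytes per second (received, sent) for each interval between consecutive snapshots."""
    return [((r1 - r0) / interval_s, (s1 - s0) / interval_s)
            for (r0, s0), (r1, s1) in zip(counters, counters[1:])]

def suspicious_intervals(counters, interval_s, ratio=5.0):
    """Intervals where Sent dwarfs Received, the article's sign of traffic leaving the box."""
    return [i for i, (rx, tx) in enumerate(rates(counters, interval_s))
            if tx > ratio * max(rx, 1.0)]
```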
Scenario 3
You’re not too worried about DoS and DDoS attacks being sent from your machine without you knowing it (aka a zombie). But you are really worried about a Trojan being remotely uploaded to your machine or, even worse, a program you use all the time establishing odd connections, and you are not sure whether those connections really belong to that program. Netstat will be able to tell you what process is assigned to what port.
Before we get started, you will need a tool called TaskList, which can be downloaded here; it comes with XP Professional. It should work on any NT machine once downloaded. Make sure to place it in your system32 folder, so you can call it globally from any folder you are browsing in the command prompt.
First we will type “tasklist” in the command prompt. You will see a bunch of process names, and next to each you will see a number. These numbers are unique IDs for each process, called a PID (Process Identification). Now, I would recommend dumping it to a text file on your desktop or somewhere you have quick access to, so it would look like
“tasklist > pids.txt”.
Now we have each process with its PID next to it, so we know what each PID is assigned to. Now it's time to load up that trusty netstat! In the command prompt, type
“netstat -no > cpids.txt”
This will dump each connection in numerical form, but this time it will display the owning PID next to it. Now, simply open up both text files and compare them: see which process is using a connection by looking up which process that PID belongs to. Once you have determined whether something is suspicious or just normal, you can choose what to do. If you have XP Pro, you can use the command “tskill”, which will allow you to kill a process by its PID. You may or may not want to do this if you find something suspicious.
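The comparison of pids.txt and cpids.txt can be scripted instead of done by eye. This added Python example (not code from the original article) joins the two listings on PID and groups established connections by image name; both listings are constructed sample output, and a connection's PID that is missing from tasklist is labelled rather than dropped.

```python
import re
from collections import defaultdict

# Constructed output of "tasklist > pids.txt" (a real listing has many more rows).
TASKLIST_OUT = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    1604 Console                    0      4,156 K
notepad.exe                    2210 Console                    0      3,012 K
"""

# Constructed output of "netstat -no > cpids.txt".
NETSTAT_OUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:139        192.168.1.20:1045      ESTABLISHED     4
  TCP    192.168.1.5:1090       203.0.113.9:6667       ESTABLISHED     2210
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1604
  UDP    0.0.0.0:445            *:*                                    4
"""

TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_tasklist(text):
    """Map PID -> image name from tasklist output (header and ==== rows do not match)."""
    return {int(m.group(2)): m.group(1).strip()
            for m in map(TASK_RE.match, text.splitlines()) if m}

def parse_connections(text):
    """(proto, local, foreign, state, pid) per netstat -no line; UDP rows have no state."""
    return [(p, l, f, s or "", int(pid)) for p, l, f, s, pid in
            (m.groups() for m in map(CONN_RE.match, text.splitlines()) if m)]

def join_by_pid(tasklist_text, netstat_text):
    """The article's two-file comparison: tag each connection with its owning image name."""
    images = parse_tasklist(tasklist_text)
    return [row + (images.get(row[4], "<pid not in tasklist>"),)
            for row in parse_connections(netstat_text)]

def established_by_image(joined):
    """Image name -> foreign addresses it holds ESTABLISHED TCP connections to."""
    out = defaultdict(list)
    for proto, _, foreign, state, _, image in joined:
        if proto == "TCP" and state == "ESTABLISHED":
            out[image].append(foreign)
    return dict(out)
```

A text editor with an outbound established connection, as notepad.exe has in the sample, is exactly the kind of row worth a second look.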
This concludes the NetStat article. I hope you learned something and can now use NetStat to your benefit.
DISCLAIMER
The information provided on hottechtips.blogspot.com is to be used for educational purposes only. The website creator is in no way responsible for any misuse of the information provided. All of the information in this website is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word “Hack” or “Hacking” on hottechtips.blogspot.com should be regarded as “Ethical Hack” or “Ethical hacking” respectively. You implement the information given at your own risk.