
aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA

aefstoggaflm

Premium Member

Check ports are reaching computer w/o installing software?

How does one use the netstat command to check what TCP or UDP ports are reaching a computer without installing software?

Thanks

jaykaykay
4 Ever Young
MVM
join:2000-04-13
USA

jaykaykay

MVM

What is the Netstat Command?:

The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices.

Specifically, the netstat command can show details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which could help troubleshoot certain kinds of networking issues.

Netstat Command Syntax:
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

Tip: See How To Read Command Syntax if you're not sure how to read the netstat command syntax above.

Execute the netstat command alone to show a relatively simple list of all active TCP connections which, for each one, will show the local IP address (your computer), the foreign IP address (the other computer or network device), along with their respective port numbers, as well as the TCP state.

-a = This switch displays active TCP connections, TCP connections with the listening state, as well as UDP ports that are being listened to.

-b = This netstat switch is very similar to the -o switch listed below, but instead of displaying the PID, will display the process's actual file name. Using -b over -o might seem like it's saving you a step or two but using it can sometimes greatly extend the time it takes netstat to fully execute.

-e = Use this switch with the netstat command to show statistics about your network connection. This data includes bytes, unicast packets, non-unicast packets, discards, errors, and unknown protocols received and sent since the connection was established.

-f = The -f switch will force the netstat command to display the Fully Qualified Domain Name (FQDN) for each foreign IP address when possible.

-n = Use the -n switch to prevent netstat from attempting to determine host names for foreign IP addresses. Depending on your current network connections, using this switch could considerably reduce the time it takes for netstat to fully execute.

-o = A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each displayed connection. See the example below for more about using netstat -o.

-p = Use the -p switch to show connections or statistics only for a particular protocol. You can not define more than one protocol at once, nor can you execute netstat with -p without defining a protocol.

protocol = When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.

-r = Execute netstat with -r to show the IP routing table. This is the same as using the route command to execute route print.

-s = The -s option can be used with the netstat command to show detailed statistics by protocol. You can limit the statistics shown to a particular protocol by using the -s option and specifying that protocol, but be sure to use -s before -p protocol when using the switches together.

-t = Use the -t switch to show the current TCP chimney offload state in place of the typically displayed TCP state.

-x = Use the -x option to show all NetworkDirect listeners, connections, and shared endpoints.

-y = The -y switch can be used to show the TCP connection template for all connections. You cannot use -y with any other netstat option.

time_interval = This is the time, in seconds, that you'd like the netstat command to re-execute automatically, stopping only when you use Ctrl-C to end the loop.

/? = Use the help switch to show details about the netstat command's several options.

Tip: Make all that netstat information in the command line easier to work with by outputting what you see on the screen to a text file using a redirection operator. See How To Redirect Command Output to a File for complete instructions.

StuartMW
Premium Member
join:2000-08-06

2 recommendations

StuartMW to aefstoggaflm

Premium Member

to aefstoggaflm
FYI I use the SysInternals TCPView utility to see what ports are being used by processes. Not sure if that's what you want.

PS: Like all SysInternal utilities it doesn't "install" as such. It's a standalone .exe.

therube
join:2004-11-11
Randallstown, MD

1 recommendation

therube

Member

(though it does write to the Registry, at the least, that you've agreed to their EULA

> HKEY_CURRENT_USER\Software\Sysinternals\TCPView
)

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to aefstoggaflm

Premium Member

to aefstoggaflm
Have you tried just looking in the Resource Monitor as well?

Netstat:

Once you have added the selection in Task Manager under View|Select Columns|PID (Process Identifier), run netstat -ano at the command prompt.

It will give you a tabled list of connections to cross reference with the task manager process list.

No extra software needed.

StuartMW
Premium Member
join:2000-08-06

StuartMW to therube

Premium Member

to therube
True. Not sure if that's an issue for aefstoggaflm or not.

[HKEY_CURRENT_USER\Software\Sysinternals\TCPView]
"EulaAccepted"=dword:00000001
"Settings"=hex:...
 

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA

aefstoggaflm

Premium Member

It would help if the method was cross platform (Windows, Mac, Unix/Linux).

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

In that case NetStat is your baby.
quote:
It is available on Unix-like operating systems including OS X, Linux, Solaris, and BSD, and is available on Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7 and Windows 8.
dave
Premium Member
join:2000-05-04
not in ohio

dave to aefstoggaflm

Premium Member

to aefstoggaflm
The question of what ports are 'reaching' a computer is a little unclear. Ports don't reach, they just are.

Basically, it doesn't matter a damn if someone tries to address a datagram to port 'X' and there is nothing listening for datagrams addressed to port 'X'. So if you want to find out what is actually listening, then netstat -a is your tool.

With respect to the 'reaching' part of it - if you really meant what ports are reachable from the world outside, then you need to look at firewall and router settings.

If you meant what ports someone is actually trying to 'reach', then firewall logs (or similar auditing tools) are what you want.

So, what was the question?

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by dave:

With respect to the 'reaching' part of it - if you really meant what ports are reachable from the world outside, then you need to look at firewall and router settings.

The easy way is to run a port scan and look at the results.

e.g.

ShieldsUP!

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm to dave

Premium Member

to dave
said by dave:

The question of what ports are 'reaching' a computer is a little unclear. Ports don't reach, they just are.

Basically, it doesn't matter a damn if someone tries to address a datagram to port 'X' and there is nothing listening for datagrams addressed to port 'X'. So if you want to find out what is actually listening, then netstat -a is your tool.

With respect to the 'reaching' part of it - if you really meant what ports are reachable from the world outside, then you need to look at firewall and router settings.

If you meant what ports someone is actually trying to 'reach', then firewall logs (or similar auditing tools) are what you want.

So, what was the question?

Sorry if I was not clear.

Without installing (or even downloading) is there a way to detect port scans / connections (cross platform on the computer not in the router's logs)?

Thanks

StuartMW
Premium Member
join:2000-08-06

3 edits

StuartMW

Premium Member

Port scans and connections are different things and require different tools.

"Open ports" -- that is, port(s) that your firewall(s) allow through to one or more machines -- must be determined by a port scanner and/or inspecting your firewall rules. Just because a port is "open" doesn't mean there's any process(es) on machines listening on it.

On client machines, connections are usually established from a process through a firewall. That is, they're established outbound from machines to a website etc. For servers (e.g. Web Server) the reverse is true.

As for detecting port scanners most router/firewalls allow you to log this kind of stuff. In my case mine sends such logs, via SysLog, to a machine that saves them.
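
The firewall-log approach dave and StuartMW describe also works on the machine itself when the host firewall logs dropped packets. The following is an added example, not code from any poster in this thread: it assumes a log in the layout Windows Firewall writes to pfirewall.log (columns named by a `#Fields:` header), and the sample lines, addresses and thresholds are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_fw_log(text):
    """Yield one dict per log entry, naming columns from the '#Fields:' header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def find_scanners(records, min_ports=5, window=timedelta(seconds=60)):
    """Return {src_ip: [(proto, port), ...]} for sources whose dropped inbound
    packets hit at least min_ports distinct local ports within the window."""
    recent = defaultdict(deque)    # src-ip -> (ts, proto, port) entries still in the window
    flagged = defaultdict(set)
    for r in sorted(records, key=lambda r: r["ts"]):
        inbound = r.get("path", "RECEIVE") == "RECEIVE"
        if r["action"] != "DROP" or not inbound or not r["dst-port"].isdigit():
            continue               # allowed traffic, outbound traffic, ICMP
        q = recent[r["src-ip"]]
        q.append((r["ts"], r["protocol"], int(r["dst-port"])))
        while r["ts"] - q[0][0] > window:
            q.popleft()            # forget probes older than the window
        ports = {(proto, port) for _, proto, port in q}
        if len(ports) >= min_ports:
            flagged[r["src-ip"]] |= ports
    return {ip: sorted(ports) for ip, ports in flagged.items()}

# Constructed sample entries (documentation address ranges).
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2015-03-01 10:15:01 DROP TCP 203.0.113.5 192.168.1.10 40001 21 60 S 1 0 1024 - - - RECEIVE
2015-03-01 10:15:01 DROP TCP 203.0.113.5 192.168.1.10 40002 22 60 S 1 0 1024 - - - RECEIVE
2015-03-01 10:15:02 DROP TCP 203.0.113.5 192.168.1.10 40003 23 60 S 1 0 1024 - - - RECEIVE
2015-03-01 10:15:02 DROP UDP 203.0.113.5 192.168.1.10 40004 161 40 - - - - - - - RECEIVE
2015-03-01 10:15:03 DROP TCP 203.0.113.5 192.168.1.10 40005 3389 60 S 1 0 1024 - - - RECEIVE
2015-03-01 10:15:04 DROP TCP 198.51.100.20 192.168.1.10 51000 445 60 S 1 0 1024 - - - RECEIVE
2015-03-01 10:20:00 DROP TCP 198.51.100.20 192.168.1.10 51001 445 60 S 1 0 1024 - - - RECEIVE
2015-03-01 10:15:05 ALLOW TCP 192.168.1.10 198.51.100.7 49712 443 0 - 0 0 0 - - - SEND
"""

print(find_scanners(parse_fw_log(SAMPLE_LOG)))
```

Because the firewall records dropped UDP datagrams as well as TCP SYNs, this catches UDP probing that a listener-only view such as netstat never shows.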

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA

aefstoggaflm

Premium Member

Oh, ok.

Solved.

Telling mods/admins to lock thread....

therube
join:2004-11-11
Randallstown, MD

therube

Member

> Solved.

And you're going to hide the solution from us?
Ah, I guess I'll just scan your ports & find out for myself.

aefstoggaflm
Open Source Fan
Premium Member
join:2002-03-04
Bethlehem, PA
Linksys E4200
ARRIS SB6141

aefstoggaflm

Premium Member

said by therube:

> Solved.

And you're going to hide the solution from us?

It seems to me that what I am asking is impossible.

wolfy339
join:2005-04-30
Edmonds, WA

wolfy339 to aefstoggaflm

Member

to aefstoggaflm
said by aefstoggaflm:

It seems to me that what I am asking is impossible.

With netstat yes, however, from what I understand of what you are attempting to do (check open ports on another computer) I would recommend Telnet (built into Windows). Granted it will be a lot slower than using a program like nmap, but should still get the job done.
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

That's a workable (but slow) solution for TCP ports, but not for UDP ports.

UDP is in general a harder issue in any case, by its very nature.

sivran
Vive Vivaldi
Premium Member
join:2003-09-15
Irving, TX

sivran to aefstoggaflm

Premium Member

to aefstoggaflm
Not sure what the point would be, other than making sure a server running on that computer is reachable... in which case, just try to access it from the other side of the firewall/router...
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to aefstoggaflm

MVM

to aefstoggaflm
First off aefstoggaflm, did you try looking at the command switches for netstat on the particular platform you
want to run it on? I haven't done a side by side comparison between say Windows and insert-Linux-flavor here,
but best place to start would be what particular options are available. Also, I distinctly recall netstat in Windows itself
was rather funky... Win2K didn't have the command switch to specify the EXE associated with the particular TCP / UDP
port; this wasn't possible till WinXP.
said by aefstoggaflm:

Without installing (or even downloading) is there a way to detect port scans / connections (cross platform on the computer not in the router's logs)?

The thing about port scans is they're like a knock / ring at the door... without looking outside and/or opening the door
there is no way to know if it's from the local Cub Scouts troop, the vacuum cleaner salesman, the mailman, or your
Aunt Nellie from Timbuktu.

Same principle here -- Netstat will tell you the current ACTIVE TCP / UDP connections, but it has no way of telling
whether they are legitimate or not. Also, as StuartMW mentions, how do you go after a connection that
occurred 3 days ago? Unless you're running Netstat as a cron job or similar, netstat is a run-once and stop till it's
told to start again kind of deal.

Taking this one further, and based on your post here, you've stumbled onto an interest with penetration scanning / testing,
or you're looking into network security / IDS kind of stuff -- specifically to determine if you are actually getting
hit by a port scan attack? I know I'm making a leap here....

Regards
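
The run-once limitation HELLFIRE describes can be worked around by saving netstat output on a schedule and comparing snapshots. The following is an added example, not code from any poster in this thread: it parses the text of `netstat -ano` (Windows) or `netstat -an` (Linux net-tools) and reports listeners that appeared or disappeared between two runs; the snapshots and addresses are constructed.

```python
import re

def parse_listeners(netstat_output):
    """Map (proto, local_addr, port) -> PID (None if not shown) for listening sockets."""
    listeners = {}
    for line in netstat_output.splitlines():
        tok = line.split()
        if not tok or not tok[0].lower().startswith(("tcp", "udp")):
            continue                  # banner, column header, blank line
        proto = tok[0].lower()
        # Linux net-tools prints Recv-Q/Send-Q counters after the protocol.
        linux = len(tok) > 4 and tok[1].isdigit() and tok[2].isdigit()
        fields = tok[3:] if linux else tok[1:]
        if len(fields) < 2:
            continue
        local, foreign, rest = fields[0], fields[1], fields[2:]
        if proto.startswith("tcp"):
            if not rest or rest[0].upper() not in ("LISTEN", "LISTENING"):
                continue              # ESTABLISHED, TIME_WAIT, ...
        elif not foreign.endswith("*"):
            continue                  # UDP has no state; keep unconnected sockets
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # PID column: "888" from Windows -o, "1234/sshd" from Linux -p.
        pids = [int(m.group(1)) for m in (re.match(r"(\d+)(?:/|$)", f) for f in rest) if m]
        listeners[(proto, addr, int(port))] = pids[0] if pids else None
    return listeners

def diff_listeners(before, after):
    """Return (opened, closed) listener keys between two parsed snapshots."""
    opened = sorted(k for k in after if k not in before)
    closed = sorted(k for k in before if k not in after)
    return opened, closed

# Constructed snapshots in the Windows `netstat -ano` layout.
BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    127.0.0.1:5939         0.0.0.0:0              LISTENING       2104
  TCP    192.168.1.10:49712     198.51.100.7:443       ESTABLISHED     4321
  UDP    0.0.0.0:5353           *:*                                    1500
"""
AFTER = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  UDP    0.0.0.0:5353           *:*                                    1500
"""
OPENED, CLOSED = diff_listeners(parse_listeners(BEFORE), parse_listeners(AFTER))
print("opened:", OPENED, "closed:", CLOSED)
```

Run from cron or Task Scheduler against saved netstat output, this records when a listener first appeared, though it still shows nothing about probes to ports with no listener.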
wolfy339
join:2005-04-30
Edmonds, WA

wolfy339 to dave

Member

to dave
said by dave:

That's a workable (but slow) solution for TCP ports, but not for UDP ports.

RE: UDP ports, that is true and I didn't think of that