

Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand


 Netstat Prompt Results - What does this mean?

The first image "Guest Account" was what came up last night. "Guest Account 2" and "Admin Account 2" are from just a few minutes ago. Can anyone translate this for me?

(Screenshots were reposted.)

2kmaro posted this in another thread last night, and out of my endless sense of curiosity, I ran the command prompt "netstat" to see what would show up:

said by 2kmaro:
...
One way to see if you've got any listening ports in XP is to go to a command window and type in "netstat /a" (without the quote marks) and see what shows up as listening. If you run a small network, you'll see some relating to listening to other systems on it, but you need to be looking for stuff listening that you either know is listening over the internet (as Kazaa or an http or ftp server) or that you have no clue about. You can ask about that last bunch here to get educated about them.

It's actually not all that hard to have a locked down Windows system. Most open systems are that way because NetBIOS is improperly set up to be bound to TCP/IP protocol - and that's what got/gets most people in trouble.
PS: Thank you to whoever deleted the image from the original posting.
--
oO^..^Oo

[text was edited by author 2003-09-15 22:33:00]


Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
Around, Us
·Comcast

With XP I would suggest using netstat -o so you can see who owns the process ID (PID) of each port. You can then compare via Windows Task Manager with the PIDs.

Take for example "Microsoft-DS"....it's the service/protocol name for tcp\udp port 445 which as you may know is for File\Print Sharing.
--
"Well, butter my butt and call me a biscuit."


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand


said by Bubba:
With XP I would suggest using netstat -o so you can see who owns the process ID (PID) of each port. You can then compare via Windows Task Manager with the PIDs.

Take for example "Microsoft-DS"....it's the service/protocol name for tcp\udp port 445 which as you may know is for File\Print Sharing.

Bubba, I did use netstat! That's what is posted. Did I miss anything else? (There is a lot more running in Task Manager than is showing up in netstat, however!)
--
oO^..^Oo

[text was edited by author 2003-09-15 23:02:39]


Bubba
GIT-R-DONE
Premium,MVM
join:2002-08-19
Around, Us
·Comcast

said by Sparrow:
Bubba, I did use netstat! That's what is posted. Did I miss anything else?
Yes, you did use Netstat, but what switch did you use?

"Syntax
netstat [-a] [-e] [-n] [-o] [-p Protocol] [-r] [-s] [Interval]

Parameters
-a
Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.
-e
Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.
-n
Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.
______________________________________
-o
Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.
________________________________________
-p Protocol
Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.
-s
Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.
-r
Displays the contents of the IP routing table. This is equivalent to the route print command.
Interval
Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once"
--
"Well, butter my butt and call me a biscuit."


Jason_DCS

join:2002-12-17

reply to Sparrow
You may want to try some slightly better tools if you want a better output shown. "netstat -ano" is cumbersome as it doesn't even show the processes, only the PIDs. If you want another command line utility that is free, try our own OpenPorts; it even includes other common displays like netstat and fport in it:

»www.diamondcs.com.au/openports/

If you want a vanilla GUI version for free you can try TCPView (»www.sysinternals.com). And finally there is Port Explorer, which has a suite of tools and features, but it isn't free (shareware version available for download) (»www.diamondcs.com.au/portexplorer/).

With any of those tools you will be able to see which processes are listening much more easily. Port Explorer will also show you hidden processes and give you the ability to block/spy/throttle/kill on certain sockets also if you need that functionality.

-Jason-
--
DiamondCS (Est. 1986) - The Anti-Trojan Specialists http://www.diamondcs.com.au
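
The PID-to-process matching discussed above (netstat -ano shows only PIDs, which are then looked up by hand in Task Manager) can be scripted. This is an added example, not part of any post in this thread and not code from any of the tools mentioned; the sample outputs are constructed, the function names are hypothetical, and it assumes the process list comes from `tasklist /fo csv /nh`. Port 445 is named in the thread; 137-139 and UDP 1900 are the standard NetBIOS and SSDP ports.

```python
import csv, io

# Constructed sample of `netstat -ano` output (not the thread's screenshots).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     2044
  UDP    0.0.0.0:1900           *:*                                    1204
  UDP    192.168.1.10:137       *:*                                    4
"""
# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''"System","4","Console","0","216 K"
"svchost.exe","912","Console","0","3,804 K"
"svchost.exe","1204","Console","0","4,120 K"
"alg.exe","1480","Console","0","3,312 K"
"iexplore.exe","2044","Console","0","21,480 K"
'''
# Services discussed in the thread, keyed by port number.
KNOWN = {445: "Microsoft-DS (file/print sharing)", 137: "NetBIOS name",
         138: "NetBIOS datagram", 139: "NetBIOS session", 1900: "SSDP discovery"}

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV rows."""
    return {int(r[1]): r[0] for r in csv.reader(io.StringIO(tasklist_csv)) if len(r) >= 2}

def listeners(netstat_text, tasklist_csv):
    """Return (proto, addr, port, pid, process, note) for every listening socket."""
    names, out = pid_names(tasklist_csv), []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank lines
        # UDP rows have no State column; TCP rows count only when LISTENING.
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue
        addr, _, port = f[1].rpartition(":")
        pid = int(f[-1])
        note = KNOWN.get(int(port), "")
        if addr == "127.0.0.1":
            note = (note + " loopback only").strip()
        out.append((f[0], addr, int(port), pid, names.get(pid, "?"), note))
    return sorted(out, key=lambda r: (r[2], r[0]))

if __name__ == "__main__":
    for row in listeners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print("%-4s %-15s %5d  pid %-5d %-14s %s" % row)
```

Rows bound to 0.0.0.0 are reachable on every adapter, which is where the NetBIOS and SSDP changes suggested in this thread show up as listeners disappearing.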


BlitzenZeus
Burnt Out Cynic
Premium,MVM
join:2000-01-13
Beaverton, OR
·Verizon FIOS
·Verizon Online DSL


reply to Sparrow
Netstat results are too limited, I suggest you use Active Ports, but TCPView works also.
»www.ntutility.com/freeware.html

On NT systems there are some programs which make internal connections, many more which are just listening, few you should disable, and some you can only just block depending on your setup.

Unless you're networked with other machines, go into the properties of each adapter, and in the advanced tcp/ip settings you can disable netbios over tcp/ip. If you do have a network, only have it enabled for the adapters that connect with the network.

Start -> Run: services.msc
In the properties of the service, stop then Disable SSDP Discovery Protocol, and UPnP Universal Plug n Prey.
--
My hourly rates:
$25 per hour.
$35 per hour if you want to watch.
$45 per hour if you want to help.
$75 per hour if you tried to fix it, and failed.
[text was edited by author 2003-09-16 04:31:50]


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

said by BlitzenZeus:
Netstat results are too limited, I suggest you use Active Ports, but TCPView works also.
»www.ntutility.com/freeware.html

Start -> Run: services.msc
In the properties of the service, stop then Disable SSDP Discovery Protocol, and UPnP Universal Plug n Prey.

SSDP Discovery Protocol, and UPnP PnP were already disabled. I disabled netbios over tcp/ip. I am not on a network, so I was able to safely disable at least a dozen other non-critical adapters that were running.
================================================
Thank you, Bubba for explaining the netstat
Thank you, Jason for the download sites, and
Thank you, BlitzenZeus for the download, and for the final assurance I needed to disable netbios over tcp/ip.

You all provided answers for a number of questions that I have been unsure of. Thank you again!

(And thank you, 2kmaro, wherever you are, for mentioning the netstat to begin with!)

--
oO^..^Oo


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland
reply to Sparrow
Also read

Please read this, it will explain some/most of that...and how to close them down...
»www.hsc.fr/ressources/breves/min···.en.html


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

I will read

said by jansson_mark:
Please read this, it will explain some/most of that...and how to close them down...
»www.hsc.fr/ressources/breves/min···.en.html
Thank you, Markus. I see I have a little more reading to do. The link is giving me the reasoning behind all this, which is again a good thing for my curiosity, since this is an area I am a bit in a lurch about.

I will read this thoroughly when I come home later this evening. I must have disabled one too many services earlier this morning, as I had to turn a couple back on to get back online. New rule of thumb, "Try one at a time, and test."

Thank you!
--
oO^..^Oo


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland


said by Sparrow:
I see I have a little more reading to do.
Don't we all?

quote:
The link is giving me the reasoning behind all this
There is even more, especially about those services etc. etc. Please see
»www.blkviper.com/
»www.markusjansson.net/exp.html
--
My computer security & privacy related homepage »www.markusjansson.net

Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.

[text was edited by author 2003-09-16 13:09:00]


Sparrow
Crystal Sky
Premium
join:2002-12-03
Sachakhand

 BV & JM ??

Hi Markus! Those are two "old" links.

I wish I had a dollar for every time I have used them or referred someone else there! I also seem to have a Word.doc by someone with the same name as you...;)

...maybe I should get a commission...hmmm...
--
oO^..^Oo


jansson_mark
Markus Jansson
Premium
join:2001-08-05
Finland

said by Sparrow:
I wish I had a dollar for every time I have used them or referred someone else there! I also seem to have a Word.doc by someone with the same name as you...;)
LOL!
Actually it's funny that there are only a few good sites on the net that talk about disabling unneeded services and tweaking down open ports on WinXP. I mean, doing things that M$ should have done by default...
--
My computer security & privacy related homepage »www.markusjansson.net

Use HushTools or GnuPG/PGP to encrypt any email before sending it to me to protect our privacy.