Identifying Inbound and Outbound Ports using Netstat
This content is from our CompTIA Network + Video Certification Training Course.
Netstat (Network Statistics) is a utility to help us determine whether or not we have inbound or outbound connections on our computer. The Netstat command line utility allows us to determine what ports (both TCP and UDP) on our computer are listening.
Netstat can also show what connections have been made for TCP and UDP on a computer, both inbound and outbound. It will also show us the status of the port: whether it’s actually established, has been disconnected by the remote computer or disconnected locally, and whether or not it has a finish statement.
Let’s take a look at what the Netstat utility can do for us.
We will bring up a standard command prompt. It doesn’t have to be an administrator prompt, it just needs to be a command prompt. We can clear the screen by typing “cls” and hitting enter and then type “cd/” and hit enter to give us more real estate.
If we type Netstat and hit enter, it’s going to go out and pull the statistics on this machine. By typing “Netstat /?” and hitting enter, we get a list of the parameters we can use.
The available parameters depend on what operating system we’re currently running. The one we’re going to use most is the -a parameter.
The -a switch will show the ports that have established connections, both inbound and outbound. It will also show what ports are currently listening on the computer.
The -q switch again displays the ports that are listening or have been connected.
The difference between the two is the amount of data we get with each.
If we scroll down the list, another commonly used switch, if we want to look at things on a per-protocol basis, is -s.
This will show TCP and UDP for both IPv4 and IPv6. It’ll show me the difference in the connections.
-a, -q and -s are the most common switches used in Netstat.
The -f switch can resolve the destination computer, which Netstat calls the foreign address. If it is able to resolve that IP address to a fully qualified domain name, you will see the name.
Let’s take a look at this in action.
In our command prompt, we’ll type “Netstat -a” and hit enter.
Notice it lists all the ports that are currently listening on this machine, in these TCP ports. (studio-W10SPC2 happens to be the machine here in the room.)
Notice it also starts to show we have other connections that are established. We’ll let it run for a few minutes and navigate to a couple of different options available in Netstat.
Scrolling down, there is more information in the status column. Established means the connection is in progress, i.e., they’re talking to each other.
Scrolling back up, notice we have this port that says TIME_WAIT.
We also have a status of CLOSE_WAIT that we might see as a status.
The difference between the two is that with TIME_WAIT, the client or the source machine has closed the connection, but the connection is waiting for any packets that might not have arrived yet.
If you see a CLOSE_WAIT, the connection was closed by the foreign computer or the destination computer, and we’re still waiting for the packet to arrive. You may also see a FIN_SYNC. This means that we have closed a connection and received the final packet, and now it is just in cache waiting to be released or dropped.
Depending on what the connections are, you may see a few other states there besides listening, established or time wait.
We’ll run this again, but this time we’ll use the -f switch. We’ll type “netstat -f” and hit enter.
This will take a little bit longer to run because it has to look up each remote machine. It will not always resolve to a user-friendly name.
Again, we get all the TIME_WAIT statuses. Notice that it was able to resolve a connection to a user-friendly name.
It resolved one to a user-friendly name, but others are displayed with just their IP address.
It did a reverse lookup on those addresses, but there is no domain name associated with them, so it wasn’t able to resolve them.
The Netstat utility allows us to look at the ports that are listening on our computer, and it can be valuable for security issues, to find connections that have been established either inbound or outbound with our machine.
Note: Netstat can’t tell whether a port is in an inbound or an outbound session. It can only inform you that the connection is established; you don’t know what the connection is.
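Because of the note above, direction has to be inferred rather than read off the output. As an added example (not part of the original course material), this Python script parses Netstat output, lists the listening ports, and marks a connection as likely inbound when its local port is one the machine is also listening on. The sample text is constructed, and it assumes the numeric form “netstat -an”, where -n is a Netstat switch this article does not cover.

```python
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.55:51422     ESTABLISHED
  TCP    192.168.1.20:49710     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:49722     203.0.113.25:80        TIME_WAIT
  TCP    192.168.1.20:49730     198.51.100.7:443       CLOSE_WAIT
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

def parse_netstat(text):
    """Return one dict per TCP/UDP row; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        # UDP is connectionless, so netstat prints no State column for it.
        state = parts[3] if proto == "TCP" and len(parts) > 3 else ""
        # rsplit keeps bracketed IPv6 addresses such as [::]:445 intact.
        lport = int(local.rsplit(":", 1)[1])
        rows.append({"proto": proto, "local": local, "lport": lport,
                     "foreign": foreign, "state": state})
    return rows

def listening_ports(rows):
    """TCP ports this machine accepts connections on (IPv4 and IPv6 merged)."""
    return sorted({r["lport"] for r in rows if r["state"] == "LISTENING"})

def state_counts(rows):
    """How many TCP rows are in each state."""
    return Counter(r["state"] for r in rows if r["proto"] == "TCP")

def guess_direction(rows):
    """Heuristic only: a local port that is also listening suggests the remote
    side opened the connection; any other local port suggests we did."""
    listening = set(listening_ports(rows))
    return [("inbound" if r["lport"] in listening else "outbound",
             r["local"], r["foreign"], r["state"])
            for r in rows if r["proto"] == "TCP" and r["state"] != "LISTENING"]

if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE)
    print("listening:", listening_ports(parsed))
    print("states:", dict(state_counts(parsed)))
    for item in guess_direction(parsed):
        print(*item)
```

The direction is a guess from port numbers, not something Netstat reports, so treat an unexpected “inbound” row as a lead to check against the service that owns the listening port.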
Netstat is an easy to use utility when we’re trying to determine what connections are made to our machine.
Until next time….