Identifying Inbound and Outbound Ports using Netstat

Home > Blogs > Cisco > Identifying Inbound and Outbound Ports using Netstat

Identifying Inbound and Outbound Ports using Netstat

Like This Blog 0Rick Trader
Added by June 19, 2019

This content is from our CompTIA Network + Video Certification Training Course. Start training today!


Netstat (Network Statistics) is a utility to help us determine whether or not we have inbound or outbound connections on our computer. The Netstat command line utility allows us to determine what ports (both TCP and UDP ) on our computer are listing.

Netstat can also show what connections have been made for TCP and UDP on ay computer, both inbound and outbound. It will also show us the status of the port, whether it’s actually established, has been disconnected by the remote computer or disconnected locally, and whether or not it has a finish statement.

Let’s take a look at what the Netstat utility can do for us.

We will bring up a standard command prompt. It doesn’t have to be an administrator prompt, it just needs to be a command prompt. We can clear the screen by typing “cls” and hitting enter and then type “cd/” and hit enter to give us more real estate.

If we type Netstat and hit enter, it’s going to go out and it’s going to pull the statistics on this machine. By typing “Netstat /?” and hitting enter,

It’s going to show what the actual parameters we can use.

There’s a series of parameters depending on what operating system we’re currently running. The couple that we’re going to use most is the –a parameter.

The ‑a will show the ports that are established connections, both inbound and outbound. It will also show what ports are currently listening on the computer.

The ‑q is going to display again those connections that are both listening or had been connected.

The difference between the two is the amount of data we get with each.

If we scroll down the list, the other two parameters or switches that are commonly used if we wanted to look at a protocol basis, ‑s.

This will show TCP, UDP in both IPV4, IPV6. It’ll show me the difference in the connections.

-a, -q and –s are the most common switches used in Netstat.

The –f switch can resolve the destination computers, or they call it the foreign address which is the destination computer. If we are able to resolve that from our IP address to a fully qualified domain name, you will see the name.

Let’s take a look at this in action.

In our command prompt, we’ll type “Netstat –a “and hit enter.

Notice it states all the ports are currently listening on this machine, in these TCP ports. (studio‑W10SPC2 happens to be the machine here in the room)

Notice it also starts to show we have other connections that are established. We’ll let it run for a few minutes and navigate to a couple of different options available in Netstat.

Scrolling down in the status column there is more information. Established means the connection’s in process, i.e, they’re talking to each other,

Scrolling back up, notice we have this port that says TIME_WAIT.

We also have a status of CLOSE_WAIT that we might see as a status.

The difference between the two is on the TIME_WAIT, the client or the source machine has closed the connection, but the connection is waiting for any package that might not arrived yet.

If you see a CLOSE_WAIT, that was closed by the foreign computer or the destination computer and were still waiting for the package to arrive. You may also see a FIN_SYNC. This means that we have closed a connection and received the final packet and now it is just in cache waiting to be released or to be dropped out of it.

Depending on what the connections are, you may see a couple of different options there besides just the other term listening or established or time wait.

We’ll run this again but this time we’ll use the ‑f switch. We’ll type “netstat –f“and hit enter.

This will take a little bit longer to run because it’s going to have to find any machine that is waiting to be established. We’ll not always resolve it’s a user‑friendly name.

Again, we get all the TIME_Wait status. Notice that it was able to resolve a connection to a user‑friendly name.

It resolved one to a user‑friendly name, but others are displayed with just their IP address.

It have done a reverse lookup on to find there’s no IP address or domain name established with it but it wasn’t able to resolve.

The Netstat utility allows us to be able to go in and look at both the ports that are listening on our computer, and can be valuable for security issues to find connections that have either been established inbound or outbound with our machine.

Note, Netstat can’t tell whether ports are in an inbound or outbound session it can only inform you that it is established, you don’t know what the connection is.

Netstat is an easy to use utility when we’re trying to determine what connections are made to our machine.

Until next time….

Rick Trader
CompTIA Network + Instructor – Interface Technical Training
Phoenix, AZ

Video Certification Training: CompTIA Network +

Videos You May Like

Agile Methodology in Project Management

0 112 0

In this video, you will gain an understanding of Agile and Scrum Master Certification terminologies and concepts to help you make better decisions in your Project Management capabilities. Whether you’re a developer looking to obtain an Agile or Scrum Master Certification, or you’re a Project Manager/Product Owner who is attempting to get your product or … Continue reading Agile Methodology in Project Management

How to clone a Windows Server 2012 or 2012 R2 Domain Controller

3 1105 3

One of the coolest new features in Window Server 2012 and Windows Server 2012 R2 is the ability to clone a Domain Controller. In the past, if we had virtualized Domain Controllers and we actually took a snapshot of it and then rolled back to that snapshot, it would break the logon service on that … Continue reading How to clone a Windows Server 2012 or 2012 R2 Domain Controller

Detailed Forensic Investigation of Malware Infections – April 21, 2015

4 435 3

In this IT Security training video, Security expert Mike Danseglio (CISSP / CEH) will perform several malware investigations including rootkits, botnets, viruses, and browser toolbars.

Write a Comment

Share your thoughts...

Please fill out the comment form below to post a reply.