Windows Tip: Use Netstat to Track IPs
written by Morgan Webb on Wednesday, September 19, 2001
Track IPs and more with this hidden utility.
Netstat is a hidden utility that shows your computer's connections to the rest of the Internet. Netstat is useful to track the IP address of a friend, for example, or to find your own IP address. It gives you information on all your system's open connections, including local and remote ports and protocols. It can even tell you if you are infected with a Trojan.
You can run netstat from the command prompt or the run box along with a series of arguments as follows:
-a -- Displays all connections and listening ports.
-e -- Displays Ethernet Statistics. This may be combined with the -s option.
-n -- Displays addresses and port numbers in numerical form.
-p proto -- Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
-r -- Displays the routing table.
-s -- Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
interval -- Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics. If omitted, Netstat will print the current configuration information once.
These are the instructions included with the utility, and as such are particularly vague. I got them by typing "netstat ?" (without the quotes) into the command prompt. Don't worry -- I will explain the basics below.
Netstat -a will show you all the open connections on your machine (-a is for all). It will also tell you which remote systems you are connected to, the local port number, the remote port number, and the protocol. When I type Netstat -a into my command prompt, I get a number of lines. Following is the actual text returned on one of these lines. The output is in bold, my comments are in parentheses:
TCP (the protocol, in this case, Transmission Control Protocol. The protocol can also be UDP, or User Datagram Protocol. In rare cases you will see Internet Protocol or IP) morgan:1528 (my username followed by my local port #)
Google (a site I am connected to, followed by the port on the remote system) ESTABLISHED (is the state of my connection). Here is a list of common port assignments.
Netstat -an will show you all the information above, except in numeric (-n for numeric) form. This means that in the example above, you would get an IP address instead of "morgan" and "www.google.com." Both will still be followed by the port numbers. This is one way to get your own IP address, because your username from the first example is now replaced by your numeric IP address in the second. You can also use netstat to get the IP addresses of your friends on ICQ or AIM (AIM buddies will be on port :5190).
Netstat -p TCP or Netstat -p UDP will give you all the information in the above examples, isolated by protocol.
Netstat -e will tell you general information like bytes received and sent, discards and errors.
Netstat interval (in seconds, such as netstat 10 or netstat 20) will retabulate and redisplay netstat information at each specified interval.
Three bonus netstat tips:
If you ever get bored of waiting for Netstat to finish what it's doing, hit Control + C to abort the operation and go back to the command prompt.
You can use netstat to see if you have a Trojan. Go here for a list of ports known Trojans attack. If one of these ports is open, you can bet you've got one on your system. Your anti-virus software should also tell you if you are infected, but sometimes it is nice to see the nuts and bolts of how your computer gets attacked.
Sometimes Netstat generates a lot of text, too much to see in the command window. Type 'netstat -an >c:\windows\desktop\log.txt' or any other directory you please. Netstat will create a file (in this case, log.txt on my desktop) and dump the output into it. Just open the file to see your results.
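As an added example (not part of the original article), the Python script below parses `netstat -an` output, such as the log.txt file from the last tip, and reports watchlisted ports that are actually listening on the local machine. The sample output and the three-port watchlist are constructed for illustration; substitute the port list you actually use.

```python
import re

# Constructed sample of `netstat -an` output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1528        198.51.100.7:80        ESTABLISHED
  TCP    192.0.2.10:1530        198.51.100.9:5190      ESTABLISHED
  TCP    192.0.2.10:27374       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# Illustrative watchlist only (an assumption, not the list the article links to):
# ports historically associated with NetBus, SubSeven and Back Orifice.
WATCHLIST = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Proto, local addr:port, foreign addr:port (or *:*), optional state (UDP has none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

def parse(text):
    """Yield (proto, local_ip, local_port, remote_ip, remote_port, state) per row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers and blank lines do not match and are skipped
            proto, lip, lport, rip, rport, state = m.groups()
            yield proto, lip, int(lport), rip, rport, state or ""

def suspicious_listeners(text, watchlist=WATCHLIST):
    """Return (proto, port, name) for watchlisted local ports that accept traffic."""
    hits = []
    for proto, _lip, lport, _rip, _rport, state in parse(text):
        # TCP listeners show LISTENING; UDP rows carry no state and are bound sockets.
        # An ESTABLISHED row whose local port merely coincides with the list
        # (27374 in the sample) is an outbound client port, so it is not flagged.
        listening = state == "LISTENING" or proto == "UDP"
        if listening and lport in watchlist:
            hits.append((proto, lport, watchlist[lport]))
    return hits

if __name__ == "__main__":
    for proto, port, name in suspicious_listeners(SAMPLE):
        print(f"{proto} port {port} is listening (historically used by {name})")
```

To check a saved log, pass the file's contents instead of SAMPLE, for example `suspicious_listeners(open(r"c:\windows\desktop\log.txt").read())`.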
This will confuse you, but that's OK. Go pick up a Networking+ book to troubleshoot properly.