
netstat how do i know who is on whi

sony vaio
November 9, 2006 at 02:29:20
Specs: win xp sp2, pentium 3.06, 1024mb ram

Hi there, I read your interesting article/overview on the netstat command and it was helpful. The question I have is, once you get a list of the foreign ports connected to you, how do you know who or what this foreign port is, where it originated from and who it belongs to? This way you can eliminate the harmless ports.

Whenever I report a problem to my cable provider he asks me to run a netstat -a command and count the number of TCP/IP connections, and if I have more than 8 then I probably have spyware on my system. I disagree with this blanket statement and would like to find out how to answer or refute his claim that x number of TCP ports means you have spyware lurking on your machine.

Can you help provide any information? Thanks in advance...


jd76




#1
November 9, 2006 at 10:04:22

Hi there,

First of all, you are totally right to question the statement "if there are more than 8 TCP connections you have spyware". I cannot believe a tech support professional would say this - what a totally irresponsible thing to say to a customer!

It's quite possible that you might have a lot of TCP/IP applications running on your machine, or you might have a couple of TCP/IP applications making quite a number of valid TCP connections (web browsers do this; they launch parallel threads to download page info, pictures etc.), and this might show many more than 8 established connections on a netstat display.

If you have hundreds and hundreds of established connections in your netstat output (and you're not doing much, or not running any applications that need IP connectivity) then perhaps this might suggest that something isn't right.

The netstat tool allows you to see what sort of network services are running on your machine (these will be in LISTENING state), as well as what sort of connections you have active (these are TCP connections in ESTABLISHED state).

There are 4 columns in the Windows netstat output: Protocol, Local Address, Foreign Address and State. The foreign address is just the IP address (or hostname) of another machine which you have a connection to. So, if you're browsing google.com for example and quickly do a netstat, you should see an entry in there ending in a "google.com" address followed by ":http" or ":80".

It's good practice every now and then to shut down all networking applications that you know about (don't forget ones that run in the background and in the systray!) and do a netstat to see what else is in LISTENING state - this helps you to know what other services are running. Just google for them if you don't recognise them.

However, the best tools for checking for things like Spyware are spyware scanners themselves... I myself use a combination of "Spybot S&D" and "Adaware".

I hope this helps,
Cheers, Lofty.



#2
November 9, 2006 at 14:59:41

Lemme try to put something in focus.

Your computer connected to the internet is subject to attack no matter how smart you are. There is a whole process called best practices that can be used to help you avoid problems. They don't help much after you get problems. No computer maker seems to offer the process in an out-of-the-box setting. So you and I are stuck with trying to fix it.

Choices are to try software to find and correct such things, such as the tools mentioned above. Spyware, viruses and rootkits can all use your system. Other legitimate things can also use your system, such as update software and online programs such as weather and toys.

I might suggest that you also get a good firewall. Most firewalls offer a known set of programs that they allow. They then ask you in pop-up windows when unknown programs try to access the internet. They offer help pages to help you decide on what to do. ZoneAlarm Free is OK, as are other top name brands.

Consider your system subject to attack. Never put any info on it that you may wish to keep secret. Credit cards, SSNs and whatnot are prime targets for data theft. Some firewall and security software targets those for special protection. See Symantec's and McAfee's sites for their protection suites.


I read it wrong and answered it wrong too. So get off my case, you goober.



#3
November 9, 2006 at 19:44:13

Learn how to do whois lookups to find the owners of IP addresses. I use the whois command on my FreeBSD box for that but there are web sites and other programs to use.


#4
November 10, 2006 at 00:59:26

Thanks Lofty, Jefro & Don for your excellent responses. Maybe I phrased my question wrongly or could have made it clearer. I understand the need for security on my network connections and PC. I currently have ZoneAlarm, AVG, Spybot, Ad-Aware, SpywareBlaster and MS Defender to protect my machine during operation. Thanks for the >8 connections response. Is it assumed then that the foreign address section of the netstat output will always contain an http address and port number? If so, can I just enter this into my browser and see where it takes me? Thanks Don for the ‘WHOIS’ command; I’ll look into this. PS: As stated in the above response, how do you shut down all network applications individually?
Thanks, John.


jd76



#5
November 12, 2006 at 18:33:13

Entering the IP in the browser only helps if there is a web server on the other end. In other words, the port would usually be 80 or 8080 after the : on the IP. If it's a machine receiving info from a trojan on your box, the browser won't help.
The Task Manager is probably the only way to kill apps in Windows without 3rd-party software, but there is a great little program called fport from www.foundstone.com that shows all the PIDs. In Unix there is the kill command, but Windows doesn't have that.


#6
November 15, 2006 at 02:51:50

Thanks Don, I'll bear this in mind. I think my initial exercise was to understand the netstat command and then how to trace what it is telling me. For example, take a netstat of open TCP ports, then find a way to display what each of these ports is. This way I could eliminate and identify any nasties that are connected to my machine. I believe there is also a TCPView utility, so I'll check this out... Thanks, John

jd76



#7
November 19, 2006 at 14:05:14

If you want to trace IP addresses in the foreign address column of the netstat output, then there are a few ways to do that.

One is another command, tracert IP_address. That will show you the hops to that machine, provided it is up and running.

ping IP_address will tell you if it's up and running.

The whois command (not on Windows) will tell you who the owner of that IP is, but won't tell you who the actual user is. There are whois web sites and a free program that does whois and other things. I can't think of the name of it.

nslookup is a Windows command that doesn't do as much as whois, but it does something.

fport (free) shows all processes, their PIDs and which port each is on.



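Lofty's reply (#1) explains what the LISTENING and ESTABLISHED states mean and why a browser alone can account for well over 8 connections, and #5 and #7 point at fport for tying each socket to a PID. On XP SP2 netstat's own -o switch prints the owning PID, and tasklist (on XP Professional) gives the PID-to-image-name mapping, so the script below, an added example that is not from any poster in this thread, parses constructed `netstat -ano` and `tasklist /fo csv /nh` output, attributes every socket to its process, counts ESTABLISHED connections per process, lists what each process has LISTENING, and picks out the foreign addresses that are worth a whois lookup (loopback and private ranges are skipped because whois says nothing useful about them). The sample text, the process names (including the look-alike svch0st.exe) and the addresses are all made up; documentation ranges stand in for public IPs.

```python
# Attribute `netstat -ano` sockets to their processes and pick the foreign hosts
# worth a whois. Added example; all input is constructed, with documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) standing in for public addresses.
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (-o, present from XP on, adds the PID column).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       3320
  TCP    192.168.1.10:1054      192.0.2.10:80          ESTABLISHED     2208
  TCP    192.168.1.10:1055      192.0.2.10:80          ESTABLISHED     2208
  TCP    192.168.1.10:1056      192.0.2.10:80          ESTABLISHED     2208
  TCP    192.168.1.10:1057      192.0.2.10:80          ESTABLISHED     2208
  TCP    192.168.1.10:1058      192.0.2.10:80          ESTABLISHED     2208
  TCP    192.168.1.10:1059      192.0.2.10:80          ESTABLISHED     2208
  TCP    192.168.1.10:1060      198.51.100.7:443       ESTABLISHED     2208
  TCP    192.168.1.10:1061      198.51.100.7:443       ESTABLISHED     2208
  TCP    192.168.1.10:1062      198.51.100.7:443       ESTABLISHED     2208
  TCP    192.168.1.10:1070      203.0.113.45:6667      ESTABLISHED     3320
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# Constructed `tasklist /fo csv /nh` output (image name, PID, session, session#, memory).
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"svchost.exe","900","Console","0","4,892 K"
"firefox.exe","2208","Console","0","62,104 K"
"svch0st.exe","3320","Console","0","2,012 K"
"""

# Address blocks a whois lookup cannot tell you anything useful about.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8",
              "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def split_endpoint(endpoint):
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); also handles '[::1]:80' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """One dict per socket line; the header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                          # UDP lines have no State column
            state, pid = "", int(parts[3])
        host, port = split_endpoint(foreign)
        conns.append({"proto": proto, "local": local, "foreign_host": host,
                      "foreign_port": port, "state": state, "pid": pid})
    return conns

def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if len(row) > 1}

def count_established(conns):
    return sum(1 for c in conns if c["state"] == "ESTABLISHED")

def summarize(conns, procs):
    """Per process: ESTABLISHED count, sockets it LISTENs on, remote endpoints."""
    out = defaultdict(lambda: {"established": 0, "listening": [], "remote": set()})
    for c in conns:
        entry = out[procs.get(c["pid"], "pid %d (not in tasklist)" % c["pid"])]
        if c["state"] == "ESTABLISHED":
            entry["established"] += 1
            entry["remote"].add("%s:%s" % (c["foreign_host"], c["foreign_port"]))
        elif c["state"] == "LISTENING" or c["proto"] == "UDP":
            entry["listening"].append("%s %s" % (c["proto"], c["local"]))
    return dict(out)

def hosts_to_lookup(conns):
    """Foreign IPs of ESTABLISHED sockets outside loopback/RFC1918/link-local."""
    hosts = set()
    for c in (c for c in conns if c["state"] == "ESTABLISHED"):
        try:
            ip = ipaddress.ip_address(c["foreign_host"])
        except ValueError:             # netstat printed a hostname or '*'
            continue
        if not any(ip in net for net in LOCAL_NETS):
            hosts.add(str(ip))
    return hosts

if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    procs = parse_tasklist(TASKLIST_SAMPLE)
    print("ESTABLISHED in total:", count_established(conns))
    for name, e in sorted(summarize(conns, procs).items()):
        print(name, e["established"], e["listening"], sorted(e["remote"]))
    print("whois candidates:", sorted(hosts_to_lookup(conns)))
```

On the constructed sample the browser alone holds 9 ESTABLISHED connections, which is the cable provider's ">8" threshold crossed by perfectly normal activity; what actually stands out is the process whose name almost matches svchost.exe, listening on an unfamiliar port and holding a single connection to port 6667 on a public address. That is the line to feed to whois, not the count.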