NETSTAT Shows Multiple Connections

January 4, 2007 at 09:15:24
Specs: WinXP Pro, AMD 2500+ /768
In CMD when I run netstat -p TCP I get multiple listing of my Local Address...

http://members.cox.net/jaymom2/nets...

Hopefully someone can tell me why.

This is the computer of a friend. My own computer does not do this.

Harold


See More: NETSTAT Shows Multiple Connections

Report •


#1
January 4, 2007 at 10:16:15
When I use netstat -p tcp I get four listings.
My computer is on a local network with three other computers, connected via network cables to 4 wired ports on a router (a fifth one on the router is for WAN and goes to my ADSL modem).
In my case the Local address is the same except each has, in order, a :1075, :1076, :1077 and :1078 appended to it. The Foreign address is identical in each case, and is that of my router. State is TIME_WAIT.
I get four listings even if only one computer is on or even if not all the network cables are plugged into the router.

Does your friend have a router or ethernet hub connected that has 3 ports other than for WAN, and you do not?


Report •

#2
January 4, 2007 at 11:20:06
No she doesn't. Im wondering if it is caused by having 3 ports open and being used by her ISP.

Harold


Report •

#3
January 4, 2007 at 12:23:31
Hi Harold, Tubesandwires, hi everyone

Sorry Tubesandwires but your response (#1) doesn't make any sense to me. :-|
I have a similar set up as yours and on my WinXP box there aren't any active connections at this very moment, and yes the box is turned on and connected to the LAN.

Little over one hour ago, when the WinXP box checked for it's daily Anti-Virus software update, there were six FTP entries in the list.
Now the list is completely empty, no surfing activities are preformed at this moment on the WinXP box.
This reply is being typed on my good old dinosaur running Win98, and yes netstat -p tcp shows three active connections.
Local ports: 1284, 1285, 1287. External: pop3, pop3, nbssession (to the WinXP box). Status: TIME_WAIT (3x).

I think that there must be some kind of Active Connections that aren't supposed to be, and would suspect a virus or other malware.

Harold, if I was you I would start looking in the direction of a virus or other malware if there aren't any Internet activities (IE, OE) performed and not wonder about haveing 3 ports open or not.

Best Regards and Wishes,
The Count, Co-webmaster of mesich.com


Report •

Related Solutions

#4
January 4, 2007 at 13:38:35
The Count,

Thanks and yes I am going to work with my niece and see if that is what she actually has.

Harold


Report •

#5
January 4, 2007 at 15:26:37
Hi Harold, Tubesandwires, hi everyone

In addition to my earlier response (#3), other Internet activity could be any type of messenger which commonly is started when Windows loads and directed to the system tray (usually right bottom of the screen).

Have your niece shut down all the obvious Internet programs; Internet browser, E-mail program, Messenger, RSS-feeds etc. on a reboot and than wait a little while.
After having waited a while, five or more minutes, run the netstat -p tcp command and check if there still are active connections listed.

Another option would be to disable all and only all the familiar looking Internet related items in the Startup tab of Msconfig.
Start => Run => msconfig => OK, click on the Startup tab. Reboot.
Once rebooted, run the netstat -p tcp command and check if there still are active connections listed.

If there are still entries listed in the Active Connections after either of the above procedures, and there is no home network or Internet related activity performed by your niece, than you can pretty sure suspected a virus or other malware. :-(

If your niece doesn't have a Anti-Virus, or outdated, program here are two online scanners:
Trend Micro - Free online virus scan,
McAfee FreeScan.
(http://housecall65.trendmicro.com/)
(http://us.mcafee.com/root/mfs/default.asp)

Also get a copy of Hitman Pro, it comes with Ad-Aware, Spybot S&D etc...
(http://www.hitmanpro.nl/hitmanpro/index.php?lang=en)

When the system finally comes clean, and there isn't a Anti-Virus program installed aside of the 30 day's trial version of NOD32 which comes with Hitman Pro, there is: AVG Anti-Virus
(http://free.grisoft.com/doc/1/)

Good luck and keep us posted.

Best Regards and Wishes,
The Count, Co-webmaster of mesich.com


Report •

#6
January 5, 2007 at 13:26:02
Cessna did not say his friend's computer was having problems.
To search for a virus or other malware when there's no clear evidence anything is wrong is a waste of time - if it ain't broke, you don't try to fix it.

I don't know much about this netstat command, or how to interpret the results displays. The displayed info in response 1 is what I see, regardless of what others may see on their own computer. I have discovered that if I run netstat -p tcp shortly after booting, I get seven entries - after a
few minutes it reverts to the same four.
There is no evidence of any virus or other malware on that computer. The internet is not being accessed in any abnormal way.
FYI: it has the original XP Pro, updated to SP1. IE 6.0. There are no wireless internet connections on the network, and no encryption of network connections. There is no firewall other than the default settings in the router. Nearly all of the critical updates have been installed via Microsoft Update.


Report •

#7
January 5, 2007 at 18:18:36
Hi Harold, Tubesandwires, hi everyone

By no means I want to get wind up in a endless discussion, but I partially disagree with you Tubesandwires.

It's a matter of interpretation I guess, to me Harold AKA Cessna his wordings were pretty clear and describing a oddness.

Out of precautionary measure one can very well search for viruses and/or malware, there are those as you may or may not be aware of dormant viruses. Another thing viruses and/or malware like to do is cloak or hide themselves, thus stay out of (immediate) sight (from the computer user), and in the meanwhile do what they are designed for to do: make use of the available processor time and/or available Internet connection etc. for whatever illegal reason(s).

"The internet is... ...any abnormal way."
If there isn't any TCP traffic occurring, nor reason for it with out your knowledge, there shouldn't be any Active Connections listed when you execute the netstat -p TCP command.
While typing this reply I fired up two other PC's running Windows XP Pro with SP2 and all available updates installed, one with IE 7.0 and the other with IE 6.0 SP2, neither of them show any active connections after they have automatically downloaded/received their daily Anti-Virus software update. Even the PC with WinXP SP2 and IE 7.0, and this old dinosaur running Win98 with IE 5.5, which I talked about yesterday and have been turned on for the most part of day don't show any active connections at this time.
Momentarily my LAN seems to be set up pretty much the same as yours, no wireless connections, no encryption on the network connections merely the firewall set active within the router.

The above is my point of view and are my findings, and like I started: I don't want to get wind up in a endless discussion. :-)

Best Regards and Wishes,
The Count, Co-webmaster of mesich.com


Report •


Ask Question