Netstat - KadeTheKade/ForensicTools GitHub Wiki

Displays active TCP connections and a number of other statistics including those related to network interfaces, protocols, and routing tables. It is used as a tool for finding network problems and making it possible to determine the amount and type of traffic on a network.

There are many useful parameters that allow for customized reporting, such as:

-a : Displays all active TCP connections and the TCP and UDP ports on which the computer is listening.

-e : Displays Ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s.

-n : Displays active TCP connections, however, addresses and port numbers are expressed numerically and no attempt is made to determine names.

-o : Displays active TCP connections and includes the process ID (PID) for each connection. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p.

-p Protocol : Shows connections for the protocol specified by Protocol. In this case, the Protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, Protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6.

-s : Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols.

-r : Displays the contents of the IP routing table. This is equivalent to the route print command. Interval : Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once.

/? : Displays help at the command prompt.

Without any of these parameters netstat will just display active TCP connections.

Knowing the network connections that are currently on a live victim is a vital step in discovering what is happening in a compromised system. Netstat allows the user to do that in a simple command format through the terminal.