Netstat - crupper/Forensics-Tool-Wiki GitHub Wiki
# Netstat
##### Source: It is a standard command on Windows and Linux; on Linux it is also found in the net-tools suite.
## Description
Netstat shows the active TCP connections. It can also show routing tables, protocol-specific networking statistics, and multicast memberships. It is often used for troubleshooting networks or for seeing how much traffic a system is sending and receiving.
## My Thoughts and Uses
Netstat is among the first commands I run on a system during a forensic analysis because network connections are volatile. It is therefore important to capture this information as quickly as possible and send it to a forensic machine with netcat. It also has many useful options:
- `-a` shows all listening and non-listening ports.
- `-p` shows the PID and program name that owns each socket.
- `-r` shows information about the routing table.
- `-n` shows numerical addresses instead of resolving host and port names.
In forensic analysis, I will often run these as two commands:

```
netstat -anp
netstat -rn
```

The first displays the collection of all network connections, their ports, and owning PIDs. The second displays the routing table.
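The following is an added example, not part of the original wiki page: a small POSIX shell helper that streams the two captures above to a forensic workstation over netcat, plus two parsers that turn `netstat -anp` output into a triage summary (listening sockets with their owning process, and established connections with their remote endpoint). The netstat output embedded in the script is constructed for illustration; the forensic host address and port are assumptions passed as arguments.

```shell
#!/bin/sh
# Constructed sample of Linux `netstat -anp` output (not from a real host).
# Column layout assumed: Proto Recv-Q Send-Q Local Foreign [State] PID/Program
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1040/cupsd
tcp        0      0 192.0.2.10:22           198.51.100.7:51234      ESTABLISHED 2211/sshd: user
tcp        0      0 192.0.2.10:49822        203.0.113.5:4444        ESTABLISHED 3377/python3
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      3377/python3
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient'

# listening: read netstat -anp output on stdin, print "proto local pid/program"
# for every TCP listener and every bound UDP socket. UDP rows have no State
# column, so the PID field shifts left by one. UNIX-socket rows are skipped.
listening() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { print $1, $4, $7 }
         $1 ~ /^udp/                    { print $1, $4, $6 }'
}

# established: read netstat -anp output on stdin, print "remote_ip remote_port
# pid program" for each ESTABLISHED TCP connection. The port is taken after the
# last colon so IPv6 addresses (tcp6 rows) split correctly too.
established() {
    awk '$1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            n = split($5, a, ":"); port = a[n]
            ip = substr($5, 1, length($5) - length(port) - 1)
            split($7, p, "/")
            print ip, port, p[1], p[2]
         }'
}

# collect: run the two commands from the page and stream them to the forensic
# workstation ($1 = its address, $2 = its listening port; both assumptions).
# Nothing is written to the suspect disk; the receiver runs something like
# `nc -l -p "$2" > netstat-capture.txt` and hashes the file on arrival.
collect() {
    {
        echo "# captured $(date -u +%Y-%m-%dT%H:%M:%SZ) on $(hostname)"
        echo '# netstat -anp'; netstat -anp
        echo '# netstat -rn';  netstat -rn
    } 2>&1 | nc "$1" "$2"
}

# Stand-alone demonstration on the constructed sample.
echo '== listening sockets =='; printf '%s\n' "$SAMPLE" | listening
echo '== established connections =='; printf '%s\n' "$SAMPLE" | established
```

To use the collector on a live system, call `collect <forensic-host> <port>` after starting the listener on the forensic machine.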
## Resources and more information
The Microsoft documentation of netstat.