Normally, if you want to discover all the ports that are already in use and listening, we can use the netstat command. Netstat is not a port scanning tool, and if you want to scan which ports the computer is opening, it is recommended that you use the method described in this article.
netstat command Basics
The netstat command is primarily used to display protocol statistics and current TCP/IP network connections.
The format is as follows:
NETSTAT [-A] [-b] [E] [-n] [-o] [P proto] [-r] [-S] [-v] [interval]
The meaning of each parameter is briefly described below:
-a displays all connections and listening ports.
-B Displays the executable components that are included in creating each connection or listening port. In some cases, an executable component is known to have multiple stand-alone components, and the sequence of components contained in these cases to create a connection or a listening port is displayed. In this case, the executable component name is at the bottom of [], the top is the component it calls, and so on, until the TCP/IP section. Note This option may take a long time and may fail if you do not have sufficient permissions.
-e Displays Ethernet statistics. This option can be used in combination with the-s option.
-N Displays the address and port number in digital form.
-O Displays the owning process ID associated with each connection.
-P proto Displays the connection proto the specified protocol; Proto can be one of the following protocols: TCP, UDP, TCPv6, or UDPV6. If used with the-s option to display by protocol statistics, Proto can be one of the following protocols: IP, IPV6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPV6.
-r Displays the routing table.
-S displays by protocol statistics. By default, statistics are displayed for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the-p option specifies a subset of the defaults.
The-V is used with the-B option to display components that are included in creating a connection or listening port for all executable components.
Interval the selected statistics again, pausing interval (in seconds) between each display. Press CTRL + C to stop the statistics from being displayed again. If omitted, netstat displays the current configuration information (only once).
use Netstat to discover listening or open ports on your computer
Open a Command Prompt window and type:
C:/windows>netstat-an |find/i "Listening" |
If the user wants to save the display results to a file (usually a text file) for future reference, you can use the redirect command, such as > or >>:
Netstat-an |find/i "Listening" > C:/openports.txt |
We can change "listening" to "established" to see what ports the computer is communicating with:
C:/windows>netstat-an |find/i "established" |
Note: In Windows XP and Windows Server2003, if a user wants to get an ID list of all their own processes associated with each connection, you can enter the Execute "netstat-o":
C:/windows>netstat-ao |find/i "Listening"
TCP pro1:epmap pro1.dpetri.net:0 listening 860
TCP pro1:microsoft-ds pro1.dpetri.net:0 listening 4
tcp pro1:1025 pro1.dpetri.net:0 Listening 908
TCP pro1:1084 pro1.dpetri.net:0 Listening 596
TCP pro1:2094 pro1.dpetri.net:0 listening 596
tcp pro1:3389 pro1.dpetri.net:0 Listening 908
TCP pro1:5000 pro1.dpetri.net:0 Listening 1068 |
Users can access http://www.petri.co.il/download_free_reskit_tools.htm.
Use Pulist to find the PID and the process to use it. For example, we might find that the computer has a connection to a remote IP address on TCP port 80, but there is no Internet Explorer or other browser window open on the computer. To see exactly what process is in use
In this session, we use the following command:
C:/windows>netstat-no
Active Connections Proto Local address Foreign address State
PID
TCP 192.168.0.100:2496 212.179.4.7:80 established 1536 |
Then use the "pulist" command with the "find" argument:
C:/windows>pulist |find/i "1536"
Process PID User
lucoms~1.exe 1536 dpetri/ Danielp |
As you can see, Danielp is running the Lucoms~1.exe, which is the Symantec Live update process.
To see all open, established, closed, and used ports, you can use the following command:
In Windows XP or 2003, we can use the-o switch: