Windows System Port Monitoring

Source: Internet
Author: User

Usually, if you want to discover all the ports that are in use and listening, you can use the netstat command. Netstat is not a port scanning tool. If you want to scan which ports the computer has open, it is recommended that you use the methods described in this article.

Netstat Command basics

The netstat command is primarily used to display protocol statistics and current TCP/IP network connections.

Its format is as follows:

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

The following is a brief description of the meaning of each of the parameters:

-a Displays all connections and listening ports.

-b Displays the executable involved in creating each connection or listening port. In some cases a well-known executable hosts multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is shown in [] at the bottom, above it is the component it called, and so on until TCP/IP is reached. Note that this option can take a very long time, and it will fail if you have insufficient permissions.

-e Displays Ethernet statistics. This option can be combined with the -s option.

-n Displays addresses and port numbers in numerical form.

-o Displays the owning process ID associated with each connection.

-p proto Shows connections for the protocol specified by proto; proto can be one of the following protocols: TCP, UDP, TCPv6, or UDPv6. If it is used with the -s option to display per-protocol statistics, proto can be one of the following protocols: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are displayed for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option can be used to specify a subset of the default.

-v When used with the -b option, displays the sequence of components involved in creating the connection or listening port for all executables.

interval Redisplays the selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat displays the current configuration information once.

Use netstat to find listening or open ports on your computer

Open a Command Prompt window and type:

C:\windows>netstat -an | find /i "Listening"

If you want to save the displayed results to a file (typically a text file) for future reference, you can use a redirection operator such as ">" or ">>":

netstat -an | find /i "Listening" > C:\openports.txt

We can change "listening" to "established" to see which ports the computer is communicating with:

C:\windows>netstat -an | find /i "established"

Note: In Windows XP and Windows Server 2003, if you want a list of the owning process ID associated with each connection, you can run "netstat -o":

C:\windows>netstat -ao | find /i "Listening"
  TCP    pro1:epmap           pro1.dpetri.net:0    LISTENING    860
  TCP    pro1:microsoft-ds    pro1.dpetri.net:0    LISTENING    4
  TCP    pro1:1025            pro1.dpetri.net:0    LISTENING    908
  TCP    pro1:1084            pro1.dpetri.net:0    LISTENING    596
  TCP    pro1:2094            pro1.dpetri.net:0    LISTENING    596
  TCP    pro1:3389            pro1.dpetri.net:0    LISTENING    908
  TCP    pro1:5000            pro1.dpetri.net:0    LISTENING    1068
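Listings saved to a file as described above can be compared over time to spot a listener that was not there before, together with the PID that owns it. The following Python code is an added example, not part of the original article; it assumes both captures were taken with "netstat -ano" on an English-language Windows (numeric ports, a PID column, the state text LISTENING), and the two captures embedded in it are constructed sample data.

```python
# Added example: compare two saved "netstat -ano" captures and report new listeners.
# BASELINE and CURRENT are constructed sample data, not output from a real host.

BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       860
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.0.100:139      0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:500            *:*                                    596
"""

CURRENT = BASELINE + """\
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1068
  TCP    [::]:3389              [::]:0                 LISTENING       908
  TCP    192.168.0.100:2496     212.179.4.7:80         ESTABLISHED     1536
  UDP    0.0.0.0:1900           *:*                                    1068
"""


def parse_listeners(text):
    """Return {(proto, address, port): pid} for listening TCP and bound UDP sockets."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP":
            # TCP rows: Proto, Local, Foreign, State, PID
            if len(fields) != 5 or fields[3] != "LISTENING":
                continue
        elif len(fields) != 4:
            # UDP rows have no State column: Proto, Local, Foreign, PID
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact
        address, _, port = local.rpartition(":")
        listeners[(proto, address, int(port))] = int(fields[-1])
    return listeners


def new_listeners(baseline_text, current_text):
    """Listeners present in the current capture but absent from the baseline."""
    before = parse_listeners(baseline_text)
    now = parse_listeners(current_text)
    return sorted((key, pid) for key, pid in now.items() if key not in before)


if __name__ == "__main__":
    for (proto, address, port), pid in new_listeners(BASELINE, CURRENT):
        print(f"new {proto} listener {address}:{port} owned by PID {pid}")
```

The PID reported for each new listener is the value to look up in the process list, as the next section does with pulist.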

You can download the tools from http://www.petri.co.il/download_free_reskit_tools.htm.

Use pulist to find the PID and the process that uses it.

For example, we may find that the computer has a connection to a remote IP address on TCP port 80, but there is no Internet Explorer or other browser window open on the computer. To see exactly which process is using this session, we use a command such as the following:

C:\windows>netstat -no

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.100:2496     212.179.4.7:80         ESTABLISHED     1536

Then use the "pulist" command together with the "find" command:

C:\windows>pulist | find /i "1536"
Process           PID    User
lucoms~1.exe      1536   dpetri\danielp

As you can see, danielp is running lucoms~1.exe, which is the Symantec LiveUpdate process.

To see all open, established, closed, and used ports, you can use a command such as the following:

C:\windows>netstat -a

In Windows XP or 2003, you can also use the -o switch:

C:\windows>netstat -ao
