
Netstat Utility


13 replies to this topic

#1 Tom_Slick


Posted 22 February 2008 - 02:35 PM

Hello, I hope I am making this thread in the proper section, if not then please advise.
Just out of curiosity I ran "netstat -a" from command prompt and I have a question or two about what I'm seeing. The problem is, I can't figure out how to copy and paste the listed results. Can anyone tell me how to do that?
In the meantime, I'll type the results in manually, the very first entry is the one that I'm the most concerned about because I don't understand why I would be connected to another "home desktop". But I really don't understand any of it, is there a tutorial or something that explains the netstat utility and how to interpret the results or how to use it? If so, I can't seem to find it. Thanks in advance!

Proto - Local Address - Foreign Address - State
TCP - home-desktop:epmap - home-desktop:0 - Listening
UDP - home-desktop:isakmp - *:*
UDP - home-desktop:1040 - *:*
UDP - home-desktop:4500 - *:*
UDP - home-desktop:ntp - *:*
UDP - home-desktop:1900 - *:*
UDP - home-desktop:ntp - *:*
UDP - home-desktop:1369 - *:*
UDP - home-desktop:1900 - *:*


 


#2 tswsl1989


Posted 22 February 2008 - 02:56 PM

To copy from the command prompt, right click the title bar and select Edit-> Mark.
Left click and drag to select the area you wish to copy.
Right click to copy.

To paste into command prompt: Right-click -> Edit -> Paste

Each entry returned by netstat is a connection from your PC to another PC, or a port that is being listened to on your PC for other PCs to connect to.
The word\number after the colon under each address is the port number or the main use for that port. NTP, for example, is the network time protocol. Your PC's trying to sync its clock with other nearby computers.
Use Google to look up the ports if you're concerned, but be aware that ports can be used for many things.

Brief guide:
Destination port 80\http : Connection to a webserver e.g TCP - 127.0.0.1:1068 www.bleepingcomputer.com:http
Destination port 21\ftp: FTP connection
Destination port 25\110\pop3\imap\smtp: Email connections
Destination port 443\https: Secure web page connection

Hope that helps,
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#3 Tom_Slick


Posted 22 February 2008 - 03:25 PM

Thanks for the help on how to copy the results! That does indeed help!
I still don't understand what I'm seeing though. I will Google the ports in question. But what does *:* mean? And why is my computer connected to another "home-desktop", I would expect to be connected to a "server" of some sort and not a home based pc when connected to the internet.
Maybe I'm in over my head on this one. While Googling the ports listed in my netstat results, all the info that I find just confuses me more. For example, port "epmap", everything I've found concerning that port says that it is the most commonly used port for virus and worm attacks! That worries me.
Is there anything like a tutorial or guide that shows what to look for and what to "not" worry about?

Edited by Tom_Slick, 22 February 2008 - 03:46 PM.


#4 tswsl1989


Posted 23 February 2008 - 03:58 AM

home-desktop is the name of your PC.
If you want to see what program is responsible for each socket, run netstat -b or netstat -ab, which will give you the program name for each socket. You can then google the programs if you're still concerned.
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#5 Tom_Slick


Posted 23 February 2008 - 10:27 AM

Okay, "home desktop" is the name of my pc got ya, but it says "home desktop" under "foreign address" as well as under "local address", So I'm connecting to my own pc?? And what does *:* mean?
Also, I just ran netstat -ab and I get a warning box that popped up and says "There is no disk in the drive. Please insert a disk into drive D:." There are 3 boxes I can then click on in that warning box, Cancel, Try Again, Continue. No matter which one I click on, the warning box will not go away until I click on Cancel really fast, it finally did go away. Why would I need a disk in drive D when running netstat -ab? Drive D on my machine is my CD/DVD Rom.

This is what I see in the results list after running netstat -ab

Active Connections

Proto Local Address Foreign Address State PID
TCP home-desktop:epmap home-desktop:0 LISTENING 764
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP home-desktop:1040 *:* 840
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP home-desktop:4500 *:* 544
[lsass.exe]

UDP home-desktop:isakmp *:* 544
[lsass.exe]

UDP home-desktop:1900 *:* 884
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP home-desktop:ntp *:* 796
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP home-desktop:1900 *:* 884
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP home-desktop:ntp *:* 796
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP home-desktop:2673 *:* 2680
[IEXPLORE.EXE]

Edited by Tom_Slick, 23 February 2008 - 10:30 AM.


#6 tswsl1989


Posted 23 February 2008 - 10:48 AM

The *:* next to the UDP entries is because UDP does not specify a destination in the same way as TCP (I think, not a protocol expert though)

Not certain why you would need a disk in the D drive to run netstat -ab, unless you have a program running which launched from CD, but the CD has been removed.

Try netstat -b and netstat -ab after a reboot and see what it comes up with. An anti-virus scan wouldn't hurt either.

Connections to your local machine aren't uncommon. Software like iTunes, for example, can display connections that loopback onto your machine, as will certain Windows processes.

The entries marked [svchost.exe] are Windows services. The DLLs let you work out which service e.g w32time = Windows Time Service.
A quick check of these on google will let you know what's going on.
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#7 Tom_Slick


Posted 23 February 2008 - 10:59 AM

Thanks, I'll reboot and run netstat again.
I have AVG Free antivirus, it scans my machine on a daily basis, as of my last scan I have no infections.
I'm a bit confused on what to Google, do I google the process that is running, the PID or the DLLs?
Thanks for your help and for being patient with me, I'm not a comp tech and I'm just trying to learn.

#8 tswsl1989


Posted 23 February 2008 - 11:07 AM

Since posting, I've compared your results against those on my PC.
Apart from the D drive prompt, I have no concerns about your results.

As for the google thing:
In most cases, look up the process that is running, which appears in [square brackets]
For Svchost.exe, google the DLLs, as these are what is actually running. Svchost just hosts the service from those DLLs
If you ever see an entry for rundll32, google the DLLs. I've never seen that as an entry, but it might show up.

Most PIDs mean nothing, so you would find little of worth by searching on google
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together
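
As an added example (not code from any poster in this thread), a small Python parser for output in the `netstat -ab` layout shown above. It applies the lookup rule from post #8: report the process in square brackets, except for svchost.exe and rundll32, where it reports the DLLs instead. The `GENERIC` library list, the function names and the sample text are assumptions of this example.

```python
# Generic libraries seen in most module chains (assumed list, not from the thread).
GENERIC = {"ws2_32.dll", "rpcrt4.dll", "ntdll.dll", "kernel32.dll",
           "mswsock.dll", "dnsapi.dll"}
HOSTS = {"svchost.exe", "rundll32.exe"}  # processes that only host DLL code
UNKNOWN = "-- unknown component(s) --"
# Constructed sample in the layout of the thread's `netstat -ab` output.
SAMPLE = r"""
Proto Local Address Foreign Address State PID
TCP home-desktop:epmap home-desktop:0 LISTENING 768
c:\windows\system32\WS2_32.dll
c:\windows\system32\rpcss.dll
[svchost.exe]
UDP home-desktop:ntp *:* 796
c:\windows\system32\w32time.dll
-- unknown component(s) --
[svchost.exe]
UDP home-desktop:1044 *:* 2968
[IEXPLORE.EXE]
"""

def parse_netstat_ab(text):
    sockets, cur = [], None
    for line in map(str.strip, text.splitlines()):
        parts = line.split()
        if parts and parts[0] in ("TCP", "UDP") and parts[-1].isdigit():
            # PID is the last column; UDP rows have no State column.
            cur = {"proto": parts[0], "local": parts[1], "pid": int(parts[-1]),
                   "modules": [], "unknown": False, "process": None}
            sockets.append(cur)
        elif cur is None or not line:
            continue
        elif line == UNKNOWN:
            cur["unknown"] = True
        elif line.startswith("[") and line.endswith("]"):
            cur["process"], cur = line[1:-1], None  # closes the block
        else:  # module path: keep only the file name
            cur["modules"].append(line.replace("\\", "/").rsplit("/", 1)[-1])
    return sockets

def lookup_terms(sock):
    # Host processes are identified by their non-generic DLLs, others by name.
    proc = sock["process"] or "unknown"
    dlls = [m for m in sock["modules"] if m.lower() not in GENERIC]
    return dlls if proc.lower() in HOSTS and dlls else [proc]

def summarize(text):
    return [(s["proto"], s["local"], s["pid"], lookup_terms(s), s["unknown"])
            for s in parse_netstat_ab(text)]
```

Save real output with `netstat -ab > out.txt` and pass the file's text to `summarize()`; each tuple ends with a flag that is true when the block contained the "unknown component(s)" line.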

#9 Tom_Slick


Posted 23 February 2008 - 11:13 AM

Great! Thanks for clearing that up for me. Now I know what to Google, lol!
If I find anything that is of concern I will post again in this thread.
Thanks very much for your help, it is truly appreciated!!

#10 tswsl1989


Posted 24 February 2008 - 02:24 PM

You're welcome, and a belated welcome to Bleeping Computer :thumbsup:
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#11 Tom_Slick


Posted 24 February 2008 - 09:29 PM

Thanks for the welcome!
I ran netstat -ab again after a reboot and the only thing that I see in the results that is any different and of concern is the following:
UDP home-desktop:ntp *:* 784
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
-- unknown component(s) --
[svchost.exe]

Not sure what to think about the "unknown component(s)"

#12 tswsl1989


Posted 25 February 2008 - 11:05 AM

New one on me :thumbsup:
The port given (ntp) is used for the network time service
w32time.dll is the windows time service.

Odd, but I doubt it's major
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together

#13 Tom_Slick


Posted 26 February 2008 - 10:34 AM

It is odd and I surely hope that it isn't a major problem. If it's not too much trouble, I would like for you to look at the results that I see now when I run netstat -ab.
BTW, the D prompt that I got before I have not received again so I'm not sure what that was about. Here's the results from the last time I ran netstat -ab, which was while I was reading your reply. I now see 3 instances of "unknown component(s)".
Thanks again!

Active Connections

Proto Local Address Foreign Address State PID
TCP home-desktop:epmap home-desktop:0 LISTENING 768
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\RPCRT4.dll
[svchost.exe]

UDP home-desktop:1037 *:* 872
C:\WINDOWS\system32\mswsock.dll
c:\windows\system32\WS2_32.dll
c:\windows\system32\DNSAPI.dll
c:\windows\system32\dnsrslvr.dll
C:\WINDOWS\system32\RPCRT4.dll
-- unknown component(s) --
[svchost.exe]

UDP home-desktop:isakmp *:* 544
[lsass.exe]

UDP home-desktop:4500 *:* 544
[lsass.exe]

UDP home-desktop:ntp *:* 796
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
-- unknown component(s) --
[svchost.exe]

UDP home-desktop:1900 *:* 932
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP home-desktop:1900 *:* 932
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP home-desktop:ntp *:* 796
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
-- unknown component(s) --
[svchost.exe]

UDP home-desktop:1044 *:* 2968
[IEXPLORE.EXE]

#14 tswsl1989


Posted 07 March 2008 - 01:17 PM

Sorry for the slow reply, things have been a little hectic.
I can't see anything untoward about those results, but I admit that I haven't been able to find out much about the unknown components error. The only information I found suggested it can be shown if you're not an administrator (or running the command as an administrator under Vista)

:thumbsup: You know where to find help if you ever need it again.

Regards,
Tom

Tswsl1989
Duct tape is like the force. It has a light side, a dark side, and it holds the universe together



