Updated date:

Use Netstat to check your Windows PC network traffic

use-netstat-to-check-your-windows-pc-network-traffic

In my article "Best Windows 7 Commands to get you started", I introduced the very basic starter Windows command line "cmd's" to persuade people to open the Windows cmd prompt and give it a try.

I then followed up with a another command line article, that dove a little deeper, but I left out a few, really good commands (quite a few, actually)....for a reason...

Most of the Windows cmd line commands available deserve an article to themselves, with a bit of explanation. The topic of this particular article is a good example of just that, and a good starting point. ...... the Windows command "Netstat".

Want to see who is connected to your PC right now? Grab that energy drink and let's get started!

use-netstat-to-check-your-windows-pc-network-traffic

First of all, open up your Windows Command prompt by typing "cmd" in the search window in the bottom right of your Windows 7 desktop.

Note: (I personally keep search off). I open the Run window by hitting the "Windows" key + "R" at the same time. Either way works for executables.

Then type "cmd" (without the quotes) and you'll see the Windows cmd prompt appear. (The black dos screen).

Next, within the cmd console, type "Netstat /?" (without the quotes) for a list of options and common usage.

use-netstat-to-check-your-windows-pc-network-traffic

You can read the list of options for yourself and experiment. In this article I'm going to cut right to the chase. In my world I use one set of parameters along with the Netstat cmd to see what connections my PC has.

Netstat -ano

  • Netstat -a will give you all of the connections and listening ports
  • Netstat -n will give you the foreign addresses in numerical form (critical for the next step in this article.... hint...hint)
  • Netstat -o will give you the process id associated with the connection, also good to know....

Combine the switches together ( -ano) with the Netstat command and you'll have a solid starting point to examine what network connections your PC currently has open.

Next, take a look at my screenshot below, see the column titled "Foreign Address"? That's the information we're looking for. We'll lookup these WAN IP's to see where and who they are coming from.

use-netstat-to-check-your-windows-pc-network-traffic

Under my "Foreign Address" column I see 74.125.26.106:80

The WAN IP is 74.125.26.106 , the second part :80 , means "port 80" , or "http"

which is the port you mainly surf the web on.

So where does one go to find out WHO exactly 74.125.26.106 IS? Read on my friends and I'll show you.

TIP: It's a good idea to familiarize yourself with common TCP\IP ports, such as 80, 25, 53, and so on. Some basic port knowledge can really go a long way in your digital lifetime.

The first website I'll use to check an IP address is THE authority (literally) on IP addresses:

www.IANA.org: Internet Assigned Numbers Authority.

When it comes to IP addresses, IANA is "Them" or "They". The people literally responsible for "DNS Root, IP Addressing, and other internet protocol resources".

The link we're interested in is right in the middle of their page: "IP Addresses and AS Numbers". (see pic below).

use-netstat-to-check-your-windows-pc-network-traffic

TIP: you can also bookmark www.iana.org/numbers , which is the IP lookup site I'm about to show you....

On the "numbers" page you'll see a world map along with the 5 main IP Registry authorities from all over the world. The very first place I'll search for my IP address information is ARIN (North American Region).

Note: This is where I start first, because I live in the United States and most of my web traffic will be contained in this registry database. If you live elsewhere you may wish to start with the IP registry in your region.

use-netstat-to-check-your-windows-pc-network-traffic

Lets click on the ARIN registry, then search for information on our IP 74.125.26.106 address --->

See the "Search WhoIs" box in the top right corner? We'll type the address (or paste) and hit enter and see what we get.

Note: If you get an address that's not in this registry, you will get referred to one of the other registry sites such as "Ripe" or "Lacnic". The layout on the sites vary a little bit, but on each you'll find a place to search for information on your address. I'll give you a table to reference below...

Tip: You may want to bookmark the numbers site, or, even better, add it to your IE "Favorites" Toolbar. In one of my latest articles I show you how to "Rock your IE favorites bar".

My iplookup on ARIN gave me google. AHA!

My iplookup on ARIN gave me google. AHA!

Easy right? Start looking at your IP addresses and you'll start to recognize certain ranges and patterns.

TIP: One of the first things I do as a network admin when a PC may be infected is pull it off the corporate network, put it on an external network, and use Netstat to check for activity.

Using Netstat and IANA, I can quickly check connections on a PC, as well as the ports being used and the associated Windows process ID (PID). I can then trace the WAN IP connection to a running process or program and go from there.....

Search Tips for the Registry Sites

Internet RegistryLinkWhere on page

AFRINIC

Search WhoIS

Top Right

APNIC

WhoIs Search

Top Right

LACNIC

WhoIs

Middle Right

RIPE

Ripe Database Search

Bottom Right

This article is accurate and true to the best of the author’s knowledge. Content is for informational or entertainment purposes only and does not substitute for personal counsel or professional advice in business, financial, legal, or technical matters.

© 2013 Jeff Boettner

Comments

Jeff Boettner (author) from Tampa, FL on April 26, 2020:

It seems like this article is gaining some traction, and I'm glad for those who read it. Many years ago, I remember having a client machine call out across to the other side of the planet at 12 pm exactly every day at lunch, while my cowkrer was off eating lunch of course. My router (Watchguard) showed the traffic in a nice little GUI (the whole network).....(Great Router). I saw the connection to an WAN IP Range I was aware of, so I ran virus scan on the machine...nothing. Ran through the procedure in this article and solved the issue, by backtracking the process, file, registry. Turns out they werer trying to send DAT files...(but couldnt get through my firewall TY). So the traffic failed, but I saw the attempt befoe it became a serious issue. I ended up blocking the entire offending country entirely at the WAN level on the router...since we did ZERO business with them.)

At any rate, for your client, one of the best way to start forecnsics on your home c, is to see who (and where) a computer is talking to. Then you look at the app running the connection (SYS Tools -- Process Explorer). Once removed, run Malwarebytes, install and run ccleaner....and last but not least.... don't surf internet as "administrator". ****This is one of the most important tips you'll ever here. ....click the wrong link, and uploaded malware has admin access immediately. Create an account (non admin), and use it for surfing the internet only. From any OS, click "ctrl" and "R" (or use search bar) and type computer management. Select users and groups...create a new user (non admin).

And, if you go out in public a lot, use a VPN!

Thanks again for your interest and comments! - jb

Jeff Boettner (author) from Tampa, FL on April 26, 2020:

Hey Richard, Thanks for the feedback! It seems this article is gaining traction lately, and I'm glad. Back when I was a network admin, it was surprising what you could find on a client machine. My favorite was a scheduled task that would run every day when my coworker went to lunch....his computer was automatically calling the other side of the planet every day at lunch...uploading dat files

Richard Nyarko on April 25, 2020:

thanks for the sharing information ...

Ronnie on October 28, 2019:

Thanks for good sharing information...

Jeff Boettner (author) from Tampa, FL on October 21, 2019:

Hey Bill thanks for stopping by!

Bill Nye the High Guy on October 17, 2019:

Very nice, I like.

Mahendra Kumar on April 29, 2019:

Thanks for sharing your valuable information.

anonymous on April 25, 2019:

nice article it is very helpful

niks on July 05, 2018:

very good article.

nat on March 24, 2018:

thankyou very informative

Stefan Lehmann on April 29, 2014:

Very helpful article. Alas the link http://www.dti.ulaval.ca/webdav/site/sit/shared/Li... is broken