Use Netstat to check your Windows PC network traffic
In my article "Best Windows 7 Commands to get you started", I introduced the very basic starter Windows command line "cmd's" to persuade people to open the Windows cmd prompt and give it a try.
I then followed up with a "Command Line part 2" hub, that dives a little deeper, but I left out a few, really good commands (quite a few, actually)....for a reason...
Most of the Windows cmd line commands available deserve an article to themselves, with a bit of explanation. The topic of this particular article is a good example of just that, and a good starting point. ...... the Windows command "Netstat".
Want to see who is connected to your PC right now? Grab that energy drink and let's get started!
First of all, open up your Windows Command prompt by typing "cmd" in the search window in the bottom right of your Windows 7 desktop.
Note - (I personally keep search off). I open the Run window by hitting the "Windows" key + "R" at the same time. Either way works for executables.
Then type "cmd" (without the quotes) and you'll see the Windows cmd prompt appear. (The black dos screen).
Next, within the cmd console, type "Netstat /?" (without the quotes) for a list of options and common usage.
You can read the list of options for yourself and experiment. In this article I'm going to cut right to the chase. In my world I use one set of parameters along with the Netstat cmd to see what connections my PC has.
- Netstat -a will give you all of the connections and listening ports
- Netstat -n will give you the foreign addresses in numerical form (critical for the next step in this article.... hint...hint)
- Netstat -o will give you the process id associated with the connection, also good to know....
Combine the switches together ( -ano) with the Netstat command and you'll have a solid starting point to examine what network connections your PC currently has open.
Next, take a look at my screenshot below, see the column titled "Foreign Address"? That's the information we're looking for. We'll lookup these WAN IP's to see where and who they are coming from.
TIP -- You can read about WAN vs LAN IP addresses here.
Under my "Foreign Address" column I see 220.127.116.11:80
The WAN IP is 18.104.22.168 , the second part :80 , means "port 80" , or "http"
which is the port you mainly surf the web on.
So where does one go to find out WHO exactly 22.214.171.124 IS? Read on my friends and I'll show you.
TIP - It's a good idea to familiarize yourself with common TCP\IP ports, such as 80, 25, 53, and so on. Some basic port knowledge can really go a long way in your digital lifetime.
The first website I'll use to check an IP address is THE authority (literally) on IP addresses:
www.IANA.org --- Internet Assigned Numbers Authority.
When it comes to IP addresses, IANA is "Them" or "They". The people literally responsible for "DNS Root, IP Addressing, and other internet protocol resources".
The link we're interested in is right in the middle of their page -- "IP Addresses and AS Numbers". (see pic below).
TIP - you can also bookmark www.iana.org/numbers , which is the IP lookup site I'm about to show you....
On the "numbers" page you'll see a world map along with the 5 main IP Registry authorities from all over the world. The very first place I'll search for my IP address information is ARIN (North American Region).
Note -- This is where I start first, because I live in the United States and most of my web traffic will be contained in this registry database. If you live elsewhere you may wish to start with the IP registry in your region.
Lets click on the ARIN registry, then search for information on our IP 126.96.36.199 address --->
See the "Search WhoIs" box in the top right corner? We'll type the address (or paste) and hit enter and see what we get.
Note --- If you get an address that's not in this registry, you will get referred to one of the other registry sites such as "Ripe" or "Lacnic". The layout on the sites vary a little bit, but on each you'll find a place to search for information on your address. I'll give you a table to reference below...
Tip - You may want to bookmark the numbers site, or, even better, add it to your IE "Favorites" Toolbar. In one of my latest articles I show you how to "Rock your IE favorites bar".
Easy right? Start looking at your IP addresses and you'll start to recognize certain ranges and patterns.
TIP - One of the first things I do as a network admin when a PC may be infected is pull it off the corporate network, put it on an external network, and use Netstat to check for activity.
Using Netstat and IANA, I can quickly check connections on a PC, as well as the ports being used and the associated Windows process ID (PID). I can then trace the WAN IP connection to a running process or program and go from there.....
Search Tips for the Registry Sites
Where on page
Ripe Database Search