Netstat – A Great Tool.

Netstat is very handy when troubleshooting, yet many people are not sure how to read its output. Netstat displays a listing of network connections and their status. Let me try to explain in detail.

C:\>netstat -ano
Active Connections
Proto  Local Address      Foreign Address    State        PID
TCP    0.0.0.0:445        0.0.0.0:0          LISTENING    4
TCP    10.204.4.xx:1065   0.0.0.0:0          LISTENING    132
TCP    10.204.4.xx:1083   12.120.5.14:80     TIME_WAIT    0
TCP    10.204.4.xx:337    72.14.207.99:443   CLOSE_WAIT   737
TCP    10.204.4.xx:997    72.14.205.83:443   CLOSE_WAIT   737
TCP    127.0.0.1:337      0.0.0.0:0          LISTENING    737
TCP    127.0.0.1:478      127.0.0.1:881      ESTABLISHED  737
TCP    127.0.0.1:881      127.0.0.1:881      ESTABLISHED  737

The Local Address column is a bit more complex. A computer always has at least two (and sometimes more) IP addresses that it will answer to. The above example shows that the computer will answer to 10.204.4.xx and 127.0.0.1 (the loopback address). The three address forms shown have different and special meanings.

127.0.0.1:port#    – programs listening on this address will accept connections originating from only the local computer.
10.204.4.xx:port#  – programs listening on this address will accept connections originating from computers on the network/internet.
0.0.0.0:port#      – programs listening on this address will accept connections from anywhere, local or remote, sent to any of the addresses the computer will answer to (in this case 127.0.0.1 and 10.204.4.xx).
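
The three address forms above can be applied mechanically to list which listening sockets are reachable from the network. The following Python is an added example, not part of the original post: the sample output (including the host octet .20 and the PIDs), the function names and the scope labels are constructed for illustration, and it goes slightly beyond the post by also handling the IPv6 equivalents ([::] and [::1]) and UDP rows, which have no State column.

```python
import ipaddress

# Constructed sample in the shape of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.204.4.20:1065       0.0.0.0:0              LISTENING       132
  TCP    10.204.4.20:1083       12.120.5.14:80         TIME_WAIT       0
  TCP    127.0.0.1:337          0.0.0.0:0              LISTENING       737
  TCP    127.0.0.1:478          127.0.0.1:881          ESTABLISHED     737
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::1]:5000             [::]:0                 LISTENING       900
  UDP    0.0.0.0:500            *:*                                    620
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def bind_scope(ip):
    """Map a local bind address to the reachability described in the text."""
    if ip.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if ip.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback-only"
    return "single-address"

def listeners(text):
    """Return sorted (proto, scope, ip, port, pid) for TCP LISTENING and bound UDP sockets."""
    found = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue               # banner, header, blank lines
        if f[0] == "TCP" and (len(f) != 5 or f[3] != "LISTENING"):
            continue               # connection rows are not listeners
        if f[0] == "UDP" and len(f) != 4:
            continue               # UDP rows carry no State column
        ip, port = split_endpoint(f[1])
        found.append((f[0], bind_scope(ip), str(ip), port, int(f[-1])))
    return sorted(found)

if __name__ == "__main__":
    for row in listeners(SAMPLE):
        print("{:<4}{:<16}{:<14}{:<6}PID {}".format(*row))
```

Rows reported as all-interfaces or single-address are the ones to compare against the host firewall policy; loopback-only rows are not reachable from other machines.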

The State column refers to the state of the TCP connection. You won’t see this for UDP connections because they don’t have state like TCP does. Here is the list of possible states.

LISTEN        – represents waiting for a connection request from any remote TCP and port.
SYN-SENT      – represents waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED  – represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
ESTABLISHED   – represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.
FIN-WAIT-1    – represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
FIN-WAIT-2    – represents waiting for a connection termination request from the remote TCP.
CLOSE-WAIT    – represents waiting for a connection termination request from the local user.
CLOSING       – represents waiting for a connection termination request acknowledgment from the remote TCP.
LAST-ACK      – represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
TIME-WAIT     – represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
CLOSED        – represents no connection state at all.

Thanks,
WintelAdmin.com