Netstat to Troubleshoot

Sometimes we need to see whether a computer is making the connections that we think it should be making. For those situations, netstat is there for us. There are any number of reasons why we would want to diagnose a connection; making sure that a client is talking to a server is one big reason that I can see. In another case, if I have access to a machine that I am scanning with nmap or some other tool, I like watching it while I scan it; it can be informative to see those connections pop open. If I were using netstat on a Linux machine, my command would probably look something like this:

sudo netstat -na -c | grep "192.168.0.2"

You would run this example on the computer that you are scanning. The IP address is the address of the host that you are scanning from, or of the client that you want to make sure is connecting to the server. So what have you done here? First, you ran netstat with a few options that provide detailed output and tell it to run in a loop, checking for connections continuously. You then piped that output (probably lots of it) into the searching tool grep. By filtering the output through grep, you see only the connections that you want. At first there will probably be nothing, just your blinking cursor. Soon after you start the scan, though, you will see a line like this:

tcp    0    0  192.168.0.5:22    192.168.0.2:51969    ESTABLISHED

When lines like this start appearing, you know that your scan has reached the target, or that your client is trying to communicate with the server. To stop the process you will have to press Ctrl-C. Now, a little interpretation for the curious. This line tells us several things: the type of connection (tcp), packets sent and received using the connection (0), the local address and port that the connection was made on, and the address and port of the remote computer that is making the connection. The last word tells us the state of the connection. Sophisticated readers will notice that this is (most likely) an SSH connection; they could tell from port 22 on the server. In this case you would be right: I was connected to this computer via SSH, checking a few things.
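The grep in the command above matches the address as a plain substring, so looking for 192.168.0.2 would also pick up 192.168.0.20. The following added example (not from the original post) parses the netstat columns described above into fields, so you can filter on the exact remote host and state; the sample output it works on is constructed, not captured from the machine in the post.

```python
# Constructed sample of `netstat -na` output (not captured from the post's machine).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.5:22          192.168.0.2:51969       ESTABLISHED
tcp        0      0 192.168.0.5:22          192.168.0.20:40001      ESTABLISHED
tcp        0      0 192.168.0.5:80          192.168.0.2:51970       SYN_RECV
udp        0      0 0.0.0.0:68              0.0.0.0:*
tcp6       0      0 :::22                   :::*                    LISTEN
"""


def split_endpoint(endpoint):
    """'192.168.0.2:51969' -> ('192.168.0.2', '51969'); also handles ':::22' and '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_line(line):
    """Return one netstat row as a dict, or None for headers and blank lines."""
    fields = line.split()
    if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
        return None
    local_host, local_port = split_endpoint(fields[3])
    remote_host, remote_port = split_endpoint(fields[4])
    return {
        "proto": fields[0],
        "recv_q": int(fields[1]),  # bytes queued, not yet read by the local program
        "send_q": int(fields[2]),  # bytes queued, not yet acknowledged by the peer
        "local_host": local_host, "local_port": local_port,
        "remote_host": remote_host, "remote_port": remote_port,
        "state": fields[5] if len(fields) > 5 else "",  # UDP rows carry no state column
    }


def connections_from(output, remote_host):
    """Rows whose foreign address is exactly remote_host (no substring matches)."""
    rows = (parse_line(line) for line in output.splitlines())
    return [row for row in rows if row and row["remote_host"] == remote_host]


if __name__ == "__main__":
    import sys
    # Pipe real output in:  sudo netstat -na | python3 watch_netstat.py 192.168.0.2
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.2"
    output = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    for c in connections_from(output, target):
        print(f"{c['proto']} {c['remote_host']}:{c['remote_port']} -> :{c['local_port']} {c['state']}")
```

With the sample above, asking for 192.168.0.2 returns the ESTABLISHED SSH connection and the half-open SYN_RECV connection, and leaves out the 192.168.0.20 row that a plain grep would have shown.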

Now, what if lines were returned and you know that you haven't started the scan yet? The computers were already linked and communicating before the scan, that is all. There are tons of things you can use netstat for, so play around with it; it can be a very useful tool.

Updated: For those who run Windows, you can use netstat as well, although some of the syntax will change. I do not usually make concessions to Windows users, but because you run this type of thing on the client you are scanning, I have had to learn enough to run it at the Windows command line. Try this:

netstat -na 1 | find "192.168.0.8"

This should produce similar results on a Windows machine.
