How to read NETSTAT -AN results
This document is mainly written for news.grc.com, for the *ahem* newbies who heard that the Netstat command shows hidden trojans/servers on their system in an obfuscated way. After answering a few of those posts, I noticed I was pretty much the only one actually analyzing those Netstat listings myself, instead of posting a link to a document that explains them. So, to fall in line with the others, I created this document to refer to myself. :)
Netstat is an old-school command-line program (it runs in a DOS box) that, by default, displays the active TCP connections on your Windows system. The -a parameter adds all listening ports (both TCP and UDP) and any other TCP pseudo-connections. The -n parameter shows ports and IP addresses numerically instead of by name (137 instead of nbname, 127.0.0.1 instead of localhost), which is what you want when you are checking port numbers against a list. A typical result from NETSTAT -AN looks like this (a slightly edited listing from my own machine while it was online):
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1963           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1964           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1965           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1966           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1967           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1969           0.0.0.0:0              LISTENING
  TCP    10.0.0.17:135          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:137          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:138          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:5000         0.0.0.0:0              LISTENING
  TCP    10.0.0.17:1963         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1964         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1965         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1966         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1967         204.152.184.80:6667    ESTABLISHED
  TCP    10.0.0.17:1969         207.71.92.194:119      ESTABLISHED
  UDP    0.0.0.0:44334          *:*
  UDP    10.0.0.17:137          *:*
  UDP    10.0.0.17:138          *:*
I can imagine that anyone seeing this for the first time must instantly freak out over all the 'LISTENING' entries: their machine must be infested with trojans! But if they know a little more about Netstat, they'll calm down again. Now, read and learn. Let's look at the above list again, adding an explanation to each line:
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1963           0.0.0.0:0              LISTENING    <- from TCP #1
  TCP    0.0.0.0:1964           0.0.0.0:0              LISTENING    <- from TCP #2
  TCP    0.0.0.0:1965           0.0.0.0:0              LISTENING    <- from TCP #3
  TCP    0.0.0.0:1966           0.0.0.0:0              LISTENING    <- from TCP #4
  TCP    0.0.0.0:1967           0.0.0.0:0              LISTENING    <- from TCP #5
  TCP    0.0.0.0:1969           0.0.0.0:0              LISTENING    <- from TCP #6
  TCP    10.0.0.17:135          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:137          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:138          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:5000         0.0.0.0:0              LISTENING
  TCP    10.0.0.17:1963         195.40.6.34:80         ESTABLISHED  <- TCP #1
  TCP    10.0.0.17:1964         195.40.6.34:80         ESTABLISHED  <- TCP #2
  TCP    10.0.0.17:1965         195.40.6.34:80         ESTABLISHED  <- TCP #3
  TCP    10.0.0.17:1966         195.40.6.34:80         ESTABLISHED  <- TCP #4
  TCP    10.0.0.17:1967         204.152.184.80:6667    ESTABLISHED  <- TCP #5
  TCP    10.0.0.17:1969         207.71.92.194:119      ESTABLISHED  <- TCP #6
  UDP    0.0.0.0:44334          *:*                                 <- \
  UDP    10.0.0.17:137          *:*                                 <- |- no state: UDP is connectionless, so these are just bound sockets
  UDP    10.0.0.17:138          *:*                                 <- /
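The sorting done by hand above, as an added example (not code from the original article): a small Python script that parses NETSTAT -AN text, pairs every 0.0.0.0 LISTENING entry with an ESTABLISHED connection on the same local port, and labels whatever is left from a well-known-port table. The sample listing embedded in it is the one from this article, retyped; the port labels are the standard service assignments plus the widely documented SubSeven association for 27374; the function and group names are my own.

```python
"""Parse NETSTAT -AN output and sort it the way the article does by hand.

Added example, not code from the original article. A LISTENING entry on
0.0.0.0 whose port matches the local port of an ESTABLISHED connection is
treated as the Windows 9x display artefact described in the text, not as a
server. Everything else that LISTENs is a real listener and is labelled.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the listing from the article, retyped.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1963           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1964           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1965           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1966           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1967           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1969           0.0.0.0:0              LISTENING
  TCP    10.0.0.17:135          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:137          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:138          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:5000         0.0.0.0:0              LISTENING
  TCP    10.0.0.17:1963         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1964         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1965         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1966         195.40.6.34:80         ESTABLISHED
  TCP    10.0.0.17:1967         204.152.184.80:6667    ESTABLISHED
  TCP    10.0.0.17:1969         207.71.92.194:119      ESTABLISHED
  UDP    0.0.0.0:44334          *:*
  UDP    10.0.0.17:137          *:*
  UDP    10.0.0.17:138          *:*
"""

# Services a practitioner recognises on sight. 27374 has no registered
# service; it is remembered as the default port of the SubSeven backdoor,
# so a listener there must be tied to its owning process before relaxing.
WELL_KNOWN: Dict[int, str] = {
    80: "HTTP", 119: "NNTP (Usenet news)", 135: "MS RPC endpoint mapper",
    137: "NetBIOS name service", 138: "NetBIOS datagram service",
    139: "NetBIOS session service (file/print sharing)",
    5000: "UPnP/SSDP (Windows ME/XP)", 6667: "IRC",
    27374: "no standard service; default SubSeven port, identify the process",
}


@dataclass(frozen=True)
class Entry:
    proto: str
    local_ip: str
    local_port: int
    foreign: str
    state: str  # empty for UDP, which has no connection state


def parse_netstat(text: str) -> List[Entry]:
    """Turn the fixed-column text into Entry records, skipping the headers."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        ip, _, port = parts[1].rpartition(":")  # keeps [::]:135 style intact
        entries.append(Entry(parts[0], ip, int(port), parts[2], state))
    return entries


def analyse(text: str) -> Dict[str, List[Entry]]:
    """Split the listing into the groups the article walks through."""
    entries = parse_netstat(text)
    outbound_ports = {e.local_port for e in entries
                      if e.proto == "TCP" and e.state == "ESTABLISHED"}
    groups: Dict[str, List[Entry]] = {k: [] for k in (
        "connections", "pseudo_listeners", "listeners", "udp", "other")}
    for e in entries:
        if e.proto == "UDP":
            groups["udp"].append(e)
        elif e.state == "ESTABLISHED":
            groups["connections"].append(e)
        elif e.state == "LISTENING" and e.local_ip == "0.0.0.0" \
                and e.local_port in outbound_ports:
            groups["pseudo_listeners"].append(e)  # local end of a connection
        elif e.state == "LISTENING":
            groups["listeners"].append(e)
        else:
            groups["other"].append(e)  # TIME_WAIT, CLOSE_WAIT and friends
    return groups


def describe(e: Entry) -> str:
    """One readable line per entry, with the well-known-port label."""
    if e.state == "ESTABLISHED":
        port = int(e.foreign.rpartition(":")[2])
        return f"{e.local_ip}:{e.local_port} -> {e.foreign} ({WELL_KNOWN.get(port, 'unknown service')})"
    label = WELL_KNOWN.get(e.local_port, "unknown: identify the owning process")
    scope = "all interfaces" if e.local_ip in ("0.0.0.0", "[::]") else e.local_ip
    return f"{e.proto} {e.local_port} on {scope}: {label}"


if __name__ == "__main__":
    g = analyse(SAMPLE)
    print(f"{len(g['pseudo_listeners'])} LISTENING rows are just the local ends of these connections:")
    for e in g["connections"]:
        print("  ", describe(e))
    print("real listeners left to explain:")
    for e in g["listeners"] + g["udp"]:
        print("  ", describe(e))
```

Run it on a saved listing (`netstat -an > ports.txt`, then pass the file contents to `analyse`) and the output is the same reduced list that follows below; on Windows XP and later you can also feed it `netstat -ano` output, which adds the owning PID column but leaves the first four columns unchanged.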
Breaking down the TCP connections:
The six LISTENING entries on 0.0.0.0:1963 through 0.0.0.0:1969 are not servers. Each one has the same local port as one of the six ESTABLISHED connections below it (TCP #1 to #6): the Windows 9x/ME version of Netstat lists the local port of every outgoing connection a second time as a LISTENING socket on 0.0.0.0, and the entry disappears as soon as the connection closes. These are the ephemeral ports the stack hands out to client programs (above 1024, climbing by one per new connection), so whenever a 0.0.0.0 LISTENING line worries you, check it against the ESTABLISHED lines first. The connections themselves are ordinary: four to port 80 on the same host (a browser fetching a page and its images), one to port 6667 (IRC) and one to port 119 (NNTP, a Usenet news server). The UDP lines have no state at all, because UDP is connectionless; all Netstat can show you is that a socket is bound.
So what entries are left that are important?
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:44334          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:135          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:137          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:138          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:139          0.0.0.0:0              LISTENING
  TCP    10.0.0.17:5000         0.0.0.0:0              LISTENING
That doesn't look so bad, does it now? Time to break down the last listening ports. Port 135 (the RPC endpoint mapper) and ports 137, 138 and 139 (the NetBIOS name, datagram and session services, i.e. Windows file and printer sharing) are opened by Windows itself as soon as networking is installed; they are normal to see, but they are also the ports you do not want reachable from the Internet, so they belong behind a firewall or unbound from the dial-up adapter. Port 5000 is the UPnP/SSDP service of Windows ME (and later XP). That leaves 27374 and 44334, which are not standard services: 27374 is best known as the default port of the SubSeven trojan, so the program listening on it has to be identified, and the same goes for 44334, which is bound on both TCP and UDP. On Windows XP and later, NETSTAT -ANO adds the owning process ID to each line; on Windows 9x/ME you have to match the port against the programs you know you are running.
Closing ports
I'll try to keep this list as complete as possible, but if you happen to find an open port on your system you can't explain, or have an addition to this list, email me at the address at the bottom of this article. (If you're including a line from a Netstat listing, include the entire listing please!)
Hope this all clears up some things for you :)
Klont, klont@windhoos2000.nl
You may freely share or copy this text, but please keep the URL of this document as the reference URL.
Licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.