The nbtstat Command

The netstat utility is a great tool for finding which ports are open and which services may be causing certain ports to become unusable. This utility can also be used to help determine whether there are outside attacks on your network and to obtain network statistics by protocol. Let's look at the syntaxes for the netstat command.
-a. Displays the established TCP and UDP sessions, along with the ports in the LISTENING state, as the output below shows. One of the best uses of this syntax is to identify potential teardrop attacks or other possible problems that could cause a server to accumulate excessive TCP listens or initiated sessions.

    C:\> netstat -a

    Active Connections

      Proto  Local Address              Foreign Address            State
      TCP    Laptop101009:echo          .:0                        LISTENING
      TCP    Laptop101009:discard       .:0                        LISTENING
      TCP    Laptop101009:daytime       .:0                        LISTENING
      TCP    Laptop101009:epmap         .:0                        LISTENING
      TCP    Laptop101009:microsoft-ds  .:0                        LISTENING
      TCP    Laptop101009:38292         .:0                        LISTENING
      TCP    Laptop101009:pop3          .:0                        LISTENING
      TCP    Laptop101009:1031          .:0                        LISTENING
      TCP    Laptop101009:netbios-ssn   .:0                        LISTENING
      TCP    Laptop101009:1984          webmail.surewest.net:http  ESTABLISHED
-e. This syntax displays Ethernet interface statistics, including error and discarded packets, as shown below.

    Interface Statistics

                             Received            Sent
    Bytes                      646455         9735466
    Unicast packets              8763           29846
    Non-unicast packets          3242             467
    Discards                        0               0
    Errors                          1               2
    Unknown protocols               0
-n. This syntax displays local addresses and protocol port numbers for the various sessions and listens, as well as the current state of each session.

    C:\> netstat -n

    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    172.16.1.33:2187       64.236.44.71:80        ESTABLISHED
      TCP    172.16.1.33:2188       64.236.44.71:80        ESTABLISHED
      TCP    172.16.1.33:2189       64.236.44.71:80        ESTABLISHED
      TCP    172.16.1.33:2190       64.236.44.71:80        ESTABLISHED
      TCP    172.16.1.33:2191       64.236.44.71:80        ESTABLISHED
      TCP    172.16.1.33:2192       64.236.44.71:80        ESTABLISHED
      TCP    172.16.1.33:2193       64.236.44.71:80        ESTABLISHED
-p [tcp] [udp] [ip]. This syntax, followed by a protocol, is similar to the -n syntax, but lists the host name instead of the IP address.

    C:\> netstat -p tcp

    Active Connections

      Proto  Local Address          Foreign Address                    State
      TCP    Laptop101009:1224      web3.digitalcrawlspaces.com:5631   ESTABLISHED
-r. Displays the contents of the local routing table (the IP routing table); the listing also includes the active connections. With the -p syntax, replace protocol with the name of the protocol for which you want to see connection statistics. You can combine -p with the -s option to see active connections on the protocol.

    C:\> netstat -r

    Route Table

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x1000003 ...00 08 02 63 d4 54 ...... Intel 8255x-based Integrated Fast Ethernet
    0x1000004 ...00 08 a1 42 3c 0e ...... WLAN 11Mbps PCMCIA ADAPTER(5V)

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.1.1.1      10.1.2.173       1
             10.1.0.0      255.255.0.0       10.1.2.173      10.1.2.173       1
           10.1.2.173  255.255.255.255        127.0.0.1       127.0.0.1       1
             10.2.0.0      255.255.0.0         10.1.1.1      10.1.2.173       3
             10.3.0.0      255.255.0.0         10.1.1.1      10.1.2.173       3
             10.4.0.0      255.255.0.0         10.1.1.1      10.1.2.173       4
       10.255.255.255  255.255.255.255       10.1.2.173      10.1.2.173       1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
            224.0.0.0        224.0.0.0       10.1.2.173      10.1.2.173       1
      255.255.255.255  255.255.255.255       10.1.2.173         1000003       1
    Default Gateway:          10.1.1.1
-s. This syntax displays statistics for each protocol. The -p syntax can be used in conjunction with this syntax to select the statistics for one particular protocol: TCP, UDP, ICMP, or IP.

    C:\> netstat -s

    IP Statistics

      Packets Received                   = 8893
      Received Header Errors             = 0
      Received Address Errors            = 9
      Datagrams Forwarded                = 0
      Unknown Protocols Received         = 0
      Received Packets Discarded         = 0
      Received Packets Delivered         = 8890
      Output Requests                    = 8160
      Routing Discards                   = 0
      Discarded Output Packets           = 0
      Output Packet No Route             = 0
      Reassembly Required                = 0
      Reassembly Successful              = 0
      Reassembly Failures                = 0
      Datagrams Successfully Fragmented  = 0
      Datagrams Failing Fragmentation    = 0
      Fragments Created                  = 0

    ICMP Statistics

                                Received    Sent
      Messages                  179         184
      Errors                    0           0
      Destination Unreachable   0           5
      Time Exceeded             0           0
      Parameter Problems        0           0
      Source Quenches           0           0
      Redirects                 0           0
      Echos                     179         0
      Echo Replies              0           179
      Timestamps                0           0
      Timestamp Replies         0           0
      Address Masks             0           0
      Address Mask Replies      0           0

    TCP Statistics

      Active Opens                        = 124
      Passive Opens                       = 0
      Failed Connection Attempts          = 16
      Reset Connections                   = 38
      Current Connections                 = 1
      Segments Received                   = 8022
      Segments Sent                       = 7282
      Segments Retransmitted              = 40

    UDP Statistics

      Datagrams Received    = 670
      No Ports              = 19
      Receive Errors        = 0
      Datagrams Sent        = 648

    C:\>

The above output shows the sent packets, received packets, messages, and open connections for each protocol being used by the LAN connection to the PC.

The route Command

The route command is used to display the host's routing table or to make static changes to the table. With this command you can specify a local router to use to reach a specific remote network or individual host.

Cisco expects you to have a good understanding of the syntaxes of the route command. Make sure you also understand how to add or delete a route using the route command.

The route command has four subcommands: print, add, delete, and change. These subcommands are used to print, add, delete, or change route table entries, respectively.
Output from the route print command is shown below.

    C:\> route print

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x1000003 ...00 08 02 63 d4 54 .. Intel 8255x-based Integrated Fast Ethernet
    0x1000004 ...00 08 a1 42 3c 0e .. WLAN 11Mbps PCMCIA ADAPTER(5V)

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0         10.1.1.1      10.1.2.173       1
             10.1.0.0      255.255.0.0       10.1.2.173      10.1.2.173       1
           10.1.2.173  255.255.255.255        127.0.0.1       127.0.0.1       1
             10.2.0.0      255.255.0.0         10.1.1.1      10.1.2.173       3
         66.209.77.34  255.255.255.255         10.1.1.2      10.1.2.173       1
            127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       168.143.113.20  255.255.255.255         10.1.1.2      10.1.2.173       1
       216.200.14.151  255.255.255.255         10.1.1.2      10.1.2.173       1
            224.0.0.0        224.0.0.0       10.1.2.173      10.1.2.173       1
      255.255.255.255  255.255.255.255       10.1.2.173         1000003       1
    Default Gateway:          10.1.1.1

    Persistent Routes:
      None

    C:\>

The above output displays all the routes to different networks and devices known by the PC. If you want to display routes only for a specific network, specify the network number. In the following output, the Class A network of 10 is displayed.

    C:\> route print 10*

    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x1000003 ...00 08 02 63 d4 54 .. Intel 8255x-based Integrated Fast Ethernet
    0x1000004 ...00 08 a1 42 3c 0e .. WLAN 11Mbps PCMCIA ADAPTER(5V)

    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
             10.1.0.0      255.255.0.0       10.1.2.179      10.1.2.179       1
           10.1.2.179  255.255.255.255        127.0.0.1       127.0.0.1       1
             10.2.0.0      255.255.0.0       10.2.2.207      10.2.2.207       1
             10.2.0.0      255.255.0.0         10.1.1.1      10.1.2.179       3
           10.2.2.207  255.255.255.255        127.0.0.1       127.0.0.1       1
             10.3.0.0      255.255.0.0         10.1.1.1      10.1.2.179       3
             10.4.0.0      255.255.0.0         10.1.1.1      10.1.2.179       4
       10.255.255.255  255.255.255.255       10.1.2.179      10.1.2.179       1
       10.255.255.255  255.255.255.255       10.2.2.207      10.2.2.207       1
    Default Gateway:          10.1.1.1

    Persistent Routes:
      None

    C:\>

You can add a route or delete a route using the add or delete subcommands.
The following output shows how to add a route to reach the subnetwork 192.16.1.0 through the router at IP address 10.1.1.2. In this example, the subnetwork has a subnet mask of 255.255.255.0. To delete the route, you can use the same command, but replace the subcommand add with the subcommand delete.

    > route add 192.16.1.0 mask 255.255.255.0 10.1.1.2

You can make an added route a persistent route by specifying the -p syntax. A persistent route is a route that will remain in the routing table even after the dynamically learned routes have expired. By using a persistent route, you ensure that a route to another network will not be removed from the routing table after the normal expiration time for non-persistent routes has passed.
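To show how a routing table like the one printed by route print is consulted, the following added example (not part of the original page) parses the table rows, picks the route for a destination by longest prefix and then lowest metric, and lists destinations that leave through a gateway other than the default one, which are the static entries worth reviewing. The function names are hypothetical, and the interface and metric of the 192.16.1.0 row are assumed.

```python
import ipaddress

# Selected "Active Routes" rows from this page's first `route print` listing,
# plus the 192.16.1.0 route the page's `route add` command installs
# (interface and metric for that last row are assumed).
ROUTE_PRINT = """\
0.0.0.0         0.0.0.0          10.1.1.1    10.1.2.173  1
10.1.0.0        255.255.0.0      10.1.2.173  10.1.2.173  1
10.1.2.173      255.255.255.255  127.0.0.1   127.0.0.1   1
10.2.0.0        255.255.0.0      10.1.1.1    10.1.2.173  3
66.209.77.34    255.255.255.255  10.1.1.2    10.1.2.173  1
168.143.113.20  255.255.255.255  10.1.1.2    10.1.2.173  1
216.200.14.151  255.255.255.255  10.1.1.2    10.1.2.173  1
192.16.1.0      255.255.255.0    10.1.1.2    10.1.2.173  1
"""

def parse_routes(text):
    """Turn destination/netmask/gateway/interface/metric rows into dicts."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            route = {"net": ipaddress.ip_network(f"{dest}/{mask}"),
                     "gateway": gateway, "iface": iface, "metric": int(metric)}
        except ValueError:
            continue  # header or malformed row
        routes.append(route)
    return routes

def lookup(routes, address):
    """Pick the route used for `address`: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in routes if ip in r["net"]]
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]), default=None)

def off_default(routes):
    """List destinations sent to a remote gateway other than the default gateway."""
    default_gw = next(r["gateway"] for r in routes if r["net"].prefixlen == 0)
    local = {r["iface"] for r in routes} | {"127.0.0.1"}
    return [str(r["net"]) for r in routes
            if r["gateway"] != default_gw and r["gateway"] not in local]

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("10.2.5.5", "192.16.1.77", "8.8.8.8"):
        print(dst, "->", lookup(table, dst)["gateway"])
    print("review:", off_default(table))
```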
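Returning to the netstat -a and netstat -n listings earlier on this page, the following added example (not part of the original page) parses such output and summarizes it the way the -a description suggests: which ports are listening, how many sessions are in each state, and which remote hosts hold more established sessions than a threshold. The function names and the threshold of 5 are assumptions; the sample rows are copied from the page's listings.

```python
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")

# Rows copied from the netstat -a and netstat -n listings on this page.
SAMPLE = """\
Active Connections
  Proto  Local Address              Foreign Address            State
  TCP    Laptop101009:epmap         .:0                        LISTENING
  TCP    Laptop101009:microsoft-ds  .:0                        LISTENING
  TCP    Laptop101009:pop3          .:0                        LISTENING
  TCP    Laptop101009:1984          webmail.surewest.net:http  ESTABLISHED
  TCP    172.16.1.33:2187           64.236.44.71:80            ESTABLISHED
  TCP    172.16.1.33:2188           64.236.44.71:80            ESTABLISHED
  TCP    172.16.1.33:2189           64.236.44.71:80            ESTABLISHED
  TCP    172.16.1.33:2190           64.236.44.71:80            ESTABLISHED
  TCP    172.16.1.33:2191           64.236.44.71:80            ESTABLISHED
  TCP    172.16.1.33:2192           64.236.44.71:80            ESTABLISHED
  TCP    172.16.1.33:2193           64.236.44.71:80            ESTABLISHED
"""

def parse_netstat(text):
    """Parse connection rows; titles, headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if len(parts) == 3:  # Windows prints UDP rows without a State column
            parts.append("")
        if len(parts) != 4:
            continue
        proto, local, remote, state = parts
        lhost, _, lport = local.rpartition(":")   # split on the last colon
        rhost, _, rport = remote.rpartition(":")
        conns.append(Conn(proto, lhost, lport, rhost, rport, state))
    return conns

def triage(conns, max_per_remote=5):
    """Return (listening ports, count per state, remotes over the threshold)."""
    listening = sorted({c.local_port for c in conns if c.state == "LISTENING"})
    states = dict(Counter(c.state for c in conns))
    per_remote = Counter(c.remote_host for c in conns if c.state == "ESTABLISHED")
    busy = {host: n for host, n in per_remote.items() if n > max_per_remote}
    return listening, states, busy

if __name__ == "__main__":
    listening, states, busy = triage(parse_netstat(SAMPLE))
    print("listening:", listening)
    print("states:", states)
    print("over threshold:", busy)
```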