Cyber Forensics Tools

Netstat

Netstat is a command-line utility that is available on most Windows NT-based and Unix-based systems. It can display active incoming and outgoing network connections as well as the ports that applications on the system are listening on. Netstat can also display routing tables and IP and Ethernet statistics.

It can be run on either Windows or Linux command lines by simply typing:
netstat

Without using any flags, this command will display active TCP connections.

Netstat accepts many parameters; note that the exact flag set differs between the Windows and Linux implementations, so check the reference for the platform you are working on:

  • -a : displays all active TCP connections and TCP/UDP ports
  • -e : displays Ethernet statistics
  • -i : displays a table of network interfaces (Linux)
  • -n : shows numerical addresses instead of resolving names
  • -o : displays active TCP connections including the owning PID (Windows)
  • -p [protocol] : displays connections for the protocol specified (Windows)
  • -r : displays the IP routing table
  • -s : displays statistics by protocol
  • -v : verbose

Windows Technet netstat information.
Linux netstat man page.

Netstat is a useful forensics tool in that you can determine what processes and services are involved in network communications.

Some useful netstat flag combinations:

  • netstat -nao  – displays all TCP/UDP ports numerically, with the owning PID (Windows)
  • netstat -rn  – displays the internal routing table with numerical addresses
  • netstat -ab  – displays executables with active connections and their respective ports (Windows; requires an elevated prompt)
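To show what the forensic use described above looks like in practice, here is an added example (not part of the original page, and not code from any netstat project) that parses the Windows `netstat -nao` column layout and summarises, per PID, which ports the process listens on and which remote peers it is connected to. The netstat output embedded in the script is constructed sample data, not a capture from a real host, and the PIDs and addresses in it are placeholders. The Linux net-tools output uses a different layout (for example, `-p` there adds a `PID/Program name` column), so the parser would need adjusting for that platform.

```python
"""Group netstat output by process for quick forensic triage.

Parses the text format produced by `netstat -nao` on Windows
(Proto, Local Address, Foreign Address, State, PID; UDP rows have
no State column) and summarises, per PID, which ports the process
listens on and which remote hosts it is talking to.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample output, not captured from a real host.
# PIDs and addresses are placeholders (RFC 5737 documentation ranges).
SAMPLE_NETSTAT_NAO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4588
  TCP    192.168.1.10:49801     198.51.100.7:4444      ESTABLISHED     7120
  TCP    127.0.0.1:5040         0.0.0.0:0              LISTENING       7120
  UDP    0.0.0.0:5353           *:*                                    2344
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    remote: str
    state: str   # "" for UDP, which is connectionless and has no State column
    pid: int


def split_endpoint(endpoint: str) -> tuple[str, str]:
    """Split 'host:port' at the last colon so IPv6 literals such as
    '[::]:135' keep their brackets intact."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def parse_netstat_nao(text: str) -> list[Socket]:
    """Turn raw `netstat -nao` text into Socket records."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the banner, blank lines and the column header.
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, remote, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, remote, pid = fields
            state = ""
        else:
            continue  # unexpected row shape: ignore rather than guess
        sockets.append(Socket(proto, local, remote, state, int(pid)))
    return sockets


def summarize_by_pid(sockets: list[Socket]) -> dict[int, dict[str, set[str]]]:
    """Map each PID to its bound/listening ports and established remote peers.

    Bound UDP sockets are reported under 'listening' because netstat
    shows no state for them; ESTABLISHED TCP sockets contribute their
    foreign address to 'remote_peers'.
    """
    summary: dict[int, dict[str, set[str]]] = defaultdict(
        lambda: {"listening": set(), "remote_peers": set()}
    )
    for s in sockets:
        _, local_port = split_endpoint(s.local)
        if s.state == "LISTENING" or s.proto == "UDP":
            summary[s.pid]["listening"].add(f"{s.proto}/{local_port}")
        elif s.state == "ESTABLISHED":
            summary[s.pid]["remote_peers"].add(s.remote)
    return dict(summary)


if __name__ == "__main__":
    # Print a per-process view: one line per PID, sorted, so an analyst
    # can see at a glance which processes both listen and talk outbound.
    for pid, info in sorted(summarize_by_pid(parse_netstat_nao(SAMPLE_NETSTAT_NAO)).items()):
        print(f"PID {pid}: listening={sorted(info['listening'])} "
              f"remote_peers={sorted(info['remote_peers'])}")
```

In the sample, PID 7120 both listens locally and holds an established connection to a remote host on an unusual port; that is exactly the kind of process an analyst would next cross-reference with the process list (or `netstat -ab` for the executable name) when triaging a host.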

Rekha has published a useful Netstat cheat sheet.
