
Netstat tips and tricks for Windows Server admins

Maintaining command-line finesse is an important objective for Windows Server administrators. Rick Vanover offers some pointers on using the netstat command.

Netstat is a command that some Windows Server admins use every day, while others only use it when there is a problem. I fall into the latter category; I use netstat as a diagnostic tool when something has gone awry or when I am trying to track something down.

The 10 parameters to the Windows netstat command can display a great deal of additional information for troubleshooting or everyday use. The most common invocation is netstat -a, which displays all connections and listening ports; run without parameters, netstat lists only the active TCP connections, which is still useful. Here are some pointers on using the netstat command:

Fully qualified domain name: The -f parameter displays the fully qualified domain name (FQDN) of the foreign address in place of its IP address, resolving internal and external names wherever a reverse (PTR) lookup succeeds. Two caveats: the lookups make the command noticeably slower, and the name shown is only as trustworthy as the reverse DNS for that address, which is published by whoever controls the address, so when you are investigating a suspicious connection, record the raw address with -n as well. The -f parameter arrived with Windows Vista and Windows Server 2008, so it is not available on Windows Server 2003. Figure A shows the FQDN resolution within netstat.

Figure A
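The trust caveat above can be checked rather than just noted. The following is an added example, not code from the article: it does what netstat -f does (a reverse lookup) and then resolves the returned name forward again, accepting the name only if the original address is among the answers (forward-confirmed reverse DNS). It needs a working resolver; the function name is my own.

```powershell
# Added example (not from the original article). netstat -f labels a foreign
# address with the result of a reverse (PTR) lookup, and the PTR record for an
# address is published by whoever controls that address, so a hostile peer can
# call itself anything. Forward-confirmed reverse DNS is the standard check:
# resolve the PTR name forward again and require the original address to be
# among the answers.

function Test-ForwardConfirmedReverseDns {
    param([Parameter(Mandatory=$true)][string]$IPAddress)

    $ip = [System.Net.IPAddress]::Parse($IPAddress)
    $result = @{ IPAddress = $IPAddress; PtrName = $null; Confirmed = $false; Reason = $null }

    # Step 1: reverse lookup, the same thing netstat -f does for its display.
    try {
        $ptrName = [System.Net.Dns]::GetHostEntry($ip).HostName
    } catch {
        $ptrName = $null   # SocketException when no PTR record exists
    }
    if (-not $ptrName -or $ptrName -eq $IPAddress) {
        $result.Reason = 'no PTR record'
        return [pscustomobject]$result
    }
    $result.PtrName = $ptrName

    # Step 2: forward lookup of the claimed name; the address must map back.
    try {
        $forward = [System.Net.Dns]::GetHostAddresses($ptrName)
    } catch {
        $result.Reason = 'PTR name does not resolve'
        return [pscustomobject]$result
    }
    if ($forward | Where-Object { $_.Equals($ip) }) {
        $result.Confirmed = $true
        $result.Reason = 'forward record matches'
    } else {
        $result.Reason = 'forward record does not include this address'
    }
    [pscustomobject]$result
}

# Usage: check every foreign IPv4 address with an ESTABLISHED TCP connection.
# netstat -n (not -f) is used so the raw addresses, not the names, drive the check.
netstat -n |
    ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+\s+(\d{1,3}(?:\.\d{1,3}){3}):\d+\s+ESTABLISHED') { $Matches[1] }
    } |
    Sort-Object -Unique |
    ForEach-Object { Test-ForwardConfirmedReverseDns $_ } |
    Format-Table -AutoSize
```

A Confirmed value of $false does not by itself mean anything hostile (plenty of legitimate address space has no PTR, or a PTR that does not round-trip), but it does mean the name netstat -f would print should not be relied on when deciding what the connection is.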

What process is running on the open port: Tracking down which process identifier (PID) has a port open is quite easy when netstat is run with the -a -n -o combination of parameters: -a lists every connection and listening port, -n keeps addresses and ports numeric (no DNS lookups, so it is fast), and -o adds a column with the owning PID. Match the PID to a process in Task Manager or with tasklist /FI "PID eq <pid>". Read my Windows Server 2008 tip on this sequence of commands, and see it in action in Figure B.

Figure B

You can take this one step further with the -b parameter, which prints the executable (and, for some connections, the component within it) that created each endpoint, giving you a friendly name instead of a bare PID. This parameter requires an elevated prompt and is noticeably slower than -o, because netstat has to inspect every owning process. It is shown in Figure C.

Figure C

Note that the connections to 192.168.1.220:3261 belong to the Windows iSCSI initiator service and display differently from the other entries: the initiator opens its sessions in kernel mode, so they are owned by the System process (PID 4) and netstat cannot attribute them to a user-mode executable.
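The -a -n -o and -b steps above can be combined in a script. What follows is an added example, not code from the article: it parses netstat -a -n -o and joins each PID to its process name and image path with Get-Process, which gives the same view as -b without waiting on it, and then applies two filters a troubleshooter typically wants. The function name, the constructed sample lines and the path filter are my own assumptions.

```powershell
# Added example, not code from the original article. Parses 'netstat -a -n -o'
# and joins the owning PID to its process with Get-Process. Run from an
# elevated prompt: without elevation, Path comes back empty for processes that
# belong to other accounts, and it is always empty for System (PID 4).
# Column layout assumed is the one Windows netstat prints:
#   Proto, Local Address, Foreign Address, State, PID   (UDP rows have no State)

function Get-NetstatConnection {
    param(
        # Optional: lines to parse instead of running netstat (used for the
        # constructed sample below). By default netstat is run on this host.
        [string[]]$InputLines
    )
    if (-not $InputLines) { $InputLines = netstat -a -n -o }

    $procCache = @{}   # PID -> Process object, so each PID is looked up once

    foreach ($line in $InputLines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5) {
            $proto, $local, $remote, $state, $procId = $f[0..4]
        } elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) {
            $proto, $local, $remote, $procId = $f[0..3]
            $state = ''
        } else {
            continue   # headers, blank lines, "Active Connections"
        }

        if (-not $procCache.ContainsKey($procId)) {
            $procCache[$procId] = Get-Process -Id ([int]$procId) -ErrorAction SilentlyContinue
        }
        $p = $procCache[$procId]
        $name = if ($p) { $p.ProcessName } else { '<not found>' }   # PID exited, or not visible
        $path = $null
        if ($p) { try { $path = $p.Path } catch { $path = $null } }  # access denied when not elevated

        [pscustomobject]@{
            Proto = $proto; Local = $local; Remote = $remote; State = $state
            PID = [int]$procId; Process = $name; Path = $path
        }
    }
}

# Listening TCP ports with the process behind each, sorted by port number
# ('.*:' strips everything up to the last colon, so [::]:135 and 0.0.0.0:135 both give 135).
Get-NetstatConnection | Where-Object { $_.State -eq 'LISTENING' } |
    Sort-Object { [int]($_.Local -replace '.*:', '') } |
    Format-Table Proto, Local, PID, Process, Path -AutoSize

# Triage filter for "what is this?": established connections whose owning
# image is readable and lives outside the Windows and Program Files trees.
Get-NetstatConnection | Where-Object {
    $_.State -eq 'ESTABLISHED' -and $_.Path -and
    $_.Path -notmatch '^[A-Za-z]:\\(Windows|Program Files)'
} | Format-Table Proto, Local, Remote, PID, Process, Path -AutoSize

# Constructed sample (not output from the article's server) to exercise the parser:
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700',
    '  TCP    192.168.1.50:49200     192.168.1.220:445      ESTABLISHED     4',
    '  UDP    0.0.0.0:123            *:*                                    1044'
)
Get-NetstatConnection -InputLines $sample | Format-Table -AutoSize
```

The path filter is only a first cut: an attacker can drop a binary under Program Files too, and on the other side a legitimate agent may live elsewhere. It is there to shrink the list you then look at by hand, which is how netstat gets used in practice.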

Display routing table: If you need to determine why one system has a different experience than another on the same network, netstat can display the current system's routing table with the -r parameter (the same output you get from route print). Figure D shows this in use; note the Persistent Routes section, which lists any static routes added to the Windows Server with route -p add and which therefore survive a reboot.

Figure D
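To answer the "why is this box different" question, it helps to diff two hosts' tables rather than eyeball them. The following is an added example, not code from the article: it parses the IPv4 Active Routes and Persistent Routes sections of netstat -r into objects, exercises the parser on a constructed sample, and diffs two saved outputs. The function name, the sample and the file names are my own assumptions.

```powershell
# Added example, not code from the original article: parse the IPv4
# "Active Routes" and "Persistent Routes" sections of 'netstat -r' into
# objects so two hosts' tables can be diffed with Compare-Object. The file
# names are hypothetical; the assumption is that each host ran
#   netstat -r > routes-<hostname>.txt
# Only the IPv4 table is handled; parsing stops at the IPv6 table.

function ConvertFrom-NetstatRoute {
    param([Parameter(Mandatory=$true)][string[]]$Lines)

    $ip = '\d{1,3}(?:\.\d{1,3}){3}'
    $section = $null
    foreach ($line in $Lines) {
        if ($line -match '^IPv6 Route Table') { break }
        if ($line -match '^(Active|Persistent) Routes:') { $section = $Matches[1]; continue }
        if (-not $section) { continue }

        if ($section -eq 'Active' -and
            $line -match "^\s*($ip)\s+($ip)\s+(\S+)\s+(\S+)\s+(\d+)\s*$") {
            # Network Destination, Netmask, Gateway (may be "On-link"), Interface, Metric
            [pscustomobject]@{
                Section = 'Active'; Destination = $Matches[1]; Netmask = $Matches[2]
                Gateway = $Matches[3]; Interface = $Matches[4]; Metric = [int]$Matches[5]
            }
        } elseif ($section -eq 'Persistent' -and
            $line -match "^\s*($ip)\s+($ip)\s+($ip)\s+(\d+)\s*$") {
            # Network Address, Netmask, Gateway Address, Metric (routes added with route -p add)
            [pscustomobject]@{
                Section = 'Persistent'; Destination = $Matches[1]; Netmask = $Matches[2]
                Gateway = $Matches[3]; Interface = $null; Metric = [int]$Matches[4]
            }
        }
    }
}

# Constructed sample in the shape netstat -r prints on Windows Server 2008
# (not the article's Figure D), so the parser can be tried without a second host:
$sample = @'
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     10
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.10.0.0      255.255.0.0    192.168.1.254       1
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
'@ -split "`r?`n"
ConvertFrom-NetstatRoute $sample | Format-Table -AutoSize

# Diff the tables of two hosts: rows marked <= exist only on host A, => only on host B.
$a = ConvertFrom-NetstatRoute (Get-Content .\routes-hostA.txt)
$b = ConvertFrom-NetstatRoute (Get-Content .\routes-hostB.txt)
Compare-Object $a $b -Property Section, Destination, Netmask, Gateway, Metric | Format-Table -AutoSize
```

Interface is deliberately left out of the comparison properties, since the two hosts will have different interface addresses by definition; what you want to see is a default gateway, a metric or a persistent static route that one host has and the other does not.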

These four netstat commands can greatly add to the troubleshooting efforts for Windows administrators. How else do you use netstat? Share your tips in the discussion.

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

17 comments
Spitfire_Sysop

You could use a perimeter defence device capable of doing behaviour analysis. A good one will identify the activity you describe and automatically block all the traffic from the offending IP for a predefined period of time. This will slow them down considerably and throw a flag in the log file so you know exactly when the attack occurred and why it was blocked. They may move on after they stop getting responses.

reisen55

Two years ago, using NetStat, a consultant I work with determined that my server had an FTP session open. We traced the IP address and it was from - THIS IS TRUE - China!!! Somebody from the Beijing Railroad, to be precise, trying to password-blast my server. We stared at this for about 5 min - I have good passwords, improved it too - and learned what an FTP hack attack looks like. Turned off the FTP service and that ended that. My server is just a little thing and YET China was attempting to get into it. Which is interesting for larger servers with real data on them!!!!!

JCitizen

If you just want to make a quick assessment of who is using or "snooping" on your server/network. I've used it despite not having a server as such. Very useful if malware is causing outgoing/incoming block alerts on the firewall. It is easier reading than IDS logs!

jithinkcs

netstat -f is now working for wm. (Windows Server 2003 SBS, Windows XP SP3)

p.domanski

Some time ago one of the machines couldn't log on to the domain quite often; I even reinstalled Windows. Still had a bad user name or password response from the server. Even if I managed to log in, the same issue was with Outlook. Then I typed "netstat -s -t 1" in the command prompt, and sent a huge file to the server. It showed me in real time that the number of "segments retransmitted" was bigger than the number of "segments sent". Replacing the network adapter solved the problem.

mercedesman1981

Good tips, thank you Rick. In the past I have just used -a to hunt nefarious activity (with success), and hadn't tried the other options.

steve

I presume that of course should say, Windows Server 2008 Admins > as netstat -f does not seem to exist pre 2008 SB

kama410

I didn't even know there was a netstat for Windoze. I was just thinking about that earlier today; that is, that it would be nice if there was a netstat equivalent for the Tinylimp (Yes, Microsoft) world.

JCitizen

When they find such a device, they re-assess and re-attack, because such a device indicates there is something to hide. This could be the case in default SSIDs, but in wired communication, the Chinese have never stopped trying to break into my gateway. However, it isn't a full UTM, but it does report attack IPs and analysis at the end of the month for my benefit. I do encourage my clients to buy full UTMs; my more economically minded clients buy the ZoneAlarm Z100G. They have streaming AV/AM services for very reasonable yearly charges. I would think a bank would want something better than a Barracuda, but I'm really not privy to their liking.

JCitizen

They hit me pretty regularly from about 2006 to 2008, and then got smart enough to start doing it from Universities, so they could crow about how their smart-aleck college kids were doing it. Ya! RIGHT!

JCitizen

I could imagine a lot of handy uses for this command. Even if you are not a server administrator!

b4real

To quickly track something down. Thanks, Mike!

Kimandu

For interface statistics, rising errors can indicate half-duplex settings, besides other Ethernet issues.

jfuller05

I also like to use arp commands, tracert, and of course PING. Just getting my feet wet in the land ruled by Network admins; it's going to be fun I hear.

davids

for those of us that are too lazy to type all that, you can combine the switches... netstat -ano same as netstat -a -n -o (saves typing four characters :)

Kimandu

To find a port number - very useful when you are trying to troubleshoot firewall-related issues, like a specific port being denied even though you have connectivity to the destination. Check to see the ESTABLISHED keyword. This one can be combined with -a, -b, etc.; experiment.
