Network+ Study Guide

Using netstat is a great way to see the TCP/IP connections (both inbound and outbound) on your machine. You can also use it to view packet statistics (similar to the MONITOR.NLM utility on a NetWare server console), such as how many packets have been sent and received, the number of errors, and so on.

When used without any options, netstat produces output similar to that in Figure 4.1, which shows all the outbound TCP/IP connections (in the case of Figure 4.1, a web connection). The netstat utility, used without any options, is particularly useful in determining the status of outbound web connections.

Figure 4.1: Output of the netstat command without any switches

The Proto column lists the protocol being used. Because this is a web connection, the protocol is TCP. The Local Address column lists the source address and the source port. In this case, default is the name shown for the local IP address, and the four source ports are four separate TCP ports used to open four separate TCP connections. The Foreign Address item for all four connections is 204.153.163.2:80, indicating that the address of the destination machine is 204.153.163.2 and that the destination port is TCP port 80 (in other words, HTTP for the Web). The State column indicates the status of each connection. This column has an entry only for TCP connections. Usually, this column indicates ESTABLISHED once a connection between your computer and the destination computer is established.

Note 

If the address of either your computer or the destination computer can be found in the HOSTS file on your computer, the destination computer’s name, rather than the IP address, will show up in either the Local Address or Foreign Address column.

The output of the netstat utility depends on the switch. You can use the following switches:

-a, -e, -r, -s, -n, -p

Simply type netstat, followed by a space, and then the switch. Some switches have options, but the syntax is basically the same.

The –a Switch

When you use the –a switch, netstat displays all TCP/IP connections and all UDP (User Datagram Protocol) connections. Figure 4.2 shows a sample output produced by the netstat -a command.

Figure 4.2: Sample output of the netstat -a command

The last two entries in Figure 4.2 show a protocol type of UDP and the source port addresses nbname and nbdatagram. These port addresses are commonly seen on networks that broadcast the NetBIOS name of a workstation on the TCP/IP network. You can tell that this is a broadcast because the destination address is listed as *:* (meaning “any address, any port”).

Note 

The State column has no entry because UDP is not a connection-oriented protocol and, therefore, has no connection state.

The most common use for the –a switch is to check the status of a TCP/IP connection that appears to be hung. You can determine if the connection is simply busy or is actually hung and no longer responding.
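As an added example (not from the study guide), here is a Python parser for the connection listing described above and in the -a discussion, run over a constructed sample that mirrors Figure 4.1 and Figure 4.2: four TCP connections to 204.153.163.2:80 plus the nbname and nbdatagram UDP rows. It counts ESTABLISHED connections per foreign host:port, records that UDP rows carry no State, and marks *:* as a broadcast; the sample text, the local name default and the extra TIME_WAIT row are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows "netstat -a" output (not the book's figure).
SAMPLE_NETSTAT_A = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    default:1025           204.153.163.2:80       ESTABLISHED
  TCP    default:1026           204.153.163.2:80       ESTABLISHED
  TCP    default:1027           204.153.163.2:80       ESTABLISHED
  TCP    default:1028           204.153.163.2:80       ESTABLISHED
  TCP    default:1029           204.153.163.2:80       TIME_WAIT
  UDP    default:nbname         *:*
  UDP    default:nbdatagram     *:*
"""

# proto, local endpoint, foreign endpoint, optional State (UDP rows have none)
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """'host:port' -> (host, port). Port stays a string: it may be a service
    name such as nbname, or '*' for the any-address/any-port wildcard."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # title, blank and column-header lines
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state,  # None for UDP: no connection state
                     "broadcast": proto == "UDP" and foreign == "*:*"})
    return rows

def connections_by_peer(rows, state="ESTABLISHED"):
    """Count TCP connections per foreign host:port that are in the given state."""
    peers = Counter(f"{r['foreign_host']}:{r['foreign_port']}"
                    for r in rows if r["proto"] == "TCP" and r["state"] == state)
    return dict(peers)
```

Running parse_netstat over saved output from a machine that looks hung and comparing the State values across two captures shows whether the connections are still ESTABLISHED or have moved to TIME_WAIT.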

The –e Switch

This switch displays a summary of all the packets that have been sent over the NIC (network interface card) as of that instant. The two columns in Figure 4.3 show packets coming in as well as being sent.

Figure 4.3: Sample output of the netstat -e command

You can use the –e switch to display the following categories of statistics:

Bytes  The number of bytes transmitted or received since the computer was turned on. This statistic is useful in helping to determine if data is actually being transmitted and received or if the network interface isn’t doing anything.

Unicast Packets  The number of packets sent from or received at this computer. To register in one of these columns, the packet must be addressed directly from one computer to another, and the computer’s address must be in either the source or destination address section of the packet.

Non-unicast Packets  The number of packets not directly sent from one workstation to another. For example, a broadcast packet is a non-unicast packet. The number of non-unicast packets should be smaller than the number of unicast packets. If the number of non-unicast packets is as high or higher than that of unicast packets, too many broadcast packets are being sent on your network. You should find the source of these packets and make any necessary adjustments.

Discards  The number of packets that were discarded by the NIC during either transmission or reception because they weren’t assembled correctly.

Errors  The number of errors that occur during transmission or reception. These numbers may indicate problems with the network card.

Unknown Protocols  The number of received packets that the Windows networking stack couldn’t interpret. This statistic shows up only in the Received column, because if the computer sent them, they wouldn’t be unknown, would they?

Unfortunately, these statistics don’t mean much unless they can be put in the context of elapsed time. For example, if the Errors column shows 100 errors, is that a problem? It might be if the computer has been on for only a few minutes. But 100 errors could be par for the course if the computer has been operating for several days. Unfortunately, the netstat utility doesn’t have a way of indicating how much time has elapsed for these statistics.

Real World Scenario: Outsmarting netstat

On occasion, you may need netstat to run again every few seconds. Try placing a number after the netstat -e command, like so:

netstat -e 15

The command executes, waits the number of seconds specified by the number (in this case, 15), and then repeats until you press Ctrl+C.

You can use this feature with any combination of switches.
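Because netstat -e prints cumulative counters with no elapsed time, the usual remedy is to capture two samples a known interval apart and work out rates, which is exactly what the netstat -e 15 loop makes possible. The following Python, an added example and not part of the study guide, parses two constructed netstat -e snapshots taken 15 seconds apart, computes per-second rates for every counter, and applies the non-unicast-versus-unicast rule from the -e section; the 0.5 receive-errors-per-second threshold and the sample values are assumptions.

```python
import re

# Constructed snapshots in "netstat -e" layout, 15 s apart (as "netstat -e 15" prints them); not the book's figure.
SNAPSHOT_T0 = """Interface Statistics
                           Received            Sent
Bytes                      10000000            4000000
Unicast packets               20000              18000
Non-unicast packets            1000                 50
Errors                            2                  0
Unknown protocols                 5
"""
SNAPSHOT_T1 = """Interface Statistics
                           Received            Sent
Bytes                      10300000            4100000
Unicast packets               20200              18150
Non-unicast packets            1400                 60
Errors                           12                  0
Unknown protocols                 5
"""

ROW_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+))?\s*$")

def parse_netstat_e(text):
    """Return {counter: (received, sent)}; sent is None where netstat prints
    no Sent value (Unknown protocols). Header lines carry no digits and skip."""
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m[1]] = (int(m[2]), None if m[3] is None else int(m[3]))
    return stats

def per_second_rates(before, after, seconds):
    """Per-second delta of every counter between two snapshots."""
    rates = {}
    for name, (rx1, tx1) in after.items():
        rx0, tx0 = before[name]
        tx = None if tx1 is None else (tx1 - tx0) / seconds
        rates[name] = ((rx1 - rx0) / seconds, tx)
    return rates

def health_flags(before, after, seconds, max_rx_errors_per_sec=0.5):
    """Assumed threshold for errors; non-unicast vs unicast is the book's rule."""
    r = per_second_rates(before, after, seconds)
    flags = []
    if r["Errors"][0] > max_rx_errors_per_sec:
        flags.append("receive errors climbing")
    if r["Non-unicast packets"][0] >= r["Unicast packets"][0]:
        flags.append("broadcast storm suspected")
    return flags
```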

The –r Switch

You use the –r switch to display the current route table for a workstation so that you can see how TCP/IP information is being routed. Figure 4.4 shows sample output using this switch. You can tell from this output which interface is being used to route to a particular network (useful if computers have multiple NICs).

Figure 4.4: Sample output of the netstat -r command

The –s Switch

Using the –s switch displays a variety of TCP, UDP, IP, and ICMP (Internet Control Message Protocol) protocol statistics. Below is some sample output using this switch.

C:\>NETSTAT -s

IP Statistics

  Packets Received                   = 17455
  Received Header Errors             = 0
  Received Address Errors            = 108
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 17346
  Output Requests                    = 16374
  Routing Discards                   = 255
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 2
  Reassembly Successful              = 1
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMP Statistics

                            Received    Sent
  Messages                  12          19
  Errors                    0           0
  Destination Unreachable   0           7
  Time Exceeded             0           0
  Parameter Problems        0           0
  Source Quenchs            0           0
  Redirects                 0           0
  Echos                     4           8
  Echo Replies              8           4
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0

TCP Statistics

  Active Opens                        = 715
  Passive Opens                       = 0
  Failed Connection Attempts          = 35
  Reset Connections                   = 638
  Current Connections                 = 1
  Segments Received                   = 15815
  Segments Sent                       = 15806
  Segments Retransmitted              = 61

UDP Statistics

  Datagrams Received    = 573
  No Ports              = 946
  Receive Errors        = 0
  Datagrams Sent        = 492

Note 

Because the Network+ exam doesn’t cover them, we won’t go into detail on what all these statistics mean. You can probably figure out some of them, such as Packets Received. For details, go to Microsoft’s support website at www.microsoft.com/support/.

The –n Switch

This switch is a modifier for the other switches. When used with other switches, it reverses the natural tendency of netstat to use names instead of network addresses. In other words, when you use the –n switch, the output always displays network addresses instead of their associated network names.

The –p Switch

Like the –n switch, the –p switch is a modifier. Typically used with the –s switch (discussed earlier), it specifies which protocol statistics to list in the output (IP, TCP, UDP, or ICMP). For example, if you want to view only ICMP statistics, you use the –p switch like so:

netstat -s -p ICMP

The netstat utility then displays the ICMP statistics instead of the gamut of TCP/IP statistics that the –s switch normally produces.
