You have downloaded and installed all the critical updates for Windows as soon as they became available. Your anti-virus and anti-spyware programs are updated, and you have scanned your system for what seems an eternity without finding any malware. Still, you feel that something is happening on your computer and you aren't sure what it is. You are sure that something is causing too much Internet activity when you are not surfing the web or downloading files and Windows Update isn't running.
If you fit the profile of a careful Internet user and recognize this scenario, then you most likely have an updater running in the background. This seems to be a trend with all types of programs these days. Even though you may be aware that this is the probable cause of the activity on your computer, you may still want to know exactly what is using your bandwidth in order to decide whether or not to allow this activity to continue. This does not make you a "control freak", because this activity could just as easily be caused by a bot zombie, meaning your computer has been conscripted into one of the armies used in Denial of Service attacks.
There are several ways to investigate traffic in and out of your computer. Most involve third-party software. Some personal firewalls will inform you of this traffic. There are also "traffic sniffers" available that can provide the same information. If you would rather not install another program and you don't have one of the personal firewalls that has this feature, there is another alternative, and it is built into your system: run the netstat command from a Command Prompt window.
If you still have Windows XP, click your Start button to open the Start Menu. In the left-hand column you will see the "Run" entry. Clicking this entry will open the "Run" box.
When the "Run" box opens you will see a text box labeled "Open:". By default a flashing cursor is already present in this text box, waiting for you to begin typing. If not, simply click inside the text box and the cursor will appear. Type "cmd" into the text box, without the quotation marks. This is short for command or command prompt. Now click the "OK" button.
If you have Windows Vista and haven't customized your Start Menu to list "Run", it is just as quick to open the Command Prompt window directly. On the Start Menu click All Programs at the bottom, or just hold your mouse pointer on this listing until it changes. Click on the Accessories folder to expand it. Right-click on the Command Prompt listing. On the context menu click "Run as administrator".
With either Windows XP or Windows Vista you should now have a Command Prompt window open. Illustrated on the left is the Windows XP version, while the Windows Vista version is on the right.
The rest of the screen shots in this article will be from Windows XP. This is a matter of convenience, not preference. It also reduces the number of graphics that need to be prepared, the page download time for those who access this page over a dial-up connection, and the hard drive space that the extra graphics would require on the server. Since there is no difference in the procedure from this point on, one set of graphics should be more than sufficient.
When first opened, the Command Prompt window shows copyright and version information at the top. Beneath that, and shown here, is the prompt. The prompt is followed by a flashing horizontal cursor, which does not show well in a screen shot. The subject of this article is the command "netstat", typed here without the quotes. When you finish typing it, press the "Enter" key.
As you can see in the above screen shot, this command provides information on programs accessing the Internet without the use of any of its switches. From left to right, the top line consists of column labels. Proto is the protocol, and those shown are using TCP, the Transmission Control Protocol. The next column is labeled Local Address, and here it consists of the computer's name, which in this instance was replaced with stars, and the port number that is being used. The column under the label Foreign Address represents the other end of the connection: the remote host name is given, followed by either a port number or a type of connection. The final column, "State", tells you the condition of the connection. Of the two connections shown here, one is ESTABLISHED, i.e. in existence; the other, SYN_SENT, shows that a connection is in the process of being established.
Using switches with "netstat" will provide even more information. To see the full list of switches available, type "netstat /?". Don't use the quotation marks, and be sure to put a space between the command netstat and the switch "/?". There are quite a few more available than will be covered in this article.
The first switch we will examine is the "a" switch. Think of it as "a for all", because it shows even programs that are just listening for incoming traffic, and all protocols being used. As you may have noticed, TCP is listed first, then UDP (User Datagram Protocol). To use this switch, type "netstat -a" then hit your "Enter" key, or "netstat /a" then Enter. Be sure to leave out the quotes and place a space after netstat. The local machine name in this screen shot has again been replaced with a series of asterisks/stars. When a connection has not been established or a port has not been opened, netstat shows this in the report as an asterisk/star. This explains the star colon star (*:*) entries in the Foreign Address column.
Since it is outside the scope of this article, the differences and purposes of the two protocols are not covered here; they are explained well in the "Security Now!" netcasts entitled "How the Internet Works" Part 1 and Part 2. You will find both MP3 and text versions of these netcasts at the site to which these links will take you. There you can also find a netcast on The Netstat Command.
Another helpful switch is the "n" option. Think of n as numeric, since all names are replaced by IP addresses. This screen shot shows exactly the same connections as the screen shot of netstat without any switches. Instead of the local machine name you get the machine's IP address. In the Foreign Address column, instead of host names you get the remote site's IP address. Like the "a" switch/option, netstat will accept either "-n" or "/n".
Illustrated above is the use of switches/options in combination. Netstat is not fussy and accepts "-an", "/a /n" and "/an". This applies to most of netstat's available switches. In the Local Address and Foreign Address columns, the IP address 0.0.0.0 is being reported. This is a wild card of sorts and represents any IP address. Also in the Local Address column, another special IP address is referenced, 127.0.0.1. This IP address is used to represent the local machine itself.
The next switch to be covered is the "b" switch. Shown here in use alone, the "b" stands for binary, and when invoked it reveals the executable involved in the connection. The executable is shown beneath the connection in square brackets. In the illustration, [blinksvc.exe] is part of the update function for the Blink computer protection program from eeye.com. A new column appears with this option, labeled PID. This is the "Process ID". This PID corresponds with the PID column in Windows Task Manager on the Processes tab.
Combining all three options when calling netstat provides even more information. Not only are the executables identified, but so are all the processes involved in creating the connection. This is by nature highly verbose, and you will need to maximize your Command Prompt window for better viewing.
When running the netstat command, the report you receive is a snapshot. That is, the report shows the status of your computer's connections at that one particular moment. If you want to have the information updated, append to your command line the number of seconds you want netstat to wait before reprinting the report. This switch/option requires a space between it and any other switches you may have selected. For instance, "netstat -abn 30" will present you with the report shown above every 30 seconds.
If you would like to check out the netstat command, you might find the "/help" switch to be helpful. Also, when playing with netstat, your Command Prompt window will fill up in a hurry. If you would like to erase all the reports generated by netstat and more or less start over, you will find "cls" a very useful command. This is not a part of netstat but rather another command. At the prompt simply type "cls", without quotes, then hit the "Enter" key. The letters "cls" stand for clear screen, and that is exactly what this command does.
For those who prefer a hard copy, you can use redirection to send the netstat report to a text file. The resulting text file can either be printed via "Notepad" or opened with a word processor for editing before it is printed. The command line for this would be something similar to this: "netstat -abn > filename.txt".
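Once a "netstat -abn" report has been saved to a text file as above, the questions a careful user actually wants answered are: which executables are talking to another machine right now, which are merely listening, and what changed since the last snapshot. The following Python program is an added example, not part of this article or of any Microsoft tool. It parses two constructed reports in the Windows XP "netstat -abn" layout described earlier (executable in square brackets beneath each connection, PID in the last column, a blank State for UDP), interprets the special addresses 0.0.0.0, 127.0.0.1 and *:*, and compares the two snapshots. The program names, PIDs and addresses in the samples are invented; the ones you are interested in would come from your own saved file via load_report().

```python
"""Parse saved Windows XP 'netstat -abn' reports and compare two snapshots.

Added example (not from the original article). SNAPSHOT_1 and SNAPSHOT_2 are
constructed samples in the XP 'netstat -abn' layout; the executables, PIDs and
addresses are invented for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SNAPSHOT_1 = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  c:\windows\system32\WS2_32.dll
  C:\WINDOWS\system32\svchost.exe
  [svchost.exe]

  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1388
  [alg.exe]

  TCP    192.168.1.5:1052       198.51.100.10:80       ESTABLISHED     1840
  [firefox.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

SNAPSHOT_2 = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  [svchost.exe]

  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1388
  [alg.exe]

  TCP    192.168.1.5:1067       203.0.113.7:443        ESTABLISHED     2216
  [updater.exe]

  UDP    0.0.0.0:445            *:*                                    4
  [System]
"""

# A connection line: Proto, Local, Foreign, optional State (absent for UDP), PID.
_CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    foreign: str
    state: str   # "" for UDP, which has no connection state
    pid: int
    exe: str     # name printed in [brackets] by the -b switch


def parse_netstat(report: str) -> List[Conn]:
    """Turn the text of a 'netstat -abn' report into Conn records."""
    conns: List[Conn] = []
    pending = None  # connection fields whose [exe] line has not been seen yet

    def flush(exe: str) -> None:
        nonlocal pending
        if pending is not None:
            conns.append(Conn(*pending, exe=exe))
            pending = None

    for line in report.splitlines():
        m = _CONN_RE.match(line)
        if m:
            flush("(unknown)")  # previous entry had no [exe] line (ownership unavailable)
            proto, local, foreign, state, pid = m.groups()
            pending = (proto, local, foreign, state or "", int(pid))
            continue
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            flush(stripped[1:-1])
        # any other line is a component (DLL) path or a header; ignore it
    flush("(unknown)")
    return conns


def load_report(path: str) -> List[Conn]:
    """Parse a file produced with 'netstat -abn > filename.txt'."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return parse_netstat(fh.read())


def describe_address(addr: str) -> str:
    """Explain the special addresses the article mentions."""
    host, _, port = addr.rpartition(":")
    if host == "*":
        return "not connected"                      # the *:* foreign entries
    if host == "0.0.0.0" and port == "0":
        return "no peer (listening)"
    if host == "0.0.0.0":
        return f"any interface, port {port}"        # wildcard address
    if host == "127.0.0.1":
        return f"this machine only (loopback), port {port}"
    return f"{host}, port {port}"


def established_remote(conns: List[Conn]) -> List[Conn]:
    """Connections really talking to another machine: ESTABLISHED, foreign end not local."""
    return [c for c in conns
            if c.state == "ESTABLISHED"
            and not c.foreign.startswith(("127.", "0.0.0.0:", "*"))]


def listening_by_exe(conns: List[Conn]) -> Dict[str, List[Tuple[str, str]]]:
    """Map executable -> [(proto, local address)] for sockets waiting for inbound traffic."""
    out: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for c in conns:
        if c.state == "LISTENING" or c.proto == "UDP":
            out[c.exe].append((c.proto, c.local))
    return dict(out)


def new_connections(before: List[Conn], after: List[Conn]) -> List[Conn]:
    """Connections present in 'after' but not in 'before' (PID ignored, since it may change)."""
    key = lambda c: (c.proto, c.local, c.foreign, c.state, c.exe)
    seen = {key(c) for c in before}
    return [c for c in after if key(c) not in seen]


if __name__ == "__main__":
    before, after = parse_netstat(SNAPSHOT_1), parse_netstat(SNAPSHOT_2)
    for c in established_remote(after):
        print(f"{c.exe} (PID {c.pid}) -> {describe_address(c.foreign)}")
    for c in new_connections(before, after):
        print("new since last snapshot:", c.proto, c.local, c.foreign, c.exe)
    for c in new_connections(after, before):
        print("gone since last snapshot:", c.proto, c.local, c.foreign, c.exe)
```

Running the two snapshots through new_connections() in both directions shows that firefox.exe's web connection has closed and updater.exe has opened a new one to port 443, which is exactly the kind of background updater traffic the article describes; a name you do not recognize in that list is the one to look up by its PID in Task Manager.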
Microsoft, Microsoft Office, Windows, Windows XP and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other names have been included in the above text that are trademarks of the respective companies.