Home > Articles > Security > Network Security

  • Print
  • + Share This

Reading a Netstat Result

Netstat commands display as shown in Figure 1.

Figure 1 Netstat commands displayed.

In this figure, Proto stands for "protocol" and can be either TCP or UDP. Netstat gives statistics on both TCP and UDP traffic. Because UDP is connectionless, no connection information is shown for UDP packets. Local Address is the local address and port from which a connection is attached. Foreign Address is the IP or hostname and port of the remote computer. State is the state of that connection. A number of types of socket states may be returned. In the article "TCP Connection States and Netstat Output (Q137984)," Microsoft describes the states to be those listed here:

  • SYN_SEND—Active open.

  • SYN_RECEIVED—Server just received SYN from the client.

  • ESTABLISHED—Client received server's SYN, and session is established.

  • LISTEN—Server is ready to accept connection.

  • FIN_WAIT_1—Active close.

  • TIMED_WAIT—Client enters this state after active close.

  • CLOSE_WAIT—Passive close. Server just received first FIN from a client.

  • FIN_WAIT_2—Client just received acknowledgment of its first FIN from the server.

  • LAST_ACK—Server is in this state when it sends its own FIN.

  • CLOSED— Server received ACK from client and connection is closed.

To understand this output, it's important to understand a little about TCP connection states. The description above uses server and client arbitrarily not reflecting network architecture. The client is the computer initiating communication; the server is the computer responding. There are three phases to this relationship. The first phase initiates a connection, the middle phase is the established connection, and the final phase is the closing of the connection.

During the first phase, the client computer sends a packet with the SYN (synchronize) flag set. This packet contains information regarding the return path for the data. The server receives the packet and initiates an ACK (acknowledge) packet and its own SYN packet. The client then responds with its ACK packet. The connection is established. This is known as the TCP three-way handshake.

The second phase consists of the conversation between server and client.

The final phase begins when the client computer sends a FIN packet and goes into an active close state in which it sends no more data. The server responds with an ACK packet followed by a FIN packet. The client responds with an ACK packet. The connection is broken.

  • + Share This
  • 🔖 Save To Your Account

Related Resources

There are currently no related titles. Please check back later.