NETSTAT COMMAND
1. The Windows netstat command shows network activity, focusing on TCP and UDP by default. Because malware often communicates across the network, users can look for unusual and unexpected connections in the output of netstat, run as follows:
C:\> netstat –nao
2. The -n option tells netstat to display numbers in its output, not the names of machines and protocols, and instead shows IP addresses and TCP or UDP port numbers. The -a indicates to display all connections and listening ports. The -o option tells netstat to show the processID number of each program interacting with a TCP or UDP port. If, instead of TCP and UDP, you are in interested in ICMP, netstat can be run as follows:
C:\> netstat -s -p icmp
3. This indicates that the command will return statistics (-s) of the ICMP protocol. Although not as detailed as the TCP and UDP output, users can see if a machine is sending frequent and unexpected ICMP traffic on the network. Some backdoors and other malware communicate using the payload of ICMP Echo messages, the familiar and innocuous-looking ping packets seen on most networks periodically.
4. Like WMIC, the netstat command also lets us run it every N seconds. But, instead of using the WMIC syntax of "/every:[N]", users simply follow their netstat invocation with a space and an integer. Thus, to list the TCP and UDP ports in use on a machine every 2 seconds, users can run:
C:\> netstat -na 2
0 comments:
Post a Comment