Jaycee's Networking

April 23, 2009

Netstat and Nbtstat

Filed under: Information — Jaycee @ 4:21 pm


1. Netstat shows TCP/IP statistics:

a. Current network sessions to and from the host
b. Protocol statistics
c. Routing Table
d. The number of bytes sent, received, or dropped

2. Windows-based:

-a displays all connections and listening ports.
-e displays Ethernet statistics.
-n displays addresses and port numbers in numerical form
-o displays process ID
-p proto shows connections for the protocol specified by proto
-r displays the routing table
-s displays per-protocol statistics
interval redisplays selected statistics, pausing interval seconds between each display

*The SYN_RECEIVED state indicates a half-open TCP connection. A large number of connections in this state can be an indication of a SYN flood attack.
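One way to turn the SYN_RECEIVED note into a check, as an added example (not from the original post): count half-open connections per local port in saved "netstat -an" output. The sample output, the function names and the threshold of 4 are assumptions made for illustration.

```python
from collections import defaultdict

# Windows netstat prints SYN_RECEIVED; Linux net-tools prints SYN_RECV.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV"}

def half_open_by_port(netstat_text):
    """Map local port -> set of remote endpoints in the half-open state."""
    pending = defaultdict(set)
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        # Locate the state column so Windows (4-5 columns) and Linux (6-7) both parse.
        idx = next((i for i, f in enumerate(fields) if f in HALF_OPEN_STATES), None)
        if idx is None or idx < 3:
            continue
        local, foreign = fields[idx - 2], fields[idx - 1]
        pending[local.rsplit(":", 1)[-1]].add(foreign)
    return pending

def suspicious_ports(netstat_text, threshold=4):
    """Ports with at least `threshold` half-open peers (threshold is an assumed value)."""
    counts = {port: len(peers) for port, peers in half_open_by_port(netstat_text).items()}
    return {port: n for port, n in counts.items() if n >= threshold}

# Constructed `netstat -an` output (documentation addresses, not a real capture).
SAMPLE = """\
Active Connections

  Proto  Local Address      Foreign Address        State
  TCP    0.0.0.0:80         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80      198.51.100.7:40112     SYN_RECEIVED
  TCP    192.0.2.10:80      198.51.100.9:51877     SYN_RECEIVED
  TCP    192.0.2.10:80      203.0.113.4:1093       SYN_RECEIVED
  TCP    192.0.2.10:80      203.0.113.66:60001     SYN_RECEIVED
  TCP    192.0.2.10:80      203.0.113.91:2210      SYN_RECEIVED
  TCP    192.0.2.10:80      198.51.100.20:49822    ESTABLISHED
  TCP    192.0.2.10:3389    198.51.100.20:49901    SYN_RECEIVED
"""

if __name__ == "__main__":
    for port, n in suspicious_ports(SAMPLE).items():
        print(f"port {port}: {n} half-open connections")
```

A few half-open entries are normal while handshakes complete, so compare the count against what the host usually shows before treating it as a flood.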

3. Linux-based:

-r displays routing table
-i displays interface table
-g displays multicast group memberships
-s displays networking statistics (like SNMP), a summary of IP, ICMP, TCP and UDP
-M displays masqueraded connections
-n displays addresses in numeric form without resolving names
-N resolves hardware names
-e displays other information
-p displays PID
-c views a continuous display that gets refreshed periodically until interrupted by Ctrl-C
-l displays listening server sockets
-a displays all sockets (default: connected)
-o displays timers
-F displays FIB
-C displays routing cache instead of FIB
-t displays the currently active TCP connections

*Display all the active connections except the UNIX sockets: netstat -atuwp

4. Issue the “netstat -s” command to get a summary of IP, ICMP, TCP and UDP statistics:

echo requests: 53
echo replies: 17
4 segments retransmitted
30 resets sent

a. Under ICMP, “Echo Requests” counter indicates the number of ping packets received by the host.
=> A rapid increase in “Echo Request” indicates that the host is under an ICMP flood attack.
b. Under TCP, a large number of “segments retransmitted” indicates packet loss.
c. A rapid increase in “resets sent” indicates that the host is being subjected to a TCP port scan.
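The three indicators above depend on how fast a counter rises, not on its absolute value, so the check needs two snapshots. An added example (not from the original post) that parses two "netstat -s" outputs in the Linux net-tools layout and reports the per-second rate of the counters named above; the second snapshot, the 60-second gap and the limits are assumed values.

```python
import re

COUNT_FIRST = re.compile(r"^(\d+)\s+(.+)$")   # "4 segments retransmitted"
NAME_FIRST = re.compile(r"^(.+?):\s*(\d+)$")  # "echo requests: 53"

def parse_netstat_s(text):
    """Return {counter: value}; ICMP histogram entries get an in/out prefix."""
    counters, prefix = {}, ""
    for raw in text.splitlines():
        # Some net-tools builds misspell the counter as "retransmited".
        line = raw.strip().lower().replace("retransmited", "retransmitted")
        if line.startswith("icmp input histogram"):
            prefix = "icmp in "
        elif line.startswith("icmp output histogram"):
            prefix = "icmp out "
        elif m := NAME_FIRST.match(line):
            counters[prefix + m.group(1)] = int(m.group(2))
        elif m := COUNT_FIRST.match(line):
            counters[m.group(2)] = int(m.group(1))
        elif line.endswith(":"):
            prefix = ""  # new protocol section such as "Tcp:"
    return counters

def rising_counters(before, after, seconds, limits):
    """Return {counter: per-second rate} for counters rising faster than their limit."""
    old, new = parse_netstat_s(before), parse_netstat_s(after)
    alerts = {}
    for name, limit in limits.items():
        delta = new.get(name, 0) - old.get(name, 0)  # negative if counters restarted
        if delta >= 0 and delta / seconds > limit:
            alerts[name] = delta / seconds
    return alerts

# Constructed snapshots 60 s apart (BEFORE reuses the values above); limits are assumed.
BEFORE = """\
Icmp:
    ICMP input histogram:
        echo requests: 53
    ICMP output histogram:
        echo replies: 17
Tcp:
    4 segments retransmitted
    30 resets sent
"""
AFTER = BEFORE.replace(": 53", ": 6053").replace("30 resets", "930 resets")
LIMITS = {"icmp in echo requests": 10, "segments retransmitted": 5, "resets sent": 5}

if __name__ == "__main__":
    for name, rate in rising_counters(BEFORE, AFTER, 60, LIMITS).items():
        print(f"{name}: {rate:.1f}/s")
```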


1. Nbtstat determines the user on the Windows machine at a given IP address; it also provides the MAC address of the Ethernet interface.

nbtstat -A remote-ip-address

2. Example: use “nbtstat” to trace a user

a. Use “show mac-address-table dynamic” on Cisco switch to obtain MAC:

Router#sh mac-address-table dynamic
vlan  mac address         type          protocol  ports
10     0080.1c93.8040  dynamic  ip              5/7

b. Use “show arp” on Cisco router to obtain MAC-to-IP:

Router#sh arp
Protocol Address

c. Use “nbtstat -A ip-address” to determine the user who is logged in to the machine with that IP:

C:\>nbtstat -A
SPOPE     <03>  UNIQUE    Registered
MAC Address – 0080.1c93.8040
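The three lookups above, joined in one pass, as an added example (not from the original post). It normalizes the MAC notation, since Cisco prints dotted groups while nbtstat commonly prints hyphenated pairs, and it checks that nbtstat reports the same MAC the switch learned. The ARP row, the IP address 192.0.2.25, the hyphenated nbtstat line and all function names are assumptions for illustration.

```python
import re

def norm_mac(mac):
    """Reduce 0080.1c93.8040 or 00-80-1C-93-80-40 to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def macs_on_port(mac_table, port):
    """MACs learned dynamically on one port, from `show mac-address-table dynamic`."""
    rows = (line.split() for line in mac_table.splitlines())
    return [norm_mac(r[1]) for r in rows if len(r) >= 5 and r[2] == "dynamic" and r[-1] == port]

def ip_for_mac(arp_table, mac):
    """IP address paired with a MAC in `show arp` output, or None."""
    for line in arp_table.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "Internet" and norm_mac(f[3]) == mac:
            return f[1]
    return None

def parse_nbtstat(output):
    """Return (names registered with suffix <03>, normalized MAC) from `nbtstat -A`."""
    names = re.findall(r"^\s*(\S+)\s+<03>\s+UNIQUE", output, re.M)
    mac = re.search(r"MAC Address\s*\S\s*([0-9A-Fa-f.:-]+)", output)
    return names, (norm_mac(mac.group(1)) if mac else None)

def trace_port(port, mac_table, arp_table, nbtstat_by_ip):
    """Follow switch port -> MAC -> IP -> <03> names; confirm nbtstat shows the same MAC."""
    results = []
    for mac in macs_on_port(mac_table, port):
        ip = ip_for_mac(arp_table, mac)
        names, seen = parse_nbtstat(nbtstat_by_ip.get(ip, ""))
        results.append({"mac": mac, "ip": ip, "names": names, "mac_confirmed": seen == mac})
    return results

# The MAC table row is the one shown above; the ARP row, IP address and hyphenated
# nbtstat MAC line are constructed for this example.
MAC_TABLE = """vlan  mac address         type          protocol  ports
10     0080.1c93.8040  dynamic  ip              5/7"""
ARP = """Protocol  Address       Age (min)  Hardware Addr   Type  Interface
Internet  192.0.2.25           4  0080.1c93.8040  ARPA  Vlan10"""
NBTSTAT = {"192.0.2.25": """   SPOPE     <03>  UNIQUE    Registered
   MAC Address = 00-80-1C-93-80-40"""}

if __name__ == "__main__":
    print(trace_port("5/7", MAC_TABLE, ARP, NBTSTAT))
```

A result with mac_confirmed set to False means the ARP entry and the host that answered nbtstat disagree, so the trace should be repeated before it is relied on.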


1. “netstat -ao“: lists various TCP and UDP ports, the local and foreign addresses associated with the ports, and the current state of the ports.

C:\WINDOWS>netstat -ao

Active Connections

Proto Local Address Foreign Address State PID
TCP   pro1:epmap   pro1.dpetri.net:0   LISTENING   860
TCP   pro1:microsoft-ds   pro1.dpetri.net:0   LISTENING   4
TCP   pro1:1025   pro1.dpetri.net:0   LISTENING   908
TCP   pro1:1084   pro1.dpetri.net:0   LISTENING   596
TCP   pro1:2094   pro1.dpetri.net:0   LISTENING   596
TCP   pro1:3389   pro1.dpetri.net:0   LISTENING   908
TCP   pro1:5000   pro1.dpetri.net:0   LISTENING   1068
TCP   pro1:1084   srv1.dpetri.net:1026   ESTABLISHED   596
TCP   pro1:2094   srv1.dpetri.net:1166   ESTABLISHED   596
UDP   pro1:epmap   *:*   860
UDP   pro1:microsoft-ds   *:*   4
UDP   pro1:isakmp   *:*   680
UDP   pro1:1026   *:*   1040
UDP   pro1:1027   *:*   1040
UDP   pro1:1028   *:*   680
UDP   pro1:1038   *:*   908
UDP   pro1:1043   *:*   624
UDP   pro1:1085   *:*   596
UDP   pro1:1086   *:*   596
UDP   pro1:1242   *:*   1040
UDP   pro1:ntp   *:*   908
UDP   pro1:1649   *:*   596
UDP   pro1:1900   *:*   1068
UDP   pro1:2095   *:*   976
UDP   pro1:2217   *:*   1856
UDP   pro1:ntp   *:*   908
UDP   pro1:1900   *:*   1068

2. “netstat -es“: is useful in detecting the traffic generated or received by the machine. The interface statistics provide a summary of packets sent and received. A high number of discards, errors, or unknown protocols indicates problems at the Ethernet level caused by cabling, duplex and autonegotiation issues.


3. “netstat -r“: displays the route table.

BSD $ netstat -r
Routing tables

Destination        Gateway            Flags    Refs      Use  Netif Expire
default          UGSc        1        0    dc0
localhost          localhost          UH          1        0    lo0
192.168.1          link#1             UC          3        0    dc0        00:06:25:63:dd:ec  UHLW        2        0    dc0   1190
surf               00:a0:cc:28:8c:7a  UHLW        1      117    dc0   1135
smurf              localhost          UGHS        0        0    lo0      ff:ff:ff:ff:ff:ff  UHLWb       3       65    dc0

Linux :~> netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt
Iface     *        U         0 0          0
default         UG        0 0          0

C:\WINDOWS\Desktop>netstat -r
Route table

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
       1       1       1       1       1       1               2       1
Default Gateway:
Persistent Routes:

4. “netstat -t“: displays the currently active TCP connections.

         [root@Linux] /#netstat -t         
         Active Internet connections (w/o servers)
         Proto	Recv-Q	Send-Q	Local Address	Foreign Address	State
         Tcp	0	0	deep.openar:netbios-ssn	gate.openna.com:1045	ESTABLISHED
         Tcp	0	0	localhost:1032	localhost:1033	ESTABLISHED
         Tcp	0	0	localhost:1033	localhost:1032	ESTABLISHED
         Tcp	0	0	localhost:1030	localhost:1034	ESTABLISHED
         Tcp	0	0	localhost:1031	localhost:1030	ESTABLISHED
         Tcp	0	0	localhost:1028	localhost:1029	ESTABLISHED
         Tcp	0	0	localhost:1029	localhost:1028	ESTABLISHED
         Tcp	0	0	localhost:1026	localhost:1027	ESTABLISHED
         Tcp	0	0	localhost:1027	localhost:1026	ESTABLISHED
         Tcp	0	0	localhost:1024	localhost:1025	ESTABLISHED
         Tcp	0	0	localhost:1025	localhost:1024	ESTABLISHED

5. “netstat -atuwp“: display all the active connections except the UNIX sockets.

         [root@Linux] /#netstat -atuwp
         Active Internet connections (servers and established)
         Proto  Recv-Q  Send-Q  Local Address  Foreign Address  State        PID/Program name
         Tcp    0       0       *:5902         *:*              LISTEN       4649/Xrealvnc
         Tcp    0       0       *:x11          *:*              LISTEN       4433/XFree86
         Tcp    0       0       *:x11 -2       *:*              LISTEN       4649/XFree86
         Tcp    0       0       *:ssh          *:*              LISTEN       882/sshd
         Tcp    0       0                                       ESTABLISHED  3438/0
         Tcp    0       0                                       ESTABLISHED  4649/Xrealvnc

6. “netstat -i“: displays the statistics of the Ethernet interface.

[root@Linux] /#netstat -i
Name Mtu  Net/Dest     Address   Ipkts    Ierrs Opkts    Oerrs  Collis  Queue
le0  1500 b5-spd-2f-cm tatra     14093893 8492  10174659 1119   2314178   0
lo0  8232 loopback     localhost 92997622 5442  12451748 0      775125    0

7. “netstat -s“: displays a summary of IP, ICMP, TCP and UDP.

[root@Linux] /#netstat -s

udpInDatagrams      =  39228     udpOutDatagrams     =  2455
udpInErrors         =     0


tcpRtoAlgorithm     =     4      tcpMaxConn          =    -1
tcpRtoMax           = 60000      tcpPassiveOpens     =     2
tcpActiveOpens      =     4      tcpEstabResets      =     1
tcpAttemptFails     =     3      tcpOutSegs          =   315

ipForwarding        =     2      ipDefaultTTL        =   255
ipInReceives        =  4518      ipInHdrErrors       =     0

icmpInMsgs          =     0      icmpInErrors        =     0
icmpInCksumErrs     =     0      icmpInUnknowns      =     0


0 messages received
0 messages received with too few bytes
0 messages received with bad checksum
0 membership queries received
0 membership queries received with invalid field(s)
0 membership reports received
0 membership reports received with invalid field(s)
0 membership reports received for groups to which we belong
0 membership reports sent
