How to Read Data From Tcp Port in Batch File

How to apply a netstat command in Windows to watch open up ports

Mike Cobb shows how a simple command line tool can provide invaluable information well-nigh what's happening on your system

Netstat, the TCP/IP networking utility, has a simple set of options and identifies a computer's listening ports, along with incoming and outgoing network connections. This data can be very helpful if you're trying to resolve a malware issue or diagnose a security trouble.

I have to admit, I much prefer graphical user interfaces when information technology comes to working on a figurer. I've never been a big fan of command line tools, but occasionally some, such as Netstat, do come up into their own.

Another reason I detect Netstat such a useful tool is that it tin can be found on near any computer by default, from Unix and Linux machines through to Windows and Macs. The fact you don't take to install and run a divide diagnostic tool can be a life saver when dealing with a customer's PC or a quarantined machine.

Every open up port on your estimator is an entry point that tin can be exploited to proceeds covert access. And so if yous need to know what connections a machine has to the internet and what services may be open up and running, Netstat can quickly tell you.

Let me explain how to Netstat command in Windows. First, just open up a control prompt window and blazon:

netstat -an

The -a parameter lists all the computer'south connections and listening ports, while the -north parameter displays addresses and port numbers in numerical format. A typical (truncated) issue from Netstat -an looks like this:

Agile Connections

Proto Local Address	Foreign Address	State
TCP 0.0.0.0:21	0.0.0.0:0	LISTENING
TCP 0.0.0.0:25	0.0.0.0:0	LISTENING
TCP 0.0.0.0:80	0.0.0.0:0	LISTENING
TCP 0.0.0.0:135	0.0.0.0:0	LISTENING
TCP 0.0.0.0:443	0.0.0.0:0	LISTENING
TCP 0.0.0.0:445	0.0.0.0:0	LISTENING
TCP 0.0.0.0:1035	0.0.0.0:0	LISTENING
TCP 0.0.0.0:3351	0.0.0.0:0	LISTENING
TCP 127.0.0.1:1040	0.0.0.0:0	LISTENING
TCP 127.0.0.1:1049	0.0.0.0:0	LISTENING
TCP 127.0.0.1:1059	127.0.0.i:27015	ESTABLISHED
TCP 127.0.0.1:1085	0.0.0.0:0	LISTENING
TCP 127.0.0.1:1434	0.0.0.0:0	LISTENING
TCP 127.0.0.i:5152	0.0.0.0:0	LISTENING
TCP 127.0.0.1:5152	127.0.0.1:3414	CLOSE_WAIT

The kickoff column (proto stands for protocol) lists all of the manual command protocol (TCP) and user datagram protocol (UDP) connections on the machine running Netstat. The second column is the machine's local IP address and port number, while the third is the remote or strange address and port number. The final column is called State, which is the state that the connection, or potential connexion, is in.

Built-in Windows commands that can detect hack attempts

"LISTENING" shows a classic open port listening for inbound connections. "ESTABLISHED" means in that location'southward an bodily connection between your automobile and the remote IP and port that is able to exchange traffic. Occasionally, you lot'll encounter "CLOSE_WAIT" in this column, which is a country TCP goes into while ending an established connection.

Equally you tin can run across, there are plenty of entries with a local address of 0.0.0.0 plus a port. This designation means the port is listening on all network interfaces and will accept any incoming connection on that port number.

The local accost entries beginning 127.0.0.1 are processes listening for connections from the PC itself, not from the Cyberspace or network. If the IP address in this column is your local network IP, then the port is only listening for connections from your local network. The port is listening for connections from the Net if information technology displays your online IP accost.

A quick glance through Netstat's output can alert you to many potential issues. For instance, if your security policy bans the use of internet relay chat (IRC), but in that location are numerous connections to port 6667 (the default IRC port) on a remote auto, so there'southward a chance that the PC has a Trojan connected to a remote IRC server waiting to receive commands. Although Netstat simply takes a snapshot, you can apply the interval option to refresh the output every so many seconds. Use the Netstat command below, for example:

netstat –an i | find "3333"

The command will bank check every second and print the results if a process starts listening on TCP port 3333.

If you want to notice out which process on a machine is sending out packets to a particular machine you can run:

netstat –ano 1 | find "Dest_IP_Addr"

The -o parameter outputs the process ID (PID) responsible for the connection. You can then detect the program associated with a PID by typing "tasklist" at the Netstat command prompt. You can also utilise netstat's -b flag, which outputs the EXE and its associated DLLs that are using the TCP and UDP ports. Finally, if you want to know when another system, such equally a bot controller, connects to a machine listening on a detail TCP port, such as port 4444, you tin run:

netstat –an ane | find "4444" | find "ESTABLISHED"

In this instance, Netstat will not display an output until it finds an established connection on port 4444, and it volition include the source IP accost connected to the port, a helpful bit of information in an investigation.

You can, of course, attain more accurate and detailed results using a port scanner such as Nmap.

However, Netstat is already built in and the commands are quick and easy to use. You may likewise be interested in Microsoft'south Sysinternals Process Monitor tool, an advanced monitoring utility for Windows that shows existent-fourth dimension file system, Registry and procedure/thread action.

*Notation: The –b and –o options are not available on Windows 2000 and exist aware that running them with the interval selection would be a drain on a system'south resources.

About the author: Michael Cobb, CISSP-ISSAP is the founder and managing manager of Fiber Applications Ltd., a consultancy that offers It training and support in data security and analysis. He co-authored the volume IIS Security and has written numerous technical manufactures for leading Information technology publications.