Bleakants.com

Computer, Internet, News & Interesting Solutions

I wrote some time ago about the Windows netstat command, in the post View the active TCP/UDP sessions from the command prompt.

Today I will explain how to identify malware, or applications you do not trust, with this simple but powerful tool.

Here is how to monitor TCP connections using netstat and obtain a detailed log of the processes that access the internet without our knowledge:

Before starting the monitoring phase, close all programs that connect to the internet (browsers, chat programs, peer-to-peer clients, etc.), since we want a log file that is as "clean" as possible.
Make sure your computer has no more active connections, then, leaving the PC connected to the internet, open the command prompt and type:

netstat -bn [interval] >connections.log

The output statistics will be saved in the file connections.log:
every TCP connection will be logged with its IP addresses and ports in numeric form (-n) and the name of the process that opened the connection (-b). The interval, specified in seconds, is how often the command is re-run in a loop.

netstat -bn 10 >connections.log

This is potentially an infinite loop, but you can stop it at any time by pressing Ctrl + C.
Ideally, leave it listening for several hours or overnight.

And this is the output; here you can see a connection to MSN Messenger:

Active Connections
TCP 192.168.1.1:1031 207.46.108.86:1863 ESTABLISHED 288
[Msnmsgr.exe]

[...]
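Reading a log collected overnight by hand is tedious, so here is a small parser for it. This is an added example, not code from the original post: it splits the repeated "Active Connections" blocks that the netstat loop writes into snapshots, attaches the bracketed process name that -b prints under each row, and aggregates per process which remote endpoints it contacted and in how many snapshots it showed up. Anything not on the list of programs you knowingly left running is flagged for review. The sample log, its second process name and the 203.0.113.x address are constructed for illustration; the row layout follows the excerpt above.

```python
import re

# Constructed sample of what `netstat -bn 10 >connections.log` accumulates
# over three iterations; the layout follows the excerpt in the post. The
# addresses, PIDs and the second process name are made up for illustration.
SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
  [Msnmsgr.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
  [Msnmsgr.exe]
  TCP    192.168.1.1:1044       203.0.113.17:6667      ESTABLISHED     1520
  [unknownapp.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1044       203.0.113.17:6667      ESTABLISHED     1520
  [unknownapp.exe]
  TCP    192.168.1.1:1045       203.0.113.17:6667      SYN_SENT        1520
  [unknownapp.exe]
"""

# One connection row: protocol, local, foreign, optional state (UDP rows have none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# The owner line that netstat -b prints under each connection, e.g. "[Msnmsgr.exe]".
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_snapshots(text):
    """Split a netstat loop log into iterations ("Active Connections" blocks)
    and return, per iteration, a list of connection dicts with the owning
    process taken from the bracketed line that follows each row."""
    snapshots = []
    current = None
    for line in text.splitlines():
        if line.startswith("Active Connections"):
            current = []
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            current.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "pid": int(pid),
                            "process": "<unknown>"})
            continue
        m = OWNER_RE.match(line)
        if m and current:
            current[-1]["process"] = m.group(1)
    return snapshots


def summarize(snapshots, expected=frozenset()):
    """Aggregate per process name: PIDs seen, remote endpoints contacted and
    the number of snapshots it appeared in. Anything not in `expected`
    (the programs you knowingly left running) is flagged for review."""
    report = {}
    for idx, snap in enumerate(snapshots):
        for conn in snap:
            name = conn["process"].lower()
            entry = report.setdefault(name, {"pids": set(), "remotes": set(),
                                             "seen_in": set(),
                                             "flagged": name not in expected})
            entry["pids"].add(conn["pid"])
            entry["remotes"].add(conn["remote"])
            entry["seen_in"].add(idx)
    for entry in report.values():
        entry["seen_in"] = len(entry["seen_in"])
    return report


if __name__ == "__main__":
    # In real use, read connections.log (written in the console's code page)
    # instead of the constructed sample.
    report = summarize(parse_snapshots(SAMPLE_LOG), expected={"msnmsgr.exe"})
    for name, entry in sorted(report.items()):
        mark = "REVIEW" if entry["flagged"] else "ok"
        print(f"{mark:6} {name:20} pids={sorted(entry['pids'])} "
              f"snapshots={entry['seen_in']} remotes={sorted(entry['remotes'])}")
```

Keying the report on the process name rather than the PID matters for an overnight capture: a program that restarts gets a new PID, and you want its connections grouped together rather than scattered.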

You could also automate the end of the capture with AT, to stop the process at the time of your choosing:

C:\>time
The current time is: 00.00.00,00
Enter the new time:
C:\>at 06:00 cmd /c "taskkill /F /IM cmd.exe"
C:\>netstat -bn 10 >connections.log

Want to know how many applications and processes are connected to the network without your knowledge?

The command for you is netstat -ano. I trust that after the laughs you will hardly forget it, and you will certainly treasure it :-).

The -ano set of switches shows all connections and listening ports (-a), the ports and the IP addresses to/from which they connect, in numeric form (-n), and the process ID of the programs that opened these connections (-o).

It only remains to translate the PID into the process name; for that, just use the command:
tasklist /FI "PID eq [PID from netstat]"
Conversely, if you want to know the PID of, for example, Firefox, use:
tasklist /FI "IMAGENAME eq firefox.exe"
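Running tasklist once per PID gets old quickly when netstat -ano prints dozens of rows, so here the two outputs are joined in one pass. This is an added example, not code from the original post: it parses `netstat -ano` (TCP rows have a State column, UDP rows do not), parses `tasklist /FO CSV /NH`, joins them on the PID, lists the listening sockets with their owner, and offers the reverse lookup that `tasklist /FI "IMAGENAME eq ..."` does. A PID that netstat saw but tasklist no longer knows (the process exited between the two commands) is marked rather than silently dropped. Both sample outputs, their addresses, ports and PIDs are constructed.

```python
import csv
import io

# Constructed excerpt of `netstat -ano` output; addresses, ports and PIDs are
# made up. UDP rows have no State column, and PID 3120 deliberately has no
# tasklist entry (the process exited between the two commands).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
  TCP    192.168.1.1:1052       203.0.113.9:443        ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    1100
"""

# Constructed excerpt of `tasklist /FO CSV /NH` (image name, PID, session
# name, session number, memory), in the column order the real command uses.
TASKLIST_CSV = """\
"System Idle Process","0","Console","0","28 K"
"svchost.exe","876","Console","0","5,200 K"
"msnmsgr.exe","288","Console","0","34,100 K"
"firefox.exe","2044","Console","0","150,400 K"
"lsass.exe","1100","Console","0","6,000 K"
"""


def parse_netstat_ano(text):
    """Return one dict per connection row. TCP rows carry five columns,
    UDP rows four (no state); anything else is skipped rather than guessed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist's CSV output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def join_by_pid(conns, names):
    """Attach the image name to each connection; a PID that tasklist no longer
    knows is marked explicitly instead of being dropped."""
    joined = []
    for conn in conns:
        conn = dict(conn)
        conn["image"] = names.get(conn["pid"], "<not in tasklist>")
        joined.append(conn)
    return joined


def listening_ports(joined):
    """(local endpoint, image) for every TCP socket in LISTENING state."""
    return sorted((c["local"], c["image"]) for c in joined if c["state"] == "LISTENING")


def pids_for_image(names, image):
    """Reverse lookup, the equivalent of tasklist /FI "IMAGENAME eq <image>"."""
    return sorted(pid for pid, name in names.items() if name.lower() == image.lower())


if __name__ == "__main__":
    # In real use, feed the saved outputs of the two commands instead of the
    # samples:  netstat -ano >conns.txt   and   tasklist /FO CSV /NH >procs.csv
    names = parse_tasklist_csv(TASKLIST_CSV)
    joined = join_by_pid(parse_netstat_ano(NETSTAT_ANO), names)
    for c in joined:
        print(f"{c['proto']:4} {c['local']:22} {c['remote']:22} {c['state']:12} "
              f"{c['pid']:>6} {c['image']}")
    print("listening:", listening_ports(joined))
    print("firefox PIDs:", pids_for_image(names, "firefox.exe"))
```

Run the two commands back to back so the PID table is as close in time as possible to the connection list; PIDs are reused by Windows, so a long gap between them can attach the wrong name to a connection.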

A bit cumbersome, but better than nothing, especially when you cannot install much more convenient, complete and immediate utilities such as CurrPorts.

If you think you have found a suspicious connection, you can check its port against nmap's constantly updated List of Well-Known Ports.

Windows Command Line Reference

I would like to point out this useful "pocket" guide in CHM format (Microsoft Compiled HTML Help), which Microsoft makes available on its Download Center.

This ebook contains the official documentation, with practical examples, of all the existing DOS commands.

Convenient, since it fits on a USB stick, for geeks, systems analysts, network administrators and anyone who often has to get their hands dirty with the system shell. It also covers the commands available on Windows Vista, Windows Server 2003 and Windows Server 2008.

Download: Windows Command Line Reference in CHM format

I also point out that the same version of the guide is available on TechNet in HTML:

http://technet.microsoft.com/en-us/library/cc778084.aspx
