The Windows™ 95/98 Network Programs
NETSTAT.exe TCP/IP Network StatisticsDisplays protocol statistics and current TCP/IP network connections.NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval] -a Displays all connections and listening ports. -e Displays Ethernet statistics. This may be combined with the -s option. -n Displays addresses and port numbers in numerical form. -p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP. -r Displays the routing table. -s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default. interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
First, I would recommend that you always use the '-a' parameter so you can see UDP 'listening ports' as well (often used by trojans), and not just the active TCP connections; then switch between using the '-a' and no parameters at all, to see the differences. When you're offline, you normally shouldn't see any connection data! If you do see an OPEN PORT NUMBER 'listening' for a connection (using the '-a' parameter), it may be that your computer has been infected with a trojan! Click this link for a few more ideas on how you can check to see if your computer is Trojan Free?If you're running a server, such as the free XITAMI server, you might see something like this ("My_Comp" is the name of my computer):C:\WINDOWS>netstat -aActive Connections Proto Local Address Foreign Address State TCP My_Comp:ftp localhost:0 LISTENING TCP My_Comp:80 localhost:0 LISTENINGOr with the "-an" parameters: C:\WINDOWS>netstat -anActive Connections Proto Local Address Foreign Address State TCP 0.0.0.0:21 0.0.0.0:0 LISTENING TCP 0.0.0.0:80 0.0.0.0:0 LISTENINGBy simply opening a browser connection to both the HTTP (port 80) and FTP (port 21) servers (while still offline!), I saw the following: C:\WINDOWS>netstat -aActive Connections Proto Local Address Foreign Address State TCP My_Comp:ftp localhost:0 LISTENING TCP My_Comp:80 localhost:0 LISTENING TCP My_Comp:1104 localhost:0 LISTENING TCP My_Comp:ftp localhost:1104 ESTABLISHED TCP My_Comp:1102 localhost:0 LISTENING TCP My_Comp:1103 localhost:0 LISTENING TCP My_Comp:80 localhost:1111 TIME_WAIT TCP My_Comp:1104 localhost:ftp ESTABLISHED TCP My_Comp:1107 localhost:0 LISTENING TCP My_Comp:1112 localhost:80 TIME_WAIT UDP My_Comp:1102 *:* UDP My_Comp:1103 *:* UDP My_Comp:1107 *:*This may be a bit confusing to some people, but remember I'm running BOTH the servers and clients on the same machine in these examples. A little later (using both 'a' and 'n') I got this: C:\WINDOWS>netstat -anActive Connections Proto Local Address Foreign Address State TCP 0.0.0.0:21 0.0.0.0:0 LISTENING TCP 0.0.0.0:80 0.0.0.0:0 LISTENING TCP 0.0.0.0:1104 0.0.0.0:0 LISTENING TCP 127.0.0.1:21 127.0.0.1:1104 FIN_WAIT_2 TCP 127.0.0.1:1102 0.0.0.0:0 LISTENING TCP 127.0.0.1:1103 0.0.0.0:0 LISTENING TCP 127.0.0.1:1104 127.0.0.1:21 CLOSE_WAIT TCP 127.0.0.1:1107 0.0.0.0:0 LISTENING UDP 127.0.0.1:1102 *:* UDP 127.0.0.1:1103 *:* UDP 127.0.0.1:1107 *:*After turning off my server, I ended up with this for a while: C:\WINDOWS>netstat -anActive Connections Proto Local Address Foreign Address State TCP 127.0.0.1:80 127.0.0.1:1150 TIME_WAIT TCP 127.0.0.1:80 127.0.0.1:1151 TIME_WAIT