1
00:00:00,006 --> 00:00:02,001
- [Instructor] netstat is a great program

2
00:00:02,001 --> 00:00:04,009
for diagnosing port and session issues.

3
00:00:04,009 --> 00:00:06,009
On older machines, I can simply run it

4
00:00:06,009 --> 00:00:08,003
from a standard command line,

5
00:00:08,003 --> 00:00:10,004
but on newer versions of Windows,

6
00:00:10,004 --> 00:00:12,006
I'd need administrator privileges.

7
00:00:12,006 --> 00:00:17,002
I'll click on the Start button and type cmd.

8
00:00:17,002 --> 00:00:20,007
I'll then right click on Command Prompt

9
00:00:20,007 --> 00:00:22,006
and choose Run as administrator.

10
00:00:22,006 --> 00:00:26,004
Just typing netstat will begin to slowly give me information

11
00:00:26,004 --> 00:00:27,009
on active connections.

12
00:00:27,009 --> 00:00:30,008
To stop the program, hit Control + C.

13
00:00:30,008 --> 00:00:32,009
I never run netstat by itself,

14
00:00:32,009 --> 00:00:35,006
I always add some additional parameters.

15
00:00:35,006 --> 00:00:42,005
Running netstat -a will also display listening ports.

16
00:00:42,005 --> 00:00:44,006
That was a lot of information, fast.

17
00:00:44,006 --> 00:00:45,009
If I want to slow it down

18
00:00:45,009 --> 00:00:48,004
to a single page of output at a time,

19
00:00:48,004 --> 00:00:50,006
I can add pipe more modifier

20
00:00:50,006 --> 00:00:56,004
to netstat -a | more.

21
00:00:56,004 --> 00:00:58,004
The Enter key will move the results down

22
00:00:58,004 --> 00:00:59,008
a single line at a time,

23
00:00:59,008 --> 00:01:03,008
while the space bar moves it down a whole page at a time.

24
00:01:03,008 --> 00:01:06,007
Moving from left to right, it shows the protocol in use,

25
00:01:06,007 --> 00:01:08,006
the local IP in the connection,

26
00:01:08,006 --> 00:01:11,006
then a colon and the local port in use.

27
00:01:11,006 --> 00:01:14,008
Then, I see the remote host and remote ports,

28
00:01:14,008 --> 00:01:16,009
and finally, the state of the connection.

29
00:01:16,009 --> 00:01:18,005
This is especially useful

30
00:01:18,005 --> 00:01:20,009
if I'm troubleshooting a port conflict.

31
00:01:20,009 --> 00:01:25,001
So for example, I'm trying to run a web server on port 80,

32
00:01:25,001 --> 00:01:27,003
but that port is already in use.

33
00:01:27,003 --> 00:01:30,004
netstat -a only shows me listening ports,

34
00:01:30,004 --> 00:01:32,009
but not what has it locked open.

35
00:01:32,009 --> 00:01:36,005
If I add -b, then it'll also indicate the application

36
00:01:36,005 --> 00:01:40,002
using the port.

37
00:01:40,002 --> 00:01:44,007
So, the command will be netstat -ab.

38
00:01:44,007 --> 00:01:45,009
As you can see, it lists

39
00:01:45,009 --> 00:01:48,008
the various applications in brackets.

40
00:01:48,008 --> 00:01:51,000
Say now that there are multiple instances

41
00:01:51,000 --> 00:01:54,007
of an application, but only one of them has the port locked.

42
00:01:54,007 --> 00:01:58,000
How do I identify the one offending app?

43
00:01:58,000 --> 00:02:00,005
I do this by adding the -o flag,

44
00:02:00,005 --> 00:02:04,001
which will show the process ID of the program too.

45
00:02:04,001 --> 00:02:11,004
So I type in netstat -abo.

46
00:02:11,004 --> 00:02:13,006
I can then note the process ID,

47
00:02:13,006 --> 00:02:18,004
and reference that in Task Manager to kill the program.

48
00:02:18,004 --> 00:02:21,003
The next flag I use most often is -n,

49
00:02:21,003 --> 00:02:24,006
which tells netstat to skip DNS resolution

50
00:02:24,006 --> 00:02:26,002
on all of the IPs.

51
00:02:26,002 --> 00:02:27,009
I combine all of this together

52
00:02:27,009 --> 00:02:31,005
on 99% of my netstat queries.

53
00:02:31,005 --> 00:02:37,008
This equates to netstat -abno.

54
00:02:37,008 --> 00:02:42,002
I remember all four letters by thinking of it as ab no,

55
00:02:42,002 --> 00:02:46,002
Do I have abs? Absolutely not.

56
00:02:46,002 --> 00:02:49,000
netstat also allows me to look at the local routing table

57
00:02:49,000 --> 00:02:53,007
on the machine by typing netstat -r.

58
00:02:53,007 --> 00:02:58,004
I can get the exact same information by typing route print.

59
00:02:58,004 --> 00:03:03,004
This gives me IPv4 and v6 routes along with our gateways.

60
00:03:03,004 --> 00:03:06,008
netstat -s | more

61
00:03:06,008 --> 00:03:09,005
gives a lot of good statistical information.

62
00:03:09,005 --> 00:03:12,000
It will tell me about some of the v4 information,

63
00:03:12,000 --> 00:03:14,007
like packets received, errors in those packets,

64
00:03:14,007 --> 00:03:17,000
fragmented packets, and so on.

65
00:03:17,000 --> 00:03:18,009
It will then give me the same information

66
00:03:18,009 --> 00:03:21,002
for IPv6.

67
00:03:21,002 --> 00:03:26,008
It next lists TCP, UDP, and ICMP statistical information.

68
00:03:26,008 --> 00:03:30,006
To supplement the -s information, I can add a -p

69
00:03:30,006 --> 00:03:34,001
and then specify a specific protocol I'm interested in,

70
00:03:34,001 --> 00:03:37,007
like TCP, UDP, or ICMP.

71
00:03:37,007 --> 00:03:39,009
This will allow me to keep rerunning the command

72
00:03:39,009 --> 00:03:42,000
to watch those counters increment.

73
00:03:42,000 --> 00:03:49,000
So now, my command is netstat -sp ICMP.

74
00:03:49,000 --> 00:03:51,002
If I want the command to keep refreshing,

75
00:03:51,002 --> 00:03:54,000
I can add an interval number in seconds at the end.

76
00:03:54,000 --> 00:03:56,005
I'm going to view ICMP statistics every second

77
00:03:56,005 --> 00:04:04,006
by entering netstat -sp ICMP 1.

78
00:04:04,006 --> 00:04:07,002
While this is running, I can open another command prompt

79
00:04:07,002 --> 00:04:11,005
and start a ping so that I can see the counters increment.

80
00:04:11,005 --> 00:04:13,007
Again, this is one of those utilities

81
00:04:13,007 --> 00:04:15,008
that aren't used too frequently,

82
00:04:15,008 --> 00:04:18,002
but this is the only built-in application

83
00:04:18,002 --> 00:04:21,000
that shows port status on a machine.