To see all of the connections to websites on the HTTP port, which is the well-known port 80, I can open a command prompt window, use the netstat command, netstat -an, and pipe its output into the find command, looking for ":80". The -a option shows all connections and listening ports, and the -n option displays addresses and port numbers in numeric form, i.e., it suppresses the reverse DNS lookups that would otherwise replace IP addresses with host names and the translation of well-known ports, such as 80, into service names like "http". Note that find ":80" is a plain substring match, so it will also match lines with ports such as 8000 or 8080, or a local ephemeral port beginning with 80; a match on the remote (foreign) address is what I'm after here.
C:\WINDOWS\system32>netstat -an | find ":80"
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED
  TCP    192.168.1.20:54566     72.45.50.168:80        ESTABLISHED
  TCP    192.168.1.20:54747     152.163.66.131:80      ESTABLISHED
  TCP    192.168.1.20:54759     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54763     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54766     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54769     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54772     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:54774     152.163.66.131:80      ESTABLISHED
  TCP    192.168.1.20:54775     152.163.66.131:80      TIME_WAIT
  TCP    192.168.1.20:58462     52.44.206.90:80        ESTABLISHED

C:\WINDOWS\system32>
The -n option displays the IP addresses of the systems, but if I want the fully qualified domain name (FQDN) for each system, then I need to replace the -n option with the -f option. Without -n, netstat performs a reverse DNS lookup on each address and shows the port as a service name, so the filter string becomes ":http"; but without -f only the host-name portion of each name (its first label) is shown and the domain is dropped, as shown below:
C:\WINDOWS\system32>netstat -a | find ":http"
  TCP    192.168.1.20:54069     72-45-50-168-static:http  ESTABLISHED
  TCP    192.168.1.20:54566     72-45-50-168-static:http  ESTABLISHED
  TCP    192.168.1.20:54747     adtechus-ads-adtech-mtc-blue-a:http  ESTABLISHED
But with the -f option, I can see the FQDNs instead of IP addresses, provided that an IP address has an FQDN associated with it, i.e., a PTR record exists for it in the DNS; not all IP addresses do, as with the last entry shown in the output below. Note also that find ":http" matches ":https" as well, so HTTPS connections appear in the output too; that last entry is one such connection, to a web server via HTTPS:
C:\WINDOWS\system32>netstat -af | find ":http"
  TCP    192.168.1.20:54747     adtechus-ads-adtech-mtc-blue-a.evip.aol.com:http  ESTABLISHED
  TCP    192.168.1.20:54986     text-lb.eqiad.wikimedia.org:https  TIME_WAIT
  TCP    192.168.1.20:55007     upload-lb.eqiad.wikimedia.org:https  TIME_WAIT
  TCP    192.168.1.20:55008     upload-lb.eqiad.wikimedia.org:https  TIME_WAIT
  TCP    192.168.1.20:55013     65.55.44.109:https     TIME_WAIT
If I want to know which program running on the system established the connection to the remote web server, I can use the -b option with the netstat command. However, if you attempt to run the netstat command with that option from a regular user command prompt, you will see the message "The requested operation requires elevation." On a Windows 10 system you can open an administrator command prompt by right-clicking on the Windows Start button and choosing Command Prompt (Admin); on newer builds the menu offers Windows PowerShell (Admin) or Terminal (Admin) instead, from which the same netstat command can be run. For earlier Windows versions, see Obtaining a command prompt with administrator access under Windows 7. Even if I drop the -a option, so that listening ports are not included in the output, the command will likely produce a lot of output lines. E.g.:
C:\WINDOWS\system32>netstat -nb

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5354         127.0.0.1:49701        ESTABLISHED
 [mDNSResponder.exe]
  TCP    127.0.0.1:5354         127.0.0.1:49702        ESTABLISHED
 [mDNSResponder.exe]
  TCP    127.0.0.1:27015        127.0.0.1:49790        ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49701        127.0.0.1:5354         ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49702        127.0.0.1:5354         ESTABLISHED
 [AppleMobileDeviceService.exe]
  TCP    127.0.0.1:49790        127.0.0.1:27015        ESTABLISHED
 [iTunesHelper.exe]
  TCP    127.0.0.1:50414        127.0.0.1:50415        ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:50415        127.0.0.1:50414        ESTABLISHED
 [firefox.exe]
  TCP    127.0.0.1:55580        127.0.0.1:55581        ESTABLISHED
 [k-meleon.exe]
  TCP    127.0.0.1:55581        127.0.0.1:55580        ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:135       192.168.1.6:50328      ESTABLISHED
  RpcSs
 [svchost.exe]
  TCP    192.168.1.20:3389      192.168.1.5:53688      ESTABLISHED
  TermService
 [svchost.exe]
  TCP    192.168.1.20:49671     192.168.1.6:50329      ESTABLISHED
 [spoolsv.exe]
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED
 [microsoftedgecp.exe]
  TCP    192.168.1.20:54566     72.45.50.168:80        ESTABLISHED
 [microsoftedgecp.exe]
  TCP    192.168.1.20:55672     152.163.66.131:80      ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55684     65.55.44.109:443       TIME_WAIT
  TCP    192.168.1.20:55685     65.55.44.108:443       TIME_WAIT
  TCP    192.168.1.20:55692     72.45.50.174:80        TIME_WAIT
  TCP    192.168.1.20:55693     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55696     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55699     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55702     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55705     8.247.90.236:80        TIME_WAIT
  TCP    192.168.1.20:55706     52.71.69.88:80         ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55707     68.67.178.138:80       ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55964     34.193.149.177:443     ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:55965     52.72.45.37:443        ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:58015     192.168.8.254:22       ESTABLISHED
 [putty.exe]
  TCP    192.168.1.20:58462     52.44.206.90:80        ESTABLISHED
 [k-meleon.exe]
  TCP    192.168.1.20:61789     192.168.1.5:445        ESTABLISHED
 Can not obtain ownership information
  TCP    192.168.1.20:61918     65.52.108.219:443      ESTABLISHED
 [explorer.exe]
  TCP    192.168.1.20:62214     65.52.108.199:443      ESTABLISHED
  ProfSvc
 [svchost.exe]

C:\WINDOWS\system32>
The executable file for the program that made the connection is shown on the line below the connection's addresses; for services hosted in svchost.exe, the service name (e.g., RpcSs, TermService) is shown as well. "Can not obtain ownership information" appears for connections netstat cannot attribute to an executable, typically those owned by the kernel or the System process, such as the SMB connection to port 445 above. Keep in mind that the name is that of the process which owns the socket: if code has been injected into a legitimate process, such as a browser, its connections are attributed to that process's executable. E.g., for the connection shown below, I can see that the application that established the connection to port 80 was the K-Meleon web browser running on the system.
  TCP    192.168.1.20:55707     68.67.178.138:80       ESTABLISHED
 [k-meleon.exe]
I could also use the -o option to see the process ID (PID) of the process that owns the connection; unlike -b, this does not require an elevated prompt. A PID of 0 is shown for connections in the TIME_WAIT state, because the process that used them has already closed the socket. E.g.:
C:\WINDOWS\system32>netstat -no | find ":80"
  TCP    192.168.1.20:54069     72.45.50.168:80        ESTABLISHED     11132
  TCP    192.168.1.20:54566     72.45.50.168:80        ESTABLISHED     11132
  TCP    192.168.1.20:55672     152.163.66.131:80      ESTABLISHED     13260
  TCP    192.168.1.20:56182     152.163.66.131:80      TIME_WAIT       0
  TCP    192.168.1.20:56187     151.101.33.108:80      TIME_WAIT       0
  TCP    192.168.1.20:56202     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56205     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56208     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56211     8.247.102.236:80       TIME_WAIT       0
  TCP    192.168.1.20:56215     8.247.90.236:80        TIME_WAIT       0
  TCP    192.168.1.20:56216     54.88.61.13:80         ESTABLISHED     13260
  TCP    192.168.1.20:56217     68.67.178.109:80       ESTABLISHED     13260
  TCP    192.168.1.20:58462     52.44.206.90:80        ESTABLISHED     13260

C:\WINDOWS\system32>
With that output, I would just need to identify the application associated with the process, which I could do through the Windows Task Manager (the Details tab lists the PID for each process). Or I could use the tasklist command with a filter on the PID to identify the executable file associated with a particular process ID. E.g.:
C:\WINDOWS\system32>tasklist /fi "pid eq 13260"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
k-meleon.exe                 13260 RDP-Tcp#1                  2    902,760 K

C:\WINDOWS\system32>
You can also combine the -b and -o options, e.g., netstat -nob, to see both the executable name and the PID for each connection (elevation is still required because of -b).
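The netstat -no plus tasklist procedure above can be automated. The PowerShell function below is an added example, not code from the original page: it runs netstat -ano, parses each TCP line into an object, and resolves the owning PID to a process name with Get-Process, so the lookup the text does by hand with tasklist happens for every row. Unlike netstat -b it needs no elevated prompt, and it works on any Windows version with PowerShell, including ones that lack the Get-NetTCPConnection cmdlet. The function name and parameter names are my own.

```powershell
# Added example (not from the original page): turn "netstat -ano" output
# into objects and attach the process name for each owning PID.
# -a: all connections and listening ports, -n: numeric addresses and ports,
# -o: owning process ID. Runs from a non-elevated prompt.
function Get-NetstatConnection {
    param(
        # Remote ports of interest; default is the web ports discussed in the text.
        [int[]]$RemotePort = @(80, 443),
        # Also return LISTENING / TIME_WAIT rows on any port (PID 0 rows have no owner).
        [switch]$All
    )
    # Only TCP rows carry a State column; UDP rows have four fields, so skip them.
    # State names are localized on non-English Windows; adjust the check below if so.
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' }
    foreach ($row in $rows) {
        $f = $row.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        # Split "address:port" on the LAST colon so IPv6 literals like [::1]:443 work.
        $li = $f[1].LastIndexOf(':'); $ri = $f[2].LastIndexOf(':')
        $rport = [int]$f[2].Substring($ri + 1)
        $state = $f[3]
        if (-not $All) {
            if ($state -ne 'ESTABLISHED') { continue }
            if ($RemotePort -notcontains $rport) { continue }
        }
        $owningPid = [int]$f[4]   # ($PID itself is a read-only automatic variable)
        # PID 0 means no process owns the socket any more (typical for TIME_WAIT).
        $procName = '(none)'
        if ($owningPid -ne 0) {
            $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '(exited)' }
        }
        [pscustomobject]@{
            LocalAddress  = $f[1].Substring(0, $li)
            LocalPort     = [int]$f[1].Substring($li + 1)
            RemoteAddress = $f[2].Substring(0, $ri)
            RemotePort    = $rport
            State         = $state
            PID           = $owningPid
            Process       = $procName
        }
    }
}

# Established connections to ports 80/443 with the owning program, roughly
# what netstat -nob | find ":80" shows, but without needing elevation.
Get-NetstatConnection | Sort-Object Process, RemoteAddress | Format-Table -AutoSize

# Everything, including listeners and TIME_WAIT rows, for the fuller picture.
Get-NetstatConnection -All | Format-Table -AutoSize
```

The process name comes from whatever process currently holds that PID, so if a process exits between the netstat run and the Get-Process lookup the row is marked "(exited)" rather than misattributed; PIDs can be reused, so treat the mapping as a snapshot.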
Another command line interface (CLI) alternative to running the netstat command in a command prompt window is to open a PowerShell window and use the Get-NetTCPConnection cmdlet, which is available on Windows 8 / Windows Server 2012 and later. Without any parameters it shows TCP connections on all ports, including listening and bound sockets. To reduce the amount of output, I could use the -AppliedSetting Internet parameter as shown below, which limits the output to connections using the default "Internet" TCP settings template; listening, bound, and TimeWait entries have no applied setting and so are omitted:
PS C:\> Get-NetTCPConnection -AppliedSetting internet

LocalAddress   LocalPort RemoteAddress    RemotePort State       AppliedSetting
------------   --------- -------------    ---------- -----       --------------
192.168.1.20   62214     65.52.108.199    443        Established Internet
192.168.1.20   61918     65.52.108.219    443        Established Internet
192.168.1.20   61789     192.168.1.5      445        Established Internet
192.168.1.20   58462     52.44.206.90     80         Established Internet
192.168.1.20   58015     198.168.8.254    22         Established Internet
192.168.1.20   56530     68.67.180.45     80         Established Internet
192.168.1.20   56529     54.88.61.13      80         Established Internet
192.168.1.20   56524     65.52.108.11     443        Established Internet
192.168.1.20   56523     65.52.108.11     443        Established Internet
192.168.1.20   56522     104.28.30.239    443        Established Internet
192.168.1.20   56521     104.28.30.239    443        Established Internet
192.168.1.20   56520     65.52.108.11     443        Established Internet
192.168.1.20   56519     65.52.108.11     443        Established Internet
192.168.1.20   56518     173.194.204.155  443        Established Internet
192.168.1.20   56517     104.117.15.144   443        Established Internet
192.168.1.20   56516     104.117.15.144   443        Established Internet
192.168.1.20   56515     31.13.80.36      443        Established Internet
192.168.1.20   56514     108.174.10.10    443        Established Internet
192.168.1.20   56513     172.217.3.46     443        Established Internet
192.168.1.20   56512     104.95.47.13     443        Established Internet
192.168.1.20   56511     208.80.154.224   443        Established Internet
192.168.1.20   56510     208.80.154.240   443        Established Internet
192.168.1.20   56509     208.80.154.224   443        Established Internet
192.168.1.20   56401     152.163.66.131   80         Established Internet
192.168.1.20   55965     52.72.45.37      443        Established Internet
192.168.1.20   55964     34.193.149.177   443        Established Internet
127.0.0.1      55581     127.0.0.1        55580      Established Internet
127.0.0.1      55580     127.0.0.1        55581      Established Internet
192.168.1.20   54566     72.45.50.168     80         Established Internet
192.168.1.20   54069     72.45.50.168     80         Established Internet
127.0.0.1      50415     127.0.0.1        50414      Established Internet
127.0.0.1      50414     127.0.0.1        50415      Established Internet
127.0.0.1      49790     127.0.0.1        27015      Established Internet
127.0.0.1      49702     127.0.0.1        5354       Established Internet
127.0.0.1      49701     127.0.0.1        5354       Established Internet
192.168.1.20   49671     192.168.1.6      50329      Established Internet
127.0.0.1      27015     127.0.0.1        49790      Established Internet
127.0.0.1      5354      127.0.0.1        49701      Established Internet
127.0.0.1      5354      127.0.0.1        49702      Established Internet
192.168.1.20   3389      192.168.1.5      53688      Established Internet
192.168.1.20   135       192.168.1.6      50328      Established Internet

PS C:\>
But, if I'm only interested in looking at connections to web servers on port 80, I can use the -RemotePort parameter as shown below. Note that the TimeWait entries have an empty AppliedSetting column, which is why they did not appear in the output above:
PS C:\> Get-NetTCPConnection -RemotePort 80

LocalAddress   LocalPort RemoteAddress   RemotePort State       AppliedSetting
------------   --------- -------------   ---------- -----       --------------
192.168.1.20   58462     52.44.206.90    80         Established Internet
192.168.1.20   56664     52.71.69.88     80         Established Internet
192.168.1.20   56663     8.247.90.236    80         Established Internet
192.168.1.20   56662     8.247.90.236    80         TimeWait
192.168.1.20   56657     198.41.215.182  80         Established Internet
192.168.1.20   56631     8.247.90.236    80         TimeWait
192.168.1.20   56630     198.41.215.182  80         Established Internet
192.168.1.20   56623     8.247.90.236    80         TimeWait
192.168.1.20   56618     8.247.90.236    80         TimeWait
192.168.1.20   56616     8.247.90.236    80         TimeWait
192.168.1.20   56602     8.247.90.236    80         TimeWait
192.168.1.20   56597     8.247.90.236    80         TimeWait
192.168.1.20   56401     152.163.66.131  80         Established Internet
192.168.1.20   54566     72.45.50.168    80         Established Internet
192.168.1.20   54069     72.45.50.168    80         Established Internet

PS C:\>
If I knew the PID of the K-Meleon process associated with k-meleon.exe was 13260, I could specify it with the -OwningProcess parameter, alone or combined with the -RemotePort parameter, as shown below. The Bound entries with a local address of 0.0.0.0 are the process's sockets as bound before connecting; the same local ports appear again as Established connections, and adding -RemotePort 80 drops the Bound rows because their remote port is 0:
PS C:\> Get-NetTCPConnection -OwningProcess 13260

LocalAddress   LocalPort RemoteAddress   RemotePort State       AppliedSetting
------------   --------- -------------   ---------- -----       --------------
0.0.0.0        58462     0.0.0.0         0          Bound
0.0.0.0        56744     0.0.0.0         0          Bound
0.0.0.0        56743     0.0.0.0         0          Bound
0.0.0.0        56734     0.0.0.0         0          Bound
0.0.0.0        56401     0.0.0.0         0          Bound
0.0.0.0        55965     0.0.0.0         0          Bound
0.0.0.0        55964     0.0.0.0         0          Bound
0.0.0.0        55581     0.0.0.0         0          Bound
192.168.1.20   58462     52.44.206.90    80         Established Internet
192.168.1.20   56744     68.67.178.176   80         Established Internet
192.168.1.20   56743     54.88.61.13     80         Established Internet
192.168.1.20   56734     152.163.66.131  80         Established Internet
192.168.1.20   56401     152.163.66.131  80         Established Internet
192.168.1.20   55965     52.72.45.37     443        Established Internet
192.168.1.20   55964     34.193.149.177  443        Established Internet
127.0.0.1      55581     127.0.0.1       55580      Established Internet
127.0.0.1      55580     127.0.0.1       55581      Established Internet

PS C:\> Get-NetTCPConnection -OwningProcess 13260 -RemotePort 80

LocalAddress   LocalPort RemoteAddress   RemotePort State       AppliedSetting
------------   --------- -------------   ---------- -----       --------------
192.168.1.20   58462     52.44.206.90    80         Established Internet
192.168.1.20   56734     152.163.66.131  80         Established Internet
192.168.1.20   56401     152.163.66.131  80         Established Internet

PS C:\>
If I only wanted the remote IP address displayed, I could pipe the output to the Select-Object cmdlet (SELECT is an alias for it) with RemoteAddress as the property to keep, as shown below:
PS C:\> Get-NetTCPConnection -OwningProcess 13260 -RemotePort 80 | SELECT RemoteAddress

RemoteAddress
-------------
52.44.206.90
68.67.180.45
54.88.61.13
8.247.90.236
152.163.66.131
152.163.66.131

PS C:\>
Another way to find only the port 80 (HTTP) connections from a specific PID, in this case PID 13260, is to filter the cmdlet's output with Where-Object, as in the command below:
PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object RemotePort -eq 80

LocalAddress   LocalPort RemoteAddress   RemotePort State       AppliedSetting
------------   --------- -------------   ---------- -----       --------------
192.168.1.20   58023     68.67.178.176   80         Established Internet
192.168.1.20   58022     52.71.69.88     80         Established Internet
192.168.1.20   58004     152.163.66.131  80         Established Internet
192.168.1.20   57904     34.192.66.172   80         Established Internet

PS C:\>
If I want to see both port 80 and port 443 connections for that process, I can modify the command above to use a script block with a logical -or condition; the simplified comparison syntax used above allows only a single comparison.
PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)}

LocalAddress   LocalPort RemoteAddress   RemotePort State       AppliedSetting
------------   --------- -------------   ---------- -----       --------------
192.168.1.20   58004     152.163.66.131  80         Established Internet
192.168.1.20   57904     34.192.66.172   80         Established Internet
192.168.1.20   55965     52.72.45.37     443        Established Internet
192.168.1.20   55964     34.193.149.177  443        Established Internet

PS C:\>
If I just want to see the remote IP addresses, I can add | SELECT RemoteAddress to the end of the line, i.e., Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | SELECT RemoteAddress:
PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | SELECT RemoteAddress

RemoteAddress
-------------
152.163.66.131
54.85.221.46
54.208.75.35
52.4.16.223

PS C:\>
If you want to also eliminate the "RemoteAddress" header line and the line of dashes that are output before the IP addresses, you can pipe the output into the findstr command with the /v option, which prints only the lines that do not match. Note that findstr treats each space-separated word in its search string as a separate pattern and matches a line if any one of them matches, so the "|" below is not an or-operator; it is merely a third (harmless) literal search string, and "RemoteAddress ---" alone would do the same job.
PS C:\> Get-NetTCPConnection -OwningProcess 13260 | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | SELECT RemoteAddress | findstr /v "RemoteAddress | ---"
152.163.66.131
54.85.221.46
54.208.75.35
52.4.16.223
PS C:\>
If I want to see a list of all the connections to ports 80 or 443 with just the remote IP address, port number, and process ID, I can use the command shown below. The columns I want displayed are given to SELECT (Select-Object) as a comma-separated list of property names. The entries with an OwningProcess of 0 are TimeWait connections that no longer belong to any process, the same PID 0 entries that netstat -o shows:
PS C:\> Get-NetTCPConnection | Where-Object {($_.RemotePort -eq 80) -or ($_.RemotePort -eq 443)} | SELECT RemoteAddress, RemotePort, OwningProcess

RemoteAddress   RemotePort OwningProcess
-------------   ---------- -------------
8.247.90.236    80         0
8.247.90.236    80         0
8.247.90.236    80         0
8.247.90.236    80         0
8.247.90.236    80         0
172.217.3.46    443        7176
173.194.204.91  443        7176
152.163.66.131  80         13260
54.85.221.46    443        13260
54.208.75.35    443        13260
52.4.16.223     80         13260
65.52.108.199   443        1376
65.52.108.219   443        2120

PS C:\>
I could then use the tasklist command, as I did with the command prompt method, to determine which executable file is associated with each process identifier, which I should then be able to associate with an application name; tasklist is an external command and works the same way from a PowerShell window.
PS C:\> tasklist /fi "pid eq 7176"

Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
chrome.exe                    7176 RDP-Tcp#3                  2     46,752 K

PS C:\>
In the above example, I can see that the application associated with PID 7176 is the Google Chrome browser.
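Pulling the PowerShell steps above together, the function below is an added example, not code from the original page. It queries Get-NetTCPConnection for the web ports, resolves each OwningProcess to a process name and executable path with Get-Process instead of a separate tasklist step, and can optionally reverse-resolve the remote addresses the way netstat -f does. It also shows Select-Object -ExpandProperty as the usual way to get bare values without the header and dashes that the text strips with findstr. The function and parameter names are my own; it requires the NetTCPIP module from Windows 8 / Server 2012 or later, and needs an elevated prompt to see Path for processes owned by other users, such as services.

```powershell
# Added example (not from the original page): connections to web ports with
# the owning process, in one pass. Needs the NetTCPIP module that ships with
# Windows 8 / Server 2012 and later. Get-Process returns Path only for
# processes you have access to, so run elevated to cover service processes.
function Get-WebConnection {
    param(
        # -RemotePort on the cmdlet accepts a list, so no Where-Object -or is needed.
        [int[]]$RemotePort = @(80, 443),
        # Optional: restrict to one PID, e.g. the K-Meleon PID 13260 in the text.
        [int]$OwningProcess,
        # Reverse-resolve remote IPs like "netstat -f"; slow, and not every IP has a PTR record.
        [switch]$Resolve
    )
    # Without -ErrorAction the cmdlet writes an error when no connection matches.
    $conns = Get-NetTCPConnection -RemotePort $RemotePort -ErrorAction SilentlyContinue
    if ($OwningProcess) { $conns = $conns | Where-Object OwningProcess -eq $OwningProcess }

    foreach ($c in $conns) {
        # OwningProcess 0 = no process holds the socket any more (TimeWait rows).
        $procName = '(none)'; $path = $null
        if ($c.OwningProcess -ne 0) {
            $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
            if ($proc) { $procName = $proc.ProcessName; $path = $proc.Path }
            else       { $procName = '(exited)' }
        }
        $remoteName = $null
        if ($Resolve) {
            try   { $remoteName = [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName }
            catch { $remoteName = $c.RemoteAddress }   # no PTR record: keep the IP, as netstat -f does
        }
        [pscustomobject]@{
            RemoteAddress = $c.RemoteAddress
            RemoteName    = $remoteName
            RemotePort    = $c.RemotePort
            State         = $c.State
            PID           = $c.OwningProcess
            Process       = $procName
            Path          = $path
        }
    }
}

# Every web connection with its program, sorted by process.
Get-WebConnection | Sort-Object Process, RemoteAddress |
    Format-Table RemoteAddress, RemotePort, State, PID, Process, Path -AutoSize

# Just the remote addresses for one PID, as bare strings (no header, no dashes).
Get-WebConnection -OwningProcess 13260 |
    Select-Object -ExpandProperty RemoteAddress | Sort-Object -Unique

# Which programs are talking to web servers, and how many connections each has.
Get-WebConnection | Where-Object PID -ne 0 |
    Group-Object Process | Select-Object Name, Count

# Host names instead of addresses, like "netstat -f".
Get-WebConnection -Resolve | Format-Table RemoteName, RemotePort, Process -AutoSize
```

The Path column is the point of doing this in PowerShell rather than reading the executable name from netstat -b: two processes can share a name such as svchost.exe or chrome.exe, and the full path (together with a check of its signature, if you go on to do that) is what tells you whether the binary making the connection is the one you expect.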