Netstat -b

Phrosen · 16 Jun 2011

Hi.

I used the command netstat -b in the command prompt and I got a bunch of text that I don't know what it is. (I closed down all internet connections first, such as steam, web browser, etc.)
Could you guys help me find out what these things are?

Here's what it looks like:

Prot. Lokal adress Extern adress Status
[System]
TCP 192.168.***** 213-155-158-73:http TIME_WAIT
TCP 192.168.***** 213-155-158-73:http FIN_WAIT_2
[System]
TCP 192.168.***** 213-155-158-73:http TIME_WAIT
TCP 192.168.***** www-12-02-ash3:http TIME_WAIT
TCP 192.168.***** channel-150-155:http TIME_WAIT
TCP 192.168.***** 195-12-231-50:http FIN_WAIT_2
[System]
TCP 192.168.***** 195-12-231-50:http FIN_WAIT_2
[System]
TCP 192.168.1.***** 195-12-231-50:http FIN_WAIT_2
[System]
TCP 192.168.1.***** 195-12-231-50:http FIN_WAIT_2
[System]
TCP 192.168.1.***** 195-12-231-50:http FIN_WAIT_2
[System]
TCP 192.168.1.***** 195-12-231-50:http FIN_WAIT_2
[System]
TCP 192.168.1.***** 199.7.79.171:http FIN_WAIT_2
[System]
TCP 192.168.1.***** 213-155-158-73:http TIME_WAIT
TCP 192.168.1.***** www-12-02-ash3:http TIME_WAIT
TCP 192.168.1.***** www-12-02-ash3:http TIME_WAIT
TCP 192.168.1.***** 199.7.79.171:http FIN_WAIT_2
[System]
TCP 192.168.1.***** ip-69:http TIME_WAIT
TCP 192.168.1.***** 193-45-3-138:http TIME_WAIT

(I blanked out the local ip, just in case.)

fseal · 16 Jun 2011

Those are a bunch of sockets that were going to web sites that are now cut off (probably ungracefully) and waiting to close after the sockets time out.

If you do a netstat after a few minutes they should all be gone.

Can't tell what program was originally opening them though... legitimate programs and nefarious programs alike can leave hung sockets quite often. When they are all gone, open your programs one at a time andyou can see what matches up if you want.

The TIME_WAITs and FIN_WAITS are nothing to be worried about in themselves unless you had like thousands of them.

[Edit] Or did you want to know specifically if anyone know what "System" process was opening them?[/edit]

Phrosen · 16 Jun 2011

Thanks.

I shut everything down, waited for about 20 mins and tried again.
Now I got a few stuff (for example one saying steampowered - even though steam was offline.) They all said ESTABLISHED in the "status".
One said: cdce:http as "external ip" -What's this?

fseal · 17 Jun 2011

netstat abbreviates names when it can to maintain formatting. For example is you were connected to www.sevenforums.com it would just say "sevenforums:http". The name can also be a local MS network name as well. I.e. the name of another computer on your local network.

If you want to know what the IP address is, do a netstat -bn. Then you'll get the IP addresses instead and you can do a reverse lookup on the IP address and get the full name using:
nslookup <ipaddress>

Though sometimes your default DNS server wont do reverse lookups, if it can't find the name and the address you got is not on your local network do a:
nslookup <ipaddress> 8.8.8.8

That will use Google's DNS to do the name lookup for you.