1
00:00:00,270 --> 00:00:02,580
In this video, we have NetStat.

2
00:00:02,580 --> 00:00:05,100
NetStat is short for network statistics.

3
00:00:05,100 --> 00:00:07,080
NetStat is going to be used to display information

4
00:00:07,080 --> 00:00:09,270
for IP-based connections on a client,

5
00:00:09,270 --> 00:00:10,680
including its current sessions,

6
00:00:10,680 --> 00:00:13,830
its source and destination IPs, and its port numbers.

7
00:00:13,830 --> 00:00:16,620
Now, NetStat is used in Windows, Linux, UNIX,

8
00:00:16,620 --> 00:00:18,540
and OS X systems.

9
00:00:18,540 --> 00:00:21,270
You can just enter NetStat by itself and hit Enter,

10
00:00:21,270 --> 00:00:22,770
and you'll get a simplified display

11
00:00:22,770 --> 00:00:24,900
that contains four columns of information.

12
00:00:24,900 --> 00:00:27,300
This includes the protocol, the local address,

13
00:00:27,300 --> 00:00:29,250
the foreign address, and the state.

14
00:00:29,250 --> 00:00:31,050
In this example, all of my connections

15
00:00:31,050 --> 00:00:33,270
are using TCP as their protocol.

16
00:00:33,270 --> 00:00:35,400
There are two local addresses in my example.

17
00:00:35,400 --> 00:00:38,700
The localhost of 127.0.0.1,

18
00:00:38,700 --> 00:00:43,700
and my network interface card, which is 192.168.105.3.

19
00:00:43,800 --> 00:00:45,210
Notice each of these has a colon

20
00:00:45,210 --> 00:00:46,890
and a port number after it.

21
00:00:46,890 --> 00:00:48,450
Next, we have the foreign address

22
00:00:48,450 --> 00:00:50,100
or the destination address.

23
00:00:50,100 --> 00:00:52,110
In this case, the localhost address,

24
00:00:52,110 --> 00:00:54,450
they cannot communicate with other foreign IPs,

25
00:00:54,450 --> 00:00:56,190
so instead they're communicating directly

26
00:00:56,190 --> 00:00:57,870
with the Windows client itself.

27
00:00:57,870 --> 00:01:00,900
And this is using my host name for this Windows machine.

28
00:01:00,900 --> 00:01:02,340
For the other foreign addresses,

29
00:01:02,340 --> 00:01:05,129
if the host name is known, it will resolve to that host name

30
00:01:05,129 --> 00:01:06,780
like diontraining.com.

31
00:01:06,780 --> 00:01:09,360
If not, it'll just show the IP address.

32
00:01:09,360 --> 00:01:14,280
You can see here that 52.179.224.121

33
00:01:14,280 --> 00:01:16,320
was not able to be resolved to a host name.

34
00:01:16,320 --> 00:01:18,810
So that IP address is shown here on the screen.

35
00:01:18,810 --> 00:01:20,970
Since this was using port 443,

36
00:01:20,970 --> 00:01:23,700
this is displayed as HTTPS instead

37
00:01:23,700 --> 00:01:26,070
because this is a well-known port number.

38
00:01:26,070 --> 00:01:28,260
Finally, we have the state column.

39
00:01:28,260 --> 00:01:31,500
This can be established, time wait, close wait,

40
00:01:31,500 --> 00:01:35,280
closed, listening, or other TCP connection states.

41
00:01:35,280 --> 00:01:37,800
Notice here we didn't see any listening ports.

42
00:01:37,800 --> 00:01:40,410
This is because we just entered the command NetStat.

43
00:01:40,410 --> 00:01:42,930
If instead we entered NetStat dash a,

44
00:01:42,930 --> 00:01:44,730
we're going to show all the sockets,

45
00:01:44,730 --> 00:01:48,060
both listening and non-listening, as well as all protocols

46
00:01:48,060 --> 00:01:51,060
such as TCP, UDP, and ICMP.

47
00:01:51,060 --> 00:01:53,580
Again, here we can also see IPs are resolved

48
00:01:53,580 --> 00:01:55,470
to host names when it's possible.

49
00:01:55,470 --> 00:01:57,900
Now, if you prefer to see all IP address numbers

50
00:01:57,900 --> 00:01:59,940
instead of those host names, you can do this

51
00:01:59,940 --> 00:02:02,520
by entering the NetStat dash n command.

52
00:02:02,520 --> 00:02:04,920
But since I only used the dash n option,

53
00:02:04,920 --> 00:02:07,560
I'm no longer going to see the listening status anymore.

54
00:02:07,560 --> 00:02:09,330
Now, what would you do if you want to have

55
00:02:09,330 --> 00:02:12,360
both the IP address numbers and the listening status?

56
00:02:12,360 --> 00:02:14,310
Well, you combine the two options

57
00:02:14,310 --> 00:02:16,950
and you get NetStat dash an.

58
00:02:16,950 --> 00:02:19,140
Now, personally, when I run NetStat,

59
00:02:19,140 --> 00:02:22,590
I tend to run it using NetStat dash ano.

60
00:02:22,590 --> 00:02:24,000
This gives me all the states,

61
00:02:24,000 --> 00:02:26,520
both listening and non-listening, because of the dash a,

62
00:02:26,520 --> 00:02:28,260
as well as the IP address numbers,

63
00:02:28,260 --> 00:02:29,880
because I have that dash n,

64
00:02:29,880 --> 00:02:31,650
but I also added this dash o,

65
00:02:31,650 --> 00:02:34,560
which gives me a fifth column called the PID.

66
00:02:34,560 --> 00:02:37,590
Now, PID is the process identification number

67
00:02:37,590 --> 00:02:41,280
and the dash o I added in the dash ano stands for owner,

68
00:02:41,280 --> 00:02:43,230
and it's going to tell me which process owns

69
00:02:43,230 --> 00:02:45,330
each network connection that we're seeing.

70
00:02:45,330 --> 00:02:46,950
Now by adding this fifth column,

71
00:02:46,950 --> 00:02:49,920
I can determine what application or service is communicating

72
00:02:49,920 --> 00:02:53,040
over the network, using which IPs and which ports.

73
00:02:53,040 --> 00:02:55,200
Then if I run the tasklist command,

74
00:02:55,200 --> 00:02:56,910
I can get a list of all the applications

75
00:02:56,910 --> 00:02:58,530
and their PID numbers.

76
00:02:58,530 --> 00:03:00,780
In my case, I see a bunch of network connections

77
00:03:00,780 --> 00:03:05,070
were created by the application with PID 6776.

78
00:03:05,070 --> 00:03:07,410
As I look at my output from the tasklist command,

79
00:03:07,410 --> 00:03:08,850
I can then cross-reference it

80
00:03:08,850 --> 00:03:13,850
and see that PID 6776 is the application GoogleDriveFS.exe,

81
00:03:14,580 --> 00:03:16,620
which is the file synchronization process

82
00:03:16,620 --> 00:03:19,050
for Google Drive on this Windows workstation.

83
00:03:19,050 --> 00:03:20,760
So this makes a lot of sense

84
00:03:20,760 --> 00:03:22,860
that I'm seeing a lot of network connections on the system

85
00:03:22,860 --> 00:03:25,830
using this process ID because it sends a lot of files

86
00:03:25,830 --> 00:03:28,140
and receives a lot of files using Google Drive

87
00:03:28,140 --> 00:03:30,000
as I'm syncing up data.

88
00:03:30,000 --> 00:03:32,640
Now, if I suspect a client is infected with malware

89
00:03:32,640 --> 00:03:34,920
or may have become a zombie as part of a botnet,

90
00:03:34,920 --> 00:03:37,320
I can run the NetStat dash ano command

91
00:03:37,320 --> 00:03:40,050
and really help identify what applications or services

92
00:03:40,050 --> 00:03:41,580
are creating all these connections

93
00:03:41,580 --> 00:03:43,290
and sending data back and forth.

94
00:03:43,290 --> 00:03:45,210
Then I can use this information

95
00:03:45,210 --> 00:03:47,370
to remove those malicious programs.

96
00:03:47,370 --> 00:03:49,230
Now, the final option we have with NetStat

97
00:03:49,230 --> 00:03:53,010
is known as the dash s option, which stands for statistics.

98
00:03:53,010 --> 00:03:55,380
Now, this is going to create an output on your screen

99
00:03:55,380 --> 00:03:59,040
with the statistics for the IPv4, IPv6,

100
00:03:59,040 --> 00:04:02,340
ICMPv4, and ICMPv6 connections,

101
00:04:02,340 --> 00:04:05,130
as well as breaking down those statistics into TCP

102
00:04:05,130 --> 00:04:09,600
and UDP statistics for both IPv4 and IPv6.

103
00:04:09,600 --> 00:04:10,860
This information can be used

104
00:04:10,860 --> 00:04:13,140
to help you determine the health of your network connection

105
00:04:13,140 --> 00:04:15,120
by showing you how many packets were delivered,

106
00:04:15,120 --> 00:04:17,670
how many were discarded, how many couldn't be routed,

107
00:04:17,670 --> 00:04:18,720
how many had errors,

108
00:04:18,720 --> 00:04:20,910
and how many were fragmented during transit.

109
00:04:20,910 --> 00:04:23,160
Overall, this information is really helpful

110
00:04:23,160 --> 00:04:24,420
as you create your baselines

111
00:04:24,420 --> 00:04:26,910
for what normal looks like on a given client.

112
00:04:26,910 --> 00:04:28,950
Then you can use that as your baseline

113
00:04:28,950 --> 00:04:31,620
and compare your current stats against that baseline

114
00:04:31,620 --> 00:04:33,720
to see if you have any unexpected results.