Thursday, 2 November 2017

windows - Strange entries in Netstat output


Out of curiosity, I ran Netstat on my Windows PC, and I found some strange entries like:


xx-fbcdn-shv-01-amt2:https
edge-star-mini-shv-01-frt3:https
mil04s03-in-f10:https
xx-fbcdn-shv-01-amt2:https
fra16s25-in-f14:https
lu7:http
40:https
mil04s04-in-f12:https
wb-in-f188:https
ec2-52-86-85-106:https
db5sch101101419:https
bam-6:https

What are these/how can I tell what these are?



Answer



You can get more useful information from the Netstat command by adding the -f and -b parameters, like this:


netstat -f -b

According to the help (netstat -?) the -f switch:



Displays Fully Qualified Domain Names (FQDN) for foreign addresses.



And the -b switch:



Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.



Put the two together and you'll see what processes are creating each connection and the full remote host name.


To aid in investigating the executables (and the connections they're making) use Microsoft's Process Explorer. When you run the program you'll be presented with a list of everything running on your system.


Then, to see the connections made by an executable, double-click it and have a look at the TCP/IP tab.
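On a busy machine the combined output is long, so it helps to group it by owning process. The following is an added example, not part of the original answer: it parses saved `netstat -f -b` text and lists the remote hosts each executable talks to. The sample output, host names and function names are constructed for illustration, and the usual English-locale layout is assumed.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -f -b` output; hosts and addresses are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address                 State
  TCP    192.0.2.20:50112       cdn-01.example.net:https        ESTABLISHED
 [chrome.exe]
  TCP    192.0.2.20:50140       api.example.org:https           ESTABLISHED
 [chrome.exe]
  TCP    192.0.2.20:50201       push.example.com:https          ESTABLISHED
  WpnService
 [svchost.exe]
  TCP    192.0.2.20:50230       mirror.example.net:http         TIME_WAIT
 Can not obtain ownership information
"""

CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat_b(text):
    """Return one dict per connection: proto, local, remote, state, components, exe."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN.match(line)
        if m:
            current = {"proto": m[1], "local": m[2], "remote": m[3],
                       "state": m[4] or "", "components": [], "exe": None}
            conns.append(current)
        elif current is None or not line.strip():
            continue                      # banner, column header, blank lines
        elif (owner := OWNER.match(line)):
            current["exe"] = owner[1]     # [name.exe] closes the block
            current = None
        elif "ownership information" in line:
            current = None                # owner not reported (e.g. insufficient permissions)
        else:
            current["components"].append(line.strip())  # hosted component, e.g. a service
    return conns

def remotes_by_exe(conns):
    """Map each executable (None = owner not reported) to its sorted remote endpoints."""
    grouped = defaultdict(set)
    for c in conns:
        grouped[c["exe"]].add(c["remote"])
    return {exe: sorted(remotes) for exe, remotes in grouped.items()}

if __name__ == "__main__":
    for exe, remotes in remotes_by_exe(parse_netstat_b(SAMPLE)).items():
        print(exe or "<unknown owner>", "->", ", ".join(remotes))
```

Connections that end up under the unknown owner are the ones to re-check from an elevated prompt or in Process Explorer.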

