What is NetStat & how can it help me?

Question

My computer seems to be doing things when I am not using it. The hard drive light flashes, my Internet connection shows activity even when I don't have a browser open. Is there something in my system or am I just paranoid?

- Josh

Answer

This question was answered on October 16, 2003. Much of the information contained herein may have changed since posting.

With all of the vulnerabilities, Trojan horse programs, spyware, adware, worms and viruses that are floating around, it is prudent to be somewhat paranoid.

The specific causes of the activity that you are noticing could be nothing more than one of the many background utilities that is supposed to be running. Or, it could be one of many malicious programs that has made its way into your computer and is using it to send out spam or worms, or to host pirated software for others to download without your knowledge.

Virtually every anti-virus program on the market automatically checks for updates on a regular basis as do all of the Windows XP operating systems, which could be some of what you are experiencing.

A somewhat technical method of checking to see if something is accessing the Internet from your computer is to use the ‘netstat’ (which stands for NETwork STATe) utility that is built into most operating systems.

Before you use this utility, make sure that all of your programs are closed, especially your browser and e-mail programs.

Click the ‘Start’ button, then on ‘Run’, then type ‘command’ for Windows 95, 98 or ME, and ‘cmd’ for Windows NT, 2000 or XP. This will open a box that looks like an old DOS screen, known as a ‘command line’.

Once the box is open, type the command ‘netstat’ which will bring up a series of headings that read:

Proto Local Address Foreign Address State

If you closed all your programs, there should not be anything under any of the headings. The headings will list the following information:

Proto lists the ‘protocol’ (usually either TCP - Transmission Control Protocol or UDP - User Datagram Protocol)

Local Address is your machine

Foreign Address is another machine on the Internet or a local network

State lists the current state of any of the connections and is the one that you will be most interested in. If the word ‘ESTABLISHED’ appears under the ‘State’ heading, then something is causing your computer to connect to another computer on the Internet.

To see what a normal, legitimate connection looks like, open your browser and connect to any web site, then run ‘netstat’ again.

If you see any ‘established’ connections when you run netstat and none of your Internet related programs is running, you likely have a program running in the background that is accessing the Internet.

The website address that it’s connecting to will generally appear under the ‘foreign address’ heading (ending with http) which is a starting point for figuring out whether this is a legitimate or malicious connection.

If you feel you have been infiltrated, try running programs such as Ad-Aware (Ad-Aware.com) or SpyBot (safer-networking.org), which will track down and remove known adware and spyware programs.


Author

Posted by Ken of Data Doctors on October 16, 2003
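The check described in the answer (look under the four headings for ‘ESTABLISHED’ rows whose foreign address is another machine) can be automated. The Python below is an added example, not part of the original answer; the sample text is constructed, and it assumes numeric output as produced by ‘netstat -n’ so that foreign addresses are IP literals rather than names.

```python
import ipaddress

# Constructed sample of Windows `netstat -n` output (not captured from a real machine).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.20:1042      203.0.113.15:80        ESTABLISHED
  TCP    127.0.0.1:1050         127.0.0.1:1051         ESTABLISHED
  TCP    192.168.1.20:1044      198.51.100.7:25        TIME_WAIT
  TCP    [fe80::1%4]:1060       [2001:db8::5]:443      ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

def split_endpoint(endpoint):
    """Split 'host:port' or '[ipv6]:port' into (host, port), dropping any zone id."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port

def parse_netstat(text):
    """Yield one dict per connection row, keyed by the four headings."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, the heading row and blank lines
        state = fields[3] if len(fields) > 3 else ""  # UDP rows have no State
        yield {"proto": fields[0], "local": fields[1],
               "foreign": fields[2], "state": state}

def is_loopback(host):
    """True when the address is the local machine talking to itself."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a resolved name rather than an IP literal

def established_remote(text):
    """Return ESTABLISHED rows whose foreign address is another machine."""
    hits = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["foreign"])
        if row["state"] == "ESTABLISHED" and not is_loopback(host):
            hits.append((row["proto"], host, port))
    return hits

if __name__ == "__main__":
    for proto, host, port in established_remote(SAMPLE):
        print(f"{proto} connection open to {host} port {port}")
```

Run it with every Internet program closed, as the answer advises; any row it reports is a starting point for deciding whether the connection is legitimate.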