howto://macgyver netstat into a sniffer-part two

by Ed Fisher on 2010-04-02

in Infrastructure

 cli

Welcome back! In part one of this post, we covered some of the functionality of netstat, and how we can use the command to diagnose our network connections at layers four, three, and two. In part two, we’re going to use that knowledge, the pipe (|) operator, and the find command to cobble together a workable tool for analysing traffic. If you haven’t had a chance to read part one yet, or if you just want to do a quick review, go ahead and check that out, and then come back. It’s cool…I’ll wait right here for you.


Okay, looks like we’re all here and ready to rock and roll.

Of course, knowing Mac, he would have cobbled something together with Notepad, an undocumented call to the NDIS driver, and raw sockets. That, or asked Colonel Carter for help!

Let’s MacGyver this netstat thing into a sniffer!

Who’s got a paperclip?


If you were paying attention to part one, you probably noticed the interval option. This runs netstat in a loop, refreshing and redisplaying the output every N seconds. If you just want to see what active connections are on your machine, updating the information every 3 seconds, you would enter the command
netstat 3 [enter]

The top of the display shows the active connections, the bottom of the display shows them again three seconds later. This will update every three seconds until you hit CTRL-C to stop it. Of course, a lower value will give you a faster refresh, with 1 as the lowest allowed value.

 Hi guys! Remember me?
Paperclip NOT required. 

But wait, we’re just getting started. To kick it up a notch, we need to bring in the old cmd-line standbys pipe (|), and find. If we take the output of our netstat cmd and pipe it into the find cmd, specifying some value we’re interested in, we can use this to monitor status changes on a particular port. For example, say we are troubleshooting a web service on our server, and we want to see if requests from a client are getting across the network and through the firewall to us. If we know the source ip.addr of the client, we can see whether or not traffic comes in from him by doing this…

netstat -an 1 | find "192.168.100.201" [enter]
This will sit with a blinking cursor until a TCP SYN packet comes in, at which time you will see a line indicating either SYN_RECV or ESTABLISHED. It’s not perfect, since our refresh rate is one second and it takes less time than that to establish a session, but if you never see anything, you know you never got the SYN packet. CTRL-C to stop this process and get your prompt back.

If we instead wanted to simply monitor the web service to see when a connection was established, regardless of the source, we could do this
netstat -an 1 | find ":80" | find /i "established" [enter]
This will check port 80 every second, and list all established connections.

Want the total count of those connections? Try this…
netstat -an | find ":80" | find /i /c "established" [enter]
Incidentally, this was the answer I gave to one of my pre-screen questions when I interviewed with Google.

We can use this trick from the client side, too. Let’s say we are trying to troubleshoot a PPTP VPN connection. If we open a cmd prompt, and run
netstat -an | find ":1723" [enter]
and then we either launch our VPN connection or just use TELNET in another cmd prompt, we’ll see if we are making contact or not.


See all those SYN_SENT lines? It means our client is trying, but not getting a response from the server. Most likely a firewall on our network is either dropping (silently) our outbound connection attempts, or a firewall at the server side is dropping (silently) the incoming traffic. Either way, we’re not connecting to that PPTP server, but we know that our client is trying.
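The port 80 count and the port 1723 check above both work on raw text, so `find ":80"` also matches `:8080` and any foreign address ending in `:80`. The following Python is an added example, not code from the post: it parses a constructed `netstat -an` sample into fields and compares the substring-style count with an exact match on the local port, then tallies the states of sockets whose foreign port is 1723.

```python
from collections import Counter

# Constructed sample of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.168.100.5:80       192.168.100.201:51234  ESTABLISHED
  TCP    192.168.100.5:80       192.168.100.77:40001   ESTABLISHED
  TCP    192.168.100.5:8080     192.168.100.201:51300  ESTABLISHED
  TCP    192.168.100.5:49152    203.0.113.10:1723      SYN_SENT
  TCP    192.168.100.5:49153    203.0.113.10:1723      SYN_SENT
  TCP    [::]:80                [::]:0                 LISTENING
  UDP    0.0.0.0:500            *:*
"""

def parse_netstat(text):
    """Turn netstat -an text into (proto, local_ip, local_port, remote_ip, remote_port, state) rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                    # title, header and blank lines
        state = parts[3] if len(parts) > 3 else ""      # UDP rows carry no state column
        lip, lport = parts[1].rsplit(":", 1)            # rsplit keeps IPv6 "[::]" intact
        rip, rport = parts[2].rsplit(":", 1)
        rows.append((parts[0], lip, lport, rip, rport, state))
    return rows

def find_pipeline_count(text, *needles):
    """Emulate `netstat -an | find "a" | find /i /c "b"`: a chain of case-insensitive substring filters."""
    lines = text.splitlines()
    for needle in needles:
        lines = [l for l in lines if needle.lower() in l.lower()]
    return len(lines)

def established_on_local_port(rows, port):
    """Exact match on the local port field, so port 80 does not also pick up :8080."""
    return sum(1 for r in rows if r[0] == "TCP" and r[2] == str(port) and r[5] == "ESTABLISHED")

def states_to_remote_port(rows, port):
    """Per-state tally of TCP sockets whose foreign port is `port` (the client-side PPTP check)."""
    return Counter(r[5] for r in rows if r[0] == "TCP" and r[4] == str(port))

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("find-style count:", find_pipeline_count(SAMPLE_NETSTAT, ":80", "established"))  # 3
    print("exact port-80 count:", established_on_local_port(rows, 80))                    # 2
    print("to port 1723:", dict(states_to_remote_port(rows, 1723)))                       # {'SYN_SENT': 2}
```

Swap `SAMPLE_NETSTAT` for the output of `netstat -an` read from a file or a subprocess to run it against a live machine.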

  • A word about egress filtering. Folks, I don’t blame you one bit for dropping (silently) unsolicited and undesired traffic from the internet, but on your internal network, especially at your border firewall, block, don’t drop. Blocking means you will send back ICMP administratively prohibited messages (or RST/ACKs if you’re an IPS), so our clients can determine that something is not allowed, as opposed to just not working. Save us all some time, and communicate on the internal network by blocking. Save dropping for the Internet connection.


We’re using the FIND command instead of FINDSTR, so that we can string parameters together. FINDSTR may not need as much typing, but it can only do one value. With FIND, you can string parameters together. 
netstat -an 1 | find /i "192.168.100.5" becomes netstat -an 1 | findstr 192.168.100.5 in our simple examples, but you can also use find to do counts, or to search for what does not match.


  • FIND [/V] [/C] [/N] [/I] [/OFF[LINE]] "string" [[drive:][path]filename[ ...]]
      /V         Displays all lines NOT containing the specified string.
      /C         Displays only the count of lines containing the string.
      /N         Displays line numbers with the displayed lines.
      /I         Ignores the case of characters when searching for the string.
      /OFF[LINE] Do not skip files with offline attribute set.
      "string"   Specifies the text string to find.
      [drive:][path]filename
                 Specifies a file or files to search.
    If a path is not specified, FIND searches the text typed at the prompt
    or piped from another command.

Try these on for size.
netstat -an | find /V /I "established" [enter]

netstat -an | find ":80" | find /i "established" [enter]

We can also output our results to a file by redirecting output with >>. Here’s a command that will check for connections every three seconds and dump to a file, terminating after 50 tries. You could use this if you are trying to ‘catch’ something happening. You’ll want to put this in a batch file, since sleep is a batch processing command, and not a cmd-line function. We’re using ping to set a delay. You could also install sleep from the resource kit, but this will work without any extra tools. If using Windows 7, make sure to do this in an administrative cmd prompt.
for /L %%I in (1,1,50) do (netstat -afbo >> c:\scratch\output.txt & ping 127.0.0.1 -n 3 -w 1000 >nul)

Want to see per protocol statistics? Try
netstat -s [enter]

Which brings us to the end of this post, and a segue between this post and our closing clip. A funny thing, segues. No, not the freaky little two-wheelers, those are segways.

They do look like fun!
NOT what I meant.

A segue is a smooth transition from one topic to another. I went looking for a funny or witty video to close out this post, and my search went from sniffing, to sniffers, to bloodhounds…to this! Hard to believe this song is already over ten years old. Mildly NSFW, small children, but ultimately full of win. I still love this song.

What about you? Have any netstat tricks to share when troubleshooting the network? Leave a reply and share the love.
