NETSTAT User Commands
NAME
netstat - Network Status Utility
SYNOPSIS
netstat [OPTIONS]
DESCRIPTION
This displays the status of the LAN connection and lists all of the
active network connections as well as any of the services accepting
connections.
-U
Displays any services accepting connectionless UDP packets.
-A
Displays network statistics such as packet and error tallies.
-M
Dynamically displays network activity. The display mode is exited
by any keyboard entry.
-C [FILTER]
Generates the /temp/network.pcapng capture file which contains
recent network traffic. This may be downloaded and opened with
Wireshark (https://wireshark.org). An optional FILTER may be used to
limit the content.
-F [FILTER]
JANOS always buffers recent network traffic for capturing. This
option can set a FILTER to limit the traffic collected. Since only
a limited space is available for buffering, a filter can be used
to retain packets of interest for a much longer period of time.
The filtering is removed if FILTER is omitted.
-R
Resets the network buffer removing prior buffered traffic.
-T
Displays TLS statistics regarding the negotiation of various security
suites.
-S [FILTER]
The -C option generates a PCAPNG file that can be remotely opened in
Wireshark. The -S option enables a real-time network scanner/sniffer
where packets are displayed as they occur. Any keystroke will terminate
the scanning. A FILTER can be specified to limit the packets listed to
only those of interest.
-P [FILTER]
This displays packets from the current capture buffer. A FILTER may be
defined to limit the list to only packets of interest. If this option
is used in combination with -S, once packets are displayed from the
capture buffer the scanner will proceed to display new packets as they
occur.
-D
Enables the hexadecimal dump of packet payload when used with either
the -S and/or -P options. This displays only the data and not the
associated headers (such as MAC, IP and TCP/UDP headers).
NETWORK SCANNER
New with JANOS v2.4 is the ability to view ongoing network communications
in real-time from the command line. As more and more JNIOR applications
involve interaction with remote network equipment it becomes important
in testing to get immediate feedback as to proper operation. The NETSTAT -S
network scanner displays network traffic as it happens.
As network packets are received and transmitted JANOS records them for later
analysis. This has always been available for export and analysis by Wireshark
through the NETSTAT -C option. The amount of network data available at any
one time is limited by the size of the capture buffer established by the
setting of the IpConfig/CaptureBuffer Registry key. By default this is a
modest 512KB and can be expanded to 8MB. Depending on the frequency of network
communication and the amount of data exchanged the network history in terms
of time can be quite small and on the order of only several minutes.
FILTERING
A capture filter can be used to limit the traffic being recorded. A FILTER
can be set using the NETSTAT -F command. This filter then permits only
certain communications to be recorded in the capture buffer. When analyzing
the interactions with one particular remote device this can greatly increase
the amount of time covered and the amount of interaction available for
review.
NOTE
When using the scanner to look for specific interactions
make sure that these are not filtered. The NETSTAT -F
command without a filter specification removes any existing
filter. These are Registry changes that are logged in the
jniorsys.log file if you need to determine a prior setting.
The FILTER specified with the NETSTAT -C, -P and -S options is a restriction
imposed on the data being retrieved from the capture buffer. That is to say
it applies after whatever the -F filter has already removed. If you are
looking for a specific communication, make sure it is neither filtered out
on reception (by -F) nor filtered out again upon display.
When running the scanner, network communications related to the current
connection are automatically filtered. For instance, if you are accessing the
command line console using Telnet those packets will not be displayed as you
are likely looking for other traffic. This is a secondary filter in addition
to (and does not alter) any FILTER that you define regarding display. This
traffic will however be captured in the buffer unless filtered by the incoming
-F filter. (See IpConfig/Filter).
REAL-TIME
The NETSTAT -P command will display the (optionally) selected packets from the
capture buffer. That would start from the oldest available right up to the
present moment. At the completion of display you are returned to the command
prompt.
To view real-time traffic use the NETSTAT -S command (with optional filter).
This will immediately display new packets (matching your filter) as they
occur. This will continue for as long as the command is active. Any keystroke
will interrupt the command and return you to the prompt.
If you are interested in traffic past and present you will need to use both
options in one command. For instance NETSTAT -PS or NETSTAT -SP. Notice that
if you issue the NETSTAT -P and then after returning to the prompt you give
the NETSTAT -S command there is a chance that you would skip packets occurring
between the two command executions.
DISPLAY FORMAT
The network scanner displays packets in a similar fashion as Wireshark. With
each packet a timestamp is displayed followed by the source IP address, source
port number, the destination IP address and destination port number. The
timestamp does not display the date given that a capture extending over days
is unlikely. The following is a brief moment in time and happens to show only
broadcast traffic. The -V option includes underlying packets for ARP, ICMP and
so on, which are normally not listed.
** Packets for current session not displayed
Timestamp     Src_IPaddr         srcprt  Dst_IPaddr         dstprt  typ  proto  detail
12:01:56.728  10.0.0.20          17500   255.255.255.255    17500   UDP         (144 bytes)
12:01:56.730  10.0.0.20          17500   255.255.255.255    17500   UDP         (144 bytes)
12:01:56.730  10.0.0.20          17500   10.0.0.255         17500   UDP         (144 bytes)
12:01:57.470  10.0.0.27          17500   10.0.0.255         17500   UDP         (154 bytes)
12:01:58.462  10.0.0.17          60504   10.0.0.255         1947    UDP         (40 bytes)
12:02:01.252  10.0.0.20          54131   255.255.255.255    1947    UDP         (40 bytes)
12:02:02.541  10.0.0.5           137     10.0.0.255         137     UDP  NBNS   (50 bytes)
12:02:04.180  10:78:d2:75:14:06          Integpro_00:07:f9          ARP         Who has 10.0.0.102? Tell 10.0.0.20
12:02:04.180  Integpro_00:07:f9          10:78:d2:75:14:06          ARP         10.0.0.102 is at 9c:8d:1a:00:07:f9
12:02:05.258  10.0.0.20          54131   10.0.0.255         1947    UDP         (40 bytes)
The right side of each line (typ, proto and detail) identifies the protocol
and provides some additional details.
If additional analysis is needed then an export using NETSTAT -C and subsequent
viewing in Wireshark is recommended.
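The scanner lines above have a regular shape, so a short parser can turn a pasted NETSTAT -S or -P session into records for tallying. The following is an added example, not part of the JANOS manual or firmware; it assumes the line layout shown in this section (timestamp, source, port, destination, port, typ, optional proto, "(N bytes)"), handles the port-less ARP rows listed by -V, and uses a constructed sample copied from the table above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample (not a live capture): rows from the DISPLAY FORMAT table.
SAMPLE_OUTPUT = """\
** Packets for current session not displayed
Timestamp     Src_IPaddr         srcprt  Dst_IPaddr         dstprt  typ  proto  detail
12:01:56.728  10.0.0.20          17500   255.255.255.255    17500   UDP         (144 bytes)
12:01:58.462  10.0.0.17          60504   10.0.0.255         1947    UDP         (40 bytes)
12:02:02.541  10.0.0.5           137     10.0.0.255         137     UDP  NBNS   (50 bytes)
12:02:04.180  10:78:d2:75:14:06          Integpro_00:07:f9          ARP         Who has 10.0.0.102? Tell 10.0.0.20
12:02:04.180  Integpro_00:07:f9          10:78:d2:75:14:06          ARP         10.0.0.102 is at 9c:8d:1a:00:07:f9
12:02:05.258  10.0.0.20          54131   10.0.0.255         1947    UDP         (40 bytes)
"""

TS = r"(\d\d:\d\d:\d\d\.\d{3})"
# IP traffic: timestamp, src, sport, dst, dport, typ, optional proto, "(N bytes)"
IP_LINE = re.compile(
    TS + r"\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(TCP|UDP)\s+"
    r"(?:([A-Za-z][\w-]*)\s+)?\((\d+) bytes\)\s*$"
)
# ARP rows (shown with -V): timestamp, src, dst, "ARP", free-text detail, no ports
ARP_LINE = re.compile(TS + r"\s+(\S+)\s+(\S+)\s+ARP\s+(.*?)\s*$")


@dataclass
class Packet:
    timestamp: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    typ: str
    proto: Optional[str]
    length: Optional[int]
    detail: str


def parse_line(line: str) -> Optional[Packet]:
    """Parse one scanner line; banners, the column header and blank lines give None."""
    m = IP_LINE.match(line)
    if m:
        ts, src, sport, dst, dport, typ, proto, length = m.groups()
        return Packet(ts, src, int(sport), dst, int(dport), typ, proto,
                      int(length), f"({length} bytes)")
    m = ARP_LINE.match(line)
    if m:
        ts, src, dst, detail = m.groups()
        return Packet(ts, src, None, dst, None, "ARP", None, None, detail)
    return None


def parse_scanner_output(text: str) -> List[Packet]:
    """Parse a whole pasted session, silently dropping non-packet lines."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def count_by_destination(packets: List[Packet]) -> Dict[Tuple[str, Optional[int]], int]:
    """Tally packets per (dst, dport); a quick way to spot chatty broadcasters."""
    counts: Dict[Tuple[str, Optional[int]], int] = {}
    for p in packets:
        key = (p.dst, p.dport)
        counts[key] = counts.get(key, 0) + 1
    return counts


def payload_bytes(packets: List[Packet]) -> int:
    """Sum of the byte counts the scanner reported (ARP rows carry none)."""
    return sum(p.length or 0 for p in packets)


if __name__ == "__main__":
    pkts = parse_scanner_output(SAMPLE_OUTPUT)
    for key, n in sorted(count_by_destination(pkts).items(), key=lambda kv: -kv[1]):
        print(f"{key[0]}:{key[1]}  {n} packet(s)")
    print(f"{payload_bytes(pkts)} payload bytes in {len(pkts)} packets")
```

Because the timestamp carries no date, records from a session that crosses midnight cannot be ordered by the timestamp alone; the parser keeps them in the order the scanner printed them, which is the order of capture.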
PAYLOAD
The NETSTAT -D option used with either the -S, -P or -SP scanning, displays in
hexadecimal and ASCII the data contained in the payload portion of the
communications.
Here we use the DATE -N command to update the clock using NTP and then look
at the network exchange. Notice that NTP uses port 123 and we can use 'NTP'
in the filter definition since it is a standard port for that.
bruce_dev /> netstat -pd NTP
LAN connection active (100 Mbps)
** Packets for current session not displayed
Timestamp Src_IPaddr srcprt Dst_IPaddr dstprt typ proto detail
12:20:33.562 10.0.0.102 53270 50.205.57.38 123 UDP NTP (48 bytes)
0000 0b000000 00000000 00000000 00000000 00000000 ....................
0014 00000000 e818b7d1 8fdf3b64 00000000 00000000 ....h.7Q._;d........
0028 00000000 00000000 ........
12:20:33.601 50.205.57.38 123 10.0.0.102 53270 UDP NTP (48 bytes)
0000 0c0106e7 00000000 00000000 47505300 e818b7d1 ...g........GPS.h.7Q
0014 00000000 00000000 00000000 e818b7d1 94731021 ............h.7Q.s.!
0028 e818b7d1 94735fe5 h.7Q.s_e
bruce_dev />
Here we see the binary exchange with the network time server. None of the
packet payload involves characters that make sense. The ASCII is displayed
however since in some cases text is clearly exchanged (in serial commands
with some devices for instance) and translating the hexadecimal into ASCII
by hand is a chore.
If you use NETSTAT -C to export this and then open the capture file in
Wireshark a complete parsing of this exchange is available.
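Short of exporting to Wireshark, the -D dump can be decoded directly when the protocol is as simple as NTP. The following is an added example, not part of the JANOS manual or firmware: it reassembles the payload from dump lines in the format shown above (a hexadecimal offset, up to five 32-bit words, then the ASCII column) and decodes the fields at their RFC 5905 offsets. The sample dumps are constructed copies of the two packets in the session above; the 48-byte length comes from the "(48 bytes)" on the packet line.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed samples echoing the NTP request and reply shown by "netstat -pd NTP".
REQUEST_DUMP = """\
0000 0b000000 00000000 00000000 00000000 00000000 ....................
0014 00000000 e818b7d1 8fdf3b64 00000000 00000000 ....h.7Q._;d........
0028 00000000 00000000 ........
"""
RESPONSE_DUMP = """\
0000 0c0106e7 00000000 00000000 47505300 e818b7d1 ...g........GPS.h.7Q
0014 00000000 00000000 00000000 e818b7d1 94731021 ............h.7Q.s.!
0028 e818b7d1 94735fe5 h.7Q.s_e
"""


def dump_to_bytes(dump: str, length: int) -> bytes:
    """Rebuild a payload from -D dump lines. `length` is the byte count the
    scanner printed for the packet; it tells us how many words each line holds,
    so the ASCII column is never mistaken for hex."""
    buf = bytearray(length)
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        offset = int(tokens[0], 16)
        nwords = min(5, (length - offset + 3) // 4)  # 5 words (20 bytes) per line
        chunk = bytes.fromhex("".join(tokens[1:1 + nwords]))
        buf[offset:offset + len(chunk)] = chunk
    return bytes(buf)


def ntp_time(seconds: int, fraction: int) -> datetime:
    """64-bit NTP timestamp (seconds since 1900, 2^-32 fraction) to UTC datetime.
    Built from the 1900 epoch so that an all-zero timestamp decodes cleanly."""
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=fraction * 1e6 / 2 ** 32)


def decode_ntp(payload: bytes) -> Dict[str, object]:
    """Decode the fixed 48-byte NTP header (RFC 5905 layout)."""
    if len(payload) < 48:
        raise ValueError("NTP packet is at least 48 bytes")
    flags, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    root_delay, root_disp = struct.unpack("!II", payload[4:12])
    ref_id = payload[12:16]
    words = struct.unpack("!8I", payload[16:48])
    names = ("reference", "origin", "receive", "transmit")
    stamps: Dict[str, Tuple[int, int]] = {n: (words[2 * i], words[2 * i + 1])
                                          for i, n in enumerate(names)}
    # Stratum 0/1 carry a 4-character reference identifier (e.g. "GPS"),
    # higher strata carry the IPv4 address of the upstream server.
    if stratum <= 1:
        ref = ref_id.decode("ascii", "replace").rstrip("\x00")
    else:
        ref = ".".join(str(b) for b in ref_id)
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "root_delay": root_delay / 2 ** 16, "root_dispersion": root_disp / 2 ** 16,
        "ref_id": ref, "timestamps": stamps,
    }


if __name__ == "__main__":
    for label, dump in (("request", REQUEST_DUMP), ("response", RESPONSE_DUMP)):
        info = decode_ntp(dump_to_bytes(dump, 48))
        print(f"{label}: mode={info['mode']} stratum={info['stratum']} ref={info['ref_id']!r}")
        for name, (sec, frac) in info["timestamps"].items():
            print(f"  {name:9s} {ntp_time(sec, frac).isoformat()}")
```

The reply decodes as mode 4 (server), stratum 1 with reference identifier "GPS", and a transmit timestamp of 2023-05-24 16:20:33 UTC; that agrees with the 12:20:33 local timestamp on the packet line if the device clock is four hours behind UTC.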
SEE ALSO
HELP Topics:
FILTER,
ASCII
[/flash/manpages/manpages.hlp:3722]