JANOS Help System
NETSTAT                                                    User Commands

NAME
    netstat - Network Status Utility

SYNOPSIS
    netstat [OPTIONS]

DESCRIPTION
    This displays the status of the LAN connection and lists all of the active network connections as well as any of the services accepting connections.

    -U
        Displays any services accepting connectionless UDP packets.

    -A
        Displays network statistics such as packet and error tallies.

    -M
        Dynamically displays network activity. The display mode is exited by any keyboard entry.

    -C [FILTER]
        Generates the /temp/network.pcapng capture file, which contains recent network traffic. This may be downloaded and opened with Wireshark (https://wireshark.org). An optional FILTER may be used to limit the content.

    -F [FILTER]
        JANOS always buffers recent network traffic for capturing. This option sets a FILTER to limit the traffic collected. Since only a limited space is available for buffering, a filter can be used to retain packets of interest for a much longer period of time. The filtering is removed if FILTER is omitted.

    -R
        Resets the network buffer, removing prior buffered traffic.

    -T
        Displays TLS statistics regarding the negotiation of various security suites.

    -S [FILTER]
        Whereas the -C option generates a PCAPNG file that can be remotely opened in Wireshark, the -S option enables a real-time network scanner/sniffer in which packets are displayed as they occur. Any keystroke will terminate the scanning. A FILTER can be specified to limit the packets listed to only those of interest.

    -P [FILTER]
        Displays packets from the current capture buffer. A FILTER may be defined to limit the list to only packets of interest. If this option is used in combination with -S, once the packets from the capture buffer have been displayed the scanner proceeds to display new packets as they occur.

    -D
        Enables the hexadecimal dump of the packet payload when used with the -S option, the -P option, or both. This displays only the data and not the associated headers (such as the MAC, IP and TCP/UDP headers).
NETWORK SCANNER
    New with JANOS v2.4 is the ability to view ongoing network communications in real-time from the command line. As more and more JNIOR applications involve interaction with remote network equipment, it becomes important during testing to get immediate feedback on proper operation. The NETSTAT -S network scanner displays network traffic as it happens.

    As network packets are received and transmitted, JANOS records them for later analysis. This has always been available for export and analysis by Wireshark through the NETSTAT -C option. The amount of network data available at any one time is limited by the size of the capture buffer, which is established by the IpConfig/CaptureBuffer Registry key. By default this is a modest 512KB and can be expanded to 8MB. Depending on the frequency of network communication and the amount of data exchanged, the network history in terms of time can be quite short, on the order of only several minutes.

FILTERING
    A capture filter can be used to limit the traffic being recorded. A FILTER can be set using the NETSTAT -F command. This filter then permits only certain communications to be recorded in the capture buffer. When analyzing the interactions with one particular remote device, this can greatly increase the amount of time covered and the amount of interaction available for review.

    NOTE: When using the scanner to look for specific interactions, make sure that these are not filtered out.

    The NETSTAT -F command without a filter specification removes any existing filter. These are Registry changes and are logged in the jniorsys.log file, should you need to determine a prior setting.

    The FILTER specified with the NETSTAT -C, -P and -S options is a restriction imposed on the data being retrieved from the capture buffer, that is, on traffic that may already have been filtered by the -F filter. If you are looking for a specific communication, it must pass both filters: it must not be filtered out on reception, and it must not be filtered out on display.
    When running the scanner, network communications related to the current connection are automatically filtered. For instance, if you are accessing the command line console using Telnet, those packets will not be displayed, as you are likely looking for other traffic. This is a secondary filter in addition to (and does not alter) any FILTER that you define for display. This traffic will however be captured in the buffer unless filtered by the incoming -F filter (see IpConfig/Filter).

REAL-TIME
    The NETSTAT -P command will display the (optionally) selected packets from the capture buffer, starting from the oldest available right up to the present moment. At the completion of the display you are returned to the command prompt.

    To view real-time traffic use the NETSTAT -S command (with optional filter). This will immediately display new packets (matching your filter) as they occur, and will continue for as long as the command is active. Any keystroke will interrupt the command and return you to the prompt.

    If you are interested in traffic past and present you will need to use both options in one command, for instance NETSTAT -PS or NETSTAT -SP. Note that if you issue NETSTAT -P and then, after returning to the prompt, give the NETSTAT -S command, there is a chance that you would miss packets occurring between the two command executions.

DISPLAY FORMAT
    The network scanner displays packets in a similar fashion to Wireshark. With each packet a timestamp is displayed, followed by the source IP address, source port number, destination IP address and destination port number. The timestamp does not include the date, given that a capture extending over days is unlikely. The following is a brief moment in time and happens to show only broadcast traffic. The -V option includes underlying packets for ARP, ICMP and so on, which are normally not listed.
    ** Packets for current session not displayed
    Timestamp     Src_IPaddr         srcprt  Dst_IPaddr         dstprt  typ  proto  detail
    12:01:56.728  10.0.0.20          17500   255.255.255.255    17500   UDP         (144 bytes)
    12:01:56.730  10.0.0.20          17500   255.255.255.255    17500   UDP         (144 bytes)
    12:01:56.730  10.0.0.20          17500   10.0.0.255         17500   UDP         (144 bytes)
    12:01:57.470  10.0.0.27          17500   10.0.0.255         17500   UDP         (154 bytes)
    12:01:58.462  10.0.0.17          60504   10.0.0.255         1947    UDP         (40 bytes)
    12:02:01.252  10.0.0.20          54131   255.255.255.255    1947    UDP         (40 bytes)
    12:02:02.541  10.0.0.5           137     10.0.0.255         137     UDP  NBNS   (50 bytes)
    12:02:04.180  10:78:d2:75:14:06          Integpro_00:07:f9          ARP         Who has 10.0.0.102? Tell 10.0.0.20
    12:02:04.180  Integpro_00:07:f9          10:78:d2:75:14:06          ARP         10.0.0.102 is at 9c:8d:1a:00:07:f9
    12:02:05.258  10.0.0.20          54131   10.0.0.255         1947    UDP         (40 bytes)

    The right side of each line may identify the protocol and provide some additional details. If additional analysis is needed, then an export using NETSTAT -C and subsequent viewing in Wireshark is recommended.

PAYLOAD
    The NETSTAT -D option, used with -S, -P or -SP scanning, displays in hexadecimal and ASCII the data contained in the payload portion of the communications. Here we use the DATE -N command to update the clock using NTP and then look at the network exchange. Notice that NTP uses port 123, and we can use 'NTP' in the filter definition since it is the standard port for that protocol.

    bruce_dev /> netstat -pd NTP
    LAN connection active (100 Mbps)

    ** Packets for current session not displayed
    Timestamp     Src_IPaddr    srcprt  Dst_IPaddr    dstprt  typ  proto  detail
    12:20:33.562  10.0.0.102    53270   50.205.57.38  123     UDP  NTP    (48 bytes)
    0000 0b000000 00000000 00000000 00000000 00000000 ....................
    0014 00000000 e818b7d1 8fdf3b64 00000000 00000000 ....h.7Q._;d........
    0028 00000000 00000000 ........

    12:20:33.601  50.205.57.38  123     10.0.0.102    53270   UDP  NTP    (48 bytes)
    0000 0c0106e7 00000000 00000000 47505300 e818b7d1 ...g........GPS.h.7Q
    0014 00000000 00000000 00000000 e818b7d1 94731021 ............h.7Q.s.!
    0028 e818b7d1 94735fe5 h.7Q.s_e

    bruce_dev />

    Here we see the binary exchange with the network time server. None of the packet payload involves characters that make sense. The ASCII is displayed nonetheless, since in some cases text is clearly exchanged (in serial commands with some devices, for instance) and translating the hexadecimal into ASCII by hand is a chore. If you use NETSTAT -C to export this and then open the capture file in Wireshark, a complete parsing of this exchange is available.

SEE ALSO
    HELP Topics: FILTER, ASCII
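To show what the -D payload dump in the PAYLOAD section actually carries, here is an added example (not JANOS code, and not part of the original help page) that rebuilds the payload bytes from a NETSTAT -PD listing and decodes the NTP header fields. The sample input is the request and reply listed above; the byte count on each packet's summary line ("48 bytes") is used as a check against reading the ASCII column as hex.

```python
import re
import struct

# Constructed from the NETSTAT -PD NTP exchange above: summary line, then -D dump.
REQUEST_DUMP = """\
12:20:33.562 10.0.0.102 53270 50.205.57.38 123 UDP NTP (48 bytes)
0000 0b000000 00000000 00000000 00000000 00000000 ....................
0014 00000000 e818b7d1 8fdf3b64 00000000 00000000 ....h.7Q._;d........
0028 00000000 00000000 ........"""
REPLY_DUMP = """\
12:20:33.601 50.205.57.38 123 10.0.0.102 53270 UDP NTP (48 bytes)
0000 0c0106e7 00000000 00000000 47505300 e818b7d1 ...g........GPS.h.7Q
0014 00000000 00000000 00000000 e818b7d1 94731021 ............h.7Q.s.!
0028 e818b7d1 94735fe5 h.7Q.s_e"""
NTP_UNIX_DELTA = 2208988800  # seconds from the 1900 NTP epoch to 1970

def dump_to_bytes(dump):
    """Rebuild payload bytes from a -D listing; stop at the summary line's byte count."""
    lines = dump.strip().splitlines()
    expected = int(re.search(r"\((\d+) bytes\)", lines[0]).group(1))
    out = bytearray()
    for line in lines[1:]:
        fields = line.split()  # offset, 4-byte hex groups, then the ASCII column
        if int(fields[0], 16) != len(out):
            raise ValueError("dump offsets are not contiguous")
        for group in fields[1:]:
            if len(out) >= expected or not re.fullmatch(r"[0-9a-fA-F]{8}", group):
                break
            out += bytes.fromhex(group)
    if len(out) != expected:
        raise ValueError(f"decoded {len(out)} bytes, expected {expected}")
    return bytes(out)

def ntp_time(raw):
    """64-bit NTP timestamp -> Unix seconds as a float, or None if unset."""
    secs, frac = struct.unpack("!II", raw)
    return None if secs == 0 else secs - NTP_UNIX_DELTA + frac / 2**32

def decode_ntp(payload):
    """Decode the 48-byte NTP header using the RFC 5905 field layout."""
    flags, stratum, poll, precision = struct.unpack("!BBbb", payload[:4])
    ref = payload[12:16]  # clock tag such as "GPS" at stratum 1, else an IPv4
    return {
        "leap": flags >> 6, "version": (flags >> 3) & 7, "mode": flags & 7,
        "stratum": stratum, "poll": poll, "precision": precision,
        "ref_id": ref.rstrip(b"\0").decode("ascii", "replace")
        if stratum <= 1 else ".".join(str(b) for b in ref),
        "reference": ntp_time(payload[16:24]), "origin": ntp_time(payload[24:32]),
        "receive": ntp_time(payload[32:40]), "transmit": ntp_time(payload[40:48]),
    }
```

Decoding both packets shows the request carrying the device's clock in the origin field with a zero transmit field, which is why the reply's origin field comes back zero while its receive and transmit stamps are filled in by the stratum-1 GPS server.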