Help with netstat command reports

4 replies to this topic

#1
Sophy

    Vista Home Premium SP2 / Avast Internet Security 5 / WinPatrol /

  • Member
  • 113 posts
I thought my Internet operations were running slow so I called my ISP. The guy had me open the command box (as administrator) and type in netstat. When it came up with near 100 connections he said that shouldn't be and I've got to have spyware or something. I continued to type "netstat" in the command box and each time it came up with fewer until it was down to 11. I had Firefox open and only 1 site open. But when I closed the command box, then reopened it and typed netstat it again came up with a whole slew of connections.

I run Avast 6.0 Internet Security and I do a FULL scan once every day. Once a week I do on demand scans with the free versions of SUPERAntiSpyware and Malwarebytes, always choosing the full scan option. So I'm finding it hard to believe I've got hidden spyware, but I'm getting scared at this point. I Googled "netstat" and I'm not reassured.

I found this: netstat -p TCP: To display a list of external machines (IP address or Machine names with Port Number) that your computer is connected to. (Screenshot 1)

netstat -e 10: This command displays the number of bytes sent and received in real time. The command loops after every 10 seconds to give you an idea of how much data is being transferred and at what rate. If you are not transferring a file over the internet but still large data is being sent across, that signals a problem. (Screenshot 2) Doesn't this screenshot show that I've got an awful large number of bytes being sent and received considering I was sending nothing and had 1 web page open?

My ISP really got me scared, so hope someone who knows more than I do can offer me some reassurance, or tell me what I should do.


#2
CoffeeFiend

    Coffee Aficionado

  • Super Moderator
  • 5,399 posts
  • OS:Windows 7 x64
I don't see anything abnormal. The first 6 connections are to a computer on your network called Cindy-PC. The last one is your PC fetching a web page from MSN. Not sure about the 2nd last one (it's getting a secure web page, most likely from MSN too) but there's nothing that looks like you're compromised.
Coffee: \ˈkȯ-fē, ˈkä-\. noun. Heaven in a cup. Life's only treasure. The meaning of life. Kaffee ist wunderbar. C8H10N4O2 FTW.

#3
Sophy

While screenshot #1 probably is no problem, I have to play devil's advocate here for a minute. What about the screenshot that shows that I'm sending over 183 million bytes and receiving over 14 million -- when all I have open is one web page and I am not sending anything over the Internet? The explanation of this online said, "If you are not transferring a file over the internet but still large data is being sent across, that signals a problem."

Also, I refer back to the ISP tech guy telling me that typing "netstat" in and the result showing a large number of connections tells him there is spyware? I just opened the command window and typed "netstat" and once again I got a whole long list. See screenshot 3. I'm not second guessing you; it's just that it didn't sound to me like you addressed situations #2 and #3.

I know nothing at all about this and am only in a bit of panic mode because of what the ISP tech told me.

#4
allen2

    Not really Newbie

  • Member
  • 1,812 posts
You could try to use netstat -no to show both the process ID opening the connection and the remote IP address. The process ID, or PID, can also be shown in Task Manager, so you'll be able to see there what process is making the connections, and then you can use Process Explorer (available on the Microsoft web site) to see a little more, like the number of threads launched by this process (a lot of threads, more than 100, may be bad).
netstat -e shows statistics of the interface since boot time and not real time, so it doesn't show anything suspicious. If there was, every 10 seconds the number of packets sent and received would increase by big numbers (10000 or so).
Anyway, I still don't see how the tech guy does his job: in this case, he should make a file transfer test (about 100MB) to an FTP hosted by your internet provider. That's the right way to check speed. There are also some websites saying that they can test your speed, but that's the speed you get to this particular website and not all internet, so it can report speeds a lot lower than your max one as it heavily depends on the peering between the different providers.
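
The two checks described in the post above, as an added example that is not part of allen2's post: grouping `netstat -no` rows by owning PID, and turning two cumulative `netstat -e` byte counters into a rate. The sample output, addresses, PIDs and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -no` output (addresses and PIDs are made up).
NETSTAT_NO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49160     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.10:49161     192.168.1.20:139       ESTABLISHED     4
  TCP    192.168.1.10:49201     203.0.113.5:80         ESTABLISHED     3120
  TCP    192.168.1.10:49202     203.0.113.5:443        CLOSE_WAIT      3120
  TCP    192.168.1.10:49203     198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.1.10:49204     198.51.100.7:80        TIME_WAIT       0
"""

# Two constructed `netstat -e` "Bytes" rows (received, sent) taken 10 seconds apart.
SAMPLE_T0 = "Bytes                      14523011       183402977"
SAMPLE_T10 = "Bytes                      14531203       183405121"


def connections_by_pid(text):
    """Return {pid: Counter(state -> count)} for the TCP rows of `netstat -no`."""
    result = defaultdict(Counter)
    for line in text.splitlines():
        fields = line.split()
        # TCP rows have five columns: proto, local, foreign, state, pid.
        if len(fields) == 5 and fields[0] == "TCP" and fields[4].isdigit():
            result[int(fields[4])][fields[3]] += 1
    return dict(result)


def bytes_row(line):
    """Parse the 'Bytes' row of `netstat -e` into (received, sent)."""
    m = re.match(r"\s*Bytes\s+(\d+)\s+(\d+)\s*$", line)
    if not m:
        raise ValueError("not a netstat -e Bytes row: %r" % line)
    return int(m.group(1)), int(m.group(2))


def rate(before, after, seconds):
    """Bytes per second (received, sent) between two cumulative samples."""
    (r0, s0), (r1, s1) = bytes_row(before), bytes_row(after)
    return (r1 - r0) / seconds, (s1 - s0) / seconds


if __name__ == "__main__":
    for pid, states in sorted(connections_by_pid(NETSTAT_NO).items()):
        print(pid, dict(states))
    print("recv/sent bytes per second:", rate(SAMPLE_T0, SAMPLE_T10, 10))
```

The per-PID counts are what you match against the PID column in Task Manager; the rate, not the running total, is the figure to judge idle traffic by.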

#5
Sophy

Thank you. This guy from ISP gave me his name in case I wanted to call him back. I'm going to call him and advise what you said about doing that file transfer test. It's real strange because for our area my download and upload speed tests are real good -- but then I go to download a 32 MB game, which shouldn't take any time at all, and I'm slow, slow.

But what about his statement that getting all these connections (screenshot 3) when I type in netstat indicates spyware?

I had that process explorer at one time and couldn't make heads nor tails out of it. I have no idea what the process of id of pid means.

Edited by Sophy, 30 March 2011 - 10:16 PM.




