Sophy

Help with netstat command reports

5 posts in this topic

I thought my Internet operations were running slow so I called my ISP. The guy had me open the command box (as administrator) and type in netstat. When it came up with near 100 connections he said that shouldn't be and I've got to have spyware or something. I continued to type "netstat" in the command box and each time it came up with fewer until it was down to 11. I had Firefox open and only 1 site open. But when I closed the command box, then reopened it and typed netstat it again came up with a whole slew of connections.

I run Avast 6.0 Internet Security and I do a FULL scan once every day. Once a week I do on demand scans with the free versions of SUPERAntiSpyware and Malwarebytes, always choosing the full scan option. So I'm finding it hard to believe I've got hidden spyware, but I'm getting scared at this point. I Googled "netstat" and I'm not reassured.

I found this: netstat -p TCP: To display a list of external machines (IP address or Machine names with Port Number) that your computer is connected to. (Screenshot 1)

netstat -e 10: This command displays the number of bytes sent and received in real time. The command loops after every 10 seconds to give you an idea of how much data is being transferred and at what rate. If you are not transferring a file over the internet but still large data is being sent across, that signals a problem. (Screenshot 2) Doesn't this screenshot show that I've got an awful large number of bytes being sent and received considering I was sending nothing and had 1 web page open?

My ISP really got me scared, so hope someone who knows more than I do can offer me some reassurance, or tell me what I should do.


I don't see anything abnormal. The first 6 connections are to a computer on your network called Cindy-PC. The last one is your PC fetching a web page from MSN. Not sure about the 2nd last one (it's getting a secured web page, most likely from MSN too) but there's nothing that looks like you're compromised.


While screenshot #1 probably is no problem, I have to play devil's advocate here for a minute. What about the screenshot that shows that I'm sending over 183 million bytes and receiving over 14 million -- when all I have open is one web page and I am not sending anything over the Internet? The explanation of this online said, "If you are not transferring a file over the internet but still large data is being sent across, that signals a problem."

Also, I refer back to the ISP tech guy telling me that typing "netstat" in and the result showing a large number of connections tells him there is spyware? I just opened the command window and typed "netstat" and once again I got a whole long list. See screenshot 3. I'm not second guessing you; it's just that it didn't sound to me like you addressed situations #2 and #3.

I know nothing at all about this and am only in a bit of panic mode because of what the ISP tech told me.


You could try to use netstat -no to show both the process ID opening the connection and the remote IP address. The process ID, or PID, can also be shown in Task Manager, so you'll be able to see there what process is making the connections, and then you can use Process Explorer (available on the Microsoft web site) to see a little more, like the number of threads launched by this process (a lot of threads, more than 100, may be bad).

netstat -e shows statistics of the interface since boot time and not in real time, so it doesn't show anything suspicious. If there were, every 10 seconds the number of packets sent and received would increase by big numbers (10000 or so).

Anyway, I still don't see how the tech guy does his job: in this case, he should run a file transfer test (about 100MB) to an FTP server hosted by your internet provider. That's the right way to check speed. There are also some websites saying that they can test your speed, but that's the speed you get to this particular website and not the whole internet, so it can report speeds a lot lower than your max one, as it heavily depends on the peering between the different providers.

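An added example, not part of any post in this thread: a Python script that reads saved `netstat -no` output, as suggested in the reply above, and counts connections per PID, separating loopback and local-network peers from external ones. The sample output, the addresses in it and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -no` output (not from the thread's screenshots).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49170        127.0.0.1:49171        ESTABLISHED     2104
  TCP    127.0.0.1:49171        127.0.0.1:49170        ESTABLISHED     2104
  TCP    192.168.1.20:445       192.168.1.35:50112     ESTABLISHED     4
  TCP    192.168.1.20:49201     203.0.113.10:443       ESTABLISHED     2104
  TCP    192.168.1.20:49202     203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.20:49203     198.51.100.7:80        CLOSE_WAIT      3316
  TCP    [::1]:49180            [::1]:49181            ESTABLISHED     1188
"""

# Private (RFC 1918) and IPv6 link-local ranges count as "lan".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10")]

def scope(endpoint):
    """Classify an 'address:port' endpoint as loopback, lan or external."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "lan" if any(ip in net for net in LAN_NETS) else "external"

def summarize(netstat_text):
    """Return {pid: counts per scope plus the set of external peers}."""
    per_pid = defaultdict(lambda: {"loopback": 0, "lan": 0, "external": 0,
                                   "remotes": set()})
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue  # skips the banner, the column header and blank lines
        _proto, _local, foreign, state, pid = parts
        kind = scope(foreign)
        per_pid[int(pid)][kind] += 1
        if kind == "external":
            per_pid[int(pid)]["remotes"].add((foreign, state))
    return dict(per_pid)

def external_pids(summary):
    """PIDs to look up in Task Manager: those with at least one external peer."""
    return sorted(pid for pid, s in summary.items() if s["external"])

if __name__ == "__main__":
    for pid, s in sorted(summarize(SAMPLE).items()):
        print(pid, s["loopback"], s["lan"], s["external"], sorted(s["remotes"]))
```

On Windows, connections in TIME_WAIT are listed under PID 0 because the owning process has already closed them, so PID 0 rows are not a process to hunt for.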

Thank you. This guy from ISP gave me his name in case I wanted to call him back. I'm going to call him and advise what you said about doing that file transfer test. It's real strange because for our area my download and upload speed tests are real good -- but then I go to download a 32 MB game, which shouldn't take any time at all, and I'm slow, slow.

But what about his statement that getting all these connections (screenshot 3) when I type in netstat indicates spyware?

I had that process explorer at one time and couldn't make heads nor tails out of it. I have no idea what the process of id of pid means.

Edited by Sophy