Netstat:What is normal # of established connections?

Discussion in 'other security issues & news' started by emir, Jan 10, 2006.

Thread Status:
Not open for further replies.
  1. emir

    emir Registered Member

    Joined:
    Dec 21, 2005
    Posts:
    61
    I've gone into packet forensics and trying to understand the Windows API, but I still am not satisfied about the answers I have gotten from people about how many connections should show up established on netstat's output. I've never posted this question here; will someone who is sure about this please take the time to let me know how many should be established on a computer with, say, Sygate and NOD32 being among the TCP/IP stack, or with, say, ZoneAlarm Security Suite in the stack.
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    There is no magic number where "X" is OK and "Y" is not. Connections showing in netstat will vary on OS version, configuration, services and applications running. When looking at these connections I will usually first determine if it belongs to a trusted process, then look into why these processes use the connections they do.

    Regards,

    CrazyM
     
  3. emir

    emir Registered Member

    Joined:
    Dec 21, 2005
    Posts:
    61
    You think nmap is what I should use for port to process mapping CrazyM?
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    You could use the OS itself; with XP, "netstat -ano" will list active connections and the associated PID (process). When you see multiple instances of svchost.exe, use "tasklist /svc" to see the services associated with each instance.

    When exploring what is going on with your system there are several utilities out there, and as far as free ones go I don't think you could go wrong checking out the ones at Sysinternals. In this case, for checking connections and processes you would want to consider using TCPView and Process Explorer.

    Regards,

    CrazyM
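The PID-to-process mapping CrazyM describes, as an added worked example (not code from this thread): it parses constructed sample output of "netstat -ano" and "tasklist /svc" and joins the ESTABLISHED TCP rows to the owning image and, for svchost.exe, the services it hosts. The sample outputs are constructed, not real captures, and the column layout assumed is the standard XP/Windows format of those two commands.

```python
import re

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49321     93.184.216.34:443      ESTABLISHED     1234
  TCP    192.168.1.10:49322     192.168.1.1:80         ESTABLISHED     2048
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  UDP    0.0.0.0:5353           *:*                                    4567
"""

# Constructed sample of `tasklist /svc` output (not a real capture).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    892 RpcSs, RpcEptMapper
svchost.exe                   1234 Dnscache
chrome.exe                    2048 N/A
"""

def parse_netstat(text):
    """One dict per connection row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # title, header and blank lines
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append({"proto": parts[0], "local": parts[1], "remote": parts[2],
                     "state": state, "pid": int(parts[-1])})
    return rows

def parse_tasklist(text):
    """Map PID -> (image name, hosted services); 'N/A' means none."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue  # header and separator lines do not match
        image, pid, svc = m.group(1), int(m.group(2)), m.group(3).strip()
        procs[pid] = (image, [] if svc == "N/A" else [s.strip() for s in svc.split(",")])
    return procs

def established_by_process(netstat_text, tasklist_text):
    """Join ESTABLISHED TCP rows to the owning image and its services."""
    procs = parse_tasklist(tasklist_text)
    return [(r["pid"], *procs.get(r["pid"], ("<unknown pid>", [])), r["local"], r["remote"])
            for r in parse_netstat(netstat_text) if r["state"] == "ESTABLISHED"]
```

A PID that netstat reports but tasklist does not list comes back as "<unknown pid>", which is itself worth a second look since the process may have exited or be hiding from the task list.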
     