Host activity
One of the tools we have to monitor host activity is the netstat command.
This tool is widely available across operating systems. On Windows, Linux and BSD, via PowerShell, the command prompt, bash or another shell, it lets you identify the host's current IP connections and data flows.
Common commands. Routing information:
#Windows:
netstat -r
===========================================================================
Interface List
3...22 15 xx 4b xx ec ......Hyper-V Virtual Ethernet Adapter
12...00 15 xx 01 xx 06 ......Hyper-V Virtual Ethernet Adapter #2
17...5c c5 xx 80 xx xx ......Microsoft Wi-Fi Direct Virtual Adapter
9...b0 9d xx xx xx xx ......Sierra Wireless EM7345 4G LTE
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.111.1 192.168.111.1 50
10.12.12.0 255.255.255.0 On-link 10.12.12.1 271
10.12.12.1 255.255.255.255 On-link 10.12.12.1 271
===========================================================================
Persistent Routes:
None
#Linux:
netstat -r
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
default _gateway 0.0.0.0 UG 0 0 0 eth0
localnet 0.0.0.0 255.255.255.0 U 0 0 0 eth0
link-local 0.0.0.0 255.255.0.0 U 0 0 0 eth0
#BSD:
netstat -r
Routing tables
Internet:
Destination Gateway Flags Netif Expire
default 10.12.12.123 UGS em1
localhost link#6 UH lo0
192.168.1.0/24 192.xxx.xxx.xxx UGS ipsec100
192.168.1.0/24 link#9 U lagg0
gw1 link#9 UHS lo0
#An important option of the netstat command is "all" (-a or --all).
#It shows all network activity, listening sockets as well as established connections, with name resolution:
netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 dune1:38110 152.195.xxx.xxx:https ESTABLISHED
tcp 0 0 dune1:49314 151.101.xxx.x:https ESTABLISHED
tcp 0 0 dune1:38426 arn02s06-in-fxxx.:https ESTABLISHED
tcp 0 0 dune1:48200 147.67.xxx.xx:https ESTABLISHED
tcp 0 0 dune1:48208 147.67.xxx.xx:https ESTABLISHED
tcp 0 0 dune1:57534 104.24.xxx.xxx:https ESTABLISHED
tcp 0 0 dune1:48758 ec2-54-xxx-xx-183:https ESTABLISHED
tcp 0 0 dune1:45554 madxxsxx-in-fxx.1:https ESTABLISHED
tcp 0 0 dune1:38870 server-xx-xx-90-x:https ESTABLISHED
tcp 353 0 dune1:48138 madxxsxx-in-fxxx.:https ESTABLISHED
tcp 0 0 dune1:60312 server-xx-xxx-186:https ESTABLISHED
tcp 0 0 dune1:51862 madxxsxx-in-fxx.1:https ESTABLISHED
tcp 0 0 dune1:48756 ec2-xx-xxx-56-183:https ESTABLISHED
tcp 0 0 dune1:49312 151.101.xxx.x:https ESTABLISHED
tcp 0 0 dune1:60346 a92-122-xxx-xx.de:https ESTABLISHED
If addresses cannot be resolved (or resolution is slow), use the numeric option (-n), which prints raw IP addresses and port numbers:
netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 10.12.12.2:48200 147.67.210.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:48208 147.67.210.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:49490 151.101.133.x:443 ESTABLISHED
tcp 0 0 10.12.12.2:48202 147.67.210.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:48206 147.67.210.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:49488 151.101.133.x:443 ESTABLISHED
tcp 0 0 10.12.12.2:50378 92.122.242.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:48204 147.67.210.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:48210 147.67.210.xx:443 ESTABLISHED
tcp 0 0 10.12.12.2:41194 147.67.210.xx:443 ESTABLISHED
tcp 0 208 10.12.12.2:22 10.12.12.1:1764 ESTABLISHED
tcp6 0 0 ::1:631 :::* LISTEN
tcp6 0 0 ::1:25 :::* LISTEN
udp 0 0 10.12.12.2:46372 172.217.17.xxx:443 ESTABLISHED
udp 0 0 10.12.12.2:54704 0.0.0.0:*
udp 0 0 0.0.0.0:46555 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 10.12.12.2:42016 172.217.168.xxx:443 ESTABLISHED
udp 0 0 10.12.12.2:32802 213.30.114.xxx:443 ESTABLISHED
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp6 0 0 :::49319 :::*
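Reading a long numeric listing by eye is error-prone, so here is a small parser, added as an example and not part of the original post, that turns netstat -na output into the three things a defender usually wants: listeners bound to every interface (reachable from the network), established sessions split into inbound (to one of our listening ports) and outbound, and a count of connections per remote address, which is the list you would feed to geoiplookup or an allow-list. The sample text is constructed to mirror the Linux output above; the addresses are invented and the function names are my own.

```python
from collections import Counter

# Constructed sample in the shape of `netstat -na` on Linux (addresses invented).
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 10.12.12.2:48200        147.67.210.10:443       ESTABLISHED
tcp        0      0 10.12.12.2:48208        147.67.210.10:443       ESTABLISHED
tcp        0    208 10.12.12.2:22           10.12.12.1:1764         ESTABLISHED
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp        0      0 10.12.12.2:46372        172.217.17.14:443       ESTABLISHED
"""

WILDCARD = {"0.0.0.0", "::", "*"}   # "bound to every interface"
LOOPBACK = {"127.0.0.1", "::1"}


def split_endpoint(endpoint):
    """Split 'addr:port' on the LAST colon, so IPv6 forms like ::1:631 and :::* work."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto, recvq, sendq, local, foreign = parts[:5]
        state = parts[5] if len(parts) > 5 else ""   # UDP rows often carry no state
        laddr, lport = split_endpoint(local)
        faddr, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "recvq": int(recvq), "sendq": int(sendq),
                     "laddr": laddr, "lport": lport,
                     "faddr": faddr, "fport": fport, "state": state})
    return rows


def is_listener(row):
    # TCP says LISTEN explicitly; a UDP socket with foreign '*' is waiting for input.
    return row["state"] == "LISTEN" or (row["proto"].startswith("udp") and row["fport"] == "*")


def exposed_listeners(rows):
    """(proto, port) pairs bound to a wildcard address, i.e. reachable from the network."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if is_listener(r) and r["laddr"] in WILDCARD})


def loopback_listeners(rows):
    """(proto, port) pairs only reachable from the host itself."""
    return sorted({(r["proto"], r["lport"]) for r in rows
                   if is_listener(r) and r["laddr"] in LOOPBACK})


def sessions(rows):
    """Split ESTABLISHED rows into inbound (peer connected to one of our listening
    ports) and outbound (we connected out from an ephemeral port)."""
    listening_ports = {r["lport"] for r in rows if is_listener(r)}
    inbound, outbound = [], []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        (inbound if r["lport"] in listening_ports else outbound).append(r)
    return inbound, outbound


def peers(rows):
    """Established connections per remote address, the list to run through geoiplookup."""
    return Counter(r["faddr"] for r in rows if r["state"] == "ESTABLISHED")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("exposed listeners :", exposed_listeners(rows))
    print("loopback listeners:", loopback_listeners(rows))
    inbound, outbound = sessions(rows)
    print("inbound sessions  :", [(r["faddr"], r["fport"], r["lport"]) for r in inbound])
    print("outbound sessions :", [(r["faddr"], r["fport"]) for r in outbound])
    print("peers             :", peers(rows).most_common())
```

Pipe a real listing into it (netstat -na | python3 hostactivity.py, reading sys.stdin instead of SAMPLE) and the interesting rows stand out: a listener on 0.0.0.0 that you did not expect, or an inbound session on a service port from an address that is not yours. Splitting on the last colon matters because Linux prints IPv6 wildcards as :::* rather than [::]:*.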
On Linux, for instance, you can install geo-localization tools to see which country a remote address belongs to:
#Debian:
apt install geoip-bin geoip-database
#Gentoo:
emerge -av geoip-bin geoip-database
#Redhat:
yum install geoip-bin geoip-database
#SLES:
zypper in geoip-bin geoip-database
#Then look up a remote address taken from the netstat listing:
geoiplookup 92.122.xxx.xx
GeoIP Country Edition: DE, Germany
On Windows you also have several tools. Many can be found in the Sysinternals suite; one such application is TCPView.