If you suspect someone’s secretly connecting to your computer (like a backdoor from malware or a hacker), the netstat command can help you peek at what’s happening with your network connections. Think of it as a window into who’s “talking” to your machine and through which “doors” (ports). Here’s how to use it to check for suspicious activity.
What You’ll Need
- A Windows, macOS, or Linux computer.
- A command-line tool (Command Prompt on Windows, Terminal on macOS/Linux).
- No special software—just tools already on your system.
Step 1: Open Your Command Line
- Windows: Press Win + R, type cmd, and hit Enter.
- macOS/Linux: Search for “Terminal” in your applications and open it.
Step 2: Run the netstat Command
Type this command and press Enter:
- Windows: netstat -ano
- macOS/Linux: netstat -tulnp (Note: On macOS, use netstat -an instead, as -tulnp is Linux-specific; macOS netstat cannot show the owning program, so use lsof -i -P for that.)
Here’s what these options mean:
- -a: Shows all connections, not just active ones.
- -n: Displays IP addresses and port numbers (no names, for clarity).
- -o (Windows only): Shows the Process ID (PID) tied to each connection.
- -tuln (Linux): -t and -u select TCP and UDP sockets, -l shows only listening sockets, and -n uses numeric addresses. Because of -l, this shows listeners only; to also see ESTABLISHED connections, run netstat -tunap.
- -p (Linux): Shows the program/process using the port. Run it with sudo; otherwise processes owned by other users show as - instead of a name.
You’ll see a list of connections—don’t panic if it’s long! We’ll narrow it down.
Step 3: Understand the Output
Here’s a sample output from Windows (netstat -ano):
Proto  Local Address        Foreign Address      State        PID
TCP    192.168.1.10:12345   0.0.0.0:0            LISTENING    4567
TCP    192.168.1.10:80      203.0.113.5:54321    ESTABLISHED  7890
- Proto: Protocol (TCP or UDP).
- Local Address: Your computer’s IP and port (e.g., 192.168.1.10:12345).
- Foreign Address: The remote IP and port connecting to you (e.g., 203.0.113.5:54321).
- State: LISTENING (waiting for a connection) or ESTABLISHED (active link).
- PID: The process ID running this connection.
On Linux (netstat -tulnp):
Proto  Local Address   Foreign Address   State    PID/Program name
tcp    0.0.0.0:22      0.0.0.0:*         LISTEN   1234/sshd
udp    0.0.0.0:123     0.0.0.0:*                  5678/ntpd
Step 4: Spot Suspicious Backdoors
A backdoor is a hidden connection letting someone control your system. Look for these red flags:
- Weird Ports: Ports like 12345, 4444, or 6666 aren’t common for legit apps (e.g., web uses 80, SSH uses 22). Google unfamiliar port numbers.
- Unknown Foreign IPs: If Foreign Address shows an IP you don’t recognize (not your router or a known service like Google’s 8.8.8.8), it’s suspect.
- Listening State: Lots of LISTENING entries on odd ports could mean something’s waiting for a hacker to connect.
- Unexpected Processes: On Windows, check the PID in Task Manager (Ctrl+Shift+Esc > Details tab). On Linux, the PID/Program name column shows the app (e.g., sshd is normal, but a program name you don't recognize isn't).
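As an added example (not part of this guide), here is a small Python script that applies the red flags above to constructed netstat -ano lines in the Windows layout; the expected listening ports, trusted networks and suspicious ports are assumptions to adjust for your own machine.

```python
import ipaddress
# Constructed sample in the Windows `netstat -ano` layout (not captured from a real host).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:12345     0.0.0.0:0              LISTENING       4567
  TCP    192.168.1.10:80        203.0.113.5:54321      ESTABLISHED     7890
  TCP    192.168.1.10:49712     198.51.100.1:4444      ESTABLISHED     9999
  UDP    0.0.0.0:123            *:*                                    5678
"""
EXPECTED_LISTEN_PORTS = {22, 80, 135, 443, 445, 3389}  # assumption: services you expect to listen
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "8.8.8.8/32")]
SUSPICIOUS_PORTS = {4444, 6666, 12345}  # ports the guide calls out as red flags
def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from netstat -ano output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):  # skip header and blank lines
            continue
        state, pid = (parts[3], parts[4]) if parts[0] == "TCP" else ("", parts[3])  # UDP has no State
        rows.append((parts[0], parts[1], parts[2], state, int(pid)))
    return rows

def split_addr(addr):  # '198.51.100.1:4444' -> ('198.51.100.1', 4444); '*:*' -> ('*', None)
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def is_trusted(host):  # loopback, wildcard and allow-listed networks are not "unknown peers"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # '*' placeholder, not a real peer
    return ip.is_loopback or ip.is_unspecified or any(ip in net for net in TRUSTED_NETWORKS)

def find_red_flags(rows):
    """Apply the guide's checks: odd listening ports, known-bad ports, unknown remote peers."""
    flags = []
    for proto, local, foreign, state, pid in rows:
        (_, lport), (fhost, fport) = split_addr(local), split_addr(foreign)
        reasons = []
        if state == "LISTENING" and lport not in EXPECTED_LISTEN_PORTS:
            reasons.append(f"listening on unexpected port {lport}")
        if lport in SUSPICIOUS_PORTS or fport in SUSPICIOUS_PORTS:
            reasons.append("port commonly associated with backdoors")
        # Inbound clients of an expected service (e.g. local port 80) are not flagged by peer IP.
        if state == "ESTABLISHED" and lport not in EXPECTED_LISTEN_PORTS and not is_trusted(fhost):
            reasons.append(f"established to unknown peer {fhost}")
        if reasons:
            flags.append((pid, local, foreign, "; ".join(reasons)))
    return flags
```

To run it on a real machine, replace SAMPLE_NETSTAT with the output of netstat -ano and look up each flagged PID in Task Manager as described in Step 5.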
Step 5: Investigate with PID (Windows)
If you see something odd (e.g., TCP 192.168.1.10:12345 0.0.0.0:0 LISTENING 4567):
- Open Task Manager (Ctrl+Shift+Esc).
- Go to the “Details” tab, find the PID (4567), and see what program it is.
- If it’s not something you recognize (e.g., not Chrome or Zoom), it might be trouble.
Step 6: Test and Act
- Run netstat when the computer is idle (no apps open) to see what's still active; a clean system should have only a handful of connections, mostly from services you recognize.
- If you spot a backdoor (e.g., a strange IP on port 4444), disconnect from the internet, run an antivirus scan (like Windows Defender or Malwarebytes), and consider professional help.
Example of a Backdoor
Normal: TCP 192.168.1.10:80 203.0.113.5:54321 ESTABLISHED 7890 (your web server talking to a client).
Suspicious: TCP 192.168.1.10:6666 198.51.100.1:12345 LISTENING 9999 (odd port, unknown IP).
Note that a socket that is genuinely LISTENING shows 0.0.0.0:0 as its foreign address; a remote IP only appears once a connection is ESTABLISHED. So treat the odd local port and the unknown remote IP as two separate red flags, and check the PID behind either one.