Nowadays every PC is constantly connected to the Internet, and you may not notice that numerous programs or system processes are running in the background and “silently” connecting to other devices or servers within your network or on the Internet.
Netstat is a built-in Windows command that comes with every flavor of Windows from XP to Windows 8. If you are still running Windows XP then please make sure you have SP2 installed (which should at least protect your computer to the maximum possible extent that Microsoft can offer).
To use the Netstat tool, you need to open the Command Prompt. You also need to have administrative rights on your computer. If you are using Windows 8.x, you can right-click on the Start button and select “Command Prompt (Admin)”.
If you are using Windows 7 or Vista, click the Start menu and type cmd in the Search box. When cmd.exe appears at the top of the results, right-click on it and select “Run as administrator” from the pop-up menu.
On some computers, if the UAC prompt appears, click Yes to continue.
At the command prompt, type the following and press Enter.
netstat -bf 2 > result.txt
The parameters are explained as follows:
- -b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
- -f Displays Fully Qualified Domain Names (FQDN) for foreign addresses.
- 2 is the interval. It means to collect the stats every 2 seconds.
The results will be directed to the result.txt file.
Try to run it for 3 minutes (or as long as you like) while you do normal activities on your computer. Press Ctrl-C to stop the capture.
All your network activities (including internal traffic within your home or office network, and external Internet traffic) and the programs that triggered them will be shown in the result.txt file, which you can examine using Notepad or import into Excel for sorting.
Under the Foreign Address column you will see the servers that your computer has connected to.
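Because the capture repeats every 2 seconds, result.txt lists the same connections many times. The following is an added example, not part of the original article: a small Python parser that collapses the repeats and groups foreign addresses by the executable that owns them. The function name summarize, the "(unknown)" label and the sample text are assumptions made for this illustration, and it expects English-language netstat output.

```python
from collections import defaultdict

# Constructed sample of `netstat -bf 2` output (two snapshots), not a real capture.
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     www.example.com:https  ESTABLISHED
 [browser.exe]
  TCP    192.168.1.10:49720     updates.example.net:http  ESTABLISHED
  ExampleSvc
 [svchost.exe]
  TCP    192.168.1.10:49733     files.example.org:https  TIME_WAIT
 Can not obtain ownership information

Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     www.example.com:https  ESTABLISHED
 [browser.exe]
  TCP    [2001:db8::10]:49750   [2001:db8::25]:993     ESTABLISHED
 [mailclient.exe]
"""

UNKNOWN = "(unknown)"  # label chosen here for rows netstat could not attribute

def summarize(lines):
    """Return {executable: set of (foreign_host, port)} with repeats collapsed."""
    owners = defaultdict(set)
    pending = None  # connection row still waiting for its owner line
    for raw in lines:
        line = raw.strip()
        parts = line.split()
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP"):
            if pending:  # previous row never got an owner line
                owners[UNKNOWN].add(pending)
            host, _, port = parts[2].rpartition(":")  # last colon keeps IPv6 intact
            pending = (host, port)
        elif pending and line.startswith("[") and line.endswith("]"):
            owners[line[1:-1].lower()].add(pending)
            pending = None
        elif pending and line.startswith("Can not obtain ownership"):
            owners[UNKNOWN].add(pending)
            pending = None
        # any other line is a header or a hosted component name: skip it
    if pending:  # capture was cut off (Ctrl-C) before the owner line
        owners[UNKNOWN].add(pending)
    return dict(owners)

if __name__ == "__main__":
    for exe, endpoints in sorted(summarize(SAMPLE.splitlines()).items()):
        print(exe, sorted(endpoints))
```

To run it on a real capture, pass the lines of the file instead of the sample, for example summarize(open("result.txt", errors="replace")).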
If you just want to see what websites your computer has connected to, you can use the following netstat parameters:
netstat -bf 2 | find ":80" > result2.txt
netstat -bf 2 | find ":http" > result2.txt
If you want to see in (almost) real time what websites your computer is connecting to, remove the trailing output redirection (> result.txt or > result2.txt) and the results will be printed to the window every 2 seconds.
There are other free tools which can display your computer’s network activities and provide useful insights into what programs are triggering them. If interested, check out TCPView (http://technet.microsoft.com/en-sg/sysinternals/bb897437.aspx) from Sysinternals and CurrPorts (http://www.nirsoft.net/utils/cports.html) from NirSoft. Both can run as portable applications that do not require any installation, and both support all versions of Windows. For CurrPorts, choose the correct 32-bit or 64-bit version when you download it from the NirSoft site.