Security: How To Monitor Your Network Connections

One of the most important concepts in computer security is “knowing thy
system”. This essentially means that in order to be able to protect
something you need to have some idea of what it’s doing and/or how it works.

Your computer’s connections to the outside world is among the most important
information you can have about your system. In addition to what connections
are currently established, you also want to know what ports your computer is
“listening” on, or in other words, what ways other systems are able to
interact with your computer.

Below I’ll cover how to see who your Windows or Linux computer is currently
talking to, and the ways your computer is willing to talk through
open, listening ports.

Ports

There is often some confusion about what network ports are, and what it
means for them to be “open”. Think of network ports as spring-loaded windows
on a house. So if someone doesn’t actively hold the window open, it’ll shut
automatically and remain closed until it’s opened again.

The important thing to remember is that when you see a port open on your
system, it’s because something opened it. Remember, if there wasn’t a
midget in the window it would just close by itself. The issue then becomes
finding out what program opened the port, and whether or not it’s
legitimate.

Windows

Windows has a built-in tool called netstat that can show a decent amount of
information. If you just have a quick question about a certain port you can
use it right from the command line and avoid using a third party
application:

netstat -an | find “LISTENING”

TCP    0.0.0.0:135          0.0.0.0:0            LISTENING
TCP    0.0.0.0:445           0.0.0.0:0            LISTENING
TCP    0.0.0.0:1049          0.0.0.0:0            LISTENING
TCP    0.0.0.0:9000          0.0.0.0:0            LISTENING
TCP    0.0.0.0:33333         0.0.0.0:0            LISTENING

netstat -an | find “ESTABLISHED”

TCP    1.2.3.4:4095          66.102.7.99:80          ESTABLISHED
TCP    1.2.3.4:8324          209.73.177.115:25       ESTABLISHED

Tcpview

For those that want more information about their network connections and/or
are graphically inclined, there’s a free tool called Tcpview that’s a must
for any serious Windows user.

Tcpview allows you to view, in real time, the connections that are open on
your system. Not only does it update constantly as connections spawn or die
off, but
it also shows you what program is responsible for opening a given port on
your system. [For those bent on command line kung-fu, you can get similar
functionality from netstat -anb]

Linux

Being a Linux/OS X guy myself I would deserve a good pummeling if I didn’t
show how to get similar information from a *nix system. The best way to do
this is with the lsof command:

lsof -i

COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
dhcpcd  6061 root    4u  IPv4   4510       UDP *:bootpc
sshd    7703 root    3u  IPv6   6499       TCP *:ssh (LISTEN)
sshd    7892 root    3u  IPv6   6757       TCP 10.10.1.5:ssh->
192.168.1.5:49901 (ESTABLISHED)

lsof
>

lsof -iTCP // only TCPlsof -iUDP // only UDPlsof -i :22 // involving port
22lsof -i :@attacker.com // connections with attacker.comlsof -i :1.2.3.4 //
connections to 1.2.3.4lsof -i :mail.com:25 // connections to mail.com on the
SMTP portlsof -i | grep LISTEN // see what’s listeninglsof -i | grep
ESTABLISHED // see what’s established

Conclusion

Knowing who your system is talking to (and who it’s willing to talk
to) is crucial to your overall computer security. Using the short guide
above you can now gather this information in both Windows and *nix
environments.:

—1 Not true in all cases.