NETSTAT Have I caught a lurker?
Steve-O
02-15-02, 09:54 PM
I learned of the command "netstat -a" at the BlackCode site. I tried it on my machine while DSL was active and someone at a particular IP is sitting on my port 1047 even though the status is "close_wait". I have had security scans done at many sites and no one has been able to crack a single port. Does this report mean that this IP is camped on my closed port 1047 waiting for it to provide access? If so, how can I ID the offender? I did a tracert but it didn't resolve a domain for the IP. I just did another netstat and two more IPs are there with the status "time_wait". Any information would be helpful. Thanks in advance.
Could you copy and paste a copy of your netstat -a?
I really don't think it's anything to worry about. "Time wait" is a connection just closed and the system is waiting to see if it will be reopened. By doing this, it doesn't take as long to establish a possible severed connection.
Let us have a look, but be sure if your IP is in the list to edit it out.
Steve-O
02-16-02, 12:20 AM
I can't seem to find a way to copy and paste the contents of the command prompt window. I used an Image Capture program and saved the file as a *.jpeg but the forum won't let me use attachments. Any idea how I can copy and paste from the prompt window with no menu commands? Thanks.
Post the IP and I will run it thru Neotrace.
Croc.
Steve-O
02-16-02, 06:47 AM
Thanks Croc, IP is 141.150.159.90. What kind of tool is Neotrace? Thanks.
It comes back to Bell Atlantic.
Bell Atlantic (NETBLK-BELL-ATLANTIC)
1880 Campus Commons Drive
Reston, VA 20191
US
Netname: BELL-ATLANTIC
Netblock: 141.149.0.0 - 141.158.255.255
Maintainer: BAIS
Coordinator:
Verizon Global Networks Inc. (ZV20-ARIN) noc@gnilink.net
(703) 295-4583
Domain System inverse mapping provided by:
NSDC.BA-DSG.NET 199.45.45.14
GTEPH.BA-DSG.NET 141.151.0.68
Record last updated on 19-Jul-2001.
Database last updated on 15-Feb-2002 19:56:15 EDT.
The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.
You can get a free copy of NeoTrace Express here (http://www.webattack.com/download/dlneofree.shtml), and there is a useful site on the web that has even more tools. See below:
http://www.all-nettools.com/
another link you might find useful
http://www.ciberpol.com/eng/netstat_made_easy.htm
In order to copy and paste from DOS, you need to run your netstat and then click on what looks like a box outlined, take your cursor and highlight the entries to be copied, then click the copy button. I open up Notepad and paste the contents in there, rather than to the clipboard from within netstat. Actually, it's a pain in the arse to do that from the DOS window, but it can be done. So you know for the future. You can try and experiment with it and see what way you like to use it. :)
Just for your info.
In a command prompt window click the little drive letter identifier box or the letters msdosv on the left top corner.
Then select edit
mark(now highlight everything you want to copy)
then select edit copy
You can now paste it into Notepad or whatever you want.
Jon
What I do instead of going through the Dos window for netstat -a is make a small batch file, so I can just click it when I need to.
Copy/paste the following lines into Notepad, then save it, and then rename it to anything.bat (Netstat.bat is good)
@ECHO OFF
%systemroot%\system32\netstat -a -e -n -r -s >netstat.txt
netstat.txt
cls
@exit
Then you can just click the .bat file and the results come up in Notepad. You can copy/paste from there easily.
Steve-O
02-16-02, 01:50 PM
Thanks to Blebs99, Jon, and Norm for the good info. I appreciate all of you taking the time. Later.
Sorry I didn't get back, Steve-O.
Time differences between U.S. and Australia. Needed the sleep.
Looks like it's all sorted anyway.
Croc.
FYI - (Norm, you forgot to mention this)
"close wait" is nothing to be alarmed about. When you connect to a server via the browser, then close the browser, or move to a different site, the connection to the first server is still there. It is "closed" but "waiting" for a return response from you/vice versa on the server too.
The length of time close-wait will exist depends upon server TCP/IP settings.
close-wait means the connection is actually closed but can be reopened quickly upon your initiation.
Steve-O
02-16-02, 11:09 PM
Thanks Tony, that's what I was lookin' for. Later.
onetrueday
02-19-02, 02:08 AM
Originally posted by Norm
What I do instead of going through the Dos window for netstat -a is make a small batch file, so I can just click it when I need to.
Copy/paste the following lines into Notepad, then save it, and then rename it to anything.bat (Netstat.bat is good)
@ECHO OFF
%systemroot%\system32\netstat -a -e -n -r -s >netstat.txt
netstat.txt
cls
@exit
Then you can just click the .bat file and the results come up in Notepad. You can copy/paste from there easily.
you are god.
thanks!
I think a switch or command is missing from that code, Norm; the bat closes immediately and no Notepad.
Originally posted by TonyT
I think a switch or command is missing from that code, Norm; the bat closes immediately and no Notepad.
No there is no missing switch or command, it works just fine.
Sorry Tony, and anyone else on Win98, the above is for Win2K and possibly XP.
If you're on Win98, use the following lines.
@ECHO OFF
%windir%\netstat -a -e -n -r -s >netstat.txt
start netstat.txt
cls
@exit
cyberskye
02-19-02, 11:50 AM
I think a switch or command is missing from that code, Norm; the bat closes immediately and no Notepad.
One little piece on the third line:
@ECHO OFF
%systemroot%\system32\netstat -a -e -n -r -s >netstat.txt
notepad.exe netstat.txt
cls
@exit
Have fun,
Skye
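Pulling together the two practical pieces of this thread, the netstat.bat files above that dump netstat output into netstat.txt, and Tony's point that TIME_WAIT and CLOSE_WAIT entries are connections that have already been shut down rather than someone sitting on a port, here is an added Python example. It is not code from this thread or from any of the posters. It reads Windows-style `netstat -an` text, sorts every TCP entry into listening sockets, established sessions and closing-phase leftovers, and counts how often each remote IP appears. The sample netstat output and the addresses in it are constructed for the example (documentation ranges, not the IP discussed above); to run it on your own machine, paste in the contents of netstat.txt instead.

```python
"""Triage of ``netstat -an`` output: which entries deserve a second look?

Added example, not code from the thread. The parser expects the Windows
layout (Proto, Local Address, Foreign Address, State) that netstat.bat
redirects into netstat.txt. The sample text below is constructed.
"""
from collections import Counter

# TCP states in which at least one side has already shut the connection
# down; they linger only until the protocol timers expire.
CLOSING_STATES = {
    "TIME_WAIT",   # local side sent the final close; waits 2*MSL before reuse
    "CLOSE_WAIT",  # remote side closed; local program has not closed its socket yet
    "FIN_WAIT_1",
    "FIN_WAIT_2",
    "LAST_ACK",
    "CLOSING",
}

# Constructed sample of what ``netstat -an`` prints on Windows.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1047        198.51.100.7:80        CLOSE_WAIT
  TCP    192.0.2.10:1051        198.51.100.7:80        TIME_WAIT
  TCP    192.0.2.10:1052        203.0.113.44:80        TIME_WAIT
  TCP    192.0.2.10:1060        203.0.113.44:443       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def parse_netstat(text):
    """Return (proto, local, remote, state) tuples for every TCP/UDP row.

    UDP rows carry no state column and get state "". The banner and the
    column header are skipped because their first token is not TCP/UDP.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        rows.append((proto, local, remote, state))
    return rows


def triage(text):
    """Bucket rows: listening sockets, live sessions, closing leftovers, other."""
    buckets = {"listening": [], "established": [], "closing": [], "other": []}
    for proto, local, remote, state in parse_netstat(text):
        if state == "LISTENING":
            buckets["listening"].append((proto, local))
        elif state == "ESTABLISHED":
            buckets["established"].append((proto, local, remote))
        elif state in CLOSING_STATES:
            buckets["closing"].append((proto, local, remote, state))
        else:
            buckets["other"].append((proto, local, remote, state))
    return buckets


def remote_hosts(text):
    """Count rows per remote IP (port stripped), ignoring wildcard addresses."""
    counts = Counter()
    for _proto, _local, remote, _state in parse_netstat(text):
        host = remote.rsplit(":", 1)[0]
        if host not in ("0.0.0.0", "*"):
            counts[host] += 1
    return counts


if __name__ == "__main__":
    result = triage(SAMPLE)
    for name in ("listening", "established", "closing", "other"):
        print(f"{name}: {len(result[name])}")
        for entry in result[name]:
            print("   ", " ".join(entry))
    print("remote hosts:", dict(remote_hosts(SAMPLE)))
```

The `-n` switch in the batch files matters here: it keeps addresses numeric, so the parser never has to cope with resolved host names in the Foreign Address column. In the sample, the CLOSE_WAIT entry on local port 1047 lands in the closing bucket together with the TIME_WAIT rows, while the only live session is the ESTABLISHED one; the entries worth a closer look on a home machine are unexpected LISTENING ports and ESTABLISHED sessions to hosts you do not recognise.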
RadPike
02-19-02, 10:33 PM
works fine on XP ;)
That's a great trick! Thanks for the tip.