# Using netstat command to check who is logged on



## manishrathi (Apr 21, 2009)

When I run the netstat command on the cmd line, I get output with 4 columns: protocol, local address, foreign address and state.

Here is the output when I use netstat at the cmd line:

```
C:\Users\Manish>netstat -a

Active Connections

  Proto  Local Address                          Foreign Address         State
  TCP    0.0.0.0:7                              Manish-PC:0             LISTEN
  TCP    0.0.0.0:9                              Manish-PC:0             LISTEN
  TCP    0.0.0.0:13                             Manish-PC:0             LISTEN
  TCP    0.0.0.0:17                             Manish-PC:0             LISTEN
  TCP    0.0.0.0:19                             Manish-PC:0             LISTEN
  TCP    127.0.0.1:3826                         Manish-PC:0             LISTEN
  TCP    127.0.0.1:10110                        Manish-PC:0             LISTEN
  TCP    127.0.0.1:12025                        Manish-PC:0             LISTEN
  TCP    127.0.0.1:12080                        Manish-PC:0             LISTEN
  TCP    127.0.0.1:12110                        Manish-PC:0             LISTEN
  TCP    127.0.0.1:12119                        Manish-PC:0             LISTEN
  TCP    192.168.1.102:139                      Manish-PC:0             LISTEN
  TCP    192.168.1.102:49203                    lga15s02-in-f154:http   TIME_W
  TCP    192.168.1.102:49205                    lga15s01-in-f164:http   TIME_W
  TCP    192.168.1.102:49213                    iad04s01-in-f113:http   TIME_W
  TCP    192.168.1.102:49223                    iad04s01-in-f113:http   TIME_W
  TCP    192.168.1.102:49261                    lga15s02-in-f148:http   TIME_W
  TCP    [::]:7                                 Manish-PC:0             LISTEN
  TCP    [::]:9                                 Manish-PC:0             LISTEN
  TCP    [::]:13                                Manish-PC:0             LISTEN
  TCP    [::]:17                                Manish-PC:0             LISTEN
  TCP    [::]:19                                Manish-PC:0             LISTEN
  UDP    0.0.0.0:7                              *:*
  UDP    0.0.0.0:9                              *:*
  UDP    0.0.0.0:13                             *:*
  UDP    0.0.0.0:17                             *:*
  UDP    0.0.0.0:19                             *:*
  UDP    0.0.0.0:500                            *:*
  UDP    127.0.0.1:1900                         *:*
  UDP    127.0.0.1:57930                        *:*
  UDP    192.168.1.102:137                      *:*
  UDP    192.168.1.102:138                      *:*
  UDP    [::]:7                                 *:*
  UDP    [::]:9                                 *:*
  UDP    [::]:13                                *:*
  UDP    [::]:17                                *:*
  UDP    [::]:19                                *:*
  UDP    [::]:500                               *:*
  UDP    [fe80::1c19:1ec5:3b78:b2ae%13]:1900    *:*
  UDP    [fe80::1c19:1ec5:3b78:b2ae%13]:57927   *:*
```



Local address is the IP address of my computer; foreign address is the address of the computer to which my computer is connected.

If that's the case, then in local address I see 0.0.0.0:7, 0.0.0.0:9, 0.0.0.0:13 etc. What does this indicate? It looks like different ports on my computer are listening to different services. Then I see 127.0.0.1:3826, 127.0.0.1:10110 etc. as local address. Is this 127.0.0.1 a temporary IP address assigned to my computer (by DHCP)? Again in the same output list, I see 192.168.1.102:139, 192.168.1.102:2869 etc. as local addresses. So how can there be two IP addresses assigned to my computer?

Then in the Foreign address column, I see the name of my computer itself paired against the local address. So how come local address and foreign address are both of my computer only?

Please explain this output.


thanks


----------



## ab0mbs (Jul 18, 2009)

The 127.0.0.1 address is the localhost or the loopback address. This is an address that, if pinged, will ping your own network card. The 192.168.1.102 address is assigned by your router's DHCP server. When you ping this you are pinging your own computer again but going through the router and back to your computer. The reason you see 127.0.0.1 as a local and your computer as foreign address is because you used netstat -a. If you use netstat -n then it will show that Manish-PC is really 127.0.0.1. The ports that are listening are usually programs running on your computer. On mine I have ports 23 and 445 listening. 23 is Telnet and 445 is used by AIM. Basically your computer is listening on itself to see if a certain program is communicating with the internet.


----------



## manishrathi (Apr 21, 2009)

What's the difference between netstat -a and netstat -n?

What is the meaning of [:]:7 *:* ?


thanks


----------



## ab0mbs (Jul 18, 2009)

netstat -a will show names of devices like your computer name and a website name, while netstat -n shows the IP address. And honestly I am not sure what that means. I assume that the * is a wildcard saying anything is to any port. The [:] might be a ditto but I am not positive.


----------
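Added example, not written by either poster: a small Python parser that reads `netstat` lines in the layout quoted in the thread and labels each waiting socket by the scope of its local bind address, which is what decides whether other machines can reach it. The sample lines are constructed (the connection line is invented), the function names are hypothetical, and the classification uses the standard meanings of `0.0.0.0` and `[::]` (unspecified address, i.e. every interface), `127.0.0.1` (loopback) and `fe80::` (link-local).

```python
import ipaddress

# Constructed sample in the layout of the `netstat -a` output quoted in the thread.
SAMPLE = """\
  TCP    0.0.0.0:7              Manish-PC:0        LISTEN
  TCP    127.0.0.1:3826         Manish-PC:0        LISTEN
  TCP    192.168.1.102:139      Manish-PC:0        LISTEN
  TCP    192.168.1.102:49203    remote-host:http   ESTABLISHED
  TCP    [::]:7                 Manish-PC:0        LISTEN
  UDP    0.0.0.0:500            *:*
  UDP    [fe80::1c19:1ec5:3b78:b2ae%13]:1900  *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr%zone]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], port

def scope(addr):
    """Classify which interfaces a local bind address covers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unresolved-name"   # netstat printed a host name; rerun with -n
    if ip.is_unspecified:          # 0.0.0.0 or :: -> every interface of that family
        return "all-interfaces"
    if ip.is_loopback:             # 127.0.0.1 or ::1 -> this machine only
        return "loopback-only"
    if ip.is_link_local:           # fe80::/10 -> local network segment only
        return "link-local"
    return "single-interface"      # one specific assigned address

def listeners(text):
    """Return (proto, port, scope) for each socket waiting for traffic."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if len(parts) > 3 else ""
        # TCP listeners carry a LISTEN state; UDP has no state and shows *:*.
        if (proto == "TCP" and state.startswith("LISTEN")) or (proto == "UDP" and foreign == "*:*"):
            addr, port = split_endpoint(local)
            found.append((proto, port, scope(addr)))
    return found

def network_reachable(rows):
    """Listeners bound beyond loopback (a host firewall may still block them)."""
    return [r for r in rows if r[2] != "loopback-only"]
```

Calling `network_reachable(listeners(SAMPLE))` drops the `127.0.0.1:3826` listener and keeps the rest, which gives a quick list of services to review or close.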

