Interpreting Netstat Reports

I've been told that the below indicates "OPEN PORTS".
That is what I'm trying to get away from.

Can someone tell me if this is true, Open Ports, and if it's the
UDP that specifies an open port or the *:*?

D:\WINNT>netstat -a
UDP    my machine3cj:epmap  *:*
UDP    my machine3cj:microsoft-ds  *:*
UDP    my machine3cj:1025   *:*
UDP    my machine3cj:1027   *:*
UDP    my machine3cj:netbios-ns  *:*
UDP    my machine3cj:netbios-dgm  *:*
UDP    my machine3cj:isakmp  *:*
UDP    my machine3cj:2278   *:*
UDP    my machine3cj:2288   *:*

I'm using Zonealarm at present.
If I'm in the wrong area of experts-exchange please let me know.

Regards, Bud
Steve Jennings (IT Manager) Commented:
Just an obnoxious correction . . .

From your example:

UDP    my machine3cj:2278   *:*

UDP = protocol type

my machine3cj = the listening IP address

2278 = the port that the indicated IP address is listening on

*:* = indicates that the "listener" will allow a connection from any IP address on any interface
UDP is the connectionless part of the TCP/IP protocol.  User Datagram Protocol.  A lot of games and streaming media use UDP because it is faster than TCP due to the fact that no ACK is required.  The ports that you are showing are pretty much default for Windows.
Each line indicates protocol (UDP or TCP), local ip address or name:local port, foreign ip address or name:foreign port. For TCP lines, there is also status.

UDP is a connectionless protocol, which means that you will always see the UDP ports as listening, even if you are presently communicating with other machines using UDP. This is indicated by the *:*.

TCP, on the other hand, is connection oriented. Therefore ports without active connections will be indicated by *:* LISTENING. For active connections you will see foreign ip or name:foreign port ESTABLISHED. Sessions can also be in SYN_SENT, TIME_WAIT and a few others, when they are either in establishment phase or deestablishment phase.

So basically, what you want to minimize is the number of ports that have *:* in them. These ports indicate that you are waiting for someone to connect to you.

smeebud (Author) Commented:
Well this is new to me svindler.

I'm interested in security. I've tried ZoneAlarm, I'm using that now, also tried BlackICE.

I was told that *:* meant that that port was "Open" for any sniffer to browse around my computer.

Do you know how I can close these Open ports?

It is correct that each *:* identifies a potential entrance to your machine. It does require a more for any hacker to enter your machine.
Zonealarm and other personal firewalls will protect you a long part of the way, if you learn how to interpret their warnings.
Be aware though that any program running on your machine might hide itself as an innocent program. Therefore a good virus shield would also be recommendable, to protect you from downloading dangerous programs.
A bit of common sense also helps; do not download programs from unknown sources. If some of your friends send you a program, you might want to wait a few days before running it on your machine, to see what troubles your friend might run into.

Now, to shut each port down, you need to identify who has opened the port. This can be quite tricky on a Windows machine, as I don't know of any commands that would relate each port to the owning program.
Some of the open ports on your machine are related to Windows Networking, and some are related to a VPN client or server, which I suspect you are running.
If you can live without these, then shut them down. This is always the tradeoff when dealing with security. To protect your machine, you need to lose some features.
If you will tell me what Windows version you are running, I can send you a link to Microsoft where a more detailed suggested security setup is.
smeebud (Author) Commented:
I'm running Windows 2000 Pro SP2.
Right now I'm logged on the internet, and here is my status:

D:\WINNT>netstat -a

Active Connections

Proto  Local Address          Foreign Address        State
TCP    My Machine3cj:epmap  My Machine3cj:0      LISTENING
TCP    My Machine3cj:microsoft-ds  My Machine3cj:0      LISTENING
TCP    My Machine3cj:1026   My Machine3cj:0      LISTENING
TCP    My Machine3cj:1028   My Machine3cj:0      LISTENING
TCP    My Machine3cj:netbios-ssn  My Machine3cj:0      LISTENING
TCP    My Machine3cj:2379  TIME_WAIT
TCP    My Machine3cj:2380  TIME_WAIT
TCP    My Machine3cj:2381  TIME_WAIT
TCP    My Machine3cj:2382  TIME_WAIT
TCP    My Machine3cj:pop3   My Machine3cj:0      LISTENING
UDP    My Machine3cj:epmap  *:*
UDP    My Machine3cj:microsoft-ds  *:*
UDP    My Machine3cj:1025   *:*
UDP    My Machine3cj:1027   *:*
UDP    My Machine3cj:netbios-ns  *:*
UDP    My Machine3cj:netbios-dgm  *:*
UDP    My Machine3cj:isakmp  *:*
UDP    My Machine3cj:2365   *:*
UDP    My Machine3cj:2371   *:*

I really appreciate your taking the time to explain this to me.

smeebud (Author) Commented:
I'm not running on any network.

If this is your only machine, you can probably remove "Client for Microsoft Networks" and "File and Printer Sharing for Microsoft Networks" if that is installed.
As I can see that you have an IPSec client installed, I guess you connect to some kind of company network, and therefore can't use the above advice?
You also have a pop3 (mail) server running. Do other people connect to your machine to retrieve mail? If not, then find the service and disable it.
The lines ending in TIME_WAIT show that you have connected to a pop3 server to get your mail in four separate sessions. I guess you DO have other people retrieving mail from your machine, as you must have collected from four different accounts.
As for the unnamed ports they are probably randomly selected by programs you are running. This could be multimedia clients like RealPlayer or Windows Media Player.

You can read a lot about security (and other technical stuff) on Microsoft TechNet. See
smeebud (Author) Commented:
The POP3 is needed.

I've never seen a Server like AT&T or any server that didn't require a Pop3.

I think we could Identify "who" opened the ports with the netstat commands:


Where would you suggest I close these ports at?
The procedure:

Step 1
Step 2??

Regards, Bud
My point about POP3 is, you are running as a server, not only as a client. This is not necessary if you are only collecting mail, as opposed to being a mail server.

It is not possible to identify "who" opened a port for listening by using netstat.

I guess some third party tools could help you identify the listening programs. Maybe ZoneAlarm can do it?
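
As an added example (not part of the original thread): a small Python parser for the netstat line layout explained earlier in this thread, which keeps only the rows waiting for inbound traffic and reports which interface each one is bound to. It assumes input from `netstat -ano`, whose PID column exists on Windows XP and later rather than on the Windows 2000 system discussed here; the sample rows, addresses and PIDs are constructed.

```python
# Constructed sample in the column layout of `netstat -ano` (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:110          0.0.0.0:0              LISTENING       1520
  TCP    192.0.2.10:2379        198.51.100.7:110       TIME_WAIT       0
  TCP    192.0.2.10:2400        198.51.100.7:80        ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    692
  UDP    192.0.2.10:137         *:*                                    4
"""

LOOPBACK = ("127.", "[::1]")
ANY = ("0.0.0.0", "[::]")

def parse_netstat(text):
    """Return one dict per TCP/UDP row; state and pid are None when absent."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines, truncated rows
        proto, local, foreign, rest = f[0], f[1], f[2], f[3:]
        # UDP is connectionless, so only TCP rows carry a State column.
        state = rest.pop(0) if proto == "TCP" and rest else None
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        addr, _, port = local.rpartition(":")  # rpartition keeps "[::]" intact
        rows.append(dict(proto=proto, addr=addr, port=port,
                         foreign=foreign, state=state, pid=pid))
    return rows

def listeners(rows):
    """Rows waiting for inbound traffic: TCP LISTENING, or UDP bound with *:*."""
    out = []
    for r in rows:
        if not (r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["foreign"] == "*:*")):
            continue  # ESTABLISHED, TIME_WAIT etc. are existing sessions
        scope = ("loopback only" if r["addr"].startswith(LOOPBACK)
                 else "all interfaces" if r["addr"] in ANY
                 else "one interface")
        out.append({**r, "scope": scope})
    return out

if __name__ == "__main__":
    for r in listeners(parse_netstat(SAMPLE)):
        print(f'{r["proto"]:4}{r["addr"]}:{r["port"]:<6} pid={r["pid"]} {r["scope"]}')
```

The PID in the last column can be matched against the process list in Task Manager to find the program that owns each listener.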
smeebud (Author) Commented:
Ok, I'll try shutting down
TCP 3cj:1614

and see what happens.

I'm pretty much mystified right now <G>

smeebud (Author) Commented:

This one bothers me:
*:* = indicates that the "listener" will allow a connection from any IP address on any interface
 How do I block that in 200? Or ZoneAlarm?

Steve Jennings (IT Manager) Commented:
Doesn't zone alarm essentially only allow connections that originate from your machine? I *** THINK *** you don't have to block ports explicitly because zone alarm only allows connections that you originate. In other words, just because your PC is listening on port XYZ doesn't mean that someone could connect to that port: zone alarm wouldn't allow the connection because it originated from outside of your network.

I'm only vaguely familiar with W2K, but I think that there's a security piece that allows you to block specific ports. But again, re-read your zone alarm documentation or scan the web for zone alarm expertise.

smeebud (Author) Commented:
You're right,
  ZoneAlarm is constantly in Stealth Mode.

You've been a big help Steve, thanks.

This port stuff is new to me.

Regards, Bud