Windows Networking – Strange Entries in Netstat Output

internetnetstatnetworkingwindows

Out of curiosity, I ran Netstat on my Windows PC, and I found some strange entries like:

xx-fbcdn-shv-01-amt2:https
edge-star-mini-shv-01-frt3:https
mil04s03-in-f10:https
xx-fbcdn-shv-01-amt2:https
fra16s25-in-f14:https
lu7:http
40:https
mil04s04-in-f12:https
wb-in-f188:https
ec2-52-86-85-106:https
db5sch101101419:https
bam-6:https

What are these/how can I tell what these are?

Best Answer

You can get more useful information from the Netstat command by adding the -f and -b parameters, like this:

netstat -f -b

According to the help (netstat -?) the -f switch:

Displays Fully Qualified Domain Names (FQDN) for foreign addresses.

And the -b switch:

Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.

Put the two together and you'll see what processes are creating each connection and the full remote host name.

To aid in investigating the executables (and the connection's they're making) use Microsoft's Process Explorer. When you run the program you'll be presented with a list of everything running on your system, like this:

Then, to see the connections made by an executable, double-click it and have a look at the TCP/IP tab:

Related Solutions

How Mac OSX Prioritizes Network Interfaces When Routing

Most systems follows these rules when choosing which route to use:

Find the most specific ones (i.e. the ones with the longest matching prefix).
Choose the one with the highest priority.

On Linux (and, I think, on Windows) priority is determined by metric, but it is not the case on macOS as you correctly pointed out. Instead of assigning metrics to individual routes, macOS assigns priorities to interfaces. You can use networksetup -listnetworkserviceorder to view this order and networksetup -ordernetworkservices to change it.

Now, this route from your output makes me think that in your case specificity also plays its role:

Destination        Gateway            Flags        Refs      Use   Netif Expire
0/1                10.10.99.100       UGSc            0        0    ppp0

This route covers the bottom half of the address space and therefore I would expect to also find:

128.0/1            10.10.99.100       UGSc            0        0    ppp0

in your routing table. This is a standard trick VPN software uses to prioritise its routes over default: it adds two routes which together cover all IP addresses, but each of them is more specific than default, so they win.

Networking Ports – Can the Same Port Act as Both Client and Server?

Line: TCP 127.0.0.1:55486 127.0.0.1:55487 ESTABLISHED 5808

Is stating the client is connecting to the port on 55487 for the server while the client uses port 55486.

Line: TCP 127.0.0.1:55487 127.0.0.1:55486 ESTABLISHED 5808

is stating the server is connecting back to the client on port 55486 from 55487.

TCP requires the "3-way handshake" to set up the connection between a client and server.

The client connects to the a server (part 1 of the 3 way handshake). The server responds acknowledging the connection (part 2). The client responds to the acknowledgement with its own acknowledgement (part 3).

TL;DR - Client generally uses random port to connect to a server with a specific port. The server responds back to that machine using the random port. The client and server are NOT on the same port.

Best Answer

Related Solutions

How Mac OSX Prioritizes Network Interfaces When Routing

Networking Ports – Can the Same Port Act as Both Client and Server?

Related Question