Netstat foreign address
What is a netstat foreign address, and is it something to be concerned about? If someone is yammering about it on the phone with you, unsolicited, they’re probably not explaining it correctly.
Netstat is a standard utility to list all the computers your computer is talking to. It’s a normal diagnostic tool, normally used by network professionals to make sure two computers that are supposed to be talking to each other are able to. Netstat output is not conclusive evidence that your computer has been hacked.
What is netstat?
As I stated above, Netstat is a normal diagnostic tool, but one that’s rarely used on home computers.
A forensic investigator might also use netstat, but they will never, ever jump to conclusions based solely on netstat output. It’s an early step in an investigation. It’s not the entirety of an investigation. Forensic investigations are also not something that take place over the phone.
Who am I?
I’m a professional computer security analyst by trade. In 2018, I helped my clients find and close more than 2.5 million vulnerabilities in their computer networks. I’m here to explain what netstat does and give some examples of proper, ethical use of it.
Some of the tools I use will run netstat and examine its output, but it’s one of many things my tools look at.
I’m not trying to sell you anything. I’m just tired of seeing people get ripped off by strangers who know how to run a few commands that can scare and confuse people.
What does netstat output mean?
When you run netstat, it gives you a total of four or five columns of information. The first column is the protocol, the second column is the local address, which can be 0.0.0.0, 127.0.0.1, or your computer’s locally assigned IP address. The third column is that mysterious-sounding foreign address. That’s any computer your computer is talking to. Including itself. Your computer talks to itself. A lot. It’s normal. Depending on the command they had you run, there might be a fourth column labeled PID, for process ID. That’s just the tracking number for any and all programs that are running on your computer at any given time. It’s normal for there to be a lot of those.
An experienced systems administrator can easily trace the PID to the program that’s running. Someone who called you unsolicited probably doesn’t have the skills to do that, and if you ask them how to find the executable file associated with a PID, they might very well tell you that you’re an idiotic IT guy and hang up on you.
In case you want to know, try running the command tasklist | findstr 0. Substitute the PID you’re interested in for the number 0, keeping in mind that findstr also returns partial matches. So if multiple programs come up, that’s normal.
What is a netstat foreign address?
Your computer also talks with other computers on your network. A lot. That’s normal. It will talk to your router, your network printer, and any other computer on your network. My kids’ computers talk to my computer more than my kids talk to me.
So it’s completely normal to see other addresses on your local network in the foreign address column. It doesn’t mean they’re trying to infect each other. And if they were, some random dude halfway across the world has no way of knowing about it anyway.
It’s also completely normal to see tons of IP addresses that aren’t on your local network in the foreign address column. Do you have any browser tabs open? Each tab is at least one foreign address your computer is talking to. It’s not uncommon for each browser tab to cause several foreign addresses to connect. Every address is followed by a colon and another number. If the number after the colon is 80 or 443, that’s a browser tab. If someone is telling you otherwise, the burden of proof is on them. Not you, and not me. But I know more about what’s going on with your computer than the guy on the phone does, and you’re not even talking to me right now.
You can find out easily enough. Look for a line with a foreign address ending in a colon followed by either a number 80 or 443. I happen to have one on PID 10116 right now. Running the command tasklist | findstr 10116 reveals that PID 10116 belongs to chrome.exe, which is my web browser. Completely normal.
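To show how the columns, the colon-and-number suffix, and the PID lookup fit together, here is an added example of mine, not code from the original article: a small Python script that parses constructed netstat -ano output, classifies each foreign address as loopback, local network or remote, flags 80 and 443 as web traffic, and looks up a PID in tasklist /fo csv output by exact match instead of findstr’s partial match. The sample output, addresses and PIDs are constructed, not captured from a real machine.

```python
import csv
import ipaddress
# Constructed samples (not captured from a real machine) of "netstat -ano" and "tasklist /fo csv".
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49671        127.0.0.1:49672        ESTABLISHED     4520
  TCP    192.168.1.20:49812     192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.20:50231     203.0.113.10:443       ESTABLISHED     10116
  TCP    [fe80::1%12]:50244     [2001:db8:1::a]:443    ESTABLISHED     10116
  UDP    0.0.0.0:5353           *:*                                    1900
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"chrome.exe","10116","Console","1","250,000 K"
"chrome.exe","110116","Console","1","120,000 K"
"""
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
              "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

def split_host_port(addr):
    """Split netstat's host:port; IPv6 is bracketed ([::1]:443) and may carry a %zone."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]").split("%")[0], (int(port) if port.isdigit() else None)

def classify_host(host):
    """Is the foreign host this machine, the local network, or somewhere remote?"""
    ip = ipaddress.ip_address("0.0.0.0" if host == "*" else host)
    if ip.is_unspecified:
        return "any"          # no peer: a listening socket, or UDP's "*:*"
    if ip.is_loopback:
        return "loopback"
    return "local network" if any(ip in n for n in LOCAL_NETS) else "remote"

def parse_netstat(text):
    """One dict per TCP/UDP line of netstat -ano output; the header is skipped."""
    rows = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4 and parts[0] in ("TCP", "UDP"):
            host, port = split_host_port(parts[2])
            rows.append({"proto": parts[0], "host": host, "port": port,
                         "kind": classify_host(host), "web": port in (80, 443),
                         "pid": int(parts[-1])})  # last field: UDP has no State
    return rows

def pid_to_image(tasklist_csv, pid):
    """Exact PID match, unlike 'tasklist | findstr 10116', which also hits 110116."""
    for row in csv.DictReader(tasklist_csv.splitlines()):
        if int(row["PID"]) == pid:
            return row["Image Name"]
    return None
```

On a real Windows machine you would feed it the output of netstat -ano and tasklist /fo csv; every web-flagged line in the sample resolves to chrome.exe, exactly the harmless picture described above.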
What’s a netstat foreign address on IPv6?
You also may see some really mysterious looking numbers with a lot of letters in them, in groups of five separated by colons. The guy on the phone probably threw a fit when he heard you have some of those, am I right? Those are also nothing to worry about. Those are IPv6 addresses. IPv6 is nothing nefarious.
In layperson’s terms, the Internet of the 1990s had room for 4.3 billion computers, which sounded like a lot then. Today it’s possible for one large company to have a million devices on its network, so 4.3 billion computers doesn’t go very far today. There were limits to what we could do to keep the Internet from filling up without making a major change. IPv6 doesn’t provide for an infinite number of computers, but the count is somewhere along the lines of the number of molecules in the known universe, so we should be OK for a while.
Several large companies have moved a number of operations to IPv6 because real estate in IPv6 is a lot cheaper. If you have a browser tab open on Google or Facebook and your Internet provider supports IPv6, you have an IPv6 foreign address open. But it’s also normal for your computer to talk to your router, or other computers on your network over IPv6. If they see a channel open, they’ll use it.
Since IPv6 is something new and unfamiliar to most people, scammers can use it to scare people. But there’s no reason to be scared of it. It’s not at all different from the phone company opening up a new area code in a large city because the existing area code is full and they need a new area code to make room for everyone’s cell phones.
What to do if you get a phone call regarding netstat
If someone calls you unsolicited and has you run netstat, it’s a scam. Don’t buy anything from them. Consider taking measures to block these types of calls in the future instead.