Explain the meaning of some Netstat Outputs?

Hi all,

Been messing around with the Netstat command (specifically Netstat -a -n -o) in order to determine what processes remotely access the network and wider internet.

I've been doing this to minimise or perhaps entirely stop my PC sending information to Microsoft or, worse, hackers who exploit Windows functionality to accrue information about the OS configuration, contents of the HDD and internet browsing.

Could anyone tell me why Netstat outputs the following information?

Proto Local Address Foreign Address State PID
TCP [ : : ] <port number> [ : : ] : 0 Listening Any of a range of PIDs


Also, why do some Windows Processes connect to the local Router and then get a Loopback Address - as shown in the example below?

Proto Local Address Foreign Address State PID
TCP 127.0.0.1 Port Number 127.0.0.1:26887 ESTABLISHED Any of a Range of PIDs

My search engine research hasn't yielded real answers.

As said above, I'm interested in isolating as much of Windows from other devices as is possible, while maintaining program functionality and usage of the internet.

Even if your advice doesn't solve the most previous statement, any useful information you can shed on this would be helpful.
 

Regedit32

Moderator
Hi Thelps,

Netstat will display the following for example after entering the command: Netstat -O

Proto   Local Address         Foreign Address      State      PID
TCP     153.149.29.116:3128   106.186.22.65:8888   Listening  4736


The -O flag instructs Windows to display the owning Process ID (PID) responsible for each connection.

So in the above example we have a TCP protocol (Proto) beginning at a local Japanese Proxy server which uses Port 3128. It passes through another Japanese VPN connection (the foreign address) via port 8888. The State says it's listening (meaning there is no connection yet but the ports are open awaiting data transfer). The Process ID (PID) 4736 refers to Microsoft Edge browser being the application that owns the connection.

Let us know if this helps you understand the first part of your question. If it does I or someone else can tackle the second question.

Regards,

Regedit32
 
Thanks for your reply Regedit32.

I was more curious as to specifically what [ : : ] represents in a Netstat output.

Also, what does 0.0.0.0 as an IP indicate?

I'm interested in understanding why some programs don't display IP addresses as in example 1.

I'm also interested in why some programs connect to the router which then immediately loops them back (via router's loopback address) as in example 2.

Thanks for your help.
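
An added example, not part of the thread and not any poster's code: a Python sketch that reads `netstat -a -n -o` output and labels each row by how far the socket reaches. It relies on 0.0.0.0 and [::] being the IPv4 and IPv6 unspecified ("any interface") addresses and 127.0.0.1 / [::1] being loopback; the sample rows, PIDs, function names and label strings are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -a -n -o` output (not taken from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    127.0.0.1:49670        127.0.0.1:26887        ESTABLISHED     4120
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5012
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    1234
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (ip object or None, port)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]   # drop brackets and any IPv6 zone id
    try:
        return ipaddress.ip_address(host), port
    except ValueError:                      # '*' on UDP rows carries no address
        return None, port

def scope(ip):
    """Describe how far an address reaches: any, loopback or specific."""
    if ip is None or ip.is_unspecified:     # 0.0.0.0, [::] or '*'
        return "any"
    return "loopback" if ip.is_loopback else "specific"

def classify(text):
    """Return one dict per socket row with a plain-language exposure label."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                        # header, blank or unrelated line
        state = f[3] if len(f) == 5 else "" # UDP rows have no State column
        local, lport = split_endpoint(f[1])
        remote, _ = split_endpoint(f[2])
        if state in ("LISTENING", ""):      # waiting socket: local side decides reach
            label = {"any": "open on all interfaces",
                     "loopback": "open to this machine only",
                     "specific": "open on one interface"}[scope(local)]
        elif scope(local) == scope(remote) == "loopback":
            label = "local-only connection" # both ends on this host
        else:
            label = "remote connection"
        rows.append({"proto": f[0], "port": int(lport), "pid": int(f[-1]), "label": label})
    return rows

if __name__ == "__main__":
    for r in classify(SAMPLE):
        print(r)
```

The PID in each row can then be matched against the Task Manager "Details" tab to see which program owns the socket.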
 
