Operator On The Wire

netstat

Enumerates active TCP/UDP connections by walking the OS-maintained linked lists of network objects (list-based enumeration, as opposed to pool scanning).

Usage:

  • View active TCP connections
  • Identify listening services
  • Map PID ↔ remote IP relationships
  • Correlate suspicious processes with network activity
  • Quick triage of live connections at capture time

Better than

  • Live netstat.exe (a rootkit can hook netstat.exe on a running host, but it cannot alter a memory image after capture)
  • Manual process-to-socket correlation

Worse than

  • windows.netscan (netstat only walks linked lists, so it does not recover unlinked / DKOM-hidden sockets that a pool scan finds)
  • Pool-scanning methods (netstat may miss partially freed objects that a scan would still recover)

Relies on walking linked lists → can miss stealthy network objects that have been unlinked (e.g. via DKOM); cross-check its output against windows.netscan.

Commands

# List active TCP/UDP connections (Vol3)
python3 vol.py -f <mem> windows.netstat

# Filter by PID
python3 vol.py -f <mem> windows.netstat --pid <PID>
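The Usage list above (map PID ↔ remote IP, find listening services, correlate processes with network activity) and the linked-list caveat are easiest to act on by comparing the two plugins' output. The script below is an added example, not code from the original page or from the Volatility project. It assumes windows.netstat and windows.netscan were both exported with Volatility 3's JSON renderer (`-r json`) as flat lists of rows keyed by the plugins' column names (Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner); those names and the flat-list shape are assumptions to check against your build. The rows embedded in it are constructed samples using RFC 5737 documentation addresses, not real plugin output.

```python
"""Cross-check windows.netstat (linked-list walk) against windows.netscan (pool scan).

Added example, not code from the original page or the Volatility project.
Assumed export commands (column names and flat-list JSON shape are assumptions):

    python3 vol.py -r json -f <mem> windows.netstat > netstat.json
    python3 vol.py -r json -f <mem> windows.netscan > netscan.json

Rows present only in netscan are candidates for unlinked / DKOM-hidden sockets.
"""
import json
from collections import defaultdict

# Constructed sample: what the linked-list walk (windows.netstat) returned.
NETSTAT_ROWS = [
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 445,
     "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "State": "LISTENING",
     "PID": 4, "Owner": "System"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49812,
     "ForeignAddr": "203.0.113.10", "ForeignPort": 443, "State": "ESTABLISHED",
     "PID": 1840, "Owner": "chrome.exe"},
    {"Proto": "UDPv4", "LocalAddr": "0.0.0.0", "LocalPort": 137,
     "ForeignAddr": "*", "ForeignPort": 0, "State": "",
     "PID": 4, "Owner": "System"},
]

# Constructed sample: the pool scan (windows.netscan) found one endpoint that is
# absent from the linked list, i.e. a candidate unlinked / DKOM-hidden socket.
NETSCAN_ROWS = NETSTAT_ROWS + [
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 50123,
     "ForeignAddr": "198.51.100.7", "ForeignPort": 8443, "State": "ESTABLISHED",
     "PID": 2312, "Owner": "svchost.exe"},
]

# Foreign-address values that mean "no remote peer" (listeners, unbound UDP).
NON_REMOTE = {"", "*", "0.0.0.0", "::"}


def load_rows(path):
    """Load a JSON export written by `vol.py -r json ... windows.netstat|netscan`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def connection_key(row):
    """Identity of one endpoint: protocol, local/foreign socket pair and owning PID."""
    return (row["Proto"], row["LocalAddr"], row["LocalPort"],
            row["ForeignAddr"], row["ForeignPort"], row["PID"])


def unlinked_connections(netstat_rows, netscan_rows):
    """Rows the pool scan found that the linked-list walk did not.

    netstat walks the kernel's linked lists, so anything unlinked from them
    (e.g. by DKOM) shows up only in netscan. The difference is the review list.
    """
    seen = {connection_key(r) for r in netstat_rows}
    return [r for r in netscan_rows if connection_key(r) not in seen]


def pid_to_remote_ips(rows):
    """Map each PID to the sorted list of remote addresses it is talking to."""
    out = defaultdict(set)
    for r in rows:
        remote = r.get("ForeignAddr") or ""
        if remote in NON_REMOTE:
            continue
        out[r["PID"]].add(remote)
    return {pid: sorted(ips) for pid, ips in out.items()}


def listening_services(rows):
    """(Proto, port, PID, owner) tuples for sockets in LISTENING state."""
    return sorted((r["Proto"], r["LocalPort"], r["PID"], r["Owner"])
                  for r in rows if r.get("State") == "LISTENING")


def triage(netstat_rows, netscan_rows):
    """Bundle the checks a quick memory triage wants at capture time."""
    return {
        "listening": listening_services(netstat_rows),
        "pid_remote_map": pid_to_remote_ips(netscan_rows),
        "unlinked": unlinked_connections(netstat_rows, netscan_rows),
    }


if __name__ == "__main__":
    # Replace the constructed rows with load_rows("netstat.json") / load_rows("netscan.json").
    report = triage(NETSTAT_ROWS, NETSCAN_ROWS)
    for proto, port, pid, owner in report["listening"]:
        print(f"LISTEN  {proto} :{port} pid={pid} ({owner})")
    for pid, ips in sorted(report["pid_remote_map"].items()):
        print(f"PID {pid} -> {', '.join(ips)}")
    for r in report["unlinked"]:
        print(f"REVIEW  only in netscan: {r['Proto']} {r['LocalAddr']}:{r['LocalPort']} "
              f"-> {r['ForeignAddr']}:{r['ForeignPort']} pid={r['PID']} ({r['Owner']})")
```

The PID ↔ remote IP map is built from the netscan rows on purpose: since netstat is the subset that survived list-walking, building the map from the superset keeps hidden peers in view while the unlinked list tells you which of them netstat would have silently dropped.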