In the evolving landscape of system administration and network diagnostics, legacy tools often give way to more efficient, modern alternatives. One such shift involves the deprecation of the widely used netstat command on both Windows and Linux systems. Although netstat served as a cornerstone for analyzing network connections, it has become outdated, with its functionality being replaced by more powerful and flexible tools: Get-NetTCPConnection on Windows and ss (socket statistics) on Linux. These new tools are not merely replacements but advancements designed to address the limitations of their predecessor, offering improved performance, greater precision, and enhanced integration with modern systems.

The Linux ss command provides a faster and more detailed way to view socket information than netstat. By directly accessing kernel data structures, ss delivers real-time insights into active connections, listening ports, and protocol-specific details. This efficiency makes it particularly useful for monitoring high-volume servers or troubleshooting complex networking scenarios. Moreover, ss offers a rich set of filtering options that allow you to hone in on specific connections, states, or protocols with minimal effort.

On Windows, the Get-NetTCPConnection cmdlet brings the power of PowerShell's object-oriented paradigm to network diagnostics. As part of the NetTCPIP module, it not only replicates the netstat core functionality but also integrates seamlessly into the broader PowerShell ecosystem, enabling advanced filtering, automation, and reporting. Unlike netstat, which outputs plain text, Get-NetTCPConnection provides structured data that can be easily manipulated and combined with other PowerShell cmdlets to create robust workflows. This modern approach makes it an indispensable tool for Windows administrators tasked with managing network resources and ensuring system security.

The Linux ss Command

The ss command is a powerful utility for examining network connections, sockets, and their statuses. It provides detailed insights into the state of your system's network, making it an essential tool for network diagnostics and troubleshooting.

To use ss, open a terminal and execute the command with the appropriate options. By default, running ss without options displays a summary of established network connections, including their source and destination addresses, ports, and states (Figure 1).

Figure 1: The ss command output on Linux.

If you need more specific information, you can use the -t, -u, and -x options to filter by protocol. The -t flag restricts the output to TCP connections, whereas -u displays only UDP connections. The -x option shows Unix domain sockets, which are used for interprocess communication. For example, running ss -t lists only TCP connections, making it easier to focus on this protocol.

One of the most commonly used flags is -n, which prevents the resolution of IP addresses into hostnames and ports into service names, ensuring faster execution and numerical output. Conversely, the -r option resolves IPs into hostnames, which can help when understanding external connections but might slow down the command because of DNS lookups. For security audits, the -p flag is essential because it links sockets to the process names and IDs responsible for the connections, allowing users to trace suspicious activity back to specific applications. Advanced users might also find the -i option useful, because it reveals detailed internal socket information for debugging purposes.

To view listening sockets, you can use the -l option. For instance, ss -lt shows only listening TCP sockets, which is useful for checking which services or applications are awaiting incoming connections on specific ports. When you need to display process information alongside the sockets, adding the -p option reveals the process name and process ID (PID) associated with each connection. For example, ss -tulpn combines multiple options to display TCP and UDP listening sockets with associated processes and numeric port numbers.

Filtering capabilities in ss allow you to narrow down results on the basis of specific criteria. You can use keywords such as dst (destination) or src (source) followed by an IP address, port number, or hostname. For example,

ss dst 192.168.1.1

lists all connections targeting that IP address, whereas

ss src :80

displays connections originating from port 80.

For more detailed output, the -i option adds interface information, such as network interfaces involved in connections, and the -e option provides extended information about TCP sockets, like retransmission counts. If you need continuous monitoring, adding watch,

watch -n 1 ss -t

refreshes the output at regular intervals, so you can observe real-time changes.

Filtering connections by state is another powerful feature of ss. For example, viewing established connections (-e) allows you to focus solely on active connections, or you can isolate sockets in the listening state (-l). These options can be further refined by the -4 or -6 options to limit the results to IPv4 or IPv6 connections. The -f flag lets users specify an address family (e.g., inet for IPv4 and IPv6 or unix for Unix domain sockets), providing a tailored view of network activity.

Identifying Potential Threats

When analyzing network connections with the ss command, the goal is to gain a deep understanding of the state of the system's network activity and identify any unusual patterns that could suggest malicious or unauthorized behavior. The ss command can produce a detailed view of the sockets on your system, helping you detect any irregularities.

To begin, you might run a simple

ss -tuln

command to display a list of all listening TCP and UDP sockets. The output includes the address and port combinations on which your system is awaiting incoming connections. Looking closely at this output, you should be familiar with what normal, expected services are running on your machine. For instance, you might see services like SSH on port 22, HTTP on port 80, or HTTPS on port 443. However, unexpected services listening on unusual ports could be a sign of a misconfiguration or even a potential security issue. For example, if a service like FTP is running without your knowledge or an unknown process is listening on a port that doesn't match any known service, you might want to investigate further.

Another key aspect of monitoring is checking the status of the active connections. The

ss -tn

command lets you examine the current state of active TCP connections (Figure 2). Each connection is shown with its status, which could be ESTABLISHED , SYN_SENT , TIME_WAIT , or other states that indicate the lifecycle of a connection. An unusually high number of connections in certain states can indicate abnormal behavior. For example, a surge in SYN_SENT connections might suggest a SYN flood attack, which is a type of denial-of-service attack that attempts to overwhelm the target system by sending many connection requests that go unanswered. If you're seeing many connections stuck in this state, it could point to this kind of attack. Similarly, if an unexpected number of connections are in the TIME_WAIT state, you might have a problem with connection teardown, potentially because of a malfunctioning service or attack.

Figure 2: The current state of active Linux TCP connections.

Beyond just the connection state, it's critical to examine which processes are tied to each connection. The

ss -p

command displays the PID and the name of the program associated with each connection. This information is useful for identifying suspicious activity tied to processes you might not recognize. For example, if you notice that a connection on an unusual port is being held by a process you don't recognize, it's worth digging deeper to determine whether the process is legitimate or whether it could be malware. On a secure system, you should confidently be able to identify the processes that have network connections. Anything outside of this norm is a red flag and should be investigated further.

An additional method for identifying unusual connections is to monitor the system's network activity over time. Regularly running ss with the appropriate options allows you to spot trends and changes in network behavior. For example, if you regularly run ss and suddenly notice a significant spike in the number of connections or an influx of foreign IP addresses connecting to your system, it could indicate an unauthorized access attempt or data exfiltration. Similarly, connections to unusual ports, such as those not typically used by your services, should be flagged for investigation.

Cross-referencing the IP addresses you see in the connection list is also important. If you spot IP addresses from regions or countries that you don't expect to communicate with your system, or if the IP addresses are known to be associated with malicious activity (on the basis of threat intelligence feeds or a reputable IP blacklist), you have a strong indicator that something might be wrong.

The beauty of the ss command lies in the granularity of the information it provides. By observing patterns, process associations, and the state of network connections, you can develop a thorough understanding of your system's network activity, which over time, enables the recognition of what constitutes normal behavior, making it easier to spot irregularities that could signify potential security threats. By leveraging ss as part of a broader network monitoring strategy, you can proactively detect issues and take steps to safeguard your system.

Get-NetTCPConnection Windows Cmdlet

The Get-NetTCPConnection command in Windows PowerShell is a modern and powerful tool designed to retrieve detailed information about TCP connections on a Windows system. It is part of the NetTCPIP module. Unlike netstat, which outputs plain text that often requires additional parsing, Get-NetTCPConnection produces structured data that integrates seamlessly into PowerShell's object-oriented framework, making it far more flexible and suitable for modern network diagnostics and automation.

When executed without parameters, Get-NetTCPConnection displays all active TCP connections and listening ports on the system (Figure 3). The default output includes essential details such as the local and remote IP addresses, their corresponding ports, the state of the connection, and the PID of the application responsible for each connection. For example, you might see connections in an established state, which indicates active communication, or a listening state, which shows that a port is awaiting incoming connections.

Figure 3: Get-NetTCPConnection output on Windows 11.

The command can also filter and refine the output by specific criteria. For instance, if you want to view only established connections, you can use the -State parameter and specify Established. Similarly, you can narrow the results to connections associated with a specific local port, such as port 80, with the -LocalPort parameter. If you need to investigate connections to a particular remote IP address or port, the -RemoteAddress and -RemotePort parameters let you isolate these details with precision.

By examining the OwningProcess property, which provides the PID of the application managing a connection, you can identify the responsible program. This information is particularly useful when troubleshooting connectivity issues or detecting unexpected network activity. For a more detailed analysis, the results can be enriched by combining Get-NetTCPConnection with other PowerShell cmdlets like Get-Process. For example, you can append the process name associated with each connection to the output, offering a clearer view of how applications are interacting with the network.

The structured nature of the Get-NetTCPConnection output also allows for easy export and further analysis. By piping the command's results into tools like Export-Csv, you can generate reports that are suitable for audits or compliance purposes. Additionally, because PowerShell allows for real-time filtering and scripting, you can create automated workflows that continuously monitor your system's connections, alerting you to suspicious activity, or generate periodic summaries.