Blog

Question

“I have logged NetStat acitivity for a couple of days. I am analyzing the log now. I cannot find a definition of what can be recorded in the Event Column. What exactly does changed mean? What exactly does new mean? What exactly does removed mean?”

Answer

Event Columns means a log record status, for example:
1) You click on file in your browser and the browser opens a TCP connection to download file.
2) At this moment NetStat Agent (NA) found that your browser opened a new connection, so because it is a new connection, NA sets a record status as “New”.
3) But when your browser downloaded a file, it closes the opened connection and at this moment NA writes to log file that connection is closed and sets a record status as “Removed”.

A record status “Changed” means that connection state (see column “Status” in NetStat window) is changed, for example:
1) Let assume you run Skype and connected to Skype server.
2) In this case NA will find a TCP connection with status - “ESTABLISHED”.
3) Then you decide to close Skype (disconnect).
4) It means that your PC (Skype application) will send a FIN packet (a TCP signal to close connection) to a remote host (Skype server).
5) For your PC it means a changing connection status from ESTABLISHED to FIN_WAIT1.
6) So when NetStat Agent detects connection status changes it writes to log file what connection is changed and sets a record status as “Changed” to event column.

I was asked by email how to monitor only one local port, so decided to answer in blog.

Let assume that we have a HTTP server (Apache) on local port 80 and we want to monitor all HTTP connections. With installed NetStat Agent it is very easy to do.

After running NetStat you will see a lot of connections (click to see the large picture):

So we need to create a filter in “Monitor” tab to hide unwanted connections:

1. In the context menu (right click) select “Clear” to clear all fields.
2. Set the name of filter: “hide all”.
3. Set action as “Hide”.
4. Check on the box “Enabled”.
5. Press “Add” button to add a new filter.

The result you may see on the screenshot:

After adding this filter all connections are invisible. So we need another one to show only wanted connections:

1. In the context menu (right click) select “Clear” to clear all fields.
2. Set the name of filter: “show http”.
3. Set the local port: 80.
4. Check on “Select” action only.
5. Press “Add”.

See screenshot:

Now if you select “Connections” tab again, you will see only HTTP connections:

With NetStat Agent you may monitor HTTP visitors in real-time mode!

Each time when you query the route in the TraceRoute tool, NetStat Agent saves the request to cache. But if you want to clear this cache or remove a record from this cache, then you must open the RegEdit and find the path:

HKEY_CURRENT_USER\Software\Flexbyte\NetStat Agent\Tracer

In this folder, you may find records Recent.0, Recent.1 and so on. You may delete all records or only one.

The same you may do to clear the Ping history, but in Ping folder.

NetStat Agent keeps all logs in %APPDATA%\NetStat Agent\ for current user account.
Usually, it is C:\Documents and Settings\{user account}\Application Data\NetStat Agent\.

You can also open this folder from NetStat Agent. In the program select Log Manager, select a log file, press the right button to call context menu and select “Open Folder” command in the menu.

Today is the birthday of NetStat Agent. The first public version was released 4 years ago in Jule 12.

So in this happiness day we want to present the discount coupon for everyone who read this blog. 20% discount is available till September 1, 2008. The discount coupon is: BIRTHDAY