What does event column mean?

Question

“I have logged NetStat activity for a couple of days. I am analyzing the log now. I cannot find a definition of what can be recorded in the Event Column. What exactly does changed mean? What exactly does new mean? What exactly does removed mean?”

Answer

The Event column shows the status of a log record. For example:
1) You click a file link in your browser, and the browser opens a TCP connection to download the file.
2) At this moment NetStat Agent (NA) detects that your browser has opened a new connection, so NA sets the record status to “New”.
3) When the browser has finished downloading the file, it closes the connection. At this moment NA writes to the log file that the connection is closed and sets the record status to “Removed”.

The record status “Changed” means that the connection state (see the “Status” column in the NetStat window) has changed. For example:
1) Let's assume you run Skype and are connected to a Skype server.
2) In this case NA will find a TCP connection with the status “ESTABLISHED”.
3) Then you decide to close Skype (disconnect).
4) This means that your PC (the Skype application) will send a FIN packet (a TCP signal to close the connection) to the remote host (the Skype server).
5) For your PC, this means the connection status changes from ESTABLISHED to FIN_WAIT1.
6) So when NetStat Agent detects a connection status change, it writes to the log file that the connection has changed and sets the record status in the Event column to “Changed”.
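The three Event values can be reproduced by comparing two successive connection snapshots. The following is an added example, not NetStat Agent's own code: it assumes a connection is identified by protocol, local address and remote address, and it runs on constructed `netstat -an` style input. How NetStat Agent implements this internally is not stated on this page.

```python
import re

# Constructed sample input: two successive `netstat -an` style snapshots.
SNAP_1 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED
  TCP    192.168.1.10:49720     198.51.100.7:80        ESTABLISHED
"""
SNAP_2 = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:49712     203.0.113.5:443        FIN_WAIT1
  TCP    192.168.1.10:49731     198.51.100.9:443       SYN_SENT
"""

# UDP lines carry no state column, so the last group is optional.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_0-9]+))?\s*$")

def parse(snapshot):
    """Map (proto, local, remote) -> state for each connection line."""
    table = {}
    for line in snapshot.splitlines():
        m = LINE.match(line)
        if m:  # header and blank lines do not match and are skipped
            proto, local, remote, state = m.groups()
            table[(proto, local, remote)] = state or ""
    return table

def diff(prev, curr):
    """Return (event, key, old_state, new_state) tuples, sorted by connection."""
    events = []
    for key, state in curr.items():
        if key not in prev:
            events.append(("New", key, None, state))
        elif prev[key] != state:
            # Same connection, different TCP state (e.g. ESTABLISHED -> FIN_WAIT1)
            events.append(("Changed", key, prev[key], state))
    for key, state in prev.items():
        if key not in curr:
            events.append(("Removed", key, state, None))
    return sorted(events, key=lambda e: (e[1], e[0]))

if __name__ == "__main__":
    for event, (proto, local, remote), old, new in diff(parse(SNAP_1), parse(SNAP_2)):
        print(f"{event:8} {proto} {local} -> {remote}  {old} => {new}")
```

When reviewing a log built this way, a connection that opens and closes between two polls never appears, so the absence of a “New” record does not prove that no connection was made.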

  • March 4th, 2010
  • flexbyte