Share this page : facebooktwitterlinkedinmailfacebooktwitterlinkedinmail

The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices. netstat (network statistics) is a command-line network utility tool that displays network connections for the Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.

It is available on Unix-like operating systems including macOS, Linux, Solaris, and BSD, and is available on Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. Each version has its own command-line options you can tweak to see different types of information.

Windows:

 

Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

Tip: See How To Read Command Syntax if you’re not sure how to read the netstat command syntax above.

Execute the netstat command alone to show a relatively simple list of all active TCP connections which, for each one, will show the local IP address (your computer), the foreign IP address (the other computer or network device), along with their respective port numbers, as well as the TCP state.

-a = This switch displays active TCP connections, as well as UDP ports that are being listened to.

-b = This netstat switch is very similar to the -o switch listed below, but instead of displaying the PID, will display the process’s actual file name. Using -b over -o might seem like it’s saving you a step or two but using it can sometimes greatly extend the time it takes netstat to fully execute.

-e = Use this switch with the netstat command to show statistics about your network connection. This data includes bytes, unicast packets, non-unicast packets, discards, errors, and unknown protocols received and sent since the connection was established.

-f = The -f switch will force the netstat command to display the Fully Qualified Domain Name (FQDN) for each foreign IP addresses when possible.

-n = Use the -n switch to make sure the foreign address column display only IP address, in other words, it prevent netstat from attempting to resolve host names for foreign IP addresses. Depending on your current network connections, using this switch could considerably reduce the time it takes for netstat to fully execute.

-o = A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each displayed connection. See the example below for more about using netstat -o.

-p = Use the -p switch to show connections or statistics only for a particular protocol. You can not define more than one protocol at once, nor can you execute netstat with -pwithout defining a protocol.

protocol = When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.

-r = Execute netstat with -r to show the IP routing table. This is the same as using the route command to execute route print.

-s = The -s option can be used with the netstat command to show detailed statistics by protocol. You can limit the statistics shown to a particular protocol by using the -s option and specifying that protocol, but be sure to use -s before -p protocol when using the switches together.

-t = Use the -t switch to show the current TCP chimney offload state in place of the typically displayed TCP state.

TCP Chimney Offload overview

TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Chimney Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.

-x = Use the -x option to show all NetworkDirect listeners, connections, and shared endpoints.

-y = The -y switch can be used to show the TCP connection template for all connection. You cannot use -y with any other netstat option.

time_interval = This is the time, in seconds, that you’d like the netstat command to re-execute automatically, stopping only when you use Ctrl-C to end the loop. e.g to refresh the listening port every 3 seconds: netstat -ant 3

/? = Use the help switch to show details about the netstat command’s several options.

Tip: Make all that netstat information in the command line easier to work with by outputting what you see on the screen to a text file using a redirection operator.

Listening Port:

Windows: To find the port which the current host is listening to , use command  netstat -an | findstr LISTENING

Note that the text in findstr is case sensitive.

MAC: It’s easier in MAC to do this, you can use netstat -anL

Note that the L must be upper case.

Linux: show the on port the  netstat -ntl

Including the established connections: netstat -antl

Note that the -n is used to determine if the host name should be resolved.

Netstat Command Examples

netstat -f

In this first example, I execute netstat to show all active TCP connections. However, I do want to see the computers I’m connected to in FQDN format [-f] instead of a simple IP address.

Here’s an example of what you might see:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5357         VM-Windows-7:49229     TIME_WAIT
  TCP    127.0.0.1:49225        VM-Windows-7:12080     TIME_WAIT
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http  CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http  CLOSE_WAIT
  TCP    192.168.1.14:49230     TIM-PC:wsd             TIME_WAIT
  TCP    192.168.1.14:49231     TIM-PC:icslap          ESTABLISHED
  TCP    [::1]:2869             VM-Windows-7:49226     ESTABLISHED
  TCP    [::1]:49226            VM-Windows-7:icslap    ESTABLISHED

As you can see, I had 9 active TCP connections at the time I executed netstat. The only protocol (in the Proto column) listed is TCP, which was expected because I did not use -a.

You can also see three sets of IP addresses in the Local Address column – my actual IP address of 192.168.1.14 and both IPv4 and IPv6 versions of my loopback addresses, along with the port each connection is using. The Foreign Address column lists the FQDN (75.125.212.75 didn’t resolve for some reason) along with that port as well.

Finally, the State column lists the TCP state of that particular connection.

netstat -o

In this example, I want to run netstat normally so it only shows active TCP connections, but I also want to see the corresponding process identifier [-o] for each connection so I can determine which program on my computer initiated each one.

Here’s what my computer displayed:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     a795sm:http            CLOSE_WAIT      2948
  TCP    192.168.1.14:49197     a795sm:http            CLOSE_WAIT      2948

You probably noticed the new PID column. In this case, the PIDs are all the same, meaning that the same program on my computer opened these connections.

Using the netstat command with the -o option can be very helpful when tracking down which program is using too big a share of your bandwidth. It can also help locate the destination where some kind of malware, or even an otherwise legitimate piece of software, might be sending information without your permission.

Note: While this and the previous example were both run on the same computer, and within just a minute of each other, you can see that the list of active TCP connections is considerably different. This is because your computer is constantly connecting to, and disconnecting from, various other devices on your network and over the Internet.

netstat -s -p tcp -f

In this third example, I want to see protocol specific statistics [-s] but not all of them, just TCP stats [-p tcp]. I also want the foreign addresses displayed in FQDN format [-f].

This is what the netstat command, as shown above, produced on my computer:

TCP Statistics for IPv4

  Active Opens                        = 77
  Passive Opens                       = 21
  Failed Connection Attempts          = 2
  Reset Connections                   = 25
  Current Connections                 = 5
  Segments Received                   = 7313
  Segments Sent                       = 4824
  Segments Retransmitted              = 5

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:2869         VM-Windows-7:49235     TIME_WAIT
  TCP    127.0.0.1:2869         VM-Windows-7:49238     ESTABLISHED
  TCP    127.0.0.1:49238        VM-Windows-7:icslap    ESTABLISHED
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http  CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http  CLOSE_WAIT

As you can see, various statistics for the TCP protocol are displayed, as are all active TCP connections at the time.

netstat -e -t 5

In this final example, I executed the netstat command to show some basic network interface statistics [-e] and I wanted these statistics to continually update in the command window every five seconds [-t 5].

 

Linux

 

Options

The type of information printed by netstat is controlled by the first argument, which is one of the following:

(none) By default, netstat displays a list of open sockets. If you don’t specify any address families, then the active sockets of all configured address families will be printed.
–route, -r Display the kernel routing tables. See the description in route for details. netstat -r and route -e produce the same output.
–groups, -g Display multicast group membership information for IPv4 and IPv6.
–interfaces, -i Display a table of all network interfaces.
–masquerade, -M Display a list of masqueraded connections.
–statistics, -s Display summary statistics for each protocol.

After the first argument, the following options specify the reporting behavior of netstat:

–verbose, -v Tell the user what is going on by operating verbosely. Especially print some useful information about unconfigured address families.
–wide, -W Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts.
–numeric, -n Show numerical addresses instead of trying to determine symbolic host, port or user names.
–numeric-hosts shows numerical host addresses but does not affect the resolution of port or user names.
–numeric-ports shows numerical port numbers but does not affect the resolution of host or user names.
–numeric-users shows numerical user IDs but does not affect the resolution of host or port names.
–protocol=family, -A Specifies the “address families” (low-level protocols) for which connections are to be shown. family is a comma-separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the –inet, –unix (-x), –ipx, –ax25, –netrom, and –ddp options.

The address family inet includes raw, udp and tcp protocol sockets.

-c, –continuous This will cause netstat to print the selected information every second continuously.
-e, –extend Display additional information. Use this option twice for maximum detail.
-o, –timers Include information related to networking timers.
-p, –program Show the PID (process identifier) and name of the program to which each socket belongs.
-l, –listening Show only listening sockets. (These are omitted by default.)
-a, –all Show both listening and non-listening sockets. With the –interfacesoption, show interfaces that are not up.
-F Print routing information from the FIB. (This is the default.)
-C Print routing information from the route cache.
Output: Internet Connections

Information about Active Internet Connections (TCP, UDP, raw) falls under the following categories:

Proto The protocol (tcp, udp, raw) used by the socket.
Recv-Q The count of bytes not copied by the user program connected to this socket.
Send-Q The count of bytes not acknowledged by the remote host.
Local Address Address and port number of the local end of the socket. Unless the –numeric (-n) option is specified, the socket address is resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name.
Foreign Address Address and port number of the remote end of the socket; analogous to “Local Address.”
State The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values:

ESTABLISHED The socket has an established connection.
SYN_SENT The socket is actively attempting to establish a connection.
SYN_RECV A connection request has been received from the network.
FIN_WAIT1 The socket is closed, and the connection is shutting down.
FIN_WAIT2 Connection is closed, and the socket is waiting for a shutdown from the remote end.
TIME_WAIT The socket is waiting after close to handle packets still in the network.
CLOSE The socket is not being used.
CLOSE_WAIT The remote end has shut down, waiting for the socket to close.
LAST_ACK The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
LISTEN The socket is listening for incoming connections. Such sockets are not included in the output unless you specify the –listening (-l) or –all (-a) option.
CLOSING Both sockets are shut down but we still don’t have all our data sent.
UNKNOWN The state of the socket is unknown.
User The username or the user id (UID) of the owner of the socket.
PID/Program name Slash-separated pair of the process id (PID) and process name of the process that owns the socket. –program causes this column to be included. You will also need superuser privileges to see this information on sockets you don’t own. This identification information is not yet available for IPX sockets.
Output: UNIX Domain Sockets

Information about Active UNIX Domain Sockets falls under the following categories:

Proto The protocol (usually unix) used by the socket.
RefCnt The reference count (i.e. attached processes via this socket).
Flags The flags displayed are SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCECPTON is used on unconnected sockets if their corresponding processes are waiting for a connect request. The other flags are not of normal interest.
Type There are several types of socket access:

SOCK_DGRAM The socket is used in Datagram (connectionless) mode.
SOCK_STREAM This is a stream (connection) socket.
SOCK_RAW The socket is used as a raw socket.
SOCK_RDM This one serves reliably-delivered messages.
SOCK_SEQPACKET This is a sequential packet socket.
SOCK_PACKET Raw interface access socket.
State This field will contain one of the following keywords:

FREE The socket is not allocated.
LISTENING The socket is listening for a connection request. Such sockets are only included in the output if you specify the –listening (-l) or –all (-a) option.
CONNECTING The socket is about to establish a connection.
CONNECTED The socket is connected.
DISCONNECTING The socket is disconnecting.
(empty) The socket is not connected to another one.
PID/Program name Process ID (PID) and process name of the process that has the socket open. More info available in Active Internet connections section written above.
Path This is the path name as which the corresponding processes attached to the socket.
Active IPX sockets A list of active IPX sockets.
Active NET/ROM sockets A list of active NET/ROM sockets.
Active AX.25 sockets A list of active AX.25 sockets.

Files

netstat makes use of the following files:

/etc/services The services translation file.
/proc Mount point for the proc filesystem, which gives access to kernelstatus information as a file hierarchy.
/proc/net/dev device information file.
/proc/net/raw raw socket information.
/proc/net/tcp TCP socket information.
/proc/net/udp UDP socket information.
/proc/net/igmp IGMP multicast information.
/proc/net/unix Unix domain socket information.
/proc/net/ipx IPX socket information.
/proc/net/ax25 AX25 socket information.
/proc/net/appletalk DDP (appletalk) socket information.
/proc/net/nr NET/ROM socket information.
/proc/net/route IP routing information.
/proc/net/ax25_route AX25 routing information.
/proc/net/ipx_route IPX routing information.
/proc/net/nr_nodes NET/ROM nodelist.
/proc/net/nr_neigh NET/ROM neighbours.
/proc/net/ip_masquerade masqueraded connections.
/proc/net/snmp statistics.

netstat examples
netstat

Displays generic statistics about the network activity of the local system.

netstat -an

Shows information about all active connections to the server, including the source and destination IP addresses and ports, if you have proper permissions.

netstat -rn

Displays the routing table for all IP addresses bound to the server.

netstat -an |grep :80 | wc -l

Collects statistics about the amount of active connections on port 80, and pipes this data to the wc command, which displays the number of connections by counting the lines of the original netstat output.

netstat -natp

Display statistics about active Internet connections