The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices. netstat (network statistics) is a command-line network utility tool that displays network connections for the Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.
It is available on Unix-like operating systems including macOS, Linux, Solaris, and BSD, and is available on Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. Each version has its own command-line options you can tweak to see different types of information.
Windows:
Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
Tip: See How To Read Command Syntax if you’re not sure how to read the netstat command syntax above.
Execute the netstat command alone to show a relatively simple list of all active TCP connections which, for each one, will show the local IP address (your computer), the foreign IP address (the other computer or network device), along with their respective port numbers, as well as the TCP state.
-a = This switch displays active TCP connections, as well as UDP ports that are being listened to.
-b = This netstat switch is very similar to the -o switch listed below, but instead of displaying the PID, will display the process’s actual file name. Using -b over -o might seem like it’s saving you a step or two but using it can sometimes greatly extend the time it takes netstat to fully execute.
-e = Use this switch with the netstat command to show statistics about your network connection. This data includes bytes, unicast packets, non-unicast packets, discards, errors, and unknown protocols received and sent since the connection was established.
-f = The -f switch will force the netstat command to display the Fully Qualified Domain Name (FQDN) for each foreign IP address when possible.
-n = Use the -n switch to make sure the foreign address column displays only IP addresses; in other words, it prevents netstat from attempting to resolve host names for foreign IP addresses. Depending on your current network connections, using this switch could considerably reduce the time it takes for netstat to fully execute.
-o = A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each displayed connection. See the example below for more about using netstat -o.
-p = Use the -p switch to show connections or statistics only for a particular protocol. You cannot define more than one protocol at once, nor can you execute netstat with -p without defining a protocol.
protocol = When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.
-r = Execute netstat with -r to show the IP routing table. This is the same as using the route command to execute route print.
-s = The -s option can be used with the netstat command to show detailed statistics by protocol. You can limit the statistics shown to a particular protocol by using the -s option and specifying that protocol, but be sure to use -s before -p protocol when using the switches together.
-t = Use the -t switch to show the current TCP chimney offload state in place of the typically displayed TCP state.
TCP Chimney Offload overview
TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Chimney Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.
-x = Use the -x option to show all NetworkDirect listeners, connections, and shared endpoints.
-y = The -y switch can be used to show the TCP connection template for all connections. You cannot use -y with any other netstat option.
time_interval = This is the time, in seconds, that you’d like the netstat command to re-execute automatically, stopping only when you use Ctrl-C to end the loop. For example, to refresh the listening ports every 3 seconds: netstat -ant 3
/? = Use the help switch to show details about the netstat command’s several options.
Tip: Make all that netstat information in the command line easier to work with by outputting what you see on the screen to a text file using a redirection operator.
Listening Port:
Windows: To find the ports the current host is listening on, use the command netstat -an | findstr LISTENING
Note that the text in findstr is case sensitive.
macOS: It’s easier on macOS; you can use netstat -anL
Note that the L must be upper case.
Linux: To show the listening ports, use netstat -ntl
Including the established connections: netstat -antl
Note that -n controls whether host names are resolved; with it, addresses are shown numerically.
Netstat Command Examples
netstat -f
In this first example, I execute netstat to show all active TCP connections. However, I do want to see the computers I’m connected to in FQDN format [-f] instead of a simple IP address.
Here’s an example of what you might see:
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:5357 VM-Windows-7:49229 TIME_WAIT
TCP 127.0.0.1:49225 VM-Windows-7:12080 TIME_WAIT
TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT
TCP 192.168.1.14:49196 a795sm.avast.com:http CLOSE_WAIT
TCP 192.168.1.14:49197 a795sm.avast.com:http CLOSE_WAIT
TCP 192.168.1.14:49230 TIM-PC:wsd TIME_WAIT
TCP 192.168.1.14:49231 TIM-PC:icslap ESTABLISHED
TCP [::1]:2869 VM-Windows-7:49226 ESTABLISHED
TCP [::1]:49226 VM-Windows-7:icslap ESTABLISHED
As you can see, I had 9 active TCP connections at the time I executed netstat. The only protocol (in the Proto column) listed is TCP, which was expected because I did not use -a.
You can also see three sets of IP addresses in the Local Address column – my actual IP address of 192.168.1.14 and both IPv4 and IPv6 versions of my loopback addresses, along with the port each connection is using. The Foreign Address column lists the FQDN (75.125.212.75 didn’t resolve for some reason) along with that port as well.
Finally, the State column lists the TCP state of that particular connection.
netstat -o
In this example, I want to run netstat normally so it only shows active TCP connections, but I also want to see the corresponding process identifier [-o] for each connection so I can determine which program on my computer initiated each one.
Here’s what my computer displayed:
Active Connections
Proto Local Address Foreign Address State PID
TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT 2948
TCP 192.168.1.14:49196 a795sm:http CLOSE_WAIT 2948
TCP 192.168.1.14:49197 a795sm:http CLOSE_WAIT 2948
You probably noticed the new PID column. In this case, the PIDs are all the same, meaning that the same program on my computer opened these connections.
Using the netstat command with the -o option can be very helpful when tracking down which program is using too big a share of your bandwidth. It can also help locate the destination where some kind of malware, or even an otherwise legitimate piece of software, might be sending information without your permission.
Note: While this and the previous example were both run on the same computer, and within just a minute of each other, you can see that the list of active TCP connections is considerably different. This is because your computer is constantly connecting to, and disconnecting from, various other devices on your network and over the Internet.
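As an added example (not part of the original article), the following Python sketch applies the netstat -o idea above: it parses text in the layout of netstat -ano output and lists, per PID, the foreign endpoints that lie outside loopback and private ranges. The sample output, the 203.0.113.50 address, the INTERNAL range list and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Ranges treated as "internal" in this example (an assumption; adjust per site)
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample in the layout of Windows `netstat -ano` output
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:49225        127.0.0.1:12080        ESTABLISHED     2948
  TCP    192.168.1.14:49194     75.125.212.75:80       CLOSE_WAIT      2948
  TCP    192.168.1.14:49231     192.168.1.20:2869      ESTABLISHED     4
  TCP    192.168.1.14:49301     203.0.113.50:443       ESTABLISHED     5120
  TCP    [::1]:49226            [::1]:2869             ESTABLISHED     4
  UDP    0.0.0.0:5355           *:*                                    1320
"""

def parse_netstat(text):
    """Yield TCP rows; UDP rows have no State column and are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[4].isdigit():
            yield {"local": f[1], "foreign": f[2], "state": f[3], "pid": int(f[4])}

def external_peers_by_pid(text):
    """Map PID -> sorted foreign endpoints that fall outside INTERNAL."""
    peers = defaultdict(set)
    for row in parse_netstat(text):
        if row["state"] == "LISTENING":
            continue  # listeners have no real foreign endpoint
        host, _, port = row["foreign"].rpartition(":")
        try:
            ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
        except ValueError:
            continue  # a resolved name, not an address: rerun with -n
        if not any(ip in net for net in INTERNAL):
            peers[row["pid"]].add(f"{ip}:{port}")
    return {pid: sorted(found) for pid, found in peers.items()}

if __name__ == "__main__":
    for pid, found in sorted(external_peers_by_pid(SAMPLE).items()):
        print(pid, ", ".join(found))
```

On Windows, tasklist /FI "PID eq 2948" names the process behind a PID reported here.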
netstat -s -p tcp -f
In this third example, I want to see protocol specific statistics [-s] but not all of them, just TCP stats [-p tcp]. I also want the foreign addresses displayed in FQDN format [-f].
This is what the netstat command, as shown above, produced on my computer:
TCP Statistics for IPv4
Active Opens = 77
Passive Opens = 21
Failed Connection Attempts = 2
Reset Connections = 25
Current Connections = 5
Segments Received = 7313
Segments Sent = 4824
Segments Retransmitted = 5
Active Connections
Proto Local Address Foreign Address State
TCP 127.0.0.1:2869 VM-Windows-7:49235 TIME_WAIT
TCP 127.0.0.1:2869 VM-Windows-7:49238 ESTABLISHED
TCP 127.0.0.1:49238 VM-Windows-7:icslap ESTABLISHED
TCP 192.168.1.14:49194 75.125.212.75:http CLOSE_WAIT
TCP 192.168.1.14:49196 a795sm.avast.com:http CLOSE_WAIT
TCP 192.168.1.14:49197 a795sm.avast.com:http CLOSE_WAIT
As you can see, various statistics for the TCP protocol are displayed, as are all active TCP connections at the time.
netstat -e -t 5
In this final example, I executed the netstat command to show some basic network interface statistics [-e] and I wanted these statistics to continually update in the command window every five seconds [-t 5].
Linux
Options
The type of information printed by netstat is controlled by the first argument, which is one of the following:
(none) | By default, netstat displays a list of open sockets. If you don’t specify any address families, then the active sockets of all configured address families will be printed. |
--route, -r | Display the kernel routing tables. See the description in route for details. netstat -r and route -e produce the same output. |
--groups, -g | Display multicast group membership information for IPv4 and IPv6. |
--interfaces, -i | Display a table of all network interfaces. |
--masquerade, -M | Display a list of masqueraded connections. |
--statistics, -s | Display summary statistics for each protocol. |
After the first argument, the following options specify the reporting behavior of netstat:
--verbose, -v | Tell the user what is going on by operating verbosely. Especially print some useful information about unconfigured address families. |
--wide, -W | Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts. |
--numeric, -n | Show numerical addresses instead of trying to determine symbolic host, port or user names. |
--numeric-hosts | Shows numerical host addresses but does not affect the resolution of port or user names. |
--numeric-ports | Shows numerical port numbers but does not affect the resolution of host or user names. |
--numeric-users | Shows numerical user IDs but does not affect the resolution of host or port names. |
--protocol=family, -A | Specifies the “address families” (low-level protocols) for which connections are to be shown. family is a comma-separated list of address family keywords like inet, unix, ipx, ax25, netrom, and ddp. This has the same effect as using the --inet, --unix (-x), --ipx, --ax25, --netrom, and --ddp options. The address family inet includes raw, udp and tcp protocol sockets. |
-c, --continuous | This will cause netstat to print the selected information every second continuously. |
-e, --extend | Display additional information. Use this option twice for maximum detail. |
-o, --timers | Include information related to networking timers. |
-p, --program | Show the PID (process identifier) and name of the program to which each socket belongs. |
-l, --listening | Show only listening sockets. (These are omitted by default.) |
-a, --all | Show both listening and non-listening sockets. With the --interfaces option, show interfaces that are not up. |
-F | Print routing information from the FIB. (This is the default.) |
-C | Print routing information from the route cache. |
Output: Internet Connections
Information about Active Internet Connections (TCP, UDP, raw) falls under the following categories:
Proto | The protocol (tcp, udp, raw) used by the socket. |
Recv-Q | The count of bytes not copied by the user program connected to this socket. |
Send-Q | The count of bytes not acknowledged by the remote host. |
Local Address | Address and port number of the local end of the socket. Unless the --numeric (-n) option is specified, the socket address is resolved to its canonical host name (FQDN), and the port number is translated into the corresponding service name. |
Foreign Address | Address and port number of the remote end of the socket; analogous to “Local Address.” |
State | The state of the socket. Since there are no states in raw mode and usually no states used in UDP, this column may be left blank. Normally this can be one of several values: |
User | The username or the user id (UID) of the owner of the socket. |
PID/Program name | Slash-separated pair of the process id (PID) and process name of the process that owns the socket. --program causes this column to be included. You will also need superuser privileges to see this information on sockets you don’t own. This identification information is not yet available for IPX sockets. |
Output: UNIX Domain Sockets
Information about Active UNIX Domain Sockets falls under the following categories:
Proto | The protocol (usually unix) used by the socket. |
RefCnt | The reference count (i.e. attached processes via this socket). |
Flags | The flags displayed are SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N). SO_ACCEPTON is used on unconnected sockets if their corresponding processes are waiting for a connect request. The other flags are not of normal interest. |
Type | There are several types of socket access: |
State | This field will contain one of the following keywords: |
PID/Program name | Process ID (PID) and process name of the process that has the socket open. More info available in Active Internet connections section written above. |
Path | This is the path name as which the corresponding processes attached to the socket. |
Active IPX sockets | A list of active IPX sockets. |
Active NET/ROM sockets | A list of active NET/ROM sockets. |
Active AX.25 sockets | A list of active AX.25 sockets. |
Files
netstat makes use of the following files:
/etc/services | The services translation file. |
/proc | Mount point for the proc filesystem, which gives access to kernel status information as a file hierarchy. |
/proc/net/dev | device information file. |
/proc/net/raw | raw socket information. |
/proc/net/tcp | TCP socket information. |
/proc/net/udp | UDP socket information. |
/proc/net/igmp | IGMP multicast information. |
/proc/net/unix | Unix domain socket information. |
/proc/net/ipx | IPX socket information. |
/proc/net/ax25 | AX25 socket information. |
/proc/net/appletalk | DDP (appletalk) socket information. |
/proc/net/nr | NET/ROM socket information. |
/proc/net/route | IP routing information. |
/proc/net/ax25_route | AX25 routing information. |
/proc/net/ipx_route | IPX routing information. |
/proc/net/nr_nodes | NET/ROM nodelist. |
/proc/net/nr_neigh | NET/ROM neighbours. |
/proc/net/ip_masquerade | masqueraded connections. |
/proc/net/snmp | statistics. |
netstat examples
netstat
Displays generic statistics about the network activity of the local system.
netstat -an
Shows information about all active connections to the server, including the source and destination IP addresses and ports, if you have proper permissions.
netstat -rn
Displays the routing table for all IP addresses bound to the server.
netstat -an | grep :80 | wc -l
Counts the active connections on port 80: the netstat output is filtered by grep and piped to the wc command, which displays the number of connections by counting the lines of the original netstat output.
netstat -natp
Displays statistics about active Internet connections.