Networking/Computing Tips/Tricks

Rate this content:
2 of 5 - 1 votes
Thank you for rating this article.

Netstat is a useful tool for checking network and Internet connections. Some useful applications for the average PC user are considered, including checking for malware connections.

To execute netstat on windows, you must execute a START> RUN> CMD. 

The command syntax is netstat [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

Switches for Netstat command
-a Displays all connections and listening ports
-b Displays the executable involved in creating each connection or listening port. (Added in XP SP2.)
-e Displays Ethernet statistics
-n Displays addresses and port numbers in numerical form
-o Displays the owning process ID associated with each connection
-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6.
-r Displays the routing table
-s Displays per-protocol statistics
-v When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.
[interval] An integer used to display results multiple times with specified number of seconds between displays. Continues until stopped by command ctrl+c. Default setting is to display once.


Netstat is one of a number of command-line tools available to check the functioning of a network. It provides a way to check if various aspects of TCP/IP are working and what connections are present. In Windows XP SP2, a new switch "-B" was added that allows the actual executable file that has opened a connection to be displayed. This newer capability provides a chance to catch malware that may be phoning home or using your computer in unwanted ways on the Internet. There are various ways that a system administrator might use the assortment of switches but I will give two examples that might be useful to home PC users.

TCP and UDP connections and their IP and port addresses can be seen by entering a command combining two switches: netstat -an

Here is an example:



The information that is displayed includes the protocol, the local address and port number, the remote (foreign) address and port number, and the connection state. Note that the various IP addresses include port information as well.

If you want to check what the port numbers are look at this reference list.

An explanation of the different connection states is given below:

CLOSED Indicates that the server has received an ACK signal from the client and the connection is closed
CLOSE_WAIT Indicates that the server has received the first FIN signal from the client and the connection is in the process of being closed
ESTABLISHED Indicates that the server received the SYN signal from the client and the session is established
FIN_WAIT_1 Indicates that the connection is still active but not currently being used
FIN_WAIT_2 Indicates that the client just received acknowledgment of the first FIN signal from the server
LAST_ACK Indicates that the server is in the process of sending its own FIN signal
LISTENING Indicates that the server is ready to accept a connection
SYN_RECEIVED Indicates that the server just received a SYN signal from the client
SYN_SEND Indicates that this particular connection is open and active
TIME_WAIT Indicates that the client recognizes the connection as still active but not currently being used


If you see a lot of active connections with TIMED_WAIT status, that may be holding down the speed of your internet transfer. Kill the culprit process(es) from the Task manager, or if it's an essential process, restart the computer.


Here are some more cool things you can do with netstat:
  • Specify which type of protocols are in use. Type "netstat -p TCP" to show only TCP connections. Type "netstat -p UDP" to show UDP traffic.  You may have to type a Control-C to stop this.
  • Enter "netstat interval 10" to have netstat information displayed every 10 seconds. Replace the 10 with any number you want to use. To stop, press "ctrl" and "c" at the same time.
  • Try netstat -e 10.  This command displays the number of bytes sent and received in real time. The command loops after every 10 seconds to give you an idea of how much data is being transferred and at what rate. If you are not transferring a file over the internet, but large data is still being sent across, that signals a problem.  Simply hit control-C to stop.
  • Try the -f parameter will display the fully qualified domain name (FQDN) of the foreign address in the netstat display. This will resolve names internally and externally if possible.
  • Tracking down which process identifier (PID) has a port open is quite easy when netstat is run with the -a -n -o combination of parameters.
  • View the implementation of friendly names for each process with the -b   parameter.  You probably have to run CMD in administrator mode.
If you would like to see what the netstat command can do for IPv6, look here.
We hope this helps disect this powerful command.
I hope you find this article and its content helpful.  Comments are welcomed below.  If you would like to see more articles like this, please support us by clicking the patron link where you will receive free bonus access to courses and more, or simply buying us a cup of coffee!, and all comments are welcome!

Comments powered by CComment

Did you learn something?
Did I save you time? 

Buy me a coffeeBuy me a coffee!

Find by Tag

5G Networks 6LoWLAN 6LoWPAN 802.11 802.11ah 802.11ax 802.11ay 802.11az ACL Addressing Analysis Ansible Architecture ARP Assessment AToM Backup Bandwidth BGP Biography Bloom's Taxonomy Briefings CBRS CellStream Cellular Central Office Cheat Sheet Chrome Cisco Clock Cloud Computer Consulting CPI Data Center Data Networking Decryption DHCPv4 DHCPv6 Display Filter DNS Documentation ECMP EIGRP Ethernet Ethics Flipping the Certification Model Follow Me Fragmentation Git GNS3 Google GQUIC Hands-On History Home Network HTTPS ICMP ICMPv6 IEEE 802.11p IEEE 802.15.4 In A Day Internet IOS Classic IoT IPv4 IPv6 IS-IS L2 Switch L2VPN L3VPN LDP Learning Services Linux LLN Logging LoL M-BGP MAC MAC OSx Macro Microsoft mininet Monitoring Monitor Mode MPLS Multicast Name Resolution Netflow NetMon netsh Networking Network Science nmap Npcap nslookup Online Learning Online School OpenFlow OSPF OSPFv2 OSPFv3 OSX Parrot PIM Ping Policy POTS POTS to Pipes PPP Profile Profiles Programming Project Management PW3E Python QoS QUIC Requirements RIP Routing RPL RSVP Rural SAS SDN Security Self Certification Service Provider Services Sharepoint Small Business Smartport SONET Speed SSH SSL Subnetting T-Shark TCP TCP/IP Telco Telecom 101 Telecommunications Telephone Telnet Terminal TLS Tools Traceroute Traffic Analysis Traffic Engineering Training Travel Tunnel Utility Video Virtualbox Virtualization Voice VoIP VRF VXLAN Webex Wi-Fi Wi-Fi 6 Wi-Fi 6/6E Windows Wireless Wireless 5G Wireshark Wireshark Tip WLAN ZigBee Zoom

Twitter Feed