
Netstat

What is the Netstat Command?

The netstat command is a Command Prompt command used to display very detailed information about how your computer is communicating with other computers or network devices.

Specifically, the netstat command can show details about individual network connections, overall and protocol-specific networking statistics, and much more, all of which could help troubleshoot certain kinds of networking issues.

Netstat Command Syntax

netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

Tip: See How To Read Command Syntax if you're not sure how to read the netstat command syntax above.

Execute the netstat command alone to show a relatively simple list of all active TCP connections which, for each one, will show the local IP address (your computer), the foreign IP address (the other computer or network device), along with their respective port numbers, as well as the TCP state.

-a = This switch displays active TCP connections, TCP connections with the listening state, as well as UDP ports that are being listened to.

-b = This netstat switch is very similar to the -o switch listed below, but instead of displaying the PID, will display the process's actual file name. Using -b over -o might seem like it's saving you a step or two but using it can sometimes greatly extend the time it takes netstat to fully execute.

-e = Use this switch with the netstat command to show statistics about your network connection. This data includes bytes, unicast packets, non-unicast packets, discards, errors, and unknown protocols received and sent since the connection was established.

-f = The -f switch will force the netstat command to display the Fully Qualified Domain Name (FQDN) for each foreign IP address when possible.

-n = Use the -n switch to prevent netstat from attempting to determine host names for foreign IP addresses. Depending on your current network connections, using this switch could considerably reduce the time it takes for netstat to fully execute.

-o = A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each displayed connection. See the example below for more about using netstat -o.

-p = Use the -p switch to show connections or statistics only for a particular protocol. You cannot define more than one protocol at once, nor can you execute netstat with -p without defining a protocol.

protocol = When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.

-r = Execute netstat with -r to show the IP routing table. This is the same as using the route command to execute route print.

-s = The -s option can be used with the netstat command to show detailed statistics by protocol. You can limit the statistics shown to a particular protocol by using the -s option and specifying that protocol, but be sure to use -s before -p protocol when using the switches together.

-t = Use the -t switch to show the current TCP chimney offload state in place of the typically displayed TCP state.

-x = Use the -x option to show all NetworkDirect listeners, connections, and shared endpoints.

-y = The -y switch can be used to show the TCP connection template for all connections. You cannot use -y with any other netstat option.

time_interval = This is the time, in seconds, that you'd like the netstat command to re-execute automatically, stopping only when you use Ctrl-C to end the loop.

/? = Use the help switch to show details about the netstat command's several options.

Tip: Make all that netstat information in the command line easier to work with by outputting what you see on the screen to a text file using a redirection operator. See How To Redirect Command Output to a File for complete instructions.

Netstat Command Examples

netstat -f

In this first example, I execute netstat to show all active TCP connections. However, I do want to see the computers I'm connected to in FQDN format [-f] instead of a simple IP address.

Here's an example of what you might see:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:5357         VM-Windows-7:49229     TIME_WAIT
  TCP    127.0.0.1:49225        VM-Windows-7:12080     TIME_WAIT
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http  CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http  CLOSE_WAIT
  TCP    192.168.1.14:49230     TIM-PC:wsd             TIME_WAIT
  TCP    192.168.1.14:49231     TIM-PC:icslap          ESTABLISHED
  TCP    192.168.1.14:49232     TIM-PC:netbios-ssn     TIME_WAIT
  TCP    192.168.1.14:49233     TIM-PC:netbios-ssn     TIME_WAIT
  TCP    [::1]:2869             VM-Windows-7:49226     ESTABLISHED
  TCP    [::1]:49226            VM-Windows-7:icslap    ESTABLISHED

As you can see, I had 11 active TCP connections at the time I executed netstat. The only protocol (in the Proto column) listed is TCP, which was expected because I did not use -a.

You can also see three sets of IP addresses in the Local Address column - my actual IP address of 192.168.1.14 and both IPv4 and IPv6 versions of my loopback addresses, along with the port each connection is using. The Foreign Address column lists the FQDN (75.125.212.75 didn't resolve for some reason) along with that port as well.

Finally, the State column lists the TCP state of that particular connection.

netstat -o

In this example, I want to run netstat normally so it only shows active TCP connections, but I also want to see the corresponding process identifier [-o] for each connection so I can determine which program on my computer initiated each one.

Here's what my computer displayed:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     a795sm:http            CLOSE_WAIT      2948
  TCP    192.168.1.14:49197     a795sm:http            CLOSE_WAIT      2948

You probably noticed the new PID column. In this case, the PIDs are all the same, meaning that the same program on my computer opened these connections.

To determine what program is represented by the PID of 2948 on my computer, all I have to do is open Task Manager, click on the Processes tab, and note the Image Name listed next to the PID I'm looking for in the PID column. [1]

Using the netstat command with the -o option can be very helpful when tracking down which program is using too big a share of your bandwidth. It can also help locate the destination where some kind of malware, or even an otherwise legitimate piece of software, might be sending information without your permission.

Note: While this and the previous example were both run on the same computer, and within just a minute of each other, you can see that the list of active TCP connections is considerably different. This is because your computer is constantly connecting to, and disconnecting from, various other devices on your network and over the Internet.
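An added example, not part of the original article: a Python parser for netstat -o output saved to a text file, which groups the non-loopback remote endpoints by PID so each process's destinations can be reviewed at a glance. It goes slightly beyond the example above by also accepting the UDP rows that -a -o adds (they have no State column); the loopback and UDP rows in the sample, and their PIDs, are constructed for illustration.

```python
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state pid")

# Rows for PID 2948 are the article's `netstat -o` output; the loopback row
# (PID 1388) and the UDP row (PID 1100) are constructed for this example.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:49238        VM-Windows-7:icslap    ESTABLISHED     1388
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     a795sm:http            CLOSE_WAIT      2948
  TCP    192.168.1.14:49197     a795sm:http            CLOSE_WAIT      2948
  UDP    0.0.0.0:5355           *:*                                    1100
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so '[::1]:2869' keeps its brackets."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat(text):
    """Parse TCP/UDP rows of `netstat -o` or `netstat -a -o`; skip everything else."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if f[:1] == ["TCP"] and len(f) == 5:
            proto, local, remote, state, pid = f
        elif f[:1] == ["UDP"] and len(f) == 4:   # UDP rows have no State column
            proto, local, remote, pid = f
            state = ""
        else:
            continue                             # headers, blanks, unknown layouts
        if pid.isdigit():
            conns.append(Conn(proto, *split_endpoint(local), *split_endpoint(remote), state, int(pid)))
    return conns

def remote_endpoints_by_pid(conns):
    """Map each PID to its sorted, distinct remote endpoints, ignoring loopback and '*:*'."""
    out = defaultdict(set)
    for c in conns:
        loopback = c.local_host.startswith("127.") or c.local_host == "[::1]"
        if not loopback and c.remote_host != "*":
            out[c.pid].add(f"{c.remote_host}:{c.remote_port}")
    return {pid: sorted(eps) for pid, eps in out.items()}

if __name__ == "__main__":
    print(remote_endpoints_by_pid(parse_netstat(SAMPLE)))
```

Running netstat with -n as well as -o before saving the output gives numeric addresses and ports, which are easier to compare between captures than resolved names.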

netstat -s -p tcp -f

In this third example, I want to see protocol specific statistics [-s] but not all of them, just TCP stats [-p tcp]. I also want the foreign addresses displayed in FQDN format [-f].

This is what the netstat command, as shown above, produced on my computer:

TCP Statistics for IPv4

  Active Opens                        = 77
  Passive Opens                       = 21
  Failed Connection Attempts          = 2
  Reset Connections                   = 25
  Current Connections                 = 5
  Segments Received                   = 7313
  Segments Sent                       = 4824
  Segments Retransmitted              = 5

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:2869         VM-Windows-7:49235     TIME_WAIT
  TCP    127.0.0.1:2869         VM-Windows-7:49238     ESTABLISHED
  TCP    127.0.0.1:49238        VM-Windows-7:icslap    ESTABLISHED
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http  CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http  CLOSE_WAIT

As you can see, various statistics for the TCP protocol are displayed, as are all active TCP connections at the time.

netstat -e -t 5

In this final example, I executed the netstat command to show some basic network interface statistics [-e] and I wanted these statistics to continually update in the command window every five seconds [-t 5].

Here's what's produced on screen:

Interface Statistics

                           Received            Sent

Bytes                      22132338         1846834
Unicast packets               19113            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
Interface Statistics

                           Received            Sent

Bytes                      22134630         1846834
Unicast packets               19128            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
^C

Various pieces of information, which you can see here and that I listed in the -e syntax above, are displayed.

I only let the netstat command automatically execute one extra time, as you can see by the two tables in the result. Note the ^C at the bottom, indicating that I used the Ctrl-C abort command to stop the rerunning of the command.

Netstat Command Availability

The netstat command is available from within the Command Prompt in most versions of Windows including Windows 8, Windows 7, Windows Vista, Windows XP, Windows Server operating systems, and some older versions of Windows too.

Note: The availability of certain netstat command switches and other netstat command syntax may differ from operating system to operating system.

Netstat Related Commands

The netstat command is often used with other networking related Command Prompt commands like nslookup, ping, tracert, ipconfig, and others.

[1] You may have to manually add the PID column to Task Manager. You can do this by selecting the "PID (Process Identifier)" checkbox from View -> Select Columns in Task Manager. You may also have to click the "Show processes from all users" button on the Processes tab if the PID you're looking for isn't listed.

©2014 About.com. All rights reserved.