Windows Netstat Command Tutorial with Examples To List Network Ports and Connections


Netstat is used to display active TCP connections and related listening ports in the computer or system. Actually, there are more features provided by netstat like display statistics about network stack protocols, IPv4, IPv6, TCP, UDP, etc.

Syntax

The syntax of the netstat command is like below. Simply we can use the following options.

netstat OPTIONS
  • OPTIONS will set different options and arguments about the netstat command behavior.

Display All TCP and UDP Connections with Listening Ports

TCP is the most used protocol for the transmission of packets between different hosts. In a regular usage for a host, there will be a lot of TCP connections in different phases. We can display all these connections with -a option like below.

>netstat -a
Display All TCP Connections
Display All TCP Connections

We can see that while listing listening ports following information about these ports is provided.

  • `Proto` is the protocol the listening port is running. Generally, TCP and UDP are used.
  • `Local Address` is the local or current system IP address and ports number. The IP address and the port number are delimited with the `:`. `0.0.0.0` means all local IP addresses or network interfaces where `127.0.0.1` means only localhost or current system
  • `Foreign Address` is the remote IP address which is initiated a connection. Like Local address, IP address and the port number are delimited with the `:`.
  • `State` will provide the current status of the given port. A port can be listening which means accepting connections or `CLOSED` recently closed etc. More details about the port or TCP states can be found below.

TCP States

As we know TCP protocol provides reliable data transfer between hosts. TCP implements sessions to provide this reliability. From start to end there are different states in a TCP session. Here the sequence and meaning of TCP states.

  • LISTENING means the port is listening but do not have any connection with a remote host
  • ESTABLISHED the connection established and communicating with the remote host
  • TIME_WAIT the connection is in a wait situations
  • CLOSE_WAIT the connection is the closing phase
  • CLOSED the connection is closed
  • SYN_RECEIVED the sync flag received to start the connection
LEARN MORE  Nmap Commands Cheat Sheet

Display Ethernet Statistics

Ethernet or MAC generally used for the same meaning. Ethernet is a Layer 2 protocol used to communicate in our LAN with other hosts and mostly with a gateway that is used to access other networks or the internet. We can list detailed information about the ethernet protocol. We will use -e option to list ethernet statistics.

> netstat -e
Display Ethernet Statistics
Display Ethernet Statistics

Following information about Ethernet Statistics will be provided.

  • `Received` column is used to specify the received sizes
  • `Sent` column is used to specify the sent sizes
  • `Bytes` is used successfully completed transfers
  • `Unicast packets` generally related to the UDP protocol where there is no connection and sessions management
  • `Non-unicast`
  • `Discards` is the packets that are discarded because of the problems
  • `Errors` show the sizes of the packets where errors occurred
  • `Unknown protocols` show the protocols currently unknown by the TCP/IP stack

Display Numeric Presentation of Ports and Hostname

Host and ports generally have numeric and text presentations. netstat command by default try to resolve the hostname and port name into text format. If we need to get the host and port numeric information like IP address and the port number we can use -n option.

> netstat -n
Display Numeric Presentation of Ports and Hostname
Display Numeric Presentation of Ports and Hostname

Display Connection or Ports Process ID

All ports and connections are opened and managed by processes in the operating system. For example, Apache is a web server and uses TCP 80 for listening to HTTP requests. We can list processes id of given connection or port with -o option.

> netstat -o
Display Connection or Ports Process ID
Display Connection or Ports Process ID

We can see that also PID or Process ID is provided which is the current application process ID which listens given port and interface.

Display Connection or Ports Process Name

Like the previous example, we can list established connection or listening port process name with -b option. But this option requires Administrator privileges.

>netstat -b
Display Connection or Ports Process Name
Display Connection or Ports Process Name

We can see from the output that chrome.exe. established a connection with a remote host over https protocol.

LEARN MORE  10 Things To Do After Fedora Installation

Display Fully Qualified Domain Name

Normally netstat will list hostnames in a simple manner and in a fast way. It can skip some domain names too. We can for netstat to print fully qualified domain names with -f option.

 > netstat -f
Display Fully Qualified Domain Name
Display Fully Qualified Domain Name

We can see that only resolved DNS names or fully qualified domain names are shown like oracle.com.

Display Only TCP Protocol

netstat command provides extensive filtering options according to protocols. We can provide a filter option with  -p and protocol name. In this example, we will filter and show only TCP protocol.

> netstat -p tcp
Display Only TCP Protocol
Display Only TCP Protocol

As we can see there is no UDP protocol related port and connection information.

Display Only UDP Protocol

We can also filter and show only UDP protocol ports with -p udp option. Here we provided -a to list UDP too.

> netstat -p udp -a
Display Only UDP Protocol
Display Only UDP Protocol

As we can see there is no TCP related port or connection information in this example and all UDP ports are currently listening mode without a connection state. This is because the UDP protocol is a connectionless protocol that does not create a session for data transmission.

Display Only IPv4

We can use -p ip option to filter and show only IPv4 connections. This can be useful generally because the IPv6 protocol is not common.

> netstat -p ip

Display Only IPv6

We can use -p ipv6 option to filter and show only IPv6 connections about the netstat command.

> netstat -p ipv6

Display IPv4 ve IPv6 Statistics

netstat command provides a lot of statistical information about the network stack. These statistics provide detailed metrics about protocols. We can list this statistical information with -s option.

> netstat -s
Display Statistics
Display Statistics

We can see that the following information about IPv4 and IPv6 protocol is provided.

  • `Packets Received`: The total IP packets received.
  • `Received Header Errors`: Total number of headers errors of the received packets.
  • `Received Address Errors`: The total number of address errors of the received packets.
  • `Unknown Protocols Received`: The total number of protocols which is unknown.
  • `Received Packets Discarded`: The total number of packets that are discarded after received.
LEARN MORE  Atop Command Tutorial With Examples To Monitor Linux System Metrics

Display Only TCP Protocol Statistics

We can only list TCP protocol-related statistics with -s -p tcp option.

> netstat -s -p tcp
Display Only TCP Protocol Statistics
Display Only TCP Protocol Statistics

As we can see from output there is the following information

  • Active Opens will list currently opened connection count. In this example, this is 104.
  • Passive Opens will list open connections but not transferred any data recently. In this example, this is 15.
  • Failed Connection Attempts will list connection tries or attempts not completed so there are no started connections which are 4
  • Reset Connections will list connections that ended with the `RST` TCP flag.
  • `Current Connections`will list currently opened connection count which is 5 in this example.
  • `Segments Received` will list count of received TCP segments.
  • `Segments Sent` will list the count of sent TCP segments.
  • `Segments Retransmitted` will list the count of retransmitted TCP segments.

Display Only ICMP Protocol Statistics

We can list only ICMP related statistics with -s -p icmp option.

> netstat -s -p icmp
Display Only ICMP Protocol Statistics
Display Only ICMP Protocol Statistics
  • `Messages`: ICMP Messages.
  • `Errors`: ICMP Errors.
  • `Destination Unreachable`: ICMP Destination Unreachable Messages.
  • `Echo Replies`: ICMP Echo replies which are generally used for ping or ping command.

Display Routing Table

Routing is used to set IP packets first-hop according to their destination. Our system route information can be listed with -r option.

> netstat -r
Display Routing Table
Display Routing Table

As we can see the default route is printed in the first line which IP address is 192.168.122.1 .

Display Interactively

If we need to list given options output interactively to monitor the metrics we can use interactive mode. Interactive mode is enabled by providing interval value to print output. This feature does not needs any option we will only provide interval value which is 2 in this case.

> netstat -s -p tcp 2

Leave a Comment