Windows Netstat Command Tutorial with Examples To List Network Ports and Connections
Netstat is used to display active TCP connections and related listening ports in the computer or system. Actually, there are more features provided by
netstat like display statistics about network stack protocols, IPv4, IPv6, TCP, UDP etc.
Syntax of the netstat command is like below. Simply we can use the following options.
netstat [-a] [-e] [-n] [-o] [-p <em>Protocol</em>] [-r] [-s] [<em>Interval</em>]
Display All TCP and UDP Connections with Listening Ports
TCP is the most used protocol for the transmission of packets between different hosts. In a regular usage for a host, there will be a lot of TCP connections in different phases. We can display all these connections with
-a option like below.
We can see that while listing listening ports following information about these ports are provided.
Protois the protocol the listening port is running. Generally, TCP and UDP are used.
Local Addressis the local or current system IP address and ports number. The IP address and the port number is delimited with the
0.0.0.0means all local IP addresses or network interfaces where
127.0.0.1means only localhost or current system
Foreign Addressis the remote IP address which is initiated a connection. Like Local address, IP address and the port number are delimited with the
Statewill provide the current status of the given port. A port can be listening which means accepting connections or
CLOSEDrecently closed etc. More details about the port or TCP states can be found below.
As we know TCP protocol provides reliable data transfer between hosts. TCP implements sessions to provide this reliability. From start to end there are different states in a TCP session. Here the sequence and meaning of TCP states.
LISTENINGmeans the port is listening but do not have any connection with a remote host
ESTABLISHEDthe connection established and communicating with the remote host
TIME_WAITthe connection is in a wait situations
CLOSE_WAITthe connection is closing phase
CLOSEDthe connection is closed
syncflag received to start the connection
Display Ethernet Statistics
Ethernet or MAC generally used for the same meaning. Ethernet is a layer 2 protocol used to communication in our LAN with other hosts and mostly with a gateway which is used to access other networks or internet. We can list detailed information about the ethernet protocol. We will use
-e option to list ethernet statistics.
> netstat -e
Following information about the Ethernet Statistics will be provided.
Receivedcolumn is used to specify the received sizes
Sentcolumn is used to specify the sent sizes
Bytesis used successfully completed transfers
Unicast packetsgenerally related with the UDP protocol where there is no connection and sessions management
Discardsis the packets that are discarded because of the problems
Errorsshow the sizes of the packets where errors occurred
Unknown protocolsshow the protocols currently unknown by the TCP/IP stack
Display Numeric Presentation of Ports and Hostname
Host and ports generally have numeric and text presentations.
netstat command by default try to resolve the host name and port name into text format. If we need to get the host and port numeric information like IP address and the port number we can use
> netstat -n
Display Connection or Ports Process ID
All ports and connections are opened and managed by processes in the operating system. For example, Apache is a web server and uses TCP 80 for listening to HTTP requests. We can list processes id of given connection or port with
> netstat -o
We can see that also
Process ID is provided which is the current application process ID which listens given port and interface.
Display Connection or Ports Process Name
Like the previous example, we can list established connection or listening port process name with
-b option. But this option requires Administrator privileges.
We can see from the output that
chrome.exe. established a connection with a remote host over
Display Fully Qualified Domain Name
netstat command list hostnames in a simple manner and with a fast way. It can skip some domain names too. We can for
netstat to print fully qualified domain names with
> netstat -f
We can see that only resolved DNS names or fully qualified domain names are shown like
Display Only TCP Protocol
netstat command provide extensive filtering options according to protocols. We can provide filter option with
-p and protocol name. In this example, we will filter and show only TCP protocol.
> netstat -p tcp
As we can see there is no UDP protocol related port and connection information.
Display Only UDP Protocol
We can also filter and show only UDP protocol ports with
-p udp option. Here we provided
-a to list UDP too.
> netstat -p udp -a
As we can see there is no TCP related port or connection information in this example.
Display Only IPv4
We can use
-p ip option to filter and show only IPv4 connections. This can be useful generally because IPv6 protocol is not common.
> netstat -p ip
Display Only IPv6
We can use
-p ipv6 option to filter and show only IPv6 connections.
> netstat -p ipv6
netstat command provides a lot of statistical information about the network stack. These statistics provide detailed metrics about protocols. We can list this statistical information with
> netstat -s
Display Only TCP Protocol Statistics
We can only list TCP protocol related statistics with
-s -p tcp option.
> netstat -s -p tcp
As we can see from output there are the following information
- Active Opens will list currently opened connection count. In this example, this is 104.
- Passive Opens will list opened connections but not transferred any data recently. In this example, this is 15.
- Failed Connection Attempts will list connection tries or attempts not completed so there are no started connections which are 4
- Reset Connections will list connections ended with
Current Connectionswill list currently opened connection count which is 5 in this example.
Segments Receivedwill list count of received TCP segments.
Segments Sentwill list count of sent TCP segments.
Segments Retransmittedwill list the count of TCP segments of retransmitted.
Display Only ICMP Protocol Statistics
We can list only ICMP related statistics with
-s -p icmp option.
> netstat -s -p icmp
Display Routing Table
Routing is used to set IP packets first hop according to their destination. Our system route information can be listed with
> netstat -r
As we can see the default route is printed in the first line which IP address is
If we need to list given options output interactively to monitor the metrics we can use interactive mode. Interactive mode is enabled by providing interval value to print output. This feature does not needs any option we will only provide interval value which is
2 in this case.
> netstat -s -p tcp 2