The netstat command is a Command
Prompt command used to display very detailed information about how
your computer is communicating with other computers or network devices.
Specifically, the netstat command can show details about
individual network connections, overall and protocol-specific networking
statistics, and much more, all of which could help troubleshoot certain kinds
of networking issues.
Netstat Command Availability
The netstat command is available from within the Command Prompt
in most versions of Windows including Windows 10, Windows 8, Windows 7, Windows Vista,
Windows XP,
Windows Server operating systems, and some older versions of Windows, too.
The availability of certain netstat command switches and other netstat command syntax may
differ from operating system to operating system.
Netstat Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
Execute the netstat command alone to show a relatively simple list of all
active TCP connections which, for each one, will show the local IP address (your computer), the foreign IP address (the
other computer or network device), along with their respective port numbers, as
well as the TCP state.
-a = This switch displays active TCP connections, TCP
connections with the listening state, as well as UDP ports that are being
listened to.
-b = This netstat switch is very similar to the -o switch listed below, but instead of displaying the PID, will display the process's actual file name. Using -b over -o might seem like it's saving you a step or two but using it can sometimes greatly extend the time it takes netstat to fully execute.
-e = Use this switch with the netstat command to show
statistics about your network connection. This data includes bytes, unicast
packets, non-unicast packets, discards, errors, and unknown protocols received
and sent since the connection was established.
-f = The -f switch will force the netstat command to display the Fully Qualified Domain Name (FQDN) for each foreign IP address when possible.
-n = Use the -n switch to prevent netstat from attempting to determine host names for foreign IP addresses. Depending on your current network connections, using this switch could considerably reduce the time it takes for netstat to fully execute.
-o = A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each displayed connection. See the example below for more about using netstat -o.
-p = Use the -p switch to show connections or statistics only for a particular protocol. You cannot define more than one protocol at once, nor can you execute netstat with -p without defining a protocol.
protocol = When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four I mentioned.
-r = Execute netstat with -r to show the IP routing table. This is the same as using the route command to execute route print.
-s = The -s option can be used with the netstat command to show detailed statistics by protocol. You can limit the statistics shown to a particular protocol by using the -s option and specifying that protocol, but be sure to use -s before -p protocol when using the switches together.
-t = Use the -t switch to show the current TCP chimney offload state in place of the typically displayed TCP state.
-x = Use the -x option to show all NetworkDirect listeners, connections, and shared endpoints.
-y = The -y switch can be used to show the TCP connection template for all connections. You cannot use -y with any other netstat option.
time_interval = This is the time, in seconds, that you'd like the
netstat command to re-execute automatically, stopping only when you use Ctrl-C to end the loop.
/? = Use the help switch to
show details about the netstat command's several options.
Make all that netstat information in the command line easier to work with by
outputting what you see on the screen to a text file
using a redirection operator.
Netstat Command Examples
netstat -f
In this first example, I execute netstat to show all active TCP connections. However, I do want to see the computers I'm connected to in FQDN format [-f] instead of a simple IP address.
Here's an example of what you might see:
Active Connections
  Proto  Local Address          Foreign Address           State
  TCP    127.0.0.1:5357         VM-Windows-7:49229        TIME_WAIT
  TCP    127.0.0.1:49225        VM-Windows-7:12080        TIME_WAIT
  TCP    192.168.1.14:49194     75.125.212.75:http        CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http     CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http     CLOSE_WAIT
  TCP    192.168.1.14:49230     TIM-PC:wsd                TIME_WAIT
  TCP    192.168.1.14:49231     TIM-PC:icslap             ESTABLISHED
  TCP    192.168.1.14:49232     TIM-PC:netbios-ssn        TIME_WAIT
  TCP    192.168.1.14:49233     TIM-PC:netbios-ssn        TIME_WAIT
  TCP    [::1]:2869             VM-Windows-7:49226        ESTABLISHED
  TCP    [::1]:49226            VM-Windows-7:icslap       ESTABLISHED
As you can see, there were 11 active TCP connections at the time netstat was executed in this example. The only protocol (in the Proto column) listed is TCP, which was expected because I did not use -a.
You can also see three sets of IP addresses in the Local Address column: my actual IP address of 192.168.1.14 and both IPv4 and IPv6 versions of my loopback addresses, along with the port each connection is using. The Foreign Address column lists the FQDN (75.125.212.75 didn't resolve for some reason) along with that port as well.
Finally, the State column lists the TCP state of that particular connection.
netstat -o
In this example, netstat will be run normally so it only shows active TCP connections, but we also want to see the corresponding process identifier [-o] for each connection so we can determine which program on the computer initiated each one.
Here's what the computer displayed:
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     a795sm:http            CLOSE_WAIT      2948
  TCP    192.168.1.14:49197     a795sm:http            CLOSE_WAIT      2948
You probably noticed the new PID column. In this case, the PIDs are all the same, meaning that the same program on my computer opened these connections.
To determine what program is represented by the PID of 2948 on the computer, all you have to do is open Task Manager, click on the Processes tab, and note the Image Name listed next to the PID I'm looking for in the PID column. [1]
Using the netstat command with the -o option can be very helpful when tracking down which program is using too big a share of your bandwidth. It can also help locate the destination where some kind of malware, or even an otherwise legitimate piece of software, might be sending information without your permission.
While this and the previous example were both run on the same computer, and
within just a minute of each other, you can see that the list of active TCP
connections is considerably different. This is because your computer is
constantly connecting to, and disconnecting from, various other devices on your
network and over the internet.
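The PID-to-destination review described above can be scripted once the output has been saved to a text file. The following is an added example, not part of the original article: it parses netstat -o style output and lists, per PID, the foreign endpoints of its TCP connections. The function names are hypothetical, and in the sample the PIDs 1234 and 1100 and the UDP row are constructed.

```python
from collections import defaultdict

# Constructed sample: the three PID 2948 rows are this page's netstat -o output;
# the IPv6 row's PID (1234) and the whole UDP row are constructed for the demo.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.14:49194     75.125.212.75:http     CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     a795sm:http            CLOSE_WAIT      2948
  TCP    192.168.1.14:49197     a795sm:http            CLOSE_WAIT      2948
  TCP    [::1]:2869             VM-Windows-7:49226     ESTABLISHED     1234
  UDP    0.0.0.0:5355           *:*                                    1100
"""

def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so '[::1]:2869' keeps its address."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_netstat_o(text):
    """Return one dict per connection row of 'netstat -o' style output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        if fields[0] == "UDP" and len(fields) == 4:
            fields.insert(3, "")  # UDP rows carry no State column
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # e.g. output produced without -o, so no PID column
        proto, local, foreign, state, pid = fields
        rows.append({"proto": proto, "local": split_endpoint(local),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows

def foreign_by_pid(rows, states=("ESTABLISHED", "CLOSE_WAIT")):
    """Map each PID to the sorted foreign endpoints of its TCP rows in `states`."""
    grouped = defaultdict(set)
    for row in rows:
        if row["proto"] == "TCP" and row["state"] in states:
            grouped[row["pid"]].add(row["foreign"])
    return {pid: sorted(endpoints) for pid, endpoints in grouped.items()}

if __name__ == "__main__":
    for pid, endpoints in foreign_by_pid(parse_netstat_o(SAMPLE)).items():
        print(pid, ", ".join(endpoints))
```

On a live host, tasklist /FI "PID eq 2948" names the process from the Command Prompt without opening Task Manager.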
netstat -s -p tcp -f
In this third example, we want to see protocol-specific statistics [-s] but not all of them, just TCP stats [-p tcp]. We also want the foreign addresses displayed in FQDN format [-f].
This is what the netstat command, as shown above, produced on the example
computer:
TCP Statistics for IPv4
  Active Opens                        = 77
  Passive Opens                       = 21
  Failed Connection Attempts          = 2
  Reset Connections                   = 25
  Current Connections                 = 5
  Segments Received                   = 7313
  Segments Sent                       = 4824
  Segments Retransmitted              = 5
Active Connections
  Proto  Local Address          Foreign Address           State
  TCP    127.0.0.1:2869         VM-Windows-7:49235        TIME_WAIT
  TCP    127.0.0.1:2869         VM-Windows-7:49238        ESTABLISHED
  TCP    127.0.0.1:49238        VM-Windows-7:icslap       ESTABLISHED
  TCP    192.168.1.14:49194     75.125.212.75:http        CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http     CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http     CLOSE_WAIT
As you can see, various statistics for the TCP protocol are displayed, as
are all active TCP connections at the time.
netstat -e -t 5
In this final example, the netstat command is executed to show some basic network interface statistics [-e], with these statistics continually updated in the command window every five seconds [-t 5].
Here's what's produced on screen:
Interface Statistics
                           Received            Sent
Bytes                      22132338         1846834
Unicast packets               19113            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
Interface Statistics
                           Received            Sent
Bytes                      22134630         1846834
Unicast packets               19128            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
^C
Various pieces of information, which you can see here and that I listed in the -e syntax above, are displayed.
The netstat command only automatically executed one extra time, as you can see by the two tables in the result. Note the ^C at the bottom, indicating that the Ctrl-C abort command was used to stop the re-running of the command.
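The counters in these tables are running totals, so the figure of interest is the change between two refreshes. The following is an added example, not part of the original article: it parses repeated Interface Statistics tables saved from netstat -e with an interval and computes the per-interval change for each counter. The function names are hypothetical, and the sample is the output shown above.

```python
import re

# Constructed sample: the two tables from this page's interval example.
SAMPLE = """\
Interface Statistics
                           Received            Sent
Bytes                      22132338         1846834
Unicast packets               19113            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
Interface Statistics
                           Received            Sent
Bytes                      22134630         1846834
Unicast packets               19128            9869
Non-unicast packets               0               0
Discards                          0               0
Errors                            0               0
Unknown protocols                 0
^C
"""

# Counter name, Received value, optional Sent value ("Unknown protocols" has none).
ROW = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s+(\d+)(?:\s+(\d+))?$")

def parse_snapshots(text):
    """Return one {counter: (received, sent_or_None)} dict per printed table."""
    snapshots = []
    for line in text.splitlines():
        line = line.strip()
        if line == "Interface Statistics":
            snapshots.append({})
            continue
        match = ROW.match(line)
        if match and snapshots:
            name, rx, tx = match.groups()
            snapshots[-1][name] = (int(rx), None if tx is None else int(tx))
    return snapshots

def interval_deltas(snapshots):
    """Per-counter (received, sent) change between each pair of adjacent tables."""
    result = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        delta = {}
        for name in cur.keys() & prev.keys():
            (rx0, tx0), (rx1, tx1) = prev[name], cur[name]
            delta[name] = (rx1 - rx0, None if None in (tx0, tx1) else tx1 - tx0)
        result.append(delta)
    return result
```

For the two tables above, this reports 2292 bytes and 15 unicast packets received during the five-second interval and nothing sent.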
Netstat Related Commands
The netstat command is often used with other networking related Command
Prompt commands like nslookup, ping, tracert,
ipconfig, and others.
[1] You may have to manually add the PID column to Task Manager. You
can do this by selecting the "PID (Process Identifier)" checkbox from
View -> Select Columns in Task Manager. You may also have to click the
"Show processes from all users" button on the Processes tab if the
PID you're looking for isn't listed.