How to use the netstat command

List of netstat commands
Option Explanation
netstat Run the netstat command alone to see a fairly basic list of all active TCP connections. Each entry shows the local IP address (your computer), the foreign IP address (the other computer or network device), their respective port numbers, and the TCP state.
-a This switch shows active TCP connections, TCP connections in the listening state, and UDP ports that are being listened on.
-b This netstat switch is very similar to the -o switch listed below, but instead of showing the PID, it shows the actual filename of the process. Using -b instead of -o may seem to save you a step or two, but it can sometimes significantly increase the time it takes netstat to fully run.
-e Use this switch with the netstat command to view statistics about your network connection. This data includes bytes, unicast packets, non-unicast packets, discards, errors, and unknown protocols that have been received and sent since the connection was established.
-f The -f switch forces the netstat command to display the fully qualified domain name (FQDN) for each foreign IP address when it can.
-n Use the -n switch to prevent netstat from trying to determine hostnames for foreign IP addresses. Depending on your current network connections, using this switch can significantly reduce the time it takes netstat to complete.
-o A handy option for many troubleshooting tasks, the -o switch displays the process identifier (PID) associated with each connection shown. See the netstat -o example below for more usage information.
-p Use the -p switch to view connections or statistics for just one protocol. You cannot define more than one protocol at a time, nor can you run netstat with -p without defining a protocol.
protocol When specifying a protocol with the -p option, you can use tcp, udp, tcpv6, or udpv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four mentioned.
-r Run netstat with -r to view the IP routing table. This is the same as using the route command to run route print.
-s The -s option can be used with the netstat command to view detailed statistics by protocol. You can limit the displayed statistics to a specific protocol by using the -s option and specifying that protocol, but make sure you use -s before -p protocol when the switches are used together.
-t Use the -t switch to show the current TCP chimney offload state instead of the TCP state normally shown.
-x Use the -x option to view all NetworkDirect listeners, connections, and shared endpoints.
-y The -y switch can be used to display the TCP connection template for all connections. You cannot use -y with any other netstat option.
time_interval This is the time, in seconds, after which the netstat command should automatically rerun, stopping only when you use Ctrl-C to exit the loop.
/? Use the help switch to view details about the various options of the netstat command.

Netstat command examples

netstat -f

In this first example, we run netstat to see all active TCP connections. However, we want to see the computers we are connected to in FQDN format [-f] instead of just an IP address.

Here is an example of what you might see:

Active Connections
  Proto  Local Address          Foreign Address         State
  TCP    127.0.0.1:5357         VM-Windows-7:49229      TIME_WAIT
  TCP    127.0.0.1:49225        VM-Windows-7:12080      TIME_WAIT
  TCP    192.168.1.14:49194     75.125.212.75:http      CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http   CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http   CLOSE_WAIT
  TCP    192.168.1.14:49230     TIM-PC:wsd              TIME_WAIT
  TCP    192.168.1.14:49231     TIM-PC:ics
  TCP    192.168.1.14:49232     TIM-PC:netbios-ssn      TIME_WAIT
  TCP    192.168.1.14:49233     TIM-PC:netbios-ssn      TIME_WAIT
  TCP    [::1]:2869             VM-Windows-7:49226      ESTABLISHED
  TCP    [::1]:49226            VM-Windows-7:icslap     ESTABLISHED

As you can see, in this example there were 11 active TCP connections when netstat was run. The only protocol listed (in the Proto column) is TCP, which was expected since we didn't use -a.

You can also see three groups of IP addresses in the Local Address column: the actual IP address 192.168.1.14 and both the IPv4 and IPv6 versions of the loopback address, along with the port used by each connection. The Foreign Address column shows the FQDN (75.125.212.75 was not resolved for some reason) as well as that port.

Finally, the State column indicates the TCP state of that particular connection.


netstat -o

In this example, netstat is run normally, so only active TCP connections are shown, but we also want to see the corresponding process ID [-o] for each connection so that we can determine which program on the computer initiated each one.

This is what the computer showed:

Active Connections
  Proto  Local Address          Foreign Address       State        PID
  TCP    192.168.1.14:49194     75.125.212.75:http    CLOSE_WAIT   2948
  TCP    192.168.1.14:49196     a795sm:http           CLOSE_WAIT   2948
  TCP    192.168.1.14:49197     a795sm:http           CLOSE_WAIT   2948

You probably noticed the new PID column. In this case, the PIDs are all the same, which means that the same program on the computer opened those connections.

To determine which program is represented by PID 2948 on the computer, you just need to open Task Manager, select the Processes tab, and note the Image Name listed next to the PID you are looking for in the PID column.

Using the netstat command with the -o option can be very useful for finding out which program is using too much of your bandwidth. It can also help to find the destination where malware, or even legitimate software, might be sending information without your permission.

Although this example and the previous example were run on the same computer and were only a minute apart, you can see that the list of active TCP connections is quite different. This is because your computer is constantly connecting and disconnecting from various other devices on your network and the internet.

netstat -o | findstr 28604

The example above is similar to what we’ve already looked at, but instead of showing all connections, we’ll tell the netstat command to only show connections that use a specific PID, 28604 in this example.


A similar command could be used to filter out connections in the CLOSE_WAIT state, by replacing the PID in the command with ESTABLISHED.
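The PID filtering and destination check described in the netstat -o examples above, as an added example that is not code from the original article: a Python parser for netstat -ano output that matches on the PID column exactly and groups non-local foreign endpoints by PID. The sample output, its PIDs and addresses, and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed `netstat -ano` output (documentation-range addresses, made-up PIDs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.14:28604     192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.14:49194     203.0.113.75:80        CLOSE_WAIT      2948
  TCP    192.168.1.14:49196     198.51.100.20:80       CLOSE_WAIT      2948
  TCP    192.168.1.14:49301     198.51.100.20:443      ESTABLISHED     28604
  TCP    [::1]:49226            [::1]:2869             ESTABLISHED     1320
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# Loopback, RFC 1918, link-local, unique-local and unspecified ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/32", "::1/128", "::/128", "fe80::/10", "fc00::/7")]

def parse(text):
    """Yield (proto, local, foreign, state, pid); UDP rows have no State column."""
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("TCP", "UDP") and f[-1].isdigit():
            yield f[0], f[1], f[2], (f[3] if len(f) == 5 else ""), int(f[-1])

def is_external(endpoint):
    """True when the address part of addr:port lies outside LOCAL_NETS."""
    host = endpoint.rsplit(":", 1)[0].strip("[]").split("%")[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # "*" on UDP rows, or a name when -n was omitted
        return False
    return not any(ip in net for net in LOCAL_NETS)

def rows_for_pid(text, pid):
    """Exact match on the PID column; a findstr text match also hits port 28604."""
    return [r for r in parse(text) if r[4] == pid]

def external_by_pid(text, states=("ESTABLISHED", "CLOSE_WAIT")):
    """Map each PID to the sorted external endpoints it is connected to."""
    hits = defaultdict(set)
    for _proto, _local, foreign, state, pid in parse(text):
        if state in states and is_external(foreign):
            hits[pid].add(foreign)
    return {pid: sorted(eps) for pid, eps in hits.items()}

if __name__ == "__main__":
    print(external_by_pid(SAMPLE))
```

To use it on a live system, save the output of netstat -ano to a file and pass its contents in place of SAMPLE; the -n switch matters because the address check only understands numeric addresses.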

netstat -s -p tcp -f

In this example, we want to see protocol-specific statistics [-s], but not all of them, only the TCP statistics [-p tcp]. We also want foreign addresses to be displayed in FQDN format [-f].

This is what the netstat command produced on the example computer as shown above:

TCP Statistics for IPv4
  Active opens                = 77
  Passive opens               = 21
  Failed connection attempts  = 2
  Reset connections           = 25
  Current connections         = 5
  Received segments           = 7313
  Sent segments               = 4824
  Retransmitted segments      = 5

Active Connections
  Proto  Local Address          Foreign Address         State
  TCP    127.0.0.1:2869         VM-Windows-7:49235      TIME_WAIT
  TCP    127.0.0.1:2869         VM-Windows-7:49238      ESTABLISHED
  TCP    127.0.0.1:49238        VM-Windows-7:icslap     ESTABLISHED
  TCP    192.168.1.14:49194     75.125.212.75:http      CLOSE_WAIT
  TCP    192.168.1.14:49196     a795sm.avast.com:http   CLOSE_WAIT
  TCP    192.168.1.14:49197     a795sm.avast.com:http   CLOSE_WAIT

As you can see, it shows various statistics related to TCP protocol as well as all active TCP connections at that moment.

netstat -e -t 5

This last example runs the netstat command to display some basic statistics about the network interface [-e], with these statistics continuously updated in the command window every five seconds [-t 5].

The following is produced on screen:

Interface Statistics
                       Received    Sent
  Bytes                22132338    1846834
  Unicast Packets      19113       9869
  Non-Unicast Packets  0           0
  Discards             0           0
  Errors               0           0
  Unknown Protocols    0

Interface Statistics
                       Received    Sent
  Bytes                22134630    1846834
  Unicast Packets      19128       9869
  Non-Unicast Packets  0           0
  Discards
  Errors
  Unknown Protocols    0
^C

Various pieces of information, which you can see here and which we listed under the -e syntax above, are displayed.

The netstat command was automatically run only one additional time, as can be seen from the two output tables. Note the ^C at the bottom, which indicates that the Ctrl+C abort command was used to stop the command from being re-executed.

Netstat related commands

The netstat command is commonly used with other network-related command prompt commands such as nslookup, ping, tracert, ipconfig, and others.