  • netstat is a command-line networking tool that is handy for troubleshooting. It is cross-platform, so you can use it on Linux, macOS, or Windows.

    netstat is handy for the following:

    • Display incoming and outgoing network connections
    • Display routing tables
    • Display number of network interfaces
    • Display network protocol statistics

    Let’s get it started…

    Show all connections

    To start with netstat, let’s see the command that displays all connections.

    netstat -a

    Type the above command and hit Enter. You will see all the active connections in their different states, as shown below.

    C:\Windows\system32>netstat -a
    
    Active Connections
    
    Proto Local Address Foreign Address State
    TCP 192.168.43.15:139 DESKTOP-A0PM5GD:0 LISTENING
    TCP 192.168.43.15:52484 153:https ESTABLISHED
    TCP 192.168.43.15:52532 ec2-13-228-49-204:https TIME_WAIT
    UDP [fe80::998c:d2d:17df:65d9%12]:58903 *:*

    You will see a header with Proto, Local Address, Foreign Address, and State. Let’s see brief info about them.

    • Proto – defines the protocol type (TCP, UDP, etc.) of the socket.
    • Local Address – displays your computer IP address and port, local end of the socket.
    • Foreign Address – displays remote computer that your computer is connected to, the remote end of the socket.
    • State – defines the state of the socket (LISTENING, ESTABLISHED, CLOSE_WAIT, TIME_WAIT).

    We can filter the connections in different ways. Let’s see them.

    Show only established connection

    We have seen the state in the connection information. You can use the syntax below to view all established connections from/to your Windows server.

    netstat | findstr ESTABLISHED
    C:\Windows\system32>netstat | findstr ESTABLISHED
     TCP 172.16.179.128:49375 a23-77-202-113:http ESTABLISHED
    C:\Windows\system32>
    

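    Note: you can view connections in the LISTENING, CLOSE_WAIT, or TIME_WAIT state in the same way.

    To see the connections that are in the LISTENING state, change the ESTABLISHED keyword in the previous command to LISTENING. You will get the information about connections that are in the listening state as follows. Listening sockets are listed only when netstat is run with the -a switch, so add -a if the command returns nothing.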

    netstat | findstr LISTENING
    C:\Windows\system32>netstat | findstr LISTENING
      TCP 192.168.43.15:139 DESKTOP-A0PM5GD:0 LISTENING

    Similarly, run the following command to see all the connections that are in CLOSE_WAIT state.

    netstat | findstr CLOSE_WAIT
    C:\Windows\system32>netstat | findstr CLOSE_WAIT
      TCP 192.168.43.15:52581 ec2-52-1-183-160:https CLOSE_WAIT
      TCP 192.168.43.15:52584 ec2-34-227-121-63:https CLOSE_WAIT

    Finally, use the TIME_WAIT keyword to get information about all the connections that are in the TIME_WAIT state.

    netstat | findstr TIME_WAIT
    C:\Windows\system32>netstat | findstr TIME_WAIT
     TCP 192.168.43.15:52590 server-13-33-179-97:https TIME_WAIT

    Show PID used by port number

    Every connection belongs to a process, and every process has an ID, called the PID. We can see the PID that owns each socket connection using the following command.

    netstat -o

    The above command displays all the connections with PID. Let’s run the command and see how we get the result.

    C:\Windows\system32>netstat -o
    
    Active Connections
    
    Proto Local Address Foreign Address State PID
    TCP 192.168.43.15:50664 40.90.189.152:https ESTABLISHED 3676
    TCP 192.168.43.15:50733 40.90.189.152:https ESTABLISHED 10556

    We got an extra column called PID, which is the process identifier.

    This is very handy when you have to find out which PID is using a particular port number.

    netstat -o | findstr $portnumber

    You can see the following info if you use the above command.

    C:\Windows\system32>netstat -o | findstr 50664
      TCP 192.168.43.15:50664 40.90.189.152:https ESTABLISHED 3676
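
    `findstr` matches the number anywhere on the line, so a port filter also returns rows where the same digits appear in a PID or a remote port. The PowerShell below is an added example, not part of the original article: it parses `netstat -ano` output, matches the local port exactly, and resolves the PID to a process name. The function names `ConvertFrom-Netstat` and `Get-PortOwner` and the sample rows are assumptions made up for illustration.

    ```powershell
    # Added example. Input must come from `netstat -ano` (numeric addresses plus the PID column).
    function ConvertFrom-Netstat {
        param([Parameter(ValueFromPipeline)][string[]]$Line)
        process {
            foreach ($l in $Line) {
                $f = -split $l                                   # split on runs of whitespace
                if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { continue }   # skip headers
                [pscustomobject]@{
                    Proto     = $f[0]
                    Local     = $f[1]
                    LocalPort = [int]($f[1] -replace '^.*:', '')  # text after the last colon, so IPv6 works
                    Foreign   = $f[2]
                    State     = if ($f.Count -ge 5) { $f[3] } else { '' }   # UDP rows have no State
                    ProcessId = [int]$f[-1]                       # PID is always the last column
                }
            }
        }
    }

    function Get-PortOwner {
        param(
            [Parameter(Mandatory)][int]$Port,
            [string[]]$NetstatOutput = (netstat -ano)             # live data unless text is supplied
        )
        $NetstatOutput | ConvertFrom-Netstat |
            Where-Object { $_.LocalPort -eq $Port } |
            Select-Object *, @{ Name = 'ProcessName'; Expression = {
                (Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue).ProcessName } }
    }

    # Constructed sample rows (not captured output): 50664 appears as a local port,
    # as a PID and as a remote port, so `findstr 50664` would return all three TCP rows.
    $sample = @(
        'Proto  Local Address          Foreign Address        State        PID'
        'TCP    192.168.43.15:50664    40.90.189.152:443      ESTABLISHED  3676'
        'TCP    192.168.43.15:50733    40.90.189.152:443      ESTABLISHED  50664'
        'TCP    192.168.43.15:139      192.168.43.20:50664    ESTABLISHED  4'
        'UDP    [fe80::998c:d2d:17df:65d9%12]:58903  *:*                   10556'
    )

    Get-PortOwner -Port 50664 -NetstatOutput $sample   # returns only the row whose local port is 50664
    Get-PortOwner -Port 50664                          # same query against this host's live connections
    ```

    ProcessName is empty when the PID no longer exists or, as with the sample rows, does not belong to a process on the machine running the script.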

    Show statistics of all protocols

    This is useful when you need to check for received header errors, received address errors, discarded packets, etc. It lists statistics for IPv4, IPv6, ICMPv4, ICMPv6, TCP, UDP, etc.

    netstat -s

    You will see the statistics of all protocols as shown below.

    C:\Windows\system32>netstat -s
    IPv4 Statistics
    
    Packets Received = 1097370
    Received Header Errors = 0
    Received Address Errors = 9
    Datagrams Forwarded = 0
    Unknown Protocols Received = 0
    Received Packets Discarded = 1425
    Received Packets Delivered = 1098173
    Output Requests = 743601
    Routing Discards = 0
    Discarded Output Packets = 43
    Output Packet No Route = 23
    Reassembly Required = 0
    Reassembly Successful = 0
    Reassembly Failures = 0
    Datagrams Successfully Fragmented = 0
    Datagrams Failing Fragmentation = 0
    Fragments Created = 0
    
    IPv6 Statistics
    
    Packets Received = 24
    Received Header Errors = 0
    Received Address Errors = 0
    Datagrams Forwarded = 0
    Unknown Protocols Received = 0
    Received Packets Discarded = 208
    Received Packets Delivered = 519
    Output Requests = 1507
    Routing Discards = 0
    Discarded Output Packets = 0
    Output Packet No Route = 0
    Reassembly Required = 0
    Reassembly Successful = 0
    Reassembly Failures = 0
    Datagrams Successfully Fragmented = 0
    Datagrams Failing Fragmentation = 0
    Fragments Created = 0
    
    ICMPv4 Statistics
    
    Received Sent
    Messages 52 143
    Errors 0 0
    Destination Unreachable 52 143
    Time Exceeded 0 0
    Parameter Problems 0 0
    Source Quenches 0 0
    Redirects 0 0
    Echo Replies 0 0
    Echos 0 0
    Timestamps 0 0
    Timestamp Replies 0 0
    Address Masks 0 0
    Address Mask Replies 0 0
    Router Solicitations 0 0
    Router Advertisements 0 0
    
    ICMPv6 Statistics
    
    Received Sent
    Messages 0 25
    Errors 0 0
    Destination Unreachable 0 0
    Packet Too Big 0 0
    Time Exceeded 0 0
    Parameter Problems 0 0
    Echos 0 0
    Echo Replies 0 0
    MLD Queries 0 0
    MLD Reports 0 0
    MLD Dones 0 0
    Router Solicitations 0 15
    Router Advertisements 0 0
    Neighbor Solicitations 0 5
    Neighbor Advertisements 0 5
    Redirects 0 0
    Router Renumberings 0 0
    
    TCP Statistics for IPv4
    
    Active Opens = 4405
    Passive Opens = 5
    Failed Connection Attempts = 164
    Reset Connections = 347
    Current Connections = 19
    Segments Received = 980542
    Segments Sent = 674787
    Segments Retransmitted = 5759
    
    TCP Statistics for IPv6
    
    Active Opens = 48
    Passive Opens = 10
    Failed Connection Attempts = 38
    Reset Connections = 2
    Current Connections = 0
    Segments Received = 680
    Segments Sent = 552
    Segments Retransmitted = 128
    
    UDP Statistics for IPv4
    
    Datagrams Received = 117977
    No Ports = 1385
    Receive Errors = 1
    Datagrams Sent = 54516
    
    UDP Statistics for IPv6
    
    Datagrams Received = 1036
    No Ports = 208
    Receive Errors = 0
    Datagrams Sent = 1131

    To find any errors quickly, you can use the following syntax.

    netstat -s | findstr Errors
    C:\Windows\system32>netstat -s | findstr Errors
     Received Header Errors = 0
     Received Address Errors = 0
     Received Header Errors = 0
     Received Address Errors = 0
     Errors 0 0
     Errors 0 0
     Receive Errors = 0
     Receive Errors = 0
    C:\Windows\system32>

    The above command filters all the errors from statistics of all protocols.

    Show routing information

    To display the routing table, you can use the syntax below. It also lists all interfaces.

    netstat -r

    If you use the above command, then you see the info about routing as shown below.

    C:\Windows\system32>netstat -r
    
    ===========================================================================
    Interface List
    4...8c 16 45 32 4d 3c ......Realtek PCIe GBE Family Controller
    16...d4 6d 6d 27 8a 9a ......Microsoft Wi-Fi Direct Virtual Adapter
    5...d6 6d 6d 27 8a 99 ......Microsoft Wi-Fi Direct Virtual Adapter #2
    12...d4 6d 6d 27 8a 99 ......Intel(R) Dual Band Wireless-AC 3165
    10...d4 6d 6d 27 8a 9d ......Bluetooth Device (Personal Area Network)
    1...........................Software Loopback Interface 1
    ===========================================================================
    
    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination Netmask Gateway Interface Metric
    0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.15 55
    127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
    127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
    127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    192.168.43.0 255.255.255.0 On-link 192.168.43.15 311
    192.168.43.15 255.255.255.255 On-link 192.168.43.15 311
    192.168.43.255 255.255.255.255 On-link 192.168.43.15 311
    224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
    224.0.0.0 240.0.0.0 On-link 192.168.43.15 311
    255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
    255.255.255.255 255.255.255.255 On-link 192.168.43.15 311
    ===========================================================================
    Persistent Routes:
    Network Address Netmask Gateway Address Metric
    0.0.0.0 0.0.0.0 10.30.28.1 Default
    ===========================================================================
    
    IPv6 Route Table
    ===========================================================================
    Active Routes:
    If Metric Network Destination Gateway
    1 331 ::1/128 On-link
    12 311 fe80::/64 On-link
    12 311 fe80::998c:d2d:17df:65d9/128
    On-link
    1 331 ff00::/8 On-link
    12 311 ff00::/8 On-link
    ===========================================================================
    Persistent Routes:
    None
    

    Show Interface Statistics

    To view the status of all interfaces, you can use the following syntax. This will display Received & Sent details.

    netstat -e
    C:\Windows\system32>netstat -e
    Interface Statistics
     Received Sent
    Bytes 8988576 2105244
    Unicast packets 12972 11880
    Non-unicast packets 0 0
    Discards 0 0
    Errors 0 0
    Unknown protocols 0
    C:\Windows\system32>

    Show Fully Qualified Domain Name of foreign address (remote host)

    If you are tracking an issue and would like to know the FQDN of the remote host, then you can use the following syntax.

    netstat -f

    If you run the above command, then you will see a similar result as follows.

    C:\Windows\system32>netstat -f
    Proto Local Address Foreign Address State
    TCP 192.168.43.15:50664 40.90.189.152:https LISTENING
    TCP 192.168.43.15:51437 104.27.119.115:https ESTABLISHED
    

    Note: you can combine this with findstr to narrow the results, as shown below.

    netstat -f | findstr ESTABLISHED

    The above command filters the connections and displays only established connections. Let’s see an example.

    C:\Windows\system32>netstat -f | findstr ESTABLISHED
    TCP 192.168.43.15:51437 104.27.119.115:https ESTABLISHED
    

    We can filter the connections using the domain with the following command.

    netstat -f | findstr $domainnameifyouknow

    Specify the domain in the command and you will see the filtered connections as follows.

    C:\Windows\system32>netstat -f | findstr ec2-52-202-6-97.compute-1.amazonaws.com
    TCP 192.168.43.15:52573 ec2-52-202-6-97.compute-1.amazonaws.com:https ESTABLISHED

    I hope this helps you get familiar with netstat command usage on Windows. If you are interested in learning Windows administration then I would suggest checking out this course.