English English French French Spanish Spanish German German
Geekflare is supported by our audience. We may earn affiliate commissions from buying links on this site.
Share on:

7 netstat Command Usage on Windows with Example

windows
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

netstat is a command-line network tool that is a handy troubleshooting command. Its cross-platform utility means you can use it on Linux, macOS, or Windows.

netstat can be very handy in the following.

  • Display incoming and outgoing network connections
  • Display routing tables
  • Display number of network interfaces
  • Display network protocol statistics

Let’s get it started…

Show all connections

To start with netstat, let’s see the command that displays all connections.

netstat -a

Type the above command and hit enter. You will see all the active connections from different states as shown below.

C:\Windows\system32>netstat -a

Active Connections

Proto Local Address Foreign Address State
TCP 192.168.43.15:139 DESKTOP-A0PM5GD:0 LISTENING
TCP 192.168.43.15:52484 153:https ESTABLISHED
TCP 192.168.43.15:52532 ec2-13-228-49-204:https TIME_WAIT
UDP [fe80::998c:d2d:17df:65d9%12]:58903 *:*

You will see a header with Proto, Local Address, Foreign Address, and State. Let’s see brief info about them.

  • Proto – defined the protocol type (TCP, UDP, etc..,) of the socket.
  • Local Address – displays your computer IP address and port, local end of the socket.
  • Foreign Address – displays remote computer that your computer is connected to, the remote end of the socket.
  • State – defines the state of the socket (LISTENING, ESTABLISHED, CLOSE_WAIT, TIME_WAIT).

We can filter the connections in different ways. Let’s see them.

Show only established connection

We have seen the state in the connection information. You can use below syntax to view all established connections from/to your Windows server.

netstat | findstr ESTABLISHED
C:\Windows\system32>netstat | findstr ESTABLISHED
 TCP 172.16.179.128:49375 a23-77-202-113:http ESTABLISHED
C:\Windows\system32>

Note: to view LISTEN, CLOSE_WAIT, TIME_WAIT you can just use as follows.

To see the connections that are in LISTENING state change ESTABLISHED keyword in the previous command to LISTENING. You will get the information about connections that are in the listening state as follows.

netstat | findstr LISTENING
C:\Windows\system32>netstat | findstr LISTENING
  TCP 192.168.43.15:139 DESKTOP-A0PM5GD:0 LISTENING

Similarly, run the following command to see all the connections that are in CLOSE_WAIT state.

netstat | findstr CLOSE_WAIT
C:\Windows\system32>netstat | findstr CLOSE_WAIT
  TCP 192.168.43.15:52581 ec2-52-1-183-160:https CLOSE_WAIT
  TCP 192.168.43.15:52584 ec2-34-227-121-63:https CLOSE_WAIT

Finally, use the TIME_WAIT flag to get information about all the connections that are in TIME_WAIT state.

netstat | findstr TIME_WAIT
C:\Windows\system32>netstat | findstr TIME_WAIT
 TCP 192.168.43.15:52590 server-13-33-179-97:https TIME_WAIT

Show PID used by port number

Every connection is a process internally. And every process has an ID, and its called PID. We can see the PID of every socket connection using the following command.

netstat -o

The above command displays all the connections with PID. Let’s run the command and see how we get the result.

C:\Windows\system32>netstat -o

Active Connections

Proto Local Address Foreign Address State PID
TCP 192.168.43.15:50664 40.90.189.152:https ESTABLISHED 3676
TCP 192.168.43.15:50733 40.90.189.152:https ESTABLISHED 10556

We got an extra column called PID. And its the process identifier.

A very handy when you have to find out which PID is using the particular port number.

netstat –o | findstr $portnumber

You can see the following info if you use the above command.

C:\Windows\system32>netstat -o | findstr 50664
  TCP 192.168.43.15:50664 40.90.189.152:https ESTABLISHED 3676

Show statistics of all protocols

Useful when you have to find out for any received header error, received address error, discarded packet, etc. It will list out statistics from IPv4, IPv6, ICMPv4, ICMPv6, TCP, UDP, etc.

netstat –s

You will see the statistics of all protocols as shown below.

C:\Windows\system32>netstat -s
IPv4 Statistics

Packets Received = 1097370
Received Header Errors = 0
Received Address Errors = 9
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 1425
Received Packets Delivered = 1098173
Output Requests = 743601
Routing Discards = 0
Discarded Output Packets = 43
Output Packet No Route = 23
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0

IPv6 Statistics

Packets Received = 24
Received Header Errors = 0
Received Address Errors = 0
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 208
Received Packets Delivered = 519
Output Requests = 1507
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0

ICMPv4 Statistics

Received Sent
Messages 52 143
Errors 0 0
Destination Unreachable 52 143
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echo Replies 0 0
Echos 0 0
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
Router Solicitations 0 0
Router Advertisements 0 0

ICMPv6 Statistics

Received Sent
Messages 0 25
Errors 0 0
Destination Unreachable 0 0
Packet Too Big 0 0
Time Exceeded 0 0
Parameter Problems 0 0
Echos 0 0
Echo Replies 0 0
MLD Queries 0 0
MLD Reports 0 0
MLD Dones 0 0
Router Solicitations 0 15
Router Advertisements 0 0
Neighbor Solicitations 0 5
Neighbor Advertisements 0 5
Redirects 0 0
Router Renumberings 0 0

TCP Statistics for IPv4

Active Opens = 4405
Passive Opens = 5
Failed Connection Attempts = 164
Reset Connections = 347
Current Connections = 19
Segments Received = 980542
Segments Sent = 674787
Segments Retransmitted = 5759

TCP Statistics for IPv6

Active Opens = 48
Passive Opens = 10
Failed Connection Attempts = 38
Reset Connections = 2
Current Connections = 0
Segments Received = 680
Segments Sent = 552
Segments Retransmitted = 128

UDP Statistics for IPv4

Datagrams Received = 117977
No Ports = 1385
Receive Errors = 1
Datagrams Sent = 54516

UDP Statistics for IPv6

Datagrams Received = 1036
No Ports = 208
Receive Errors = 0
Datagrams Sent = 1131

To find out any errors quickly you can use syntax.

netstat -s | findstr Errors
C:\Windows\system32>netstat -s | findstr Errors
 Received Header Errors = 0
 Received Address Errors = 0
 Received Header Errors = 0
 Received Address Errors = 0
 Errors 0 0
 Errors 0 0
 Receive Errors = 0
 Receive Errors = 0
C:\Windows\system32>

The above command filters all the errors from statistics of all protocols.

Show routing information

To display Route Table, you can use the below syntax. The following syntax will also list all interfaces.

netstat –r

If you use the above command, then you see the info about routing as shown below.

C:\Windows\system32>netstat -r
===========================================================================
Interface List
4...8c 16 45 32 4d 3c ......Realtek PCIe GBE Family Controller
16...d4 6d 6d 27 8a 9a ......Microsoft Wi-Fi Direct Virtual Adapter
5...d6 6d 6d 27 8a 99 ......Microsoft Wi-Fi Direct Virtual Adapter #2
12...d4 6d 6d 27 8a 99 ......Intel(R) Dual Band Wireless-AC 3165
10...d4 6d 6d 27 8a 9d ......Bluetooth Device (Personal Area Network)
1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.15 55
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
192.168.43.0 255.255.255.0 On-link 192.168.43.15 311
192.168.43.15 255.255.255.255 On-link 192.168.43.15 311
192.168.43.255 255.255.255.255 On-link 192.168.43.15 311
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 192.168.43.15 311
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 192.168.43.15 311
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.30.28.1 Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
12 311 fe80::/64 On-link
12 311 fe80::998c:d2d:17df:65d9/128
On-link
1 331 ff00::/8 On-link
12 311 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

Show Interface Statistics

To view the status of all interface, you can use the following syntax. This will display Received & Sent details.

netstat -e
C:\Windows\system32>netstat -e
Interface Statistics
 Received Sent
Bytes 8988576 2105244
Unicast packets 12972 11880
Non-unicast packets 0 0
Discards 0 0
Errors 0 0
Unknown protocols 0
C:\Windows\system32>

Show Fully Qualified Domain Name of foreign address (remote host)

If you are tracking some issues and would like to know FQDN of the remote host, then you can use the following syntax.

netstat –f

If you run the above command, then you will see a similar result as follows.

C:\Windows\system32>netstat -f
Proto Local Address Foreign Address State
TCP 192.168.43.15:50664 40.90.189.152:https LISTENING
TCP 192.168.43.15:51437 104.27.119.115:https ESTABLISHED

Note: you can combine findstr syntax to show precise results like below.

netstat –f | findstr ESTABLISHED

The above command will filter the connections and displays only established connections. Let’s see an example.

C:\Windows\system32>netstat -f | findstr ESTABLISHED
TCP 192.168.43.15:51437 104.27.119.115:https ESTABLISHED

We can filter the connections using the domain with the following command.

netstat –f | findstr $domainnameifyouknow

Specify the domain in the command and you will see the filtered connections as follows.

C:\Windows\system32>netstat -f | findstr ec2-52-202-6-97.compute-1.amazonaws.com
TCP 192.168.43.15:52573 ec2-52-202-6-97.compute-1.amazonaws.com:https ESTABLISHED

I hope this helps you get familiar with netstat command usage on Windows. If you are interested in learning Windows administration then I would suggest checking out this course.

Thanks to our Sponsors
More great readings on Windows
Power Your Business
Some of the tools and services to help your business grow.
  • Invicti uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities and generate actionable results within just hours.
    Try Invicti
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.
    Try Brightdata
  • Semrush is an all-in-one digital marketing solution with more than 50 tools in SEO, social media, and content marketing.
    Try Semrush
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.
    Try Intruder