netstat is a command-line network tool that is a handy troubleshooting command. Its cross-platform utility means you can use it on Linux, macOS, or Windows.
netstat can be very handy in the following.
- Display incoming and outgoing network connections
- Display routing tables
- Display number of network interfaces
- Display network protocol statistics
Let’s get it started…
Show all connections
To start with netstat, let’s see the command that displays all connections.
Type the above command and hit enter. You will see all the active connections from different states as shown below.
C:\Windows\system32>netstat -a Active Connections Proto Local Address Foreign Address State TCP 192.168.43.15:139 DESKTOP-A0PM5GD:0 LISTENING TCP 192.168.43.15:52484 153:https ESTABLISHED TCP 192.168.43.15:52532 ec2-13-228-49-204:https TIME_WAIT UDP [fe80::998c:d2d:17df:65d9%12]:58903 *:*
You will see a header with Proto, Local Address, Foreign Address, and State. Let’s see brief info about them.
- Proto – defined the protocol type (TCP, UDP, etc..,) of the socket.
- Local Address – displays your computer IP address and port, local end of the socket.
- Foreign Address – displays remote computer that your computer is connected to, the remote end of the socket.
- State – defines the state of the socket (LISTENING, ESTABLISHED, CLOSE_WAIT, TIME_WAIT).
We can filter the connections in different ways. Let’s see them.
Show only established connection
We have seen the state in the connection information. You can use below syntax to view all established connections from/to your Windows server.
netstat | findstr ESTABLISHED
C:\Windows\system32>netstat | findstr ESTABLISHED TCP 172.16.179.128:49375 a23-77-202-113:http ESTABLISHED C:\Windows\system32>
Note: to view LISTEN, CLOSE_WAIT, TIME_WAIT you can just use as follows.
To see the connections that are in LISTENING state change ESTABLISHED keyword in the previous command to LISTENING. You will get the information about connections that are in the listening state as follows.
netstat | findstr LISTENING
C:\Windows\system32>netstat | findstr LISTENING TCP 192.168.43.15:139 DESKTOP-A0PM5GD:0 LISTENING
Similarly, run the following command to see all the connections that are in CLOSE_WAIT state.
netstat | findstr CLOSE_WAIT
C:\Windows\system32>netstat | findstr CLOSE_WAIT TCP 192.168.43.15:52581 ec2-52-1-183-160:https CLOSE_WAIT TCP 192.168.43.15:52584 ec2-34-227-121-63:https CLOSE_WAIT
Finally, use the TIME_WAIT flag to get information about all the connections that are in TIME_WAIT state.
netstat | findstr TIME_WAIT
C:\Windows\system32>netstat | findstr TIME_WAIT TCP 192.168.43.15:52590 server-13-33-179-97:https TIME_WAIT
Show PID used by port number
Every connection is a process internally. And every process has an ID, and its called PID. We can see the PID of every socket connection using the following command.
The above command displays all the connections with PID. Let’s run the command and see how we get the result.
C:\Windows\system32>netstat -o Active Connections Proto Local Address Foreign Address State PID TCP 192.168.43.15:50664 188.8.131.52:https ESTABLISHED 3676 TCP 192.168.43.15:50733 184.108.40.206:https ESTABLISHED 10556
We got an extra column called PID. And its the process identifier.
A very handy when you have to find out which PID is using the particular port number.
netstat –o | findstr $portnumber
You can see the following info if you use the above command.
C:\Windows\system32>netstat -o | findstr 50664 TCP 192.168.43.15:50664 220.127.116.11:https ESTABLISHED 3676
Show statistics of all protocols
Useful when you have to find out for any received header error, received address error, discarded packet, etc. It will list out statistics from IPv4, IPv6, ICMPv4, ICMPv6, TCP, UDP, etc.
You will see the statistics of all protocols as shown below.
C:\Windows\system32>netstat -s IPv4 Statistics Packets Received = 1097370 Received Header Errors = 0 Received Address Errors = 9 Datagrams Forwarded = 0 Unknown Protocols Received = 0 Received Packets Discarded = 1425 Received Packets Delivered = 1098173 Output Requests = 743601 Routing Discards = 0 Discarded Output Packets = 43 Output Packet No Route = 23 Reassembly Required = 0 Reassembly Successful = 0 Reassembly Failures = 0 Datagrams Successfully Fragmented = 0 Datagrams Failing Fragmentation = 0 Fragments Created = 0 IPv6 Statistics Packets Received = 24 Received Header Errors = 0 Received Address Errors = 0 Datagrams Forwarded = 0 Unknown Protocols Received = 0 Received Packets Discarded = 208 Received Packets Delivered = 519 Output Requests = 1507 Routing Discards = 0 Discarded Output Packets = 0 Output Packet No Route = 0 Reassembly Required = 0 Reassembly Successful = 0 Reassembly Failures = 0 Datagrams Successfully Fragmented = 0 Datagrams Failing Fragmentation = 0 Fragments Created = 0 ICMPv4 Statistics Received Sent Messages 52 143 Errors 0 0 Destination Unreachable 52 143 Time Exceeded 0 0 Parameter Problems 0 0 Source Quenches 0 0 Redirects 0 0 Echo Replies 0 0 Echos 0 0 Timestamps 0 0 Timestamp Replies 0 0 Address Masks 0 0 Address Mask Replies 0 0 Router Solicitations 0 0 Router Advertisements 0 0 ICMPv6 Statistics Received Sent Messages 0 25 Errors 0 0 Destination Unreachable 0 0 Packet Too Big 0 0 Time Exceeded 0 0 Parameter Problems 0 0 Echos 0 0 Echo Replies 0 0 MLD Queries 0 0 MLD Reports 0 0 MLD Dones 0 0 Router Solicitations 0 15 Router Advertisements 0 0 Neighbor Solicitations 0 5 Neighbor Advertisements 0 5 Redirects 0 0 Router Renumberings 0 0 TCP Statistics for IPv4 Active Opens = 4405 Passive Opens = 5 Failed Connection Attempts = 164 Reset Connections = 347 Current Connections = 19 Segments Received = 980542 Segments Sent = 674787 Segments Retransmitted = 5759 TCP Statistics for IPv6 Active Opens = 48 Passive Opens = 10 Failed Connection Attempts = 38 Reset Connections = 2 Current Connections = 0 Segments Received = 680 Segments Sent = 552 Segments Retransmitted = 128 UDP Statistics for IPv4 Datagrams Received = 117977 No Ports = 1385 Receive Errors = 1 Datagrams Sent = 54516 UDP Statistics for IPv6 Datagrams Received = 1036 No Ports = 208 Receive Errors = 0 Datagrams Sent = 1131
To find out any errors quickly you can use syntax.
netstat -s | findstr Errors
C:\Windows\system32>netstat -s | findstr Errors Received Header Errors = 0 Received Address Errors = 0 Received Header Errors = 0 Received Address Errors = 0 Errors 0 0 Errors 0 0 Receive Errors = 0 Receive Errors = 0 C:\Windows\system32>
The above command filters all the errors from statistics of all protocols.
Show routing information
To display Route Table, you can use the below syntax. The following syntax will also list all interfaces.
If you use the above command, then you see the info about routing as shown below.
=========================================================================== Interface List 4...8c 16 45 32 4d 3c ......Realtek PCIe GBE Family Controller 16...d4 6d 6d 27 8a 9a ......Microsoft Wi-Fi Direct Virtual Adapter 5...d6 6d 6d 27 8a 99 ......Microsoft Wi-Fi Direct Virtual Adapter #2 12...d4 6d 6d 27 8a 99 ......Intel(R) Dual Band Wireless-AC 3165 10...d4 6d 6d 27 8a 9d ......Bluetooth Device (Personal Area Network) 1...........................Software Loopback Interface 1 =========================================================================== IPv4 Route Table =========================================================================== Active Routes: Network Destination Netmask Gateway Interface Metric 0.0.0.0 0.0.0.0 192.168.43.1 192.168.43.15 55 127.0.0.0 255.0.0.0 On-link 127.0.0.1 331 127.0.0.1 255.255.255.255 On-link 127.0.0.1 331 127.255.255.255 255.255.255.255 On-link 127.0.0.1 331 192.168.43.0 255.255.255.0 On-link 192.168.43.15 311 192.168.43.15 255.255.255.255 On-link 192.168.43.15 311 192.168.43.255 255.255.255.255 On-link 192.168.43.15 311 18.104.22.168 240.0.0.0 On-link 127.0.0.1 331 22.214.171.124 240.0.0.0 On-link 192.168.43.15 311 255.255.255.255 255.255.255.255 On-link 127.0.0.1 331 255.255.255.255 255.255.255.255 On-link 192.168.43.15 311 =========================================================================== Persistent Routes: Network Address Netmask Gateway Address Metric 0.0.0.0 0.0.0.0 10.30.28.1 Default =========================================================================== IPv6 Route Table =========================================================================== Active Routes: If Metric Network Destination Gateway 1 331 ::1/128 On-link 12 311 fe80::/64 On-link 12 311 fe80::998c:d2d:17df:65d9/128 On-link 1 331 ff00::/8 On-link 12 311 ff00::/8 On-link =========================================================================== Persistent Routes: None
Show Interface Statistics
To view the status of all interface, you can use the following syntax. This will display Received & Sent details.
C:\Windows\system32>netstat -e Interface Statistics Received Sent Bytes 8988576 2105244 Unicast packets 12972 11880 Non-unicast packets 0 0 Discards 0 0 Errors 0 0 Unknown protocols 0 C:\Windows\system32>
Show Fully Qualified Domain Name of foreign address (remote host)
If you are tracking some issues and would like to know FQDN of the remote host, then you can use the following syntax.
If you run the above command, then you will see a similar result as follows.
C:\Windows\system32>netstat -f Proto Local Address Foreign Address State TCP 192.168.43.15:50664 126.96.36.199:https LISTENING TCP 192.168.43.15:51437 188.8.131.52:https ESTABLISHED
Note: you can combine
findstr syntax to show precise results like below.
netstat –f | findstr ESTABLISHED
The above command will filter the connections and displays only established connections. Let’s see an example.
C:\Windows\system32>netstat -f | findstr ESTABLISHED TCP 192.168.43.15:51437 184.108.40.206:https ESTABLISHED
We can filter the connections using the domain with the following command.
netstat –f | findstr $domainnameifyouknow
Specify the domain in the command and you will see the filtered connections as follows.
C:\Windows\system32>netstat -f | findstr ec2-52-202-6-97.compute-1.amazonaws.com TCP 192.168.43.15:52573 ec2-52-202-6-97.compute-1.amazonaws.com:https ESTABLISHED
I hope this helps you get familiar with netstat command usage on Windows. If you are interested in learning Windows administration then I would suggest checking out this course.