 - Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, Unix and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections. (The name derives from the words network and statistics.)
The Windows help screen (analogous to a Linux or UNIX man page) for netstat reads as follows:
Displays protocol statistics and current TCP/IP network connections.
NETSTAT -a -b -e -n -o -p proto -r -s -v interval
| -a | Displays all connections and listening ports. |
-b | Displays the executable involved in creating each connection or
listening port. In some cases well-known executables host
multiple independent components, and in these cases the
sequence of components involved in creating the connection
or listening port is displayed. In this case the executable
name is in [] at the bottom, on top is the component it called,
and so forth until TCP/IP was reached. Note that this option
can be time-consuming and will fail unless you have sufficient
permissions. |
-e | Displays Ethernet statistics. This may be combined with the -s
option. |
-n | Displays addresses and port numbers in numerical form. |
-o | Displays the owning process ID associated with each connection. |
-p proto | Shows connections for the protocol specified by proto; proto
may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
option to display per-protocol statistics, proto may be any of:
IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6. |
-r | Displays the routing table. |
-s | Displays per-protocol statistics. By default, statistics are
shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
the -p option may be used to specify a subset of the default. |
-v | When used in conjunction with -b, will display sequence of
components involved in creating the connection or listening
port for all executables. |
interval | Redisplays selected statistics, pausing interval seconds
between each display. Press CTRL+C to stop redisplaying
statistics. If omitted, netstat will print the current
configuration information once. |
Careful perusal of this information informs the reader that netstat not only documents active TCP and UDP connections and related port addresses but that it can also tie established TCP or UDP connections to the executable files, runtime components, and process IDs that opened or use them. Netstat can also provide counts of bytes and packets sent and received via Ethernet, including unicast and non-unicast packets, discards, errors, and unknown protocols. Netstat can also show connections for transport layer protocols for IPv4 and IPv6, display routing table contents, and can redisplay selected statistics at regular intervals.
Netstat can be a helpful forensic tool when trying to determine what processes and programs are active on a computer and involved in networked communications. It can provide telltale signs of malware compromise under some circumstances and is a good tool to use to observe what kinds of communications are underway at any given time.
 |
Learn more about Network Monitoring |
| LAST UPDATED: |
06 Sep 2007
|
 |
Do you have something to add to this definition? Let us know.
Send your comments to techterms@whatis.com
|
|
More resources from around the web:
|
|
Show me everything on 
