Netstat is a common command line TCP/IP networking utility available in most versions of Windows, Linux, UNIX and other operating systems. Netstat provides information and statistics about protocols in use and current TCP/IP network connections. (The name derives from the words network and statistics.)

The Windows help screen (analogous to a Linux or UNIX man page) for netstat reads as follows:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT -a -b -e -n -o -p proto -r -s -v interval

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions.
-e Displays Ethernet statistics. This may be combined with the -s option.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
-p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
-r Displays the routing table.
-s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default.
-v When used in conjunction with -b, will display sequence of components involved in creating the connection or listening port for all executables.
interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

Careful perusal of this information informs the reader that netstat not only documents active TCP and UDP connections and related port addresses but that it can also tie established TCP or UDP connections to the executable files, runtime components, and process IDs that opened or use them. Netstat can also provide counts of byteunicast and non-unicast packets, discards, errors, and unknown protocols. Netstat can also show connections for transport layer protocols for IPv4 and IPv6, display routing table contents, and can redisplay selected statistics at regular intervals.

Netstat can be a helpful forensic tool when trying to determine what processes and programs are active on a computer and involved in networked communications. It can provide telltale signs of malware compromise under some circumstances and is a good tool to use to observe what kinds of communications are underway at any given time.

This was last updated in September 2007

Continue Reading About netstat

Dig Deeper on Network Infrastructure