NETSTAT

What is NETSTAT?

NETSTAT (Network Statistics) is a command-line network utility that displays network connections, routing tables, interface statistics, masquerade connections, and multicast memberships.

👉 In simple words:

  • Shows all active connections (inbound and outbound) on a computer.

  • Helps monitor which ports and IP addresses are communicating.

  • Useful for network troubleshooting, performance, and security checks.


💡 Why is NETSTAT Important?

| Purpose | Why it's useful |
| --- | --- |
| View active network connections | Know who/what your computer is communicating with. |
| Check listening ports | See which services are open and waiting for connections. |
| Monitor open and used ports | Identify potential security risks (e.g., malware). |
| See routing tables | Understand how data is routed on your network. |
| Analyze network stats | Monitor traffic and interface status. |


⚙️ Basic Syntax of NETSTAT:

netstat [options]

📊 Key NETSTAT Options:

| Option (Windows/Linux) | Description | Example |
| --- | --- | --- |
| -a | Show all active connections and listening ports | netstat -a |
| -n | Show addresses and port numbers in numeric form | netstat -n |
| -o (Windows) | Show owning process ID (PID) for each connection | netstat -o |
| -p (Linux/Mac) | Show process using the connection | netstat -p |
| -r | Display routing table | netstat -r |
| -e | Display Ethernet statistics | netstat -e |
| -s | Show per-protocol statistics (TCP, UDP, etc.) | netstat -s |
| -b (Windows) | Show program name using each connection | netstat -b |


📜 Example NETSTAT Output:

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.100:52452    142.250.190.78:443     ESTABLISHED
  TCP    192.168.1.100:52453    172.217.22.78:443      TIME_WAIT
  UDP    0.0.0.0:5353           *:*

🧠 Explanation of Columns:

| Column | Description |
| --- | --- |
| Proto | Protocol used (TCP or UDP). |
| Local Address | Local machine's IP address and port. |
| Foreign Address | Remote machine's IP address and port. |
| State | Status of the connection (e.g., ESTABLISHED, LISTENING). |


🔑 Common States in NETSTAT (TCP):

| State | Meaning |
| --- | --- |
| LISTENING | Waiting for incoming connection. |
| ESTABLISHED | Active connection established. |
| CLOSE_WAIT | Waiting for connection to close. |
| TIME_WAIT | Waiting to ensure remote side received acknowledgment. |
| SYN_SENT | Connection attempt sent; waiting for reply. |
| SYN_RECEIVED | Acknowledgment received; waiting for final ACK. |


Common Uses of NETSTAT:

  1. Check active connections (IP + Port + State):

netstat -an

  2. See which process (PID) is using a port (Windows):

netstat -ano

  3. Display programs using connections (Windows, admin mode):

netstat -b

  4. View routing table:

netstat -r

  5. See all listening ports (Windows; on Linux/macOS pipe to grep instead of find):

netstat -an | find "LISTEN"

📌 Sample Scenario: How to Detect Malware Using NETSTAT

If you suspect malware or unknown apps are connecting to the Internet:

netstat -ano

  • Check the output for suspicious connections.

  • Find the PID of the suspicious connection (last column).

  • Open Task Manager → "Details" tab → Match PID to process.

  • Investigate or terminate the suspicious process.


🔐 Security Tip with NETSTAT:

  • Regularly monitor open ports and active connections.

  • Close unnecessary listening ports.

  • Investigate unknown IP addresses.

  • Use firewalls to block unwanted traffic.


🚦 Interpreting NETSTAT Results:

| Scenario | Meaning |
| --- | --- |
| Many established connections to unknown IPs | Possible malware or unauthorized connections. |
| Unexpected listening ports | Potential backdoor or unauthorized service. |
| High TIME_WAIT or CLOSE_WAIT states | Possible issue with application closing connections. |
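
The checks from the malware scenario and the interpretation scenarios above can be scripted. The Python sketch below is an added example, not part of the original page: it parses constructed `netstat -ano` output and reports listeners outside an assumed port baseline, established connections to networks not on an assumed allowlist, the PIDs to look up in Task Manager, and a count per TCP state. The function names, the `expected_ports` and `known_nets` values, and the sample rows are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of Windows `netstat -ano` output; addresses and PIDs are made up.
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       6120
  TCP    192.168.1.100:52452    203.0.113.10:443       ESTABLISHED     6120
  TCP    192.168.1.100:52453    192.168.1.20:445       ESTABLISHED     4
  TCP    192.168.1.100:52460    198.51.100.7:80        CLOSE_WAIT      2300
  TCP    [::]:135               [::]:0                 LISTENING       1044
  UDP    0.0.0.0:5353           *:*                                    1880
"""

def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse(text):
    """Return one dict per TCP/UDP row; UDP rows carry no State column."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP") or not f[-1].isdigit():
            continue
        rows.append({"proto": f[0], "local": split_endpoint(f[1]),
                     "remote": split_endpoint(f[2]), "pid": int(f[-1]),
                     "state": f[3] if len(f) == 5 else ""})
    return rows

def triage(rows, expected_ports, known_nets):
    """Flag listeners outside an assumed baseline and sessions to networks not on an assumed allowlist."""
    nets = [ipaddress.ip_network(n) for n in known_nets]
    known = lambda host: any(ipaddress.ip_address(host) in n for n in nets)
    listeners = sorted({(int(r["local"][1]), r["pid"]) for r in rows
                        if r["state"] == "LISTENING" and int(r["local"][1]) not in expected_ports})
    unknown = sorted((r["remote"][0], r["pid"]) for r in rows
                     if r["state"] == "ESTABLISHED" and not known(r["remote"][0]))
    return {"unexpected_listeners": listeners, "unknown_remotes": unknown,
            "pids_to_review": sorted({p for _, p in listeners + unknown}),
            "states": Counter(r["state"] for r in rows if r["state"])}

if __name__ == "__main__":
    report = triage(parse(SAMPLE), expected_ports={135, 445}, known_nets=["192.168.1.0/24"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

A flagged row is a lead to investigate, not a verdict: match the PID to its process before acting, as in the steps above.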


Summary:

| Feature | Description |
| --- | --- |
| Purpose | Monitor network connections, ports, and routing. |
| Platform | Windows, Linux, macOS (via net-tools package). |
| Common Commands | netstat -an, netstat -r, netstat -o. |
| Useful For | Security, troubleshooting, and performance monitoring. |
