Netstat Command, Troubleshoot Connections in Seconds Exclusive 2025 Guide

Knowing which active TCP connections are open on a networked host is crucial, especially with the 2025 IoT growth. The netstat command is a vital tool for verifying these connections on Windows (e.g., 10/11) or Linux, addressing security risks from unexplained connections, a key concern as of 2025.
The netstat command shows detailed information about individual network connections, overall and protocol-specific networking statistics, all listening ports, incoming and outgoing network connections, and much more, all of which could help troubleshoot certain networking issues.
The netstat command resolves IP addresses to domain names and port numbers to well-known applications by default. We can use a variety of switches with the netstat command.
To apply the netstat command on your computer, open the Command Prompt and execute the netstat command alone to show a comparatively simple list of all active TCP connections. For each one, it will show the local IP address and the foreign IP address, along with their relevant port numbers and the TCP state.
Windows: Open Command Prompt by pressing Win + R, typing cmd, and hitting Enter. Run netstat -an to list connections.
Linux: Open a terminal (Ctrl + Alt + T on Ubuntu) and use netstat -an if netstat is installed (install with sudo apt install net-tools), or ss -tuln otherwise.
Run as administrator for full access: Right-click Command Prompt and select “Run as administrator” on Windows, or use sudo on Linux (e.g., sudo netstat -an) as of July 2025.
Examples
Windows: netstat -an > C:\logs\netstat_log.txt saves output to a file.
Linux: netstat -tuln | grep ':80 ' filters for port 80 (a bare grep 80 would also match ports such as 8080), requiring net-tools installation as of July 2025.
Detailed TCP Connection States
ESTABLISHED: Indicates an active data exchange, e.g., a web session on port 80, lasting until closed.
LISTENING: A server (e.g., 192.168.1.100:443) waits for incoming HTTPS requests, typically on well-known ports.
TIME_WAIT: Holds for 2x MSL (Maximum Segment Lifetime, ~240 seconds) to ensure no delayed packets, critical for 2025 reliability.
CLOSE_WAIT: Signals the local host to close after remote shutdown, often due to application errors, detectable with netstat -an.
FIN_WAIT_1/FIN_WAIT_2: Transition states during connection termination, ensuring orderly closure.
Troubleshooting
Windows: If netstat fails, ensure it’s not deprecated (use Get-NetTCPConnection in PowerShell) or reinstall via Windows features.
Linux: If netstat is unavailable, install with sudo apt install net-tools or switch to ss, common in 2025 distributions.
Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
Switch | Description |
---|---|
-a | The -a switch shows all active TCP connections and the TCP and UDP ports on which the computer is listening. |
-b | This switch shows the executable involved in creating each connection or listening port. |
-e | This switch shows Ethernet statistics, such as the number of bytes and packets sent and received, including unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established. |
-f | The -f switch forces the netstat command to show the Fully Qualified Domain Name (FQDN) for each foreign host IP address when possible. |
-n | This switch shows active TCP connections, but addresses and port numbers are expressed numerically. It can significantly decrease the time it takes for netstat to fully execute. |
-o | This switch displays active TCP connections and includes the process ID (PID) for all connections. You can find the application based on the PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. |
-p proto | The -p switch shows connections or state only for a particular protocol. You can’t define more than one protocol at once, nor can you execute netstat with the -p switch without defining a protocol. Proto may be any of TCP, UDP, TCPv6, or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6, or ipv6 in addition to the first four. |
-r | This switch displays the contents of the IP routing table. This is equivalent to the route print command. |
-s | The -s switch shows statistics per protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If IPv6 is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together. |
-t | This switch displays the current TCP chimney offload state in place of the typically displayed TCP state. |
[Interval] | An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped with Ctrl+C. The default setting is to display once. |
/? | This switch is used to display the details about the netstat command’s several options. |
Examples of the netstat command
netstat -f
Running netstat with the -f switch shows all active TCP connections, with each computer I’m connected to displayed in Fully Qualified Domain Name format instead of as a simple IP address. Here’s an example of what you might see:

The command displays all active TCP connections at the time of execution. The only protocol (in the Proto column) listed is TCP; if UDP is required, use the -a switch, combined with the -n switch (netstat -an) to reduce the execution time.

The result of the command with the -an switch includes the protocol, the local address and port number, the foreign address and port number, and the connection status. An explanation of the different connection states is given in the Detailed TCP Connection States section.
Advanced Use Case
Monitor a multi-user VPN with netstat -an | find ":1723 " to track PPTP connections (e.g., 192.168.1.100:5000 to 115.110.0.150:1723), optimizing 2025 remote access security.
Performance Metrics
Netstat execution with -n reduces latency by ~50ms compared to default FQDN resolution. Use time netstat -an to benchmark, enhancing 2025 network efficiency.
Specific Threat Examples
Port 445 (SMB): Vulnerable to WannaCry; detect with netstat -an | find ":445 " on Windows and block on Linux with iptables -A INPUT -p tcp --dport 445 -j DROP.
Port 23 (Telnet): Prone to brute force; monitor with netstat -an | find ":23 " (a bare "23" would also match ports such as 1723) and disable unless secured.
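Text filters such as find and grep match substrings, so a search for 23 also hits 2323 or 52311. The following is an added example, not part of the original guide: it parses saved plain netstat -an output (without -o, -b or -p columns) in either the Windows or the Linux layout, matches the watched ports exactly, and tallies the TCP states described earlier. The WATCHED table, the function names and the sample rows are constructed for illustration.

```python
from collections import Counter

# Ports the page singles out: Telnet, SMB and PPTP.
WATCHED = {23: "Telnet", 445: "SMB", 1723: "PPTP"}

# Constructed sample: Windows-style rows first, then Linux-style rows.
SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.100:5000     115.110.0.150:1723     ESTABLISHED
  TCP    192.168.1.100:52311    203.0.113.7:2323       ESTABLISHED
  TCP    [::]:23                [::]:0                 LISTENING
tcp        0      0 0.0.0.0:14450           0.0.0.0:*               LISTEN
tcp        1      0 10.0.0.5:8080           10.0.0.9:41022          CLOSE_WAIT
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

def split_endpoint(endpoint):
    """Split on the last colon so IPv6 forms such as [::]:23 parse correctly."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Yield (proto, local, remote, state) for each TCP/UDP row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].lower().startswith(("tcp", "udp")):
            continue  # banner, column header or blank line
        if len(f) >= 5 and f[1].isdigit() and f[2].isdigit():
            f = [f[0]] + f[3:]  # drop Linux Recv-Q / Send-Q columns
        state = f[3].upper() if len(f) > 3 else ""  # UDP rows have no state
        state = "LISTENING" if state == "LISTEN" else state
        yield f[0].lower(), split_endpoint(f[1]), split_endpoint(f[2]), state

def find_watched(text, watched=WATCHED):
    """Flag rows whose port equals a watched port exactly (no substring hits)."""
    hits = []
    for _proto, (lhost, lport), (rhost, rport), state in parse_netstat(text):
        if state == "LISTENING" and lport in watched:
            hits.append(("listening", watched[lport], lport, lhost))
        elif state == "ESTABLISHED" and rport in watched:
            hits.append(("remote", watched[rport], rport, rhost))
    return hits

def state_counts(text):
    """Count rows per TCP state; a rising CLOSE_WAIT count points at an app not closing sockets."""
    return Counter(state for *_, state in parse_netstat(text) if state)

if __name__ == "__main__":
    print(find_watched(SAMPLE), dict(state_counts(SAMPLE)))
```

To use it on a real capture, pass the contents of a file saved with netstat -an > netstat_log.txt to find_watched and state_counts.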
OS Compatibility Notes
Netstat is native on Windows but may be deprecated in future releases (use PowerShell’s Get-NetTCPConnection). On Linux, ss from iproute2 is preferred, installed via sudo apt install iproute2, ensuring 2025 cross-platform support.
Execution Security
Run netstat with admin privileges to avoid permission errors (e.g., sudo netstat -an on Linux or “Run as administrator” on Windows). Use encrypted logs (e.g., cipher /e on Windows) to protect data.
FAQs
Netstat monitors TCP/UDP connections on Windows or Linux, detecting anomalies for 2025 security.