The netstat Command

It is sometimes necessary to know which active TCP connections are open on a networked host. The netstat command is a useful network tool for checking and verifying those connections. Verifying TCP connections is essential because unexplained TCP connections are a major security risk: an open TCP connection shows that something or someone is connected to the local host.
The netstat command shows detailed information about individual network connections, overall and protocol-specific networking statistics, all listening ports, incoming and outgoing network connections, and much more, all of which can help troubleshoot certain networking issues.
By default, the netstat command resolves IP addresses to domain names and port numbers to well-known applications. A variety of switches can be used with the netstat command.
To run netstat on your computer, open the Command Prompt and execute the netstat command on its own to show a comparatively simple list of all active TCP connections. For each one, it shows the local IP address and the foreign IP address, along with their port numbers and the TCP state.
Command Syntax
netstat [-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]
Switch | Description |
---|---|
-a | The -a switch shows all active TCP connections and the TCP and UDP ports on which the computer is listening. |
-b | The -b switch shows the executable involved in creating each connection or listening port. This switch was added in XP SP2. |
-e | This switch shows Ethernet statistics, including the number of bytes and packets sent and received, covering unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established. |
-f | The -f switch forces the netstat command to show the Fully Qualified Domain Name (FQDN) for each foreign host IP address when possible. |
-n | This switch shows active TCP connections with addresses and port numbers expressed numerically. It can significantly decrease the time it takes for netstat to fully execute. |
-o | This switch displays active TCP connections and includes the process ID (PID) for each connection. You can find the application for a given PID on the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. |
-p proto | The -p switch shows connections or states only for a particular protocol. You can't define more than one protocol at once, nor can you execute netstat with the -p switch without defining a protocol. proto may be any of TCP, UDP, TCPv6 or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6 or ipv6 in addition to the first four I mentioned. |
-r | This switch displays the contents of the IP routing table. This is equivalent to the route print command. |
-s | The -s switch shows statistics per protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If IPv6 is installed, statistics are also shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together. |
-t | This switch displays the current TCP pipe offload state in place of the typically displayed TCP state. |
[Interval] | An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped with Ctrl+C. The default setting is to display once. |
/? | This switch is used to display details about the netstat command's options. |
Examples of netstat command
netstat -f
Running netstat with the -f switch shows all active TCP connections, with the computers I'm connected to listed in Fully Qualified Domain Name format [-f] instead of as simple IP addresses. Here's an example of what you might see:

The command displays all active TCP connections at the time of execution. The only protocol listed (in the Proto column) is TCP; if UDP is required, you can use the -a switch, combined with the -n switch (netstat -an) to reduce the execution time.

The output of the command with the -an switches includes the protocol, the local address and port number, the foreign address and port number, and the connection status. An explanation of the different connection states is given below.
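As an added illustration (not part of the original article), the Python sketch below parses netstat -ano output into the columns described above and picks out listeners bound to all interfaces and established connections to remote ports outside an allow-list. The sample output is constructed, and the function names and the allow-list of ports 80 and 443 are assumptions made for this example.

```python
from collections import namedtuple

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1044
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     5568
  TCP    192.168.1.20:49730     198.51.100.7:8081      ESTABLISHED     7312
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2216
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

def split_endpoint(text):
    """Split 'ip:port' or '[ipv6]:port' on the last colon; a '*' port becomes None."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None

def parse_netstat(output):
    conns = []
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner, column header and blank lines
        # UDP rows have no State column: Proto, Local, Foreign, PID
        state = fields[3] if len(fields) == 5 else ""
        lip, lport = split_endpoint(fields[1])
        rip, rport = split_endpoint(fields[2])
        conns.append(Conn(fields[0], lip, lport, rip, rport, state, int(fields[-1])))
    return conns

def port_class(port):
    """Port ranges as given in the FAQ: well-known, registered, dynamic."""
    return "well-known" if port <= 1023 else "registered" if port <= 49151 else "dynamic"

def exposed_listeners(conns):
    """Listening sockets bound to all interfaces rather than loopback only."""
    return [c for c in conns if c.state == "LISTENING" and c.local_ip in ("0.0.0.0", "::")]

def unexpected_remote(conns, allowed_ports=(80, 443)):
    """Established connections whose remote port is not on the (assumed) allow-list."""
    return [c for c in conns if c.state == "ESTABLISHED" and c.remote_port not in allowed_ports]

if __name__ == "__main__":
    for c in unexpected_remote(parse_netstat(SAMPLE)):
        print(f"PID {c.pid}: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
```

The PID reported for each flagged row can then be looked up in Task Manager, as described for the -o switch.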
FAQs
What are well-known port numbers?
Well-known port numbers are those from 0 to 1023 and are assigned to common services like HTTP, HTTPS, FTP, and SSH.
What is the difference between registered and dynamic ports?
Registered ports range from 1024 to 49151 and are assigned to user or vendor-specific services, while dynamic ports range from 49152 to 65535 and are used for client-side communication.
Why are port numbers important in networking?
Port numbers help identify specific services or applications running on a device, ensuring proper communication and data transfer.
Can you list some common services and their port numbers?
Sure! For example, HTTP uses port 80, HTTPS uses port 443, FTP uses ports 20 and 21, and SSH uses port 22.
How can I find out which port a specific service is using?
You can use tools like netstat, ss, or lsof on Unix-like systems or the netstat command on Windows to check which ports are in use and by which services.