The netstat Command

Sometimes it is necessary to know which active TCP connections are open and running on a networked host. netstat command is a useful network tool for checking and verifying those connections. The verification of TCP connection is important because unexplained TCP connections are a major security risk. The TCP connection shows that something or someone is connected to the localhost.

This netstat command shows detailed information about individual network connections, overall and protocol-specific networking statistics, all listening ports, along with incoming and outgoing network connections and much more, all of which could help troubleshoot certain kinds of networking issues.

By default, the netstat command resolves IP addresses to domain names and port numbers to well-known applications. We can use a variety of switches with netstat command.

To apply the netstat command in your computer open the Command Prompt and execute the netstat command alone to show a comparatively simple list of all active TCP connections which, for each one, will show the local IP address, the foreign IP address, along with their relevant port numbers, as well as the TCP state.

 Command Syntax

netstat[-a] [-b] [-e] [-f] [-n] [-o] [-p protocol] [-r] [-s] [-t] [-x] [-y] [time_interval] [/?]

-aThe -a switch shows all active TCP connections and the TCP and UDP ports on which the computer is listening
-bThe -b switch shows executable concerned in creating each connection or listening port. This switch is added in XP SP2.
-eThis switch shows Ethernet statistics, such as the data includes the number of bytes and packet sent and received including unicast packets, non-unicast packets, discards, errors, and unknown protocols since the connection was established.
-fThe switch -f will force the netstat command to show the (FDQN) fully Qualified Domain Names for each foreign host IP addresses when possible.
-nThis switch could significantly decrease the time it takes for netstat to fully execute. The switch will also show active TCP connections, but addresses and port numbers are expressed numerically.
-oThis switch display active TCP connection and includes the process ID (PID) for all connections. You can find the application based on the PID on the processes tab in windows Task Manager. This parameter can be combined with -a, -n, and -p
-p protoThe -p switch show connections or state only for a particular protocol. You can't define more than one protocol at once, nor can you execute netstat with -p switch without defining a protocol. proto may be any of TCP, UDP, TCPv6 or UDPv6. If you use -s with -p to view statistics by protocol, you can use icmp, ip, icmpv6 or ipv6 addition to the first four I mentioned.
-fThis switch displays the contents of the IP routing table. this equivalent to the route print command.
-sThe -s switch shows statistics per-protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. the -p parameter can be used to specify a set of protocols, but be sure to use -s before -p protocol when using the switches together.
-tThis switch displays the current TCP pipe offload state in place of the type displayed TCP state.
[Interval]An integer used to display results multiple times with a specified number of seconds between displays. Continues until stopped by command ctrl+c. the default setting is to display once.
/?This switch is used to display the details about the netstat command's several option.

Examples of netstat command

netstat -f

The example of a netstat with -f switch shows all active TCP connections. but, I do want to see the computers I’m connected to in Fully Qualified Domain Name format [-f] instead of a simple IP address. Here’s an example of what you might see:

netstat command

The command displays all active TCP connections at the time of execution. The only protocol (in the Proto column) listed is TCP, if UDP is required then you can use -a switch with n switch  (netstat –an) to reduce the execution time.

netstat command

The information above is displayed in the result of the command with –an switch including the protocol, the local address and port number, the foreign address and port number, and the connection status. An explanation of the different connection states is given below.

LISTENINGLISTENING status show that the server is ready to accept a connection.
CLOSEDThis status shows that the server has received an ACK signal from the client and the connection is closed now.
CLOSE_WAITThis status display that the server has received an ACK signal from the client and the connection is closed now.
ESTABLISHEDESTABLISHED status means that the server received the SYN signal from the client and the session is now established.
FIN_WAIT_1This status means that the connection is still active but not currently in use.
FIN_WAIT_2This status means that the client now received ack of the FIN signal from the server.
LAST_ACKThis status show that the server is in the process of sending its own FIN.
SYN_SENDThis status means that this particular connection is open and active.
SYN_RECEIVEDThe status means that the server just recived an SYN signal from the client.
TIME_WAITTIME_WAIT status means that the client recognizes the connection as still active but not currently being used.