netstat is one of the most popular network commands for all Windows operating systems. Even most of the other operating systems like Linux, Ubuntu, Debian, Mint, CentOS, Kali, RHEL, FreeBSD, etc. support netstat command with very same parameters and usage.
What Is netstat?
netstat is a command-line tool in order to get information about the Windows network. netstat can provide information about TCP, UP, IPv4, IPV6, ICMP protocols statistics, open ports, etc. By default netstat command without any parameter will display TCP protocol-related statistics and information because TCP is the most popular protocol. As an old and reliable command, netstat is provided by Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server with the same options and parameters.
netstat Command Syntax
netstat command has the following syntax which is very simple. Only options can be provided to the netstat command.
netstat [-a] [-b] [-e] [-n] [-o] [-p <PROTOCOL>] [-r] [-s] [<INTERVAL>]| Parameter | Description |
|---|---|
| -a | Display all TCP connections, TCP and UDP listening ports |
| -h | Display help information |
| -b | Display programs about connections and listening ports |
| -e | Display Ethernet protocol statistics for all interfaces |
| -n | Display TCP connections |
| -o | Display TCP connections with the Process ID (PID) |
| -p PROTOCOL | Show connections about specified PROTOCOL |
| -r | Display IP routing table |
| <INTERVAL> | Refresh display at the specified INTERVAL |
- TCP Port/Protocol States, Local Address, Foreign Address, Proto
While using the netstat command different pieces of information are provided about the protocol or port states, local address, foreign address, etc. Let’s explain these a little bit.
- Proto is the name of the protocol like TCP, UDP, IPv4, ICMP, etc.
- Local address is the local system IP address or hostname
- The foreign address is the remove system IP address or hostname
- Port or Protocol state can be;
- CLOSE_WAIT
- CLOSED
- ESTABLISHED
- FIN_WAIT_1
- FIN_WAIT_2
- LAST_ACK
- LISTEN
- SYN_RECEIVED
- SYN_SEND
- TIMED_WAIT
netstat Command
We can run the netstat command without any parameter which will list only active TCP connections like below.
> netstat
Display Ethernet Statistics
Ethernet protocol is a layer 2 protocol that can contain different information about frame transmission. This is also called as Interface Statistics.
> netstat -e -s
We can see information like bytes, unicast packets non-unicast packets, discards, errors, unknown protocols.
Display TCP Statistics
TCP protocol statistics can be listed with the -s and -p parameters and providing the protocol. With the following command, TCP statistics and active connections can be listed easily.
C:\>netstat -s -p tcp
TCP Statistics for IPv4
Active Opens = 4077
Passive Opens = 0
Failed Connection Attempts = 63
Reset Connections = 967
Current Connections = 1
Segments Received = 108697
Segments Sent = 88917
Segments Retransmitted = 763
Active Connections
Proto Local Address Foreign Address State
TCP 192.168.142.130:53410 40.67.254.36:https ESTABLISHEDWe can see that following TCP statistics are provided
- TCP Statistics
- Active Opens
- Passive Opens
- Failed Connections Attempts
- Reset Connections
- Current Connections
- Segments Received
- Segments Sent
- Segments Retransmitted
- Active Connections
Display UDP Statistics
UDP protocol statistics can be displayed with the following command. As a simpler protocol against the TCP, it has less information and fewer statistics. We will provide the -p udp parameter.
C:\>netstat -s -p udp
UDP Statistics for IPv4
Datagrams Received = 8855
No Ports = 2418
Receive Errors = 83460
Datagrams Sent = 38218
Active Connections
Proto Local Address Foreign Address State- UDP Statistics for IPV4
- Datagrams Received
- No Ports
- Received Errors
- Datagrams Sent
- Active Connections
netstat Refresh Interval
By default, netstat command is executed one time and single output is printed. But if we want to run and check netstat command output an interval should be specified. The Interval parameter is just a number without any option. We can also use interval for different parameters. In the following example, we will set the interval as 5 seconds.
> netstat 5
> netstat -s -p tcp 5