Netstat

netstat
Developer(s): Various open-source and commercial developers
Initial release: 1983; 40 years ago (1983)
Written in: Plan 9: C
Operating system: Unix, Unix-like, Plan 9, Inferno, OS/2, Microsoft Windows, ReactOS
Platform: Cross-platform
Type: Command
License: OS/2, Windows: Proprietary commercial software; net-tools, ReactOS: GPLv2; Plan 9: MIT License

In computing, netstat (network statistics) is a command-line network utility that displays network connections for Transmission Control Protocol (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics. It is available on Unix, Plan 9, Inferno, and Unix-like operating systems including macOS, Linux, Solaris and BSD. It is also available on IBM OS/2 and on Microsoft Windows NT-based operating systems including Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10.

It is used for finding problems in the network and to determine the amount of traffic on the network as a performance measurement. [1] On Linux this program is mostly obsolete, although still included in many distributions.

On Linux, netstat (part of "net-tools") is superseded by ss (part of iproute2). The replacement for netstat -r is ip route, the replacement for netstat -i is ip -s link, and the replacement for netstat -g is ip maddr, all of which are recommended instead. [2] [3] [4] [5]

Statistics provided

Netstat provides statistics for the following:

Parameters

Parameters used with this command must be prefixed with a hyphen (-) rather than a slash (/). Some parameters are not supported on all platforms.

Name | Description | Windows ReactOS macOS BSD NetBSD FreeBSD Linux Solaris OS/2
-a | Displays all active connections and the TCP and UDP ports on which the computer is listening. | Yes Yes Yes
-b | Displays the binary (executable) program's name involved in creating each connection or listening port. (Windows XP, Windows Server 2003 and newer Windows operating systems; not Microsoft Windows 2000 or older). | Yes No No
-b | Causes -i to report the total number of bytes of traffic. | No Yes Yes No
-e | Displays ethernet statistics, such as the number of bytes and packets sent and received. This parameter can be combined with -s. | Yes Yes No
-f | Displays fully qualified domain names <FQDN> for foreign addresses (only available on Windows Vista and newer operating systems). | Yes No No
-f Address Family | Limits display to a particular socket address family: unix, inet, inet6. | No Yes No
-g | Displays multicast group membership information for both IPv4 and IPv6 (may only be available on newer operating systems). | No No Yes
-i | Displays network interfaces and their statistics. | No No Yes
-m | Displays the memory statistics for the networking code (STREAMS statistics on Solaris). | No No
-n | Displays active TCP connections; addresses and port numbers are expressed numerically and no attempt is made to determine names. | Yes Yes Yes
-o | Displays active TCP connections and includes the process id (PID) for each connection. You can find the application based on the PID in the Processes tab in Windows Task Manager. This parameter can be combined with -a, -n, and -p. This parameter is available on Microsoft Windows XP, Windows Server 2003, and Windows 2000 if a hotfix is applied. [6] | Yes No No
-p protocol | Shows connections for the protocol specified by protocol. In this case, protocol can be tcp, udp, tcpv6, or udpv6. If this parameter is used with -s to display statistics by protocol, protocol can be tcp, udp, icmp, ip, tcpv6, udpv6, icmpv6, or ipv6. | Yes Yes Yes
-p | Shows which processes are using which sockets (similar to -b under Windows); you must be root to do this. | No No Yes
-P protocol | Shows connections for the protocol specified by protocol. In this case, protocol can be ip, ipv6, icmp, icmpv6, igmp, udp, tcp, or rawip. | No No Yes
-r | Displays the contents of the IP routing table. (This is equivalent to the route print command under Windows.) | Yes Yes Yes Yes
-s | Displays statistics by protocol. By default, statistics are shown for the TCP, UDP, ICMP, and IP protocols. If the IPv6 protocol for Windows XP is installed, statistics are shown for the TCP over IPv6, UDP over IPv6, ICMPv6, and IPv6 protocols. The -p parameter can be used to specify a set of protocols. | Yes Yes Yes
-t | Displays only TCP connections. | No Yes Yes
-u | Displays only UDP connections. | No No Yes Yes
-W | Displays wide output; doesn't truncate hostnames or IPv6 addresses. | No No Yes No
-x | Displays NetworkDirect connections, listeners, and shared endpoints. | Yes
-y | Displays the TCP connection template for all connections. Cannot be combined with the other options. | Yes
-v | When used in conjunction with -b, displays the sequence of components involved in creating the connection or listening port for all executables. | Yes No No
Interval | Redisplays the selected information every Interval seconds. Press CTRL+C to stop the redisplay. If this parameter is omitted, netstat prints the selected information only once. | Yes Yes No
-h | Displays help at the command prompt. | Yes No Yes Yes Yes Yes Yes Yes No
-? | Displays help at the command prompt. | Yes No No No No No No No Yes
/? | Displays help at the command prompt. | Yes Yes No No No No No No No

Examples

Cross platform

On macOS, BSD systems, Linux distributions, and Microsoft Windows:

To display the statistics for only the TCP or UDP protocols, type one of the following commands:

netstat -sp tcp

netstat -sp udp

Unix-like

On Unix-like systems:

To display all ports open by a process with id pid:

netstat -aop | grep "pid"

To continuously display open TCP and UDP connections numerically and also which program is using them on Linux:

netstat -nutpacw

Windows

On Microsoft Windows:

To display active TCP connections and the process IDs every 5 seconds, type the following command (works on NT based systems only, or Windows 2000 with hotfix):

netstat -o 5

To display active TCP connections and the process IDs using numerical form, type the following command (works on NT based systems only, or Windows 2000 with hotfix):

netstat -no

*nix

Command | Explanation
netstat -a | Shows all sockets, both listening and non-listening, for all protocols such as TCP and UDP.
netstat -at | Shows only TCP connections (-au shows only UDP connections).
netstat -ant | Shows all TCP connections with no DNS resolution (shows IP addresses instead).
netstat -al | Shows only listening sockets.
netstat -aep | Also shows the PID and the program to which each socket belongs; -e adds extra info like the user. Run as root to see all PIDs.
netstat -s > file2.txt | Shows network statistics.
netstat -r | Shows kernel routing information. This is the same output as route -e.
netstat -i | Displays a table of all network interfaces. Add -e to get output similar to ifconfig.
netstat -ct | Displays TCP connections continuously.
netstat -g | Displays multicast group membership information for IPv4 and IPv6.
netstat -lntu | Displays all services listening for TCP and UDP, all free open ports on the local machine.
netstat -atnp | grep ESTA | Displays all currently "established" TCP connections.

Wildcards

Netstat uses an asterisk * as a wildcard which means "any". Example output:

....Local Address Foreign Address State
... *:smtp          *:*   LISTEN

Under "Local Address" *, in *:smtp, means the process is listening on all of the network interfaces the machine has for the port mapped as smtp (see /etc/services for service resolution). This can also be shown as 0.0.0.0. The first *, in *:*, means connections can come from any IP address, and the second *, in *:*, means the connection can originate from any port on the remote machine.
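The wildcard reading above can be applied mechanically when reviewing which services a host exposes. The following is an added example, not part of the original article: it parses output in the layout of Linux net-tools `netstat -lntu` and labels each listener as bound to all interfaces, to loopback, or to one specific address. The sample text, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of Linux net-tools `netstat -lntu`.
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:631                 :::*                    LISTEN
udp        0      0 192.0.2.10:123          0.0.0.0:*
"""

# Spellings of "any local address" seen in netstat output.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon so IPv6 hosts keep their colons."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def classify(host):
    """Label a local address as all-interfaces, loopback or specific-address."""
    if host in WILDCARD_HOSTS:
        return "all-interfaces"
    try:
        if ipaddress.ip_address(host.strip("[]")).is_loopback:
            return "loopback"
    except ValueError:
        pass  # a resolved host name (no -n); treated as a specific address
    return "specific-address"


def listeners(netstat_text):
    """Return (proto, host, port, binding) for each listening socket row."""
    rows = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner and column-header lines
        # TCP rows must be in LISTEN state; UDP rows carry no state column.
        if fields[0].startswith("tcp") and fields[-1] != "LISTEN":
            continue
        host, port = split_endpoint(fields[3])
        rows.append((fields[0], host, port, classify(host)))
    return rows


if __name__ == "__main__":
    for proto, host, port, binding in listeners(SAMPLE):
        print(f"{proto:5} {host:>12}:{port:<6} {binding}")
```

The parser assumes the state is the last column, so it expects output produced without `-p`.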

Caveats

Some versions of netstat lack explicit field delimiters in their printf-generated output, leading to numeric fields running together and thus corrupting the output data.

Platform specific remarks

Under Linux, raw data can often be obtained from /proc/net/dev to work around the printf output corruption arising in netstat's network interface statistics summary, netstat -i, until such time as the problem is corrected.
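One way to read those raw counters, as an added example that is not part of the original article: the parser below takes the text of /proc/net/dev, derives the column names from the file's own header, and splits each row on the colon after the interface name rather than on whitespace, so a name that touches its first counter still parses. The sample content and function names are constructed for illustration.

```python
# Constructed sample of /proc/net/dev; "eth0:" touches its first counter.
SAMPLE = """\
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   84120     960    0    0    0     0          0         0    84120     960    0    0    0     0       0          0
  eth0:1234567890 8123456    3    7    0     0          0       412 987654321 6543210    0    0    0     0       0          0
"""


def parse_proc_net_dev(text):
    """Return {interface: {column: counter}} from /proc/net/dev content."""
    lines = text.splitlines()
    # The second header line names the columns: " face |rx names|tx names".
    _, rx_names, tx_names = lines[1].split("|")
    columns = ["rx_" + n for n in rx_names.split()]
    columns += ["tx_" + n for n in tx_names.split()]
    stats = {}
    for line in lines[2:]:
        if ":" not in line:
            continue
        # Split on the colon, not on whitespace: name and counter may touch.
        name, _, counters = line.partition(":")
        values = [int(v) for v in counters.split()]
        if len(values) != len(columns):
            raise ValueError(f"unexpected column count for {name.strip()}")
        stats[name.strip()] = dict(zip(columns, values))
    return stats


def interfaces_with_errors(stats):
    """Names of interfaces reporting any receive/transmit errors or drops."""
    keys = ("rx_errs", "rx_drop", "tx_errs", "tx_drop")
    return sorted(n for n, c in stats.items() if any(c[k] for k in keys))


if __name__ == "__main__":
    parsed = parse_proc_net_dev(SAMPLE)  # on Linux: open("/proc/net/dev").read()
    for name, counters in parsed.items():
        print(name, counters["rx_bytes"], counters["tx_bytes"])
    print("errors or drops on:", interfaces_with_errors(parsed))
```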

On the Windows platform, netstat information can be retrieved by calling the GetTcpTable and GetUdpTable functions in the IP Helper API, or IPHLPAPI.DLL. Information returned includes local and remote IP addresses, local and remote ports, and (for GetTcpTable) TCP status codes. In addition to the command-line netstat.exe tool that ships with Windows, GUI-based netstat programs are available.

On the Windows platform, this command is available only if the Internet Protocol (TCP/IP) protocol is installed as a component in the properties of a network adapter in Network Connections.

On the Windows platform running Remote Desktop Services (formerly Terminal Services) it will only show connections for the current user, not for the whole computer.

On macOS, the /System/Library/CoreServices/Applications folder (or /Applications/Utilities in OS X Mountain Lion and earlier) contains a network GUI utility called Network Utility, the Netstat tab of which runs the netstat command and displays its output in the tab.


References

  1. "IBM Systems Information Center". ibm.com. 8 May 2007.
  2. "net-tools". linuxfoundation.org. Archived from the original on 2016-06-11. Retrieved 2014-08-02.
  3. "Arch Linux". archlinux.org. 8 June 2011.
  4. "Deprecated Linux networking commands and their replacements". Doug Vitale Tech Blog. 21 December 2011.
  5. "netstat man page (notes section)". Retrieved 2 August 2014. This program is obsolete. Replacement for netstat is ss. Replacement for netstat -r is ip route. Replacement for netstat -i is ip -s link. Replacement for netstat -g is ip maddr.
  6. "The netstat command can now display process IDs that correspond to active TCP or UDP connections in Windows 2000". Archived from the original on 24 August 2007.
